The coverage of FireEye’s acquisition of Mandiant in most business publications (see reports in the New York Times and Wall Street Journal) has focused on the dynamic personalities of the CEOs rather than on the implications for delivering security capabilities. But a closer look at this deal shows that the logic driving the future shape of cyber-security products has changed. The new model is a hybrid product that will be a mix of cloud-based capabilities, analytics, SaaS applications, distributed monitoring, and professional services, deployed in several layers. CIOs and CISOs should study this new model and prepare their organizations to adopt it in a series of stages.
Here’s what’s happening:
- The days of perimeter-based security are long gone (see “Why Most Companies Are Fighting the Wrong Security Battle”). While firewalls, intrusion detection, anti-virus software, and the like are all needed, the fact is that they aren’t enough to keep the bad guys out.
- Modern cyber-security is not only about making sure you have strong locks around the building, and even stronger ones around the crown jewels; it must also address the question of how to detect when the bad guys have gotten in, are poking around, and have started shipping valuable information outside your company. These attacks, called Advanced Persistent Threats (APTs), are the real enemy.
- As I pointed out in “How To Choose The Right Eyes and Ears for Cybersecurity,” the only way to find APTs is to have a broad and sophisticated understanding of what’s normal. FireEye has been building the brain for such a system for quite a while, but what is also needed are Eyes and Ears, Hands and Arms, and Legs, as I describe in this article: “Teaching Your CEO about Cyber Security: An Anatomical Analogy.”
- This is where it starts to get complex. Once you find something abnormal, what do you do? APTs are fiendishly clever. Mandiant has made its name by coming in and figuring out what’s wrong, stopping it, and improving the cybersecurity landscape so that a similar attack can be prevented. Though Mandiant’s offering is supported by advanced technology, it is primarily a service, one that is heavily reliant on an expert team.
Here’s the challenge, then: How do you detect and respond to threats? How can a CEO say to his board, “We have done everything that is prudent to protect our company. Our spending is at an adequate level and we are vigilant about expanding our ability to protect ourselves”?
The problem is that very few companies can afford to have the talent found at Mandiant working on staff, but from time to time, almost every company will need such talent to determine if an attack has succeeded and what to do about it.
The product management logic of the FireEye acquisition of Mandiant now becomes clear. Cybersecurity will become a form of technology-enabled insurance. You will buy FireEye enhanced by Mandiant to implement a model along the following lines:
- A monthly fee will cover the license for FireEye, the brain, and any additional eyes and ears that will be needed to protect and monitor your environment.
- It is likely that FireEye will make recommendations about best practices for products it doesn’t sell, such as perimeter security or specialized scanning technology for file systems.
- Your security operations team will run this environment, keep it up to date, and analyze attacks as they come in. A distilled form of the data from the eyes and ears will be shipped to FireEye’s operations center for further analysis.
- Another monthly fee will cover automated advanced analysis of your security data and incident response. When your team cannot figure out what’s happening, the pros from Mandiant will be on retainer to come in and save the day. That’s their business now.
With this offer in place, a CEO can rest easy, knowing that in the face of a serious breach, he can rely on the experts from FireEye to explain why his security was adequate. Of course, if the CEO, CIO, and CISO reject recommendations after they have bought this insurance, they will likely be held responsible.
My guess is that cybersecurity companies will start formally using the insurance analogy quite soon. In addition, with such a model in place, insurance companies will be able to write policies covering cybersecurity risk, because the risk can be better understood. This is something that the Department of Homeland Security is seeking to promote, and that FireEye may make possible.
Dan Woods is CTO and editor of CITO Research, a publication that seeks to advance the craft of technology leadership. For more stories like this one visit www.CITOResearch.com. Dan has performed research for FireEye and other cybersecurity companies.