Saturday, May 13, 2006

Fireeye – Pye in the Skye?

Fireeye came out of stealth last week. The company has raised $6.5 in Series A funding from two of Silicon Valley’s marquee Venture Capital firms – Sequoia Capital and Norwest Venture Partners. The Sequoia partner involved is Gaurav Garg (my fellow ARL alum) and Promod Haque (who else?) is leading the round from Norwest. The fact that Haque’s success in enterprise networking is rivaled only by his fellow Delhi-ite means that this company might be worth watching.

Fireeye works on what they call effortless Network Admission Control (NAC). Before I get into what I think their product does, a short blurb on what NAC is: a huge security threat to organizations in recent years has been employees and visitors bringing their (potentially infected) laptops into the corporate network. Since this is something that cannot be caught by a gateway device, what is needed is a policy that decides which hosts to let into the network and which hosts to keep out. NAC is a Cisco-led initiative that helps IT managers make that decision. Cisco has a list of NAC partners whose products it recommends. Since Fireeye is not on that list, it looks to me as though they're using the term (NAC) to differentiate themselves from the Cisco-recommended solutions.

The reason? The use case for most NAC products on the market is pretty much the same today. Someone who wants to bring their laptop onto the network takes it to their sysadmin, who makes a call on whether or not to admit the laptop based on the recommendation of the NAC product in use. Pretty much every NAC product in use today does one of two things: determine whether or not a host (1) is patched or (2) complies with an organization's security policy. While Fireeye does not claim to do either of these things, what they claim to have is the ability to detect whether or not a host is an imminent threat to the network (thereby eliminating the overhead the sysadmin incurs with state-of-the-art NAC products). Their catch-phrase seems to be -- "If it doesn't infect, let it connect."

How is this done? (Anything past this point in the post is conjecture; isn't that what blogs are for? :) ) The Fireeye device runs multiple instances of Windows that are used as a sandbox of sorts. The device receives a port mirror of all traffic that traverses a switch. It downloads executables that are traversing the network and observes the effect of running them (by monitoring the IDT/GDT or attempts to write to the Windows registry, for example). This is certainly not the first time sandboxing has been used to identify malware; security vendors routinely use systems like these as an integral part of their research infrastructure. But what Fireeye has done represents the first attempt by a company to move this functionality to the network switch. The key question for any gateway-based product is how real-time it can be. Malware authors are known to employ stealth techniques (the executable remains dormant for several hours or even days; thanks to Rajesh for this piece of insight) to defeat precisely these types of systems. I am not sure whether Fireeye does anything to get past these sorts of tactics.

The other thing the product literature says about this product is that the sysadmin is alerted via email or SNMP once the device has determined that a host constitutes an imminent threat to the network. If I were a sysadmin, this would be a hard sell to me. What if I were away eating Masaman curry at my favorite Thai restaurant when I get that critical email that says, "Host X is about to hose your network and cost you your job"? The point I am trying to make is that this product will at best complement existing NAC solutions, not replace them: yet another weapon in an organization's security arsenal (which is what most security products are anyway). Companies are likely to continue being anal about admitting only patched, policy-compliant hosts (esp. in the wake of SOX).
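To make the two admission models concrete, here is a toy model I have added to this post (it is not FireEye's or Cisco's code): the conventional NAC checks (patch level and policy compliance) alongside a behavioural sandbox verdict with a bounded observation window. Every host record, "executable" (modelled as a timeline of observed actions) and timing is constructed, and the list of flagged actions is an assumption built around the registry writes and IDT/GDT monitoring mentioned above. The dormant sample shows the gap the post worries about: with a five-minute window the sandbox reports it clean, so a switch-side verdict alone would admit it.

```python
"""Toy model of the admission checks discussed in this post. Added example, not
FireEye's or Cisco's code. Everything here is constructed: the host records, the
'executables' (modelled as timelines of observed actions) and the timings."""

from dataclasses import dataclass, field
from typing import List, Tuple

# Behaviours a behavioural sandbox would flag. The post names registry writes and
# IDT/GDT monitoring; the exact action names are assumptions for illustration.
SUSPICIOUS_ACTIONS = {
    "write_registry_run_key",   # persistence via a Run key
    "hook_idt",                 # interrupt descriptor table tampering
    "patch_gdt",                # global descriptor table tampering
}


@dataclass
class Sample:
    """An executable pulled off the mirrored port, represented by what it did and when."""
    name: str
    # (seconds after execution started, action name), in any order
    timeline: List[Tuple[float, str]]

    def is_malicious(self) -> bool:
        """Ground truth: does the sample ever perform a flagged action?"""
        return any(a in SUSPICIOUS_ACTIONS for _, a in self.timeline)


def sandbox_verdict(sample: Sample, window_seconds: float) -> str:
    """Verdict a sandbox with a bounded observation window would reach.

    Only actions that fire within the window are visible; a sample that stays
    dormant past the window is reported 'clean' even if it later misbehaves.
    """
    for t, action in sorted(sample.timeline):
        if t > window_seconds:
            break               # observation ended; the rest is never seen
        if action in SUSPICIOUS_ACTIONS:
            return "suspicious"
    return "clean"


@dataclass
class Host:
    name: str
    patched: bool
    policy_compliant: bool
    downloads: List[Sample] = field(default_factory=list)


def nac_decision(host: Host, window_seconds: float = 300.0) -> dict:
    """Combine the conventional NAC checks (patch level, policy compliance) with the
    behavioural verdict, treating the sandbox as a complement, not a replacement."""
    sandbox = {s.name: sandbox_verdict(s, window_seconds) for s in host.downloads}
    behaviour_clean = all(v == "clean" for v in sandbox.values())
    return {
        "host": host.name,
        "patched": host.patched,
        "policy_compliant": host.policy_compliant,
        "sandbox": sandbox,
        "admit": host.patched and host.policy_compliant and behaviour_clean,
    }


# Constructed samples. `DORMANT` waits two hours before touching the IDT.
NOISY = Sample("noisy.exe", [(2.0, "create_process"), (5.0, "write_registry_run_key")])
DORMANT = Sample("dormant.exe", [(1.0, "create_process"), (7200.0, "hook_idt")])
BENIGN = Sample("installer.exe", [(1.0, "create_process"), (3.0, "write_file")])

# Constructed hosts: patched+compliant with a noisy download, patched+compliant with a
# dormant download, and an unpatched host with a benign download.
LAPTOP_A = Host("laptop-a", patched=True, policy_compliant=True, downloads=[NOISY])
LAPTOP_B = Host("laptop-b", patched=True, policy_compliant=True, downloads=[DORMANT])
LAPTOP_C = Host("laptop-c", patched=False, policy_compliant=True, downloads=[BENIGN])


if __name__ == "__main__":
    for host in (LAPTOP_A, LAPTOP_B, LAPTOP_C):
        print(nac_decision(host))
    # The gap: a 5-minute window never sees what dormant.exe does at t=7200s,
    # while a day-long window would catch it.
    print(DORMANT.is_malicious(), sandbox_verdict(DORMANT, 300), sandbox_verdict(DORMANT, 86400))
```

Widening the window only trades one problem for another: a device that has to hold every executable for a day before deciding is no longer anywhere near real-time, which is why the patch and compliance checks still do most of the admission work in this model.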
