(Special Thanks to Yogi Chandiramani for making this Great FAQ)
The goal of this document is to address customer questions and concerns that the Sales Engineers often encounter about our Threat Intelligence Offerings.
Available Threat Intelligence Packages:
- Dynamic Threat Intelligence (DTI)
- 2-way (default): FireEye automatically pushes information to and pulls anonymous information from appliances
- 1-way: FireEye automatically pushes information to appliances only; no pull of anonymous information
- Offline: The appliance is not connected to DTI and push/pull of information occurs manually
- Advanced Threat Intelligence (ATI and ATI+)
Dynamic Threat Intelligence (DTI) FAQs
Do we use 3rd party databases to detect callbacks?
No, all checksums and callback coordinates in the DTI are generated by FireEye appliances or the FireEye Content team.
What data is shared with the FireEye Dynamic Threat Intelligence Cloud?
Two types of data are shared: real time statistics and security content information.
Real Time Statistics
- License Information: license status.
- Appliance Health: Environmental information relating to all components, such as fans and hard disk drives, together with System Activity Report data.
- Traffic Measurements: Traffic throughput statistics and capacity monitoring
- Statistics of Critical Sub-systems Capacity: Interface status, packet counts, number of flows, broken or asymmetric flows, binaries, packet loss, protocol-based stats, memory usage, and Kernel level information.
Security Content Information
The following information is uploaded to the DTI cloud over an encrypted protocol (HTTPS):
- Timestamp: The timestamp can be used as a reference for other events and can provide additional information about the attack and the methods used.
- URL: List of malicious URLs contacted during traffic analysis in the Virtual execution (VX) engine.
- MD5: An MD5 hash is generated for identifiers such as IP address and MAC address, so that the data can be retained for analysis without the original value being sent. This is what allows correlation of multiple threats on a common host. Note that an unsalted hash of a small identifier space, such as IPv4 addresses, can be reversed by enumerating the candidates, so this should be understood as pseudonymization of the identifier rather than irreversible anonymization.
- File Types: File types used in the course of an attack. FireEye determines the entry point, the payload, and the methods used.
The following information is NOT uploaded to the DTI cloud:
- No customer-specific proprietary information
- No PCAPs
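The following is an added example, not code from the FAQ or from any FireEye appliance, showing both sides of the MD5 item above: hashing a host identifier lets the receiving side correlate several alerts to one host without ever seeing the raw address, but an unsalted hash of an IPv4 address is recoverable by enumeration. The sample events, the candidate network and the HMAC key are all constructed for illustration; the page does not state whether the appliance salts or keys its hashes.

```python
import hashlib
import hmac
import ipaddress
from typing import Callable, Dict, List, Optional

# Constructed sample data for illustration only; not real appliance telemetry.
SAMPLE_EVENTS = [
    {"ip": "10.20.30.40", "event": "callback to known C2 URL"},
    {"ip": "10.20.30.40", "event": "malicious PDF detected in VX engine"},
    {"ip": "10.20.99.7", "event": "exploit kit landing page"},
]


def pseudonymize_md5(value: str) -> str:
    """Unsalted MD5 of an identifier string, as the FAQ describes for IP/MAC fields."""
    return hashlib.md5(value.encode("ascii")).hexdigest()


def pseudonymize_hmac(value: str, key: bytes) -> str:
    """Keyed alternative (HMAC-SHA256, an assumption here, not the appliance's method).
    Without the key, an observer cannot rebuild the hash by enumerating inputs."""
    return hmac.new(key, value.encode("ascii"), hashlib.sha256).hexdigest()


def correlate_by_host(events: List[dict], hasher: Callable[[str], str]) -> Dict[str, List[str]]:
    """Group events by pseudonymized host id. This is the correlation the FAQ says the
    hash exists for: two alerts can be tied to one host without the raw address."""
    grouped: Dict[str, List[str]] = {}
    for ev in events:
        grouped.setdefault(hasher(ev["ip"]), []).append(ev["event"])
    return grouped


def recover_ipv4(target_hex: str, candidate_network: str,
                 hasher: Callable[[str], str] = pseudonymize_md5) -> Optional[str]:
    """Brute-force a hashed IPv4 address by hashing every candidate in a network.
    The whole IPv4 space is only 2**32 candidates, so an unsalted hash of an address
    is pseudonymous, not anonymous; a /16 (65,536 candidates) is enough to show it."""
    for addr in ipaddress.ip_network(candidate_network):
        if hasher(str(addr)) == target_hex:
            return str(addr)
    return None


if __name__ == "__main__":
    grouped = correlate_by_host(SAMPLE_EVENTS, pseudonymize_md5)
    for host_id, evs in grouped.items():
        print(host_id, "->", evs)

    leaked = pseudonymize_md5("10.20.30.40")
    print("unsalted MD5 recovered as:", recover_ipv4(leaked, "10.20.0.0/16"))

    keyed = pseudonymize_hmac("10.20.30.40", b"per-deployment-secret")
    guess = recover_ipv4(keyed, "10.20.0.0/16", lambda v: pseudonymize_hmac(v, b"wrong-guess"))
    print("keyed hash recovered without the key:", guess)
```

Correlation works identically with either hasher, since both map the same input to the same output; only the keyed variant denies the enumeration attack to anyone who lacks the key.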
What's the benefit of sharing data with DTI Cloud?
Sharing data allows proactive operational monitoring and support by the FireEye customer support team, including the identification of targeted attacks. The collection of shared content is processed internally by FireEye to extract the malicious content before anonymizing and delivering to the DTI cloud for distribution to the FireEye customer community. All FireEye appliances upload information using a secure (HTTPS) connection to cloud.fireeye.com.
Additionally, FireEye has implemented a unique technology in DTI to detect zero-day callbacks.
Do FireEye appliances have to upload to the DTI Cloud?
No. FireEye appliances can get the benefit of the cloud without uploading any data with a 1-way download license. FireEye appliances can also be deployed in a totally disconnected mode, with upgrades and updates provided via the offline portal. For government or defense vertical customers, FireEye has designed an offline portal that enables downloading updates from the DTI cloud to a local server and then uploading them to the appliances.
Can FireEye appliances connect to the DTI Cloud via a web proxy?
Yes, FireEye appliances can download updates via a web proxy. Basic authentication is supported. Note that basic authentication only base64-encodes the proxy credentials, so the proxy account used by the appliance should be dedicated to it and restricted to the DTI destination.
ATI /ATI+ FAQs
Will ATI be available for all the products or just for some?
ATI is on the roadmap for all FireEye products. NX currently supports it since version 7.4, and TAP supports it as the Alert Context feature. EX and ETP will support this feature in Q2 2015, with the other products to follow.
Can FireEye Intelligence Center be sold standalone?
FireEye Intelligence Center is not a product on its own. It is a feature of ATI+ and can only be sold as such. On a case by case basis, a very small subset of customers, subject to deal desk approval, may be permitted to purchase this capability without it being associated with an underlying FireEye product. Historically these exceptions have been granted only to intelligence agencies, subject to very specific terms and conditions to ensure our intellectual property is protected from being arbitrarily redistributed.
Will ATI information (badges) also be applied to older events that occurred before ATI was activated?
Yes. ATI checks every hour for events that occurred up to 3 months prior.
What are the different configurations for the threat intelligence offerings?
DTI 2-Way Customers
- CAN purchase ATI
- CAN purchase ATI+
DTI 1-Way Customers
- CANNOT purchase ATI
- CAN purchase ATI+
DTI Offline Portal Customers
- CANNOT purchase ATI
- CAN purchase ATI+
How will the price of ATI+ compare with the previous pricing model of per node for MD-CM?
Based on the modeling done, pricing will be comparable and in line with competitive pricing from other threat intelligence offerings in the industry. However, there will be a requirement of a minimum purchase history of AED 366,356.35 net to FireEye, not including professional services.
Why are the threat intelligence offerings priced per appliance?
Customers get more value from our threat intelligence offerings the more of our platforms they have deployed. DTI specifically enables detection within each of our platforms while ATI provides alert context within the products. ATI+ includes access to our Intelligence portal as well as 24/7 detection efficacy monitoring and alerting for critical alerts. Both of these capabilities provide more to customers if they have more of our technology deployed. Moving forward from a roadmap perspective we also intend to bring better integration between the product UI and the Intelligence portal to make the pivoting from detection to intelligence center even more efficient.
Can a customer purchase ATI / ATI+ on just one of their appliances?
No. Customers will be required to purchase ATI or ATI+ on all their appliances so that all of them are at the same intelligence level. Since ATI (as of November 2014) is only available for NX, customers purchasing ATI will need to buy it for all their NX devices. When support for EX is available if they purchase ATI, they will need to upgrade all their NX and EX devices and so on.
Can prospects POV ATI / ATI+?
Yes. ATI will be turned on by default. ATI+ can also be POVed by filling out a form much like was done in the case of Continuous Monitoring. Bear in mind when POVing ATI+ access is only provided to a demo Intelligence portal with very limited information.
What about customers currently subscribing to Managed Defense - Continuous Monitoring (MD-CM) or Oculus Continuous Monitoring (OCM)?
MD-CM customers will be grandfathered for the duration of the subscription into ATI+. At time of renewal they will need to move to ATI+ pricing. Customers with OCM will be grandfathered in for the appliances they have purchased the OCM subscription for. At renewal they will be required to purchase ATI+ on all their appliances.
Can customers currently with DTI upgrade to ATI or ATI+?
Yes, customers with a current DTI subscription can upgrade to one of the higher levels of intelligence.