This article provides an introduction to FireEye and FireEye's technology, and answers questions often posed by prospective buyers interested in FireEye's products. Partners and current FireEye customers can find more detailed product information in the Support Community and Support Knowledge Base.
- What does FireEye Threat Prevention do?
- How is FireEye different?
- Is FireEye MVX a Sandbox?
- How does FireEye detect malware without signatures?
- What is DTI?
- Why can’t event zero be blocked?
- How can I tell if a host is infected?
- Does FireEye depend on any 3rd parties to maintain software?
- How often do new software versions get released?
What does FireEye Threat Prevention do?
FireEye provides a platform to combat next generation cyber threats. The FireEye Platform does this with a multi-faceted approach to security – Prevent, Detect, Contain, Resolve.
- Prevent - Prevention must enable real-time, proactive blocking and provide rich and actionable intelligence to better understand the nature of attacks for continuous improvement of the security posture.
- Detect - Today’s advanced threats require an architecture that is aware of the multi-stage and multi-vector nature of attacks. The security solution should be able to detect known and unknown threats in real time and be able to scale with the demands of the network.
- Contain - Effective containment demands real-time validation of threats coupled with the ability to rapidly stop the impact of an attack on compromised systems.
- Resolve - To limit exfiltration and serious business impact, security incidents must be investigated, scoped, and resolved in a timely and cost-effective way.
The FireEye Platform provides products, people, and intelligence to deliver the industry’s first continuous threat protection model. The global, real-time platform prevents, detects, contains, and resolves advanced threats to help secure brands, intellectual property, and data.
How is FireEye different?
Is FireEye MVX a Sandbox?
No, FireEye MVX is not a sandbox.
The purpose of sandboxing is to keep malicious behavior from affecting the system doing the examination. Traditional sandbox technology examines a file in a sterile environment, free of any external influences. Examining a single file in isolation is insufficient when that file contains obfuscated or encrypted code, because the material needed to unpack it may have arrived separately.
Common sandbox technology is well known to malware authors, who test for the presence of indicators that the file is running under a debugger or in a virtual environment and simply stop executing when they find them.
FireEye not only performs deep analysis of the file, but also captures the original exploit that delivered it, which may contain the decryption keys for the malware.
Because of its patented, proprietary hypervisor, FireEye does not give away any indication that the file is running inside its virtual execution environment (VXE), so execution continues and the file's behavior can be monitored to completion.
How does FireEye detect malware without signatures?
FireEye uses a two-stage process:
- Stage 2, Analysis, is an MVX Core Environment incorporating a purpose-built hypervisor and web cache with extensive logging and analysis tools. Using the headers of the original requests, one or more MVX environments are selected and loaded with the suspect data stream. By logging and analyzing every action, the MVX engine accurately identifies malicious events.
What is DTI?
The FireEye Dynamic Threat Intelligence Cloud (DTI) shares and distributes the indicators of compromise (IOCs) generated by every active FireEye appliance that is enabled to communicate with it. Participating is a best practice: it allows wire-speed blocking of zero-day malware that another appliance has already analyzed.
Why can’t event zero be blocked?
The first occurrence of a new threat cannot be blocked until it has been deemed malicious, and holding traffic until that analysis completes would add unacceptable latency. FireEye appliances therefore perform real-time analysis in parallel with delivery rather than inline.
Note that not every organization will see the first occurrence of a new piece of malware. FireEye's Dynamic Threat Intelligence Cloud lets every FireEye appliance block it as soon as any contributing appliance has deemed a sample malicious and submitted the new signatures.
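The following is an added illustration, not FireEye code: a toy model of the event-zero problem and of shared intelligence, written for this article. It assumes a stream of (site, sample) download events, an analysis step that returns its verdict a fixed number of events later, and a single shared set of blocked indicators standing in for DTI. The sample labels, sites and delay are constructed; nothing here reflects a real appliance's internals.

```python
"""Toy model of inline blocking fed by shared intelligence (added example).

Assumptions (hypothetical, not from the article):
- every appliance sees (site, sample) download events on one global clock;
- a sample is submitted for analysis the first time any appliance sees it;
- the verdict arrives ANALYSIS_DELAY events later and, if malicious, the
  sample's identifier is published to a shared indicator set (DTI stand-in).
"""
from collections import deque

ANALYSIS_DELAY = 2  # events that elapse before a verdict is available (constructed)


class Fleet:
    """All appliances plus the shared indicator store they subscribe to."""

    def __init__(self, malicious_samples, delay=ANALYSIS_DELAY):
        self.malicious = set(malicious_samples)  # ground truth the analyzer discovers
        self.delay = delay
        self.blocked = set()      # shared indicators: blocked at wire speed everywhere
        self.pending = deque()    # (due_tick, sample) verdicts still in flight
        self.submitted = set()    # samples already sent for analysis
        self.tick = 0

    def _publish_verdicts(self):
        # Verdicts are appended in increasing due order, so a FIFO drain is correct.
        while self.pending and self.pending[0][0] <= self.tick:
            _, sample = self.pending.popleft()
            if sample in self.malicious:
                self.blocked.add(sample)

    def handle(self, site, sample):
        """Inline decision for one download event: 'blocked' or 'delivered'."""
        self.tick += 1
        self._publish_verdicts()
        if sample in self.blocked:
            return "blocked"
        # Unknown sample: deliver now (no added latency) and analyze in parallel.
        if sample not in self.submitted:
            self.submitted.add(sample)
            self.pending.append((self.tick + self.delay, sample))
        return "delivered"


def simulate(events, malicious_samples, delay=ANALYSIS_DELAY):
    """Run the event stream and return the inline decision for each event."""
    fleet = Fleet(malicious_samples, delay)
    return [fleet.handle(site, sample) for site, sample in events]


# Constructed event stream: site-B never analyzes "bad" itself, but is still
# protected because site-A's verdict was published to the shared set.
EVENTS = [
    ("site-A", "bad"),   # event zero: delivered, verdict due two events later
    ("site-B", "good"),  # benign, delivered
    ("site-A", "bad"),   # verdict now published: blocked
    ("site-B", "bad"),   # blocked at wire speed without local analysis
    ("site-C", "good"),  # benign, delivered
]

if __name__ == "__main__":
    for (site, sample), decision in zip(EVENTS, simulate(EVENTS, {"bad"})):
        print(f"{site:7} {sample:5} -> {decision}")
```

Even with a zero-event analysis delay the first sighting is delivered, because the inline decision is made before the verdict exists; only the second and later sightings, anywhere in the fleet, can be blocked.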
How can I tell if a host is infected?
A Red severity indicator means it is very likely that the attack succeeded and the host is infected. Callback activity from the host confirms this.
An Amber severity indicator means the attack is unlikely to have succeeded, because the FireEye appliance had to serve a dummy binary, known as the Honey binary, in place of the original binary, which was missing. This is shown in the event log.
The absence of any callback activity from the host confirms this.
In addition, with the HX agent deployed on the host, an infection detected on the network can be verified proactively on the agent without waiting for a callback (the consequence of a successful infection). Once verified, the HX agent can isolate the host from the network to prevent lateral movement.
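As an added example for the triage rules above (written for this article, not FireEye code, and not FireEye's log format), the script below applies them to a handful of constructed appliance-style events. The key=value line layout, event names, hosts and addresses are all assumptions; the decision logic is the article's: a callback confirms a Red, a Honey binary with no callback is Amber, and an exploit followed by a real binary but no callback yet is Red but unconfirmed and worth checking on the endpoint.

```python
"""Severity triage over constructed network events (added example).

Log format, field names and addresses are hypothetical; only the decision
rules come from the article's description of Red and Amber indicators.
"""
import re
from collections import defaultdict

# Constructed sample lines, not real appliance output.
SAMPLE_LOG = """\
2024-05-02T10:01:12Z host=10.0.0.12 event=exploit url=http://example.invalid/a
2024-05-02T10:01:13Z host=10.0.0.12 event=binary mode=real
2024-05-02T10:02:40Z host=10.0.0.12 event=callback dst=198.51.100.7
2024-05-02T10:05:01Z host=10.0.0.23 event=exploit url=http://example.invalid/b
2024-05-02T10:05:02Z host=10.0.0.23 event=binary mode=honey
2024-05-02T10:07:30Z host=10.0.0.31 event=exploit url=http://example.invalid/c
2024-05-02T10:07:31Z host=10.0.0.31 event=binary mode=real
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse(log_text):
    """Group the key=value fields of each line by host, preserving order."""
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, _, rest = line.partition(" ")
        fields = dict(KV.findall(rest))
        fields["ts"] = timestamp
        by_host[fields["host"]].append(fields)
    return by_host


def triage(events):
    """Return (severity, reason) for one host's ordered events."""
    kinds = {e["event"] for e in events}
    honey_served = any(e["event"] == "binary" and e.get("mode") == "honey" for e in events)
    if "callback" in kinds:
        # A callback is the consequence of a successful infection: confirmed Red,
        # even if a Honey binary was served earlier (something else got through).
        return ("red", "confirmed: callback observed")
    if honey_served:
        return ("amber", "honey binary served, no callback: likely failed; verify on endpoint")
    if "exploit" in kinds:
        return ("red", "unconfirmed: no callback yet; verify on endpoint agent")
    return ("none", "no exploit activity")


def triage_log(log_text):
    """Map every host in the log to its triage result."""
    return {host: triage(events) for host, events in parse(log_text).items()}


if __name__ == "__main__":
    for host, (severity, reason) in sorted(triage_log(SAMPLE_LOG).items()):
        print(f"{host:10} {severity:5} {reason}")
```

The Amber and unconfirmed-Red cases are exactly the ones where an endpoint agent earns its keep: both are waiting on a callback that may never come, and a host-side check settles them without the wait.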
Does FireEye depend on any 3rd parties to maintain software?
No, FireEye retains all the source code and maintains all developments and transitions internally.
How often do new software versions get released?
- New major software releases come out approximately every 6-9 months.
- Patches come out every 4 to 6 weeks.
- Guest images releases come out every 6 to 8 weeks.
Links to dedicated infected HTTPS sites are socially engineered, targeted attacks, usually distributed via email. The FireEye Email MPS appliance detects these threats.