5 Reasons FireEye Antimalware Technology Is Overvalued By Wall Street
10:00 AM EST Tue. Sep. 24, 2013
FireEye, which has been gaining attention for its white-hot antimalware detection system, was one of the most anticipated tech IPOs of 2013, and FireEye's IPO on Friday exceeded expectations. The Milpitas, Calif.-based security appliance maker valued its IPO at $20 per share, and Wall Street investors have embraced the company's stock. It ended its first day of trading with gains of 80 percent at $36.00 per share.
FireEye uses a sandboxing approach to isolate and inspect the behavior of suspicious files. Security experts told CRN that while FireEye's technology is a much-needed alternative to traditional signature-based defenses, technology vendors are already implementing similar sandboxing and cybercriminals are developing ways to thwart it.
Here are five reasons security experts say Wall Street may be overvaluing FireEye's technology.
An in-line FireEye deployment can be expensive and involve extensive configuration, said Paula Musich, principal analyst at Washington, D.C.-based research firm Current Analysis. While early adopters are happy with their results, it's unclear whether the threat detection capabilities the appliance provides are worth the steep investment and ongoing maintenance costs, Musich said. It's also going to be difficult for businesses to evaluate, Musich said. "Larger enterprises can do their own bake-offs, but doing bake-offs of this technology is not going to be for the faint of heart," she said.
As of the end of June, FireEye had about 1,100 customers in more than 40 countries. Financial analysts are also debating FireEye's financials. The company's net losses increased to $67 million, but executives have convinced a substantial number of investors that its strategy will eventually pay off.
In its financial filings with the Securities and Exchange Commission, FireEye said the IT security market may not continue to adopt the company's virtual machine-based security platform. Security solution providers that CRN contacted said companies are less willing to adopt a point solution for malware detection. Scott Fuhriman, vice president of sales and product development at St. Louis-based Tierpoint, a Fortinet partner, said firms that buy advanced malware platforms already have robust capabilities and large IT staffs. If it is a highly secure environment, the business will be running multiple antimalware platforms. At midsize organizations in the middle of reducing their datacenter footprint, replacing an existing system with a newer model that has extended capabilities makes more sense than deploying another network appliance, Fuhriman said.
The FireEye antimalware system has the potential to generate a lot of alerts, which is not necessarily bad, but it will require a response team to make it effective, said Andreas Mertz at IT-Cube, a certified FireEye partner based in Munich, Germany. Mertz said the firms he's seen deploying the technology are not doing so in-line, making it an incident response tool rather than a real-time detection engine.
Deployment of the appliance is favored at large defense contractors and the financial sector, which can afford large IT teams and handle coordinating with outside consultants and other service providers for assistance with isolating and containing advanced threats.
FireEye connectors are being created to help automate responses.
Security experts told CRN that malware detection requires more than just quarantining an infected system and then reimaging it. Antimalware researchers use forensics malware tools to reverse-engineer advanced threats to determine their capabilities and attempt to pinpoint their origin.
Pete Lindstrom, vice president of Spire Security, said an alert generated by the FireEye system does not necessarily indicate a malware-infected system, because the sandbox images FireEye runs do not replicate every system image in the business. Understanding the alerts requires an experienced threat team that can determine what needs addressing quickly and what can be ignored, he said. Companies also find that they need additional software to handle the alerts, said Rick Holland, a senior analyst at Forrester Research. Mandiant integrates workflow to help responders understand the extent of an incident, Holland said. Guidance Software also provides a connector to its EnCase Cybersecurity platform to prioritize incident response.
Next-generation firewalls and intrusion prevention systems are building in similar file-behavior mechanisms, said Garry Sidaway, global director of security strategy at managed services provider WideAngle, an NTT Com Security firm.
Check Point Software Technologies, Lastline, Palo Alto Networks and Sourcefire, recently acquired by Cisco Systems, have components that isolate suspicious files and monitor their behavior to detect malware. Fortinet said it would deploy a similar capability later this year. In addition, cloud security vendor Zscaler said its Web gateway service now uses file behavioral analysis to detect advanced persistent threats.