FireEye nPulse Acquisition Validates Digital Forensics Growth, Say Partners


FireEye said this week it will acquire network packet analysis vendor nPulse Technologies for $60 million in a move that the firm said would bolster its incident investigation and remediation capabilities.

The Milpitas, Calif.-based network security vendor said that besides the network packet recording and analysis capabilities being added to its product portfolio, the acquisition is meant to bolster its managed service capabilities, providing digital forensics investigators with information-rich data to determine the nature and scope of a serious malware infection.  

"When combined with Mandiant services and the services capabilities of our partners, we'll be able to provide customers complete visibility into the network with quality analytics that accelerate the path from detection to resolution," said FireEye CEO Dave DeWalt in a statement Tuesday announcing the acquisition. "This acquisition is a vital part of our long-term strategy to build a single security platform that protects against the most advanced threats and offers customers one solution to detect, contain, resolve and prevent threats."


Charlottesville, Va.-based nPulse was founded in 2011 by president and CEO Tim Sullivan, who also founded Fidelis Security Systems. NPulse is known by forensics teams for its speed. Its traffic-recording and analysis platform has been popular with clients, said Mark P. Williamson, chief technology officer at Gaithersburg, Md.-based security consultancy and reseller Conquest Security.

NPulse created a way to not only capture data very quickly, but also write it to disk in a way that boosts performance, and provides context that helps speed analysis, Williamson told CRN.

"For this activity, you not only need to be able to grab it off the wire quickly, but also do something with that data," said Williamson, whose firm partnered with nPulse. "NPulse's expertise in that area gave them a big advantage over other platforms."

Other vendors that do network packet capture and analysis, such as Solera Networks, recently acquired by Blue Coat, and RSA NetWitness, have focused heavily on analysis, according to consultants who perform digital forensics after a breach takes place. Each platform has its own proprietary inspection engines and unique capabilities favored by forensics investigators, they said.

Analysis with these tools happens after a breach takes place, but Williamson and other consultants said the packet-analysis platforms have gotten faster at detecting behavioral anomalies that signal suspicious activity. It is a way to add a layer beyond signature-based detection, Williamson said.

"We're beginning to reach a point at being able to determine what is happening in real time and build out predictive capabilities to figure out how the next attack is going to take place," he said.

The products developed by nPulse include a data storage system with search capabilities and built-in case management software. It also sells a 20-Gbps capture probe appliance for multipetabyte traffic recording, and a line-rate inspection probe that can inspect email, messaging and other data for embedded URLs and other files in network traffic.

DeWalt said FireEye will use the acquisition to build out its platform. Engineers at the network security appliance manufacturer are developing a product that brings together network and endpoint forensics, he said. The deep visibility can bolster active defense capabilities to respond to malware infections and contain them, cutting off an attacker's movement in the network before data is stolen, he said.

"Preventing malicious code from entering the network is always key, but now we need to know more -- when the malicious code appeared, how the network was compromised and if any data was removed," DeWalt said. "This is the new reality of enterprise security."

PUBLISHED MAY 7, 2014