FireEye CEO, CFO Discuss Hacking Attempt, Impact Of Equifax Breach, And Company's 'First True Channel-Friendly Product'

Stopping The Bad Guys

FireEye worked with law enforcement and spent hundreds of hours investigating a hacker's July claim that he had breached the company's corporate network, all of which culminated in an arrest Thursday.

In the Milpitas, Calif.-based company's third quarter, which ended Sept. 30, FireEye saw sales climb 1.7 percent to $189.6 million and recorded a loss of $72.9 million, improved from a loss of $123.4 million in the same quarter last year.

CEO Kevin Mandia and CFO Frank Verdecanna talked with CRN before the company's earnings call about how they addressed the unsuccessful corporate network hacking attempt with customers, the impact of the Equifax breach on their Mandiant incident response services business, and why the company's new endpoint protection offering, FireEye Endpoint 4.0, is its "first true channel-friendly product."

Mandia and Verdecanna also addressed how their Helix platform helps customers make sense of alerts, the benefits of having a single interface for all their products, and how their new CMO will help FireEye stake out a thought leadership position in the industry.

Read on to learn how FireEye plans to compete and win in the endpoint security market.

What effect, if any, did the attempted breach have on FireEye's performance?

Mandia: It's impossible to measure, first and foremost. Does it take a lot of time? Absolutely. I'm very proud of our security team, our internal investigative team, Steve Booth – our CISO – that had to deal with this. It just makes you realize firsthand the anonymity of the internet really bolsters some wrongdoers to do certain things. It impacted us tremendously in the amount of time and effort that went into investigating it. We're in the business of doing that, but we're in the business of doing that for our customers, and then, all of a sudden, we had to ramp up and do it for ourselves. So there's a lot of direct, real costs. As for how it influenced buyers' decisions, I don't consider it ever a positive upside when you have an anonymous person making false claims about your company.

What conversations did you have with customers and partners?

Verdecanna: The good thing is that it happened early in the quarter. So any customers or prospects that were concerned about it had a good opportunity to sit down with our CISO or Kevin and walk through it. Ultimately, we ended up delivering results above all our guidance ranges. I don't think it really had a negative influence on it [the quarter], but it did take some time for us to get through some of those discussions and just make sure everybody was comfortable.

How much time and effort was involved in getting to the bottom of this?

Mandia: Our guys did an exceptional job. It wasn't in dozens of hours. It was in hundreds of hours. But we had to roll up our sleeves and do it. And we had to convince the world. You have to prove the negative, which is really annoying. I don't want to underestimate the unfairness of the situation of an anonymous person making false claims. I think we'll be more forthcoming on that information as the investigation unfolds.

What, if any, long-term impact will this have on your business?

Mandia: There's no measurable negative impact. I'm sensitive to this issue from dealing with victim companies and CEOs on a daily basis. Almost every two weeks, I get a phone call from somebody that has been breached, and we have a cleansing discussion. And by the way, we weren't breached. We were claimed to have been breached. These things are a frustration to deal with. And over time, I hope to find that as a nation or as an internet community, that we can bring risks or repercussions to the folks that do it.

What was the biggest impact ?

Verdecanna: Had we been breached, that would have been a whole different ball game. The fact is that we were able to prove that we weren't breached. The negative consequence was really more just kind of time proving that out, and then just getting customers comfortable that we weren't in fact breached.

What types of questions are you getting asked as a result of the Equifax breach?

Mandia: Bad things happen to good people all of the time. We're in the business of responding to a lot of these incidents. I think it's just one more case of many, many headline-type things that just shows the potential liabilities if you have a breach and know about it. It tends to go up. It also brings other things to the forefront. We've got to figure out who's doing these things. We've got to impose risks and repercussions to the folks doing these things. In regards to that breach or any other breach, it's hard for me to show whether or not it's had a direct impact on our business. We've been in the business the whole time. This is what we do.

What impact do breaches like Equifax have on your Mandiant incident response services business?

Verdecanna : This quarter we had a record Mandiant billings quarter. The breach environment has been really strong, and you saw that in that we have a record Mandiant quarter last quarter, and then we beat it again this quarter. That helps the services side, but it also helps especially the pull-through side on the products side as well.

What type of traction has your new endpoint protection product gained in the channel?

Verdecanna: For our Q3, we actually had a record quarter. I think people were kind of buying it in advance, knowing that they were going to get that functionality at the end of the quarter. We saw an immediate boost in Q3, but then we also saw the pipeline build very nicely. I think if you look at that pipeline, a lot of that is coming from channel partners. And it's an area that we've not had a lot of leverage in in the past. I look at it as almost our first true channel-friendly product. It's a product that the channel has been selling from other vendors for many years. They're very familiar with the endpoint market, and I think we fit and play really nicely now in that market.

What makes the new endpoint offering so channel-friendly?

Verdecanna: One is the pricing. The cloud version of our endpoint is priced very competitively within that market. The other thing is that it's actually attacking existing budget spend. If you look at a lot of our products, we're kind of evangelizing into new markets. On the endpoint, there's actually existing spend there that we can go tackle. What we're seeing is some displacement of some existing vendors where we think we have a much better technological product, and now we're priced effectively in that market.

What are you able to do in the endpoint that the existing vendors aren't?

Mandia: For the last 13 years, our endpoint tech has responded behind the endpoint tech that has failed to detect the breach. All of our incident responders are technology-enabled using our endpoint technology. First and foremost, it's those experts that have to do precision-strike forensics on enormous networks. And that's the complicated stuff. We can detect what anti-virus detects, and we can detect what anti-virus misses in a multiple of ways. Some of it is heuristic, some of it is indicators, we have machine-learning models being applied. And our endpoint is going to have rapid greater detection efficacy all the time because of that front-line experience.

What else makes your endpoint offering different?

Mandia: Long story made short, we answered the mail on the legacy stuff, detecting what A/V detects, but then we got to the next-gen endpoint prevention by detecting what A/V misses. An extra bonus that most other endpoint technologies do not have is scale your experts, so that when 99 percent prevention isn't good enough – which on the internet still leaves some hair on the challenge – you have experts that can go out and get inquisitive and search your enterprise for evidence of compromise or other things. The other thing that's really good with our endpoint is we can do containment capabilities, which is also important for nimble security programs.

Where do channel partners need to be doing more to truly protect their clients?

Verdecanna : The Helix is an area that we feel like is truly differentiated, and I think if you talk to any CISO, their biggest pain point is really not having the bandwidth to tackle all the alerts. Helix does provide context to all of those alerts that people get. So that gives companies the tools to really be able to get value out of all of the security technology they've purchased. It also provides key context. Right now, they're drowning in alerts, and I really think that's a key piece of the Helix puzzle.

How can Helix help address some industrywide challenges?

Mandia: Cybersecurity as an industry, in my opinion, has created a whole bunch of fire alarms without sending any firemen. And so all of these alerts come in, and people are trying to figure out which ones are smoke and no fire, and which are real fire. And when you get past that, there's a lot of times you have to triage something and you just lack the expertise to do it. It is our goal that our intelligence in the Helix product answers questions at the moment you need it with the click of a button so you can take a Tier 1 less experienced staff, and they can benefit from our 10-plus years of experience codifying what we're dealing with on the front lines.

What's next for the Helix platform?

Mandia: If that's not good enough, we can be your Tier 3, or our partners can be your Tier 3. And right inside the Helix platform, expertise will be made available to you. And that's going to be something where we've still got to bring a lot of that clarity to market, but I call it the 'Quick to chat. Quick to get help.' It's something we've very laser-focused on bringing to market in 2018. The Helix platform is going to be the basis for that. And that's pretty cool. Now, instead of just having a smoke alarm go off and everybody exiting the building, if all of these products are firing on something bad, the expertise to put out the fire is coming 30 seconds later through the platform.

How does the new endpoint offering play into the broader Helix platform?

Mandia: I look at Helix as something that's been in the works throughout my whole career. We've got to make this alert-to-fix problem something that takes minutes, if not automated. What we're doing over time is making the Helix interface the interface to all our products because it links with our intelligence, it has great workflow in it. We should have one interface for all our products, by the way. I think that makes a lot of sense, and it just provides more value.

What's the benefit to having a single interface for all your products?

Mandia: Because in that interface, you can go from alert to what we think matters, meaning, 'What do we think about that alert with our intel context?,' to automating the fixes, meaning, Iif we see this again, use our orchestration playbooks to update the network base and endpoint base countermeasures.' So I think over time, Helix will become the interface to all our products. But at the same time, it will also become the analytics brain. You'll always have decisions that have to be made based on a lot of data. And then you'll have a lot of decisions that need to be made at run time in run-time speed. So you'll distribute the decisions sometimes to the spokes.

What is FireEye's long-term vision for Helix?

Mandia: I look at Helix over time as being viewed as the brain, with all our machine-learning models, and with exceptional amounts of capability to help take security-relevant data and distill it down from billions of events, and say, 'Here's the two things you should be worried about.' Every year, we spend hundreds of thousands of hours consulting, finding a needle in the haystack at all our client sites. And I just feel, 'who better to codify that and productize that than FireEye?' And to do that with Helix.

What impact will the hiring of a new CMO have on the channel?

Mandia: There's going to be a lot on their shoulders. And we made two hires in marketing. Vasu Jakkal as chief marketing officer, and we brought in Phil Montgomery for product marketing. And those are key positions to this organization. These folks have to get their sea legs very quickly because we have a real need to market our innovation, and I want to do so, and we're on a mission to do so. We are thought leaders, and my marching orders to Vasu are, 'We've got to market our innovation right. But in the same time frame, market our thought leadership.'

How can FireEye go about marketing its thought leadership?

Mandia: Everybody's that writing about security is writing about stuff we have first-hand knowledge of. We can't always comment. We can't always share things. But we can be the voice that's the unvarnished truth when we decide to talk. I've seen companies report on major political-appointee-type folks losing their email. And they have no first-hand knowledge on how it happened. And we do. So my marching orders are market our innovation. Make sure our channel is trained on it, make sure our sales is enabled on it, but make sure we also hold a thought leadership position. I think it's only been six weeks for Vasu, and Phil's not much longer than that. They have laser focus on what we've got to do.

What are the main things partners should be taking away from your performance last quarter?

Verdecanna : We're very happy with our third-quarter results. We beat the guidance range of every financial metric, with the exception of billings, where we came in at the high end of the range and above consensus. From a quarter perspective, the financial metrics all look great. We also had a record quarter in our endpoint sales. At the end of Q3, we released our endpoint protection product, which included anti-virus. Getting to a record endpoint sales quarter is a pretty big milestone for us as well. If you look at the full financials, we've got the non-GAAP operating loss down to 2 percent. If you look at it on a year-to-date basis, we've actually reduced our operating losses by $125 million, and it puts us in a really good spot, on track to be non-GAAP operating profitable in Q4.

Is there anything else the channel community should know?

Mandia: I think we've got our endpoint. In my opinion, our endpoint is the most channel-friendly product we've had. We turned it on in the channel on Sept. 28, and I'm just excited to see what those results are. It's important for FireEye to have an endpoint solution because we are the company responding behind everybody else's endpoint solution when it fails. So I feel pretty confident we're going to have a good endpoint solution. And our channel should want their customers to have it.