FireEye's DeWalt: 10 Ways Channel Could Transform Threat Detection

Channel Partners See Value In Advanced Threat Detection

Early adopters of FireEye's advanced threat detection platform are choosing a layered approach to detecting custom malware and so-called advanced persistent threats, say solution providers. Firms are investing in products that specialize in network analysis, malware inspection and endpoint behavioral analysis, said Dan Thormodsgaard, vice president of solutions architecture at FishNet Security. FireEye and other emerging vendors are part of that strategy, he said.

FireEye recently rolled out a new data center appliance and threat detection for Android devices. The company released earnings data last week, beating financial analyst estimates for the quarter. In a wide-ranging interview with CRN, FireEye CEO Dave DeWalt and the company's new channel chief, Steve Pataky, addressed the company's go-to-market strategy, the product road map, and the ecosystem of services and third-party integration being built around the advanced threat detection platform.

Channel-Exclusive Sales Model

DeWalt told CRN that FireEye has no direct sales model. "Well north of 90 percent of the business is fulfilled through the channel today," DeWalt said. In the last six months, the company revamped its channel program, called Fuel. It added training and certification programs with incentives and invited early partners to the company's kickoff earlier this year to be "part of the family."

In August, FireEye hired sales channel veteran Steve Pataky to further develop its partner program. Pataky, who was responsible for architecting the Juniper Networks Partner Advantage Program, said the company is leveraging tech partners as part of its go-to-market strategy to add value for its customer base, but also to build additional sales opportunities for partners.

Tech Alliance Program

Part of FireEye's strategy is to keep its platform relatively open so other security vendors can add connectors for additional capabilities. The Tech Alliance Program supports third-party tools for automated incident response capabilities, security forensics investigations and other integration points to tap into the platform's data. The company has 26 established technology partners.

"Most security vendors aren't very open in terms of their platform to integrate lots of partners," DeWalt said. "We are building lots of APIs for the platform to integrate."

Future Channel Investments

FireEye also plans additional investments in its channel program, DeWalt said. The company is investing heavily in marketing, sales and training, and certification programs. The two-tiered program consists of VARs and distributors. "Our entire approach to the market is to work with the channel," DeWalt said.

FireEye is adding staff and channel support personnel. The company has more than 1,000 employees and has added 100 employees a month over the last year, DeWalt said. The goal is to put in a global architecture to disrupt the market, he said. "We're very aggressive with our spend," DeWalt said. "It's a very aggressive growth strategy, and we are going after the market with everything we got."

Go Big, Go Small, Go Wide

DeWalt told CRN that his strategy is to invest heavily in marketing and sales in the early stages of the company. Scalable appliances were designed first for the largest carriers and enterprises of the world, but the company also will sell virtual appliances in very small form factors for small and midsize businesses. FireEye would then "go wide" with the form factors and architecture, he said.

Some investors criticized FireEye for having a sharp jump in operation expenses this year. When asked by CRN whether the company would find ways to reduce operational expenses, DeWalt said the aggressive spending was a key part of his market strategy. "I'm attacking the market in an opportunity of a lifetime for a vendor to disrupt the market," DeWalt said. "We're putting in a global architecture to disrupt this market, and I'm going to continue down that path as fast as I can deploy it -- and successfully deploy it under control. We're going after the market with everything we've got, and partners are at the core of that."

Partners See Value In Services Enablement

Channel partners told CRN that the platform has helped them create additional sales opportunities around FireEye's detection capabilities. In addition to the networking skills needed to deploy and tune the appliance, monitoring, incident response and data forensics capabilities also are needed by businesses.

FireEye's Pataky said active partners are looking beyond the product component to understand how the platform impacts their support and services practices. "The validation we're seeing is in the investments they're making in building out deeper practices with FireEye at the core," Pataky said.


DeWalt: It Starts With Web, Email

DeWalt said the company is far from a point-product vendor. The platform's integration points and its ability to communicate to share threat data between customers and virtual machines make it more effective than single point products that address a single threat, he said.

FireEye's engineering strategy has been to build one product at a time. It started with an appliance that addressed web threats, followed by email and data storage. Mobile has recently been rolled out, and cloud versions of the virtual machines also are being built out. "You're seeing the porting and scaling of our platform architecture of virtual machines to every egress point that every virus sits today," DeWalt said.

Advanced Malware Detection Lies In Virtual Sandbox

The sole functionality of FireEye's technology is its core virtual machine, which studies deviant behaviors of applications, web pages and files, and various types of content, DeWalt said, calling the platform extremely portable and scalable. The virtual machine can sit in any port or protocol, at the perimeter, in the data center, in the cloud and on the endpoint. The appliances work together to share behavioral analysis for detecting and blocking threats across the entire customer base, he said.

"This is a powerful mechanism to create network intelligence across virtual machines that can sit anywhere in the architecture," DeWalt said. "A single virtual machine sitting in a single customer in Korea can help notify every virtual machine in every part of the world within minutes."

Oculus: Adding Intelligence To FireEye Platform

FireEye is busy adding intelligence, service and support capabilities to the platform, DeWalt said. The company introduced Oculus, which relies on the FireEye Dynamic Threat Intelligence (DTI) cloud to deliver intelligence on zero-day threats and custom malware used in targeted attacks. DeWalt said Oculus combines its platforms with actionable threat intelligence, and support and services.

The platform could help provide data for predictive analytics to address weaknesses before they are attacked by cybercriminals, DeWalt said. "The predictive element of our capability is very powerful and we're going after it," DeWalt said. "Even if the customer hasn't seen a problem, we can anticipate that it will see a problem."

Targeted Acquisitions Ahead

FireEye doesn't necessarily need acquisitions to leverage the scale and capabilities of the platform it built, but with $300 million in cash on hand to invest in a long-term strategy, DeWalt said he is not ruling out acquisitions. "Small, tuck-in acquisitions" could add talent and security capabilities into the platform, he said. The company also is growing its development arm in India.

A big, core part of what FireEye is trying to do is to automate response, DeWalt said. The platform already does more than threat detection. It is an in-line and blocking product, he said. Blocking is based on policy and the threat profile placed on suspicious files. The virtual machines are not only detecting and blocking what is coming in, but they're detecting and blocking what is going out, DeWalt said.

DeWalt: Firewall, IPS Sandboxing Competitors Limited

Firewall and intrusion prevention system vendors add sandboxing capabilities using virtual machine sandboxes, but they miss important communications protocols widely used by attackers, DeWalt said. An appliance that specializes in one protocol often can't read network traffic on another protocol. Attackers take advantage of this by sending multiprotocol attacks. Spearphishing attacks via an email message and malicious web link have been wildly successful and at the core of many data breaches, say security experts. DeWalt said FireEye can cut across protocols. "I see this technology commoditizing the last generation of detection engines," DeWalt said. "Virtual machines, especially hardened hypervisors, are the next-generation engines that are commoditizing the previous versions."