CEO Kevin Mandia: FireEye Has A 90 Percent Success Rate Cracking Corporate Networks

"The only unvarnished truth any Chief Information Security Officer can really get is can someone break into my network from the internet and get to the CEO's email or get to business-critical applications," said FireEye CEO Kevin Mandia.

Mandia Takes Center Stage

FireEye CEO Kevin Mandia Monday told 2019 Best of Breed (BoB) conference attendees that the company’s elite cyberattack testing team has a 90 percent hit rate when it's hired to test the defenses of corporate networks.

“We do these break-ins, and we get in over 90 percent of the time, and we make the [intended] consequence happen about 75 percent of the time,” said Mandia in a question-and-answer session at the BoB thought leadership conference, hosted by CRN parent The Channel Company.

"The only unvarnished truth any Chief Information Security Officer can really get is can someone break into my network from the internet and get to the CEO's email or get to business-critical applications because that test stands the test of time," he said.

In the on-stage interview with CRN Editor, News Steven Burke, Mandia also talked about the biggest security threats facing the next U.S. presidential election, how he would fight cyberterrorism if he was in the White House, and why no single security vendor can do it all. An excerpt of the conversation follows.

Why is it so difficult to go to one vendor and get an end-to-end security suite?

People like a simple message, yet it's not a simple answer. All we really want in security is an agile offense. Whatever technology gets bought has to be able to learn.

We do about 400 red teams [a year]. And red teaming [is where we put] on our attacker hat and firms hire us to break in, but not just break into a network—break in and do something of consequence. Like get to an industrial control system or get to customer data or get to the CEO's email. We do these break-ins, and we get in over 90 percent of the time, and we make the [intended] consequence happen about 75 percent of the time. We always stop short. We don't shut down a utility, and I'm not convinced we could.

But when you look at that, and you do that test, no one company stops our red team, but what does stop a red team every once in a while is software that didn't stop it today yet somehow three days later, it does [because it learned from the previous attack.] And the majority of security software is monolithic. … We have to have software that thinks and learns, it learns what's normal, and it also learns what's bad. We're just entering a generation of software with the AI and analytics and machine-learning models. But really all we have right now is machine-learning models to find malware. … Bottom line: Very few companies right now cover all of the different things you need for security.

What's your vision of how to become that end-to-end security provider?

It's hard to be the best [vendor] of everything. I'm probably being overly simplistic, but any time you run a company, you have to pick what you want to be the best at [and] just go do that—and if that's important and valuable, then you'll be important and valuable, but it's got to be within your core competence. Right now, our goal is to be the best in threat detection, and we are, and we go do that across email, endpoint and network.

And then we want to be the best one at security validation, which is an emerging thing: I liken it to a live fire drill, where we run real attacks against your infrastructure. These are attacks that we're seeing in the wild, and then we say, ‘Here's how well you did.’ You stop the attacks, thumbs up. If you didn't stop them, did you detect them? If you didn't stop them or detect them, did you even make any log entries somewhere in your security program that now you can create a new signature for?

That speaks to the Verodin acquisition. That felt like it was a seminal moment for FireEye. How has it changed the go-to-market strategy for FireEye and its partners?

It does because security validation is what I call that market. We do the real attacks. And what I always get a kick out of is a lot of companies go, ‘I don't want real attacks running on my network.’ And I say, ‘Oh, they are running on your network. It's called the internet. People are already launching them. You may want to launch the bullets yourself and control the thing.’ It is something the military has always called ‘live fireworks.’ Everybody said the best plans last about one second in combat. That's the same in cybersecurity. And I believe in winning drills, meaning you tell people about it: ‘Listen, we're going to red team your network from Wednesday to Friday. That means we're going on offense, we're going to emulate some of the common attacks [going on] your industry, and it's the best training you can do. You launch the attacks. Here's the reality: If they work, do something about it.’

I think it's the only way to get the unvarnished truth in security. It's not the huge compliance chart that is not necessarily accurate. The only unvarnished truth any chief information security officer can really get is can someone break into my network from the internet and get to the CEO's email or get to business-critical applications? ... You should feel good if the best hackers in the world can't break into your network. Otherwise, you're operating without the knowledge of how good your security program is.

What kind of threats do you think we'll see in the 2020 elections?

If I'm an American citizen, I'm feeling very comfortable. No one's going to change the tallies of the elections directly. Let's put it this way: Worst-case scenario, somebody does attack the election infrastructure directly, we're going to have a 100 percent packet recall. We're going to see it happen. We'll probably have attribution. We'll know who it is. And quite frankly, that's going to be the last tool that a foreign entity would use.

What's more frustrating in the elections now is what we call influence operations. In 2016, my company found over 150 fake Facebook [pages]. We just happened to have someone analyze them, and they came to me—I didn't even know what to do with the information at the time. I was uncertain because somebody came to me and said, ‘We believe this is a Russian intelligence operation to influence the election.’ A lot of the news was fake. A lot of it was, 'Let's get the 5 percent of the right inflamed; let's get the 5 percent on the left inflamed,' and using anonymous media that everybody gets the news from. I think it's the influence operations that we saw in 2016. We found Iranian ones in 2018. That made the press, where Google, Facebook and Twitter did take all those [pages] and fake sites down. … I would be more concerned about how all of us are being influenced by people that are anonymous. Quite frankly, they could be representing the agenda of foreign nations. And that will happen, by the way, so we have to be careful that, in general, an anonymous source of information should be trusted about as much as spray paint [on a wall] at a rest area off of Route 95. We shouldn't necessarily give credibility to anonymity.

If you were president of the United States, what would you do to solve cyberterrorism?

First thing you have to do, if I were sitting in the White House today, I would tell whoever held the office, the No. 1 thing you've got to make sure of if you are ever reading about a breach is you turn to your intel community and say, ‘Who did it?’ And if they can't answer, we've got a problem, because you can't impose risks or repercussions and proportionately respond to anything unless you know who did it. And that's going to require technical assets. It's going to require human assets, and it's going to require international cooperation. So that would be question No. 1.: You've got to make sure you get attribution right. And, quite frankly, sovereign nations have that figured out.

With the private sector, we don't have the visibility to always know "that attack that shut down a utility was that person." No offense to Ted Koppel—he wrote a book called ‘Lights Out.’ I don't think we're going to have a ‘lights out’ moment, especially in the big cities. And we will see failure before we see success when somebody attacks our utilities. And the good news on that—there is, it turns out, a deterrent outside of cyberspace, if you know who did it. It's called drone strikes. But the bottom line, that's what I'd say, ‘Protect utilities, and you've got to get your attribution right.’

What are the big security threats coming in 2020? Ransomware?

Ransomware is frustrating. Ransomware is usually an indiscriminate attack. It’s somebody running software to compromise a network to encrypt every single computer they can access and then charge you to decrypt that. They usually do decrypt that if you pay, and you’ll pay with Bitcoin. In fact, you get a discount if you pay with an electronic digital currency than if you pay with a credit card number. But in reality, you can pay with credit cards. Ransomware is usually a ‘drive-by shooting.’ What’s more annoying and harder to deal with is when you’re targeted, somebody breaks in and they extort you. They say they have the general counsel's email—and they usually do—and they want to post data to embarrass the company or expose the company. It’s a frustration because reporters will write on it regardless of where the data comes from, even if it’s stolen. A report will make content for an article. That kind of extortion is happening almost every single day. … Those are here to stay. They are here, period. If you can be compromised, you will be compromised. If somebody can make money off that, they’ll try to monetize it.

Do you foresee any security surprises in 2020?

Here’s the reality, I’ve never been good at explaining this but I’m going to try anyway. It’s the asymmetry between offense and defense. It is so much easier for someone to walk in this room right now and instead of saying, 'Hey, defend networks of millions of people,' say instead “Hey, attack networks with millions of people.” Our chance of success defending is really, really low. Our chance of success attacking: Double thumbs up, we’re going to be successful in doing that.

I’ll leave you with this analogy because it’s very true. Right now, our cyberdefenders, if they’re going up against some of the threat actors we respond to, it’s like playing goalie and Wayne Gretzky is on a penalty shot. Sooner or later, he’s going to get the puck in the net. I know that sounds unfortunate, but that’s the state of it right now. The good news is, most of the Gretzkys in cyberspace aren’t trying to compromise your customers. That’s the good news.

We’ve seen many MSPs being breached via remote access tools. What percentage of MSPs out there do you think have been breached without even knowing it?

I don’t have a magic wand to know the answer. Most of the threat actors have breached so many networks that they don’t always interact with the networks that they’ve broken into, and that’s for the unprofessionalized groups. Right now, one of the things we’ve done since 2004 is every time we respond to a breach, with great rigor and discipline we record the trace evidence—so [we have] the digital fingerprints of every breach we respond to. We have key addresses using the attack, the malware, the characteristics of the malware. In fact, we have over 650 criteria, and we have literally right now over 400 folks responding to security breaches who are filing away all this data.

Over time, the data gets attribution. There’s an operational security blunder by the attacker and we go, ‘Wait, this is PLA Unit 6139E. And they compromised dot-military, dot-gov and some of the defense industries.’ In 2010, I had 40 different groups. Hundreds of breaches that we had responded to, every time we finished cataloging the digital evidence [it was one of] 40 different groups doing it. Today, we’re up to over 1,900 and about 50 percent of the time, we have what we called an uncategorized group that we’re responding to. We simply don’t know them other than they natively speak Chinese or Russian, or wherever they might be in the world. That shows the tremendous proliferation of it. Of those groups, the majority of the ones we respond to are professionalized. So you’ll know if they’re on your network.

How is that different from ransomware attacks?

The ransomware attacks, you know them right away. It’s kind of like blunt force trauma, you know it when it hits you—you will know a ransomware attack. Usually those things are immediate. Most of the attacks we respond to are not immediate. There’s a dwell time, meaning from the moment the attackers broke in to the moment they’re detected has been around 90 days. But we have a bias to that stat in that people don’t hire us to respond to a breach that they’re five minutes behind. We get hired to respond to breaches when it’s a scale and scope where they need help. So there’s a bias. I believe that over time, almost all of your customers will have a compromise of a system—that is normal. We’ve had them in my company over time and every company has them. The question just becomes, how do you manage it so it’s not an impact or consequence [and] it doesn’t interrupt your business. That becomes the goal.

What’s the No. 1 thing solution providers can do from a practical business perspective to stop it?

Well the No. 1 way that attackers are breaking in is spear phishing. I would tell your customers, ‘You can train people all day long, but ultimately you want to have a technology or two that are exceptional on protecting from spear phishing. Spear phishing is basically somebody targeting you by doing all the internet research, ‘I know your favorite baseball team. I know the name of your dog. I know the movie you saw on Saturday.’ And we have a whole generation growing up in this faceless internet. You can dupe people into opening an attachment or clicking on a link in an email. That’s the No. 1 way folks are breaking in right now.

The second most frequent way attackers break into networks, this is even harder to figure out, is valid credentials in the first place. For example, over the years LinkedIn was compromised. Over the years, other public providers of different services have been compromised. [Some] of those compromises were posted. If they still work, people would have used them and that’s very frustrating. Or there’s supply chain compromise, where your company works with maybe 50 or 100 other companies and any one of them gets compromised—there’s dual credential use in your network. Bottom line, what do I recommend? Shut the front door with a small internet presence. The second thing, protect against spear phishing.

Why don't you talk a little bit about the FireEye channel? You built a real Delta Force channel. Deep expertise. Where are they doing a good job? And where do you think they could do better?

I'm a product guy, so I always tell our channel team the most important thing for us is to tell the channel, ‘Hey, we can protect your customers. We can give them the peace of mind they deserve in cyberspace.’ How do we do that? We want to be able to go to market, saying, ‘Every single attack, we're aware of.’ And as I'm sitting here, we're responding to several dozen. We've codified every attack we're aware of, we know how to stop [them], and our red teams can't break into our system when it's deployed. That's what we want to be able to give the channel.

We have a common pricing—we call it internally ‘Hermes’—a subscription pricing for our email security, endpoint security and network security. It's ‘Shields up’ for your customers, and we're just going to keep making it simpler and simpler to buy, simpler and simpler to try, so you can pass it on to your customers. And that's a ‘Star Trek’ reference, by the way, I can't help it. ‘Shields up.’

Otherwise, you have to go to five different vendors, and you can do that. I'm going to take endpoint for this customer, network security for this customer, another network security product for this customer, do all this defense in-depth and integrate it. But over time, FireEye's goal is to give the channel simple pricing: It's a subscription based on the number of users you're protecting. And they can download the software and get up and running quickly. So we're on that journey. We already have the prices for it, we already have the capability, and we're doing what I call ‘SaaS-ify.’ We have form factors that are in the cloud now as well as on-prem, and I just want easier deployment.

Google research recently uncovered a two-year attempt to hack a large number of iPhones. How safe are our phones?

The best attackers in the world are genuinely and are usually focused on the most influential 5,000 people, most wealthy, the elected officials. There are always intrusions of proximity based on Bluetooth protocols, where someone in proximity to you can do a lot more than somebody trying to get to you across the internet when it comes to your phones.

So the bottom line is if you're wealthy, famous and influential, there could be an attack on your privacy. I can see what the best attackers can do. I think that when the best attackers on the planet are targeting certain companies or people, they have the advantage. You just have to be very cautious.

By the way, for all of you, personal security, clearing your email on that iOS device is a good thing. It's just a nice, clean way to not get spear-phished. So when we sit with CEOs that are targeted that you lock down the email and only give to a specific device and nothing else. And iOS allows that, a little bit more control than Android, because it's a closed ecosystem. And then Windows just got a whole lot better. So Windows right now, the latest version of the OS is going to be good for you. But I think the way you get compromised is you hack yourself by accident, clicking on a link or opening an attachment, thinking it's from somebody that it's not.

What’s easier to secure for channel partners, the cloud or the on-premises network?

Any company that’s starting today, the biggest companies of tomorrow, are all getting on the cloud right now. If I’m starting a company today, there’s no way I’m hiring an email security guy and an email server team—everybody is going to the cloud. So the folks that are starting companies now are depending on cloud-based services. Fast forward 20 years, that is what’s going to be here.

For the companies that have been around for the last 100 years, some of them are migrating to the cloud better or easier than others. When it comes to security, first off, it’s on you to secure your assets—whether your assets are in the cloud or on-premise, but the nice thing about the cloud providers like AWS, Azure or Oracle or HPE or IBM or wherever you go to—they have to secure that infrastructure that all their cloud resources ride on top of. So it allows you to have greater visibility. … Long story short, no matter what my answer is, you will have customers that are going to the cloud because it’s cheaper and, in many ways, it’s better. You can provision better, scale better, you don’t have to worry about having your own IT resources doing a bunch of things. Cloud is coming. Period. The quickest answer is, for most companies, the cloud will be more secure.

What’s the biggest lesson you’ve learned from incident response, and how can the channel take that forward to do a better job and make money?

Lessons learned from the breaches. We talk about this all the time, but lesson No. 1—if you’re on the internet unarmed and unprepared, you’ll get compromised. That’s probably it. It’s so frustrating but it’s a reality that there’s a whole bunch of automated attacks spraying and [attacking] every single machine that touches the internet, including even those few moments where you personally might be on the internet. It’s rare, but you may actually have a routable IP address and every five minutes or more everybody is getting real attacks on the internet. So it’s that frustration of, if you’re not patching, if you don’t have the security safeguards, you’ll be what I call a ‘drive-by-shooting on the information highway’. That’s first and foremost.

What’s another valuable lesson you’ve learned from incident response?

The second thing is, and it will sound ridiculous, but there are literally no risks and repercussions—or very few risks and repercussions—for hacking companies. So because of that, if you’re supporting a company that is a target for some of the best hackers in the world—right now Russia, Iran, China, North Korea are all safe harbors for hackers to launch attacks with impunity, compromise the network, encrypt everything, extort for several million dollars—you have this perfect storm. We have a perfect storm of vulnerable systems because humans are vulnerable, you can dupe them into hacking themselves really with spear phishing. And at the same time, we have anonymous currency. I am neutral on anonymous currencies, I don’t really study them, but when it comes to cybersecurity, an anonymous currency is probably a bad thing because it just allows attackers to monetize the breaches that they have far more simply than let’s say 10 years ago. So first and foremost, if you can be hacked you will be, that’s totally frustrating. It doesn’t mean it’s a breach of consequence or compromise or have an impact and you may never know it, and that’s OK if you’re a small company and the attack really hits you to hit somebody else. The second thing is these attacks aren’t going away because there’s just no risk or repercussion.

What was the biggest takeaway on security from FireEye’s recent Cyber Defense Summit?

I got to meet a lot of CISOs and top of mind for them, obviously they’re going to the cloud and they want to know, ‘Hey, what does that mean?’ They have a mantra that the CEOs are always like, ‘How do I cut costs to get more?’ How do you do more every day with less? The big thing is cloud. It’s very rare in our history that you have something that costs less and is actually more effective. … But how do we get to the cloud and get to the cloud securely is top of mind.

Second big concern is, a lot of folks over the years—especially enterprises, the big global 2,000—they spent a ton of money on security over the last few decades, especially between 2008 and now. In the last 10 years, breaches started making headlines. There are liabilities. If you’re hacked and you know it, there’s a lot of liabilities that come with that. A lot of CISOs are wondering, ‘How secure are we?’ Tangent to that question is, ‘How good are my people and how good is my security program?’ Because there’s a whole bunch of security programs out there that all they do is benchmark against standard legislation of regulations and then they show like a four-dimension pie chart to their management team saying, ‘We’re good. We’re compliant. We have 118 controls. Twenty-eight people assigned to them. Everything is in the green—you’re good to go.’ What I’ve learned over time, a real challenge is when you show that report to a board or to the CEO, if everything is in the green, the CEO doesn’t believe it. If everything is in the red, the CEO gets angry. If everything is in the yellow, they don’t know how to feel so they’re frustrated in the first place. So you can’t really win. … So it’s going to the cloud and trying to understand, ‘How good is my security program for real right now? I bought all this stuff.’

Other than cloud and security programs, what’s another big concern that’s top of mind for businesses?

There’s also an integration story. Everybody’s bought a ton of products at the large organizations and they want to know what’s working for them and what’s not. What do I need? What do I not need?’ What I learned from that is a lot of companies that I visit, all say, ‘We’ve bought about 65 different security products. We use about 15 to 20 of them. And of that 15 to 20 we use, we’re using 50 percent of their capability or less.’ That’s the enterprise. Then you leave that area and go to the small medium businesses, it’s totally different. It’s, ‘I want to go to one or two places and just have peace of mind. I don’t want to have to hire five people. I’m not going to find anybody who can help me anywhere. I just want to be able to go somewhere and get the outcome piece of mind that my email is secure, my desktops are secure and I’m compliant.’ So two different tales. One, the enterprise is doing it alone with their resource. Small to medium businesses are looking to do a transfer of a lot of the work to an outside provider.

Can you talk a little bit about your military service? What was that experience like?

So I started serving in 1993. I was stationed in the Pentagon. I was a second lieutenant. My first job ever was really four months after I entered the Pentagon, we started monitoring what's called TCP/IP traffic at the Pentagon. So I grew up, from 1993 until now, in cybersecurity. I don't know what we called it back then, but we started monitoring [for bad actors] back then. I would say at the time less than 5 percent of military traffic was TCP/IP, but obviously at this point it's probably the vast majority.

But that was really the beginning of security monitoring. And by 1993, the FBI started the National Computer Crime Squad in D.C. And where it really took off: By 1995. I'm responding to breaches as an investigator in the Air Force and almost every breach into our military would go back to Russia or China. And it still took me 18 years to realize most of the breaches I responded to were a reflection of geopolitical conditions.