The news Tuesday of FireEye’s breach reminds us that all people and companies are vulnerable. I've no doubt that FireEye takes security and its reputation very seriously, but every company faces the same reality: compromise is inevitable.
As details emerge, we’ll probably find that the Russians needed significant effort to achieve this breach. It’s likely FireEye put tremendous effort and execution into the protection of sensitive tools and accesses, and that the Russians put stunning effort into a breach. Once the case evolves, we can learn from the details and reassess our risk management strategies.
All this to say: this news isn't surprising. Security organizations are a top adversarial target, and I would expect a nation-state like Russia would go to great lengths to impede FireEye’s ability to protect its customers. FireEye has trusted relationships with many enterprise organizations, which makes them a juicy target for espionage. It’s also likely that Russia actively targeted FireEye because FireEye regularly participates in the disruption of Russian cyber activities.
For the rank-and-file CISO, this means Russia now has access to malware red-teaming tools previously only used by FireEye, but this doesn’t necessarily mean the risk has increased dramatically. Russia already had tools commensurate to those taken from FireEye. And I would say this breach presents far less risk than the prior release of the NSA tools.
The exploits released from the NSA were remarkable and immediately useful for adversaries to use, and those exploits were responsible for temporarily increased risk the industry experienced after the Shadow Brokers hack – it wasn’t the rootkits and malware, which were what was stolen at FireEye. In the FireEye case, since it appears there were no zero days or exploits taken, I don’t expect this breach to cause significant shockwaves. Now, if exploits had been stolen, the risk would increase – but only for a short time – because I expect FireEye would actively participate in the remediation (aka they'd patch the zero days asap).
What security teams need to do
Security pros should take this event to reflect on their reliance on the security solutions they have in place. Ask the question: “What happens when my MSSP or security vendor gets compromised?” Companies can’t rely on a single tool because everything fails at one time or another. They need to assume that FireEye and every other security vendor will eventually get compromised. When failures happen, security teams will need to know if the remainder of their security programs are sufficient and if the organization can stay resilient.
So if a company depends on FireEye as its primary security platform, then it’s dependent on FireEye auditing itself and top management at the company has to sign off on that. If FireEye sits as a component of a larger security program, companies need to ask: “What access does FireEye have, and does the sum of my security program measure up to an acceptable level of risk?”
There are no perfect products or vendors. Security teams will need to have controls layered on top of each other. Run through “what if?” scenarios and, if the company relies on just a couple of security products, it might have a problem. Often, organizations purchase a single security product to cover multiple functions, like their VPN, firewall, monitoring solution, and network segmentation device. The problem with purchasing one security product for everything: There’s a single point of failure, and if the box stops working, everything fails.
It’s critical to think in terms of probability and likelihood and put controls in place to prevent accidental changes to baseline security. Security teams need to make least privilege the default, and lots of segmenting should prevent rapid lateral motion. Monitoring and alerting should trigger responses, and if any wild deviations occur, the fail safes should activate.
FireEye got hacked, but that doesn’t change my opinion of them. Instead, I’m going to assess the event based on how many hoops Russia had to jump through to get at these tools (that Russia already effectively had). Bottom line: I think we’ll find that FireEye runs a robust security program.
David “Moose” Wolpoff, co-founder and CTO, Randori