Sunday, September 27, 2015

Cyphort vs. FireEye – FireWhy? The Breach Detection, Advanced Persistent Threat Battle

Cyphort is taking a different tack from the others in the breach detection, Advanced Persistent Threat (APT) market with their Cyphort Advanced Threat Protection solution (claim: complete 360° APT defense!). Cyphort positions the company as both superior to FireEye and able to coexist with FireEye. Getting their nose under the tent for when renewals come up? Shortening the review cycle when renewals come up? Coverage for areas of a company where there aren’t FireEye appliances? Cyphort didn’t participate in the NSS Labs Breach Detection study.
FireEye is the 800-pound gorilla with respect to market revenue and visibility. The David vs. Goliath analogy won’t work since FireEye’s CEO’s first name is Dave! Cyphort’s 2014 revenue was around $14 million. FireEye’s was $426 million (this includes revenue from the Mandiant acquisition).

Cyphort claims that their solution delivers malware lateral movement detection. They define this as "the ability to combine advanced targeted attacks and Advanced Persistent Threats (APT) detection with lateral movement." They say that their product provides a picture of the attack as it happens, and of its potential spread within an organization, in real time.

The Cyphort solution is delivered as software that can be installed on general-purpose hardware, virtual machines and cloud environments. The solution consists of four core components:

Collector: Software-based probes deployed at strategic network locations (Internet egress points, data centers, etc.) to collect suspect objects and communication.

Core: This is the centralized detection component of Cyphort’s solution; Cyphort Core analyzes the collected suspicious network objects and associated metadata from the Collectors.

Manager: This is a web-based administrative interface. It enables someone to manage the distributed deployment and provides access to reports.

Threat Network: This cloud service feeds global threat intelligence to the Cyphort Core for enhanced detection of current threats. It aggregates threat information across all Cyphort installations.

At RSA earlier this year, Cyphort's co-founder and Chief Strategy Officer Fengmin Gong said, "Today, solutions must look at every stage of the cyber kill chain."

It’s always good to have more competition. Based on press, one would think that the APT market is the exclusive domain of FireEye and the other seven companies that are part of the most recent NSS Breach Detection Systems (BDS) test!

Is FireEye Cyphort’s Friend or Foe?

On the Cyphort site there are a pair of threads prospects can go down.

For those who already have FireEye, Cyphort claims that their Cyphort Advanced Threat Protection solution can be used to address gaps in the FireEye solution. Their pitch is that they enhance protection.

Enterprise-wide Coverage: Unprotected sites and data centers can be covered with a single global license.

Enterprise-wide Deployment: Deployment in days using the virtual machine approach.

No appliance proliferation: Cyphort claims that they cover & correlate email/web/file traffic across multiple operating systems, all in one solution.

The second thread is for those considering FireEye. Cyphort claims that they are “the clear alternative”. They have a nice (of course, it’s selective) grid containing points of differentiation (FireEye’s position in parentheses):

Detection: Sandbox evasion detection, Data exfiltration detection, Multi-part threat detection, Golden image sandbox for contextual detection (no for all four).

Coverage: Distributed/Decoupled Design for Global Deployment using collectors (Monolithic); Hardware/Software/VM deployment (hardware only); Integrated Web/Email threat detection for Windows and Mac OSX threats (multiple appliances needed).

Action: Risk-based Threat Prioritization, Containment Using Existing Firewall, Web Gateway and IPS Devices, Endpoint Infection Verification (no for all three).

Scale and Flexibility: Scalability, clustered design to support any load (limited by highest appliance capacity for FireEye); IT ecosystem Integration, open API (limited); Licensing is enterprise-wide by bandwidth (per appliance for FireEye).

The Radicati Group has an APT market share and 2015-2019 APT forecast report available for purchase ($3000): Radicati APT-Protection-Market-2015-2019-Brochure.pdf

For those wanting another company’s view of Cyphort’s and FireEye’s offerings, Lastline has performed their own analyses:

Products in the Breach Detection Systems (BDS) Security Value Map™ 2015

In the August NSS Breach Detection Systems Test, Cisco had the highest detection rate and Blue Coat the lowest TCO. FireEye was in the lower left of the grid. As mentioned earlier, Cyphort was not in this study.

Five of the eight received a recommended rating (those in the upper right corner of the value map). Some of the companies tested have the individual reports available on their web site. To purchase reports, see below. For the BDS Security Value Map Graphic:
Participants in the NSS Breach Detection Systems Study:
Studies are available on the NSS site. Some are available for free on the participant's site.

Friday, September 18, 2015

Carly Fiorina and Her Record at HP

Presidential candidate Carly Fiorina has been taking a lot of heat and defending her record while at Hewlett-Packard ten years ago. Below are a couple of charts summarizing HP’s stock performance during those years. You can draw your own conclusions. Suffice it to say that many employees were glad that Carly Fiorina was removed from Hewlett-Packard. Unfortunately, by the time she was gone, the “HP Way” had all but disappeared.

And in another chart:

The sources and crisper images are below. You can also click on the images to expand them. The analyses point out that the economy was not great during those years. Neither article gives Fiorina an "A" for her performance, though.

Wednesday, September 16, 2015

AV-Comparatives Mobile Security Review – August 2015

Austria-based AV-Comparatives has released their Mobile Security Review - August 2015. This is quite an extensive document, providing a comprehensive review of sixteen security packages running on Android. The document runs seventy pages. Ten of the sixteen products are free. Almost 2400 malicious applications were used in the test.

Mobile security is crucial for both home users (who are constantly checking their mobile) as well as businesses. The BYOD camel has entered its nose into the intranet tent and it’s not going to be removed. Mobile devices are a major weak spot for network access, as well as a place where data can be accessed. Data stored on the phone can be stolen, as well. The global BYOD market is expected to grow at a CAGR of 25.32% from 2014 to 2019 according to a new market research report published on September 15. These devices need to be protected.

AV-Comparatives, while giving each of the products an approved rating, nonetheless found that there was a “significant overall improvement” in the standard of the products.

Four of the products provided 100% protection: Trend Micro with no false alarms, BitDefender and G Data (both with three false alarms) and Antiy (with five) rounded out the top four.

AVG Technologies' offering trailed all products tested with 98.4% protection and 4 false alarms. Just above AVG Technologies was Sophos with 99.2% protection and 0 false alarms.

For those who are interested in a tabular deep-dive comparison, the first table compares which of 75 permissions are requested by each of the products. No product had all of them.

The Feature List table compares the products on over forty attributes, broken down into categories including Anti-Malware, Anti-Theft, Anti-Spam, Parental Control, Authentication, Additional Features, and Support. McAfee Mobile Security lacked the fewest, missing only three. This product drained the mobile battery a bit more than the others did.

A great deal of work went into this document. The Mobile Security Review can be found free (!) at
http:// . Complete copyright and disclaimer information is contained in the document and more information about test procedures is on the website.

AVC UnDroid Analyser

AV-Comparatives has also introduced a slick malware analysis tool, the UnDroid Analyser, that is free to users. It’s a static system for detecting suspected Android malware and adware and generating some statistics about it. Check it out at .

View AV-Comparatives' September Malware Removal Test at:

Malware Removal Test - September 2015

Sunday, September 13, 2015

Black Eye for FireEye - Hitting Researchers with Injunctions

Sometimes security companies can be a little too heavy-handed. Or their lawyers have too much time on their hands. FireEye cleared this hurdle, recently.

Felix Wilhelm, a security researcher working for Germany-based ERNW, was going to present his findings on some vulnerabilities he had found in FireEye’s software. He was going to present at the 44CON Cyber Security Conference during the week of September 9. The flaws had been fixed, by the way.

The two parties had a series of discussions regarding what could go into the report (FireEye was concerned about not exposing information on their product’s IP). To be brief, the parties supposedly agreed on a final report around August 5. FireEye then sent Wilhelm a cease and desist letter on August 6, obtained a court injunction on August 13 and delivered it to Wilhelm on September 2, a week before the 44CON conference. Ultimately, Wilhelm did present his findings with some material redacted.

FireEye has a procedure for researchers to “disclose and inform us of potential security issues”. In this case, FireEye was extremely heavy-handed. Their action does little to encourage researchers to share (stifle?) at security conferences. This comes across as “attacking the messenger”. They also attacked the messenger with NSS Labs a couple of years ago when FireEye came in last in a multi-company Breach Detection Systems Test.

FireEye came in last again in an NSS Breach Detection Systems (BDS) Test earlier this year. Eight companies were in the test: Blue Coat, Check Point, Cisco, Fidelis, FireEye, Fortinet, Lastline, and Trend Micro. The test measured security effectiveness, performance, and total cost of ownership.

To obtain a copy of the Value Map:  NSS Security Value Map Graphic

To read the complete Forbes article “FireEye Scolded For Injunction Stopping Security Researcher Revealing Source Code”: Forbes - FireEye Scolded