Sunday, September 27, 2015

Cyphort vs. FireEye – FireWhy? The Breach Detection, Advanced Persistent Threat Battle

Cyphort is taking a different tact versus the others in the breach detection, Advanced Persistent Threat (APT) market with their Cyphort Advanced Threat Protection solution (claim: complete 360º APT defense!)   Cyphort positions the company as both superior to FireEye and  able to  coexist with FireEye. Getting their nose under the tent for when renewals coming up? Shortening the review cycle when renewals come up?  Coverage for areas of a company where there aren’t FireEye appliances?  Cyphort didn’t participate in the NSS Labs Breach Detection study.
 FireEye is the 800-pound gorilla with respect to market revenue and visibility.  The David vs. Goliath analogy won’t work since FireEye’s CEO’s first name is Dave! Cyphort’s 2014 revenue was around $14 million. FireEye’s was $426 million (this includes revenue from the Mandiant acquisition).

Cyphort claims that their solution delivers malware lateral movement detection. They define this as "the ability to combine advanced targeted attacks and Advanced Persistent Threats (APT) detection with lateral movement." They say that their product provides a  picture of the attack as it happens and the potential spread within an organization, in real-time.

The Cyphort solution is delivered as software that can be installed on general-purpose hardware, virtual machines and cloud environments. The solution consists of four core components:

Collector:  Software-based probes deployed at strategic network locations (Internet egress points, data centers, etc.)   to collect suspect objects and communication.

Core:   This is the centralized detection component of Cyphort’s solution; Cyphort Core analyzes the collected suspicious network objects and associated metadata from the Collectors 

Manager: This is a  web-based,  administrative Interface.  It enables someone to manage the distributed deployment and provides access to reports

Threat Network: This cloud service feeds global threat intelligence to the Cyphort Core for enhanced detection of current threats. It aggregates threat information across all Cyphort installations

At RSA earlier this year,  Cyphort's co-founder and Chief Strategy Officer Fengmin Gong  said, "Today, solutions must look at every stage of the cyber kill chain."  

It’s always good to have more competition. Based on press, one would think that the APT market is the exclusive domain FireEye and the other seven companies that are part of the most recent NSS Breach Detection Systems (BDS) test!

 Is FireEye Cyphort’s Friend or Foe?

On the Cyphort site at   there are pair of threads prospects can go down.  

For those who already have FireEye, Cyphort claims that their Cyphort Advanced Threat Protection solution can be used to address gaps in the FireEye solution.  Their pitch is that they enhance protection.

Enterprise-wide Coverage: Unprotected sites and data centers can be covered with a single global license

Enterprise-wide Deployment: Deployment in days using the virtual machine approach

No appliance proliferation:  Cyphort claims that they cover & correlate email/web/file traffic across multiple operating systems, all in one solution

The second thread is for those considering FireEye.  Cyphort claims that they are   “the clear alternative”.  They have a nice (of course, it’s selective) grid containing points of differentiation (FireEye in ( ) :

Detection: Sandbox evasion detection, Data exfiltration detection, Multi-part threat detection, Golden image sandbox for contextual detection.  (no for all four )

Coverage: Distributed/Decoupled Design for Global Deployment using collectors (Monolithic) , Hardware/Software/VM deployment  (hardware only), Integrated Web/Email threat detection for Windows and Mac OSX threats (multiple appliances needed)

Action: Risk-based Threat Prioritization , Containment Using Existing Firewall, Web Gateway and IPS Devices, Endpoint Infection Verification (no for all three)

Scale and Flexibility: Scalability, clustered design to support any load (limited by highest appliance capacity for FireEye );  IT ecosystem Integration, open API (limited); Licensing is enterprise wide by bandwidth (per appliance for FireEye)

The Radicati Group has a  APT market share and  2015-2019 APT forecast  report available for purchase ($3000)  Radicati APT-Protection-Market-2015-2019-Brochure.pdf

For those wanting another company’s view of Cyphort’s and FireEye’s offerings, LastLine has performed  their own analyses:

Products in the Breach Detection Systems (BDS) Security Value Map™ 2015

In the August NSS Breach Detection Systems Test,  Cisco had the highest detection rate, Blue Coat the lowest TCO.  FireEye - lower left in the grid.  As mentioned earlier, Cyphort was not in this study.

Five of the eight received a recommended rating (Those on the upper right corner of the value map). Some of the companies tested have the individual reports available on their web site.  To purchase reports, see below.  For the BDS Security Value Map Graphic:
Participants in the NSS Breach Detection Systems  Study:
 Studies are available on the NSS site. Some are available for free on the participant's site.

No comments: