Help AG Leverages FireEye Forensic Capabilities

By root

Specialist security resellers like Help AG are building consulting opportunities and longer term engagements with end users around next generation vendors like FireEye.
Next generation security solutions adopt a different approach from traditional security solutions, which are usually signature and activity-pattern based. Today's malware has developed ways to evade detection by next generation firewalls, IPS and web security gateways, and can usually only be picked up by more innovative security technologies. While FireEye was set up in 2004 by founder Ashar Aziz, now Vice Chairman of the Board, Chief Technology Officer and Chief Strategy Officer, its approach of virtual dynamic sandboxing continues to successfully combat the latest malware and persistent morphing attacks. Aziz broke with the conventional IT security practice of the time, believing that continuously feeding a database with signatures and profiling every possible attack is so laborious that it must ultimately prove ineffective. He believed that new generation attacks would require end users to adopt new generation tools, architectures and methodologies.
“Today, what is deployed in the market is either a signature, reputation, or heuristic based approach, which does not really give you 100% detection of new generation attacks. New generation attacks are polymorphic and dynamic in nature and change and mutate the original signature assigned to the attack,” says FireEye's Ray Kafity, Regional Sales Director, Middle East, Turkey and Africa. FireEye uses its built-in virtualisation server to load desktop applications into a virtualised environment, tricking malware into launching its attack against the simulated client rather than the real one. Because the client environment has been virtually simulated, zero-day attacks, among others, can be forensically studied, isolated and blocked without affecting an enterprise's everyday IT infrastructure.
“We take a copy of those applications and run them live inside the virtual execution engines. When a threat comes in, it actually exploits and infects our virtual execution engine and not the desktop. Once we apply forensic tools we will find out if it has malicious intent or malicious behaviour, without the network being exposed to it,” elaborates Kafity on the virtual simulation process. Some 99% of the applications that run on desktops are available for simulation inside FireEye's virtual engines, and those that are not can be manually loaded into the FireEye virtual environment. Kafity remarks, however, that he has yet to encounter such an add-on requirement in any end user ecosystem. “It is all Windows based, typical applications.” FireEye entered the Middle East region in late 2010 with a team of two; today it has a headcount of over 25.
“As Help AG we brought FireEye to the Middle East,” reflects Stephan Berner, Managing Director, Help AG. At that time Berner and Kafity were mapping the functionality of FireEye's solutions to the requirements that Help AG was seeing from the market. “At the end it was pretty clear, mainly because of the technical aspects, that FireEye is a solution we need to have in our portfolio.”
Historically, IT security solutions started with firewalls and antivirus. While there have been significant enhancements to these solutions over time, most of them are still signature-based, with limited capability to prevent the entry of advanced persistent threats and zero-day attacks. “Finally even if you have two, four, six, eight… firewall and intrusion prevention systems implemented, if somebody is going to hit you with targeted attacks, these are not going to prevent it and most probably data will be taken out of the organisation. This is what FireEye is all about,” says Berner.
However, while FireEye's product portfolio may be significantly differentiated from that of other security vendors, its unique technology approach also implies significant learning and lead time, both for end users and for other VARs intending to play the same role as Help AG. End users need to be educated on how legacy security solutions may not adequately combat modern malware. This learning is accelerated if the end user's IT security protection or data has recently been compromised at any stage or in any way. Under such circumstances budgetary spending for next generation security solutions like FireEye is more readily available, and is approved to work in a complementary fashion with the existing IT security infrastructure. “While virtual machine sandboxing has existed since 2004, it has only recently become more visible, driven by major global and regional incidents in the last two years,” says Berner. And because it has only recently moved to centre stage, some end users still find it difficult to understand FireEye's approach of virtual dynamic sandboxing and virtual execution images.
Kafity also explains, “The FireEye solution is not a drop it and leave it approach. Before the drop, there is a lot of effort to educate and make the requirements relevant.” That elevates the product to a nice-to-have position, which is still not good enough for Kafity, since end users continue to believe they are immune from next generation attacks. Lack of awareness of the capabilities of modern malware keeps the solution from being elevated to a must-have position. “Our job as partner vendor is to change this from nice to have to a must have.” Another aspect of the education process is to work closely with other IT security vendors, ensuring that FireEye works in a complementary fashion with their solutions.
While FireEye fits well into the Help AG product portfolio, Berner distinguishes between the twin objectives of selling vendor products and providing Help AG's own consulting and professional services. “For us it is not all about selling the most sophisticated vendor products. It is much more about providing the right services to the end user.” Once sold, Help AG therefore looks at vendor products as a stepping stone to integrate into much broader end user requirements. “For us FireEye is a product like any other. But we see it as a tool set, with which we can address different kinds of requirements in end user organisations.” Help AG's consulting and professional services portfolio for end users includes application code review, firewall audit, implementation services, IT security training, network security assessment, penetration testing, platform audit, product enhancement, residential engineer services, vulnerability assessment, web application audit, application audit, ISO audit services, and others.
For specialised security value added resellers like Help AG, bringing FireEye into their portfolio of services is different from working with other security vendors. “It is an advanced sell and is therefore different from other vendors. If you look at FireEye it is the most complete solution addressing in-depth forensics. Our value-add in the FireEye ecosystem would be consultancy services,” explains Berner. Once the FireEye solution has been implemented, end users need to be trained on how to correlate results, how to react to alerts and how to complete forensic analyses, among other things. “It is in the interest of each and every customer to tune it and customise it,” and that is where Help AG plays the role of a consultant. As part of this role, Berner again distances himself from aligning too closely with any particular vendor. Help AG's solution and services portfolio includes multiple vendors, each with their own distinct positioning and benefits for end users. “FireEye is a very important building block as part of an overall solution, but it cannot be the only product in the solution. We would typically use a multi-vendor solution.”
FireEye's differentiated technology approach also restricts its selection of the right security VAR partner. VARs in the pure-play IT infrastructure business would not match FireEye's partner enablement criteria. But channel partners selling active network components, or next generation firewalls, IPS or web security gateways, and wanting to expand their portfolio to include next generation security solutions would fit the bill. The skill levels of onboarded channel partners are critical in the final sale of the FireEye solution, which includes a proof of concept as an intermediate stage in every end user lead or inquiry generated. So vital is the proof of concept stage that Kafity indicates it can make or break the sale. “To get the concept across we are almost cent per cent proof of concept driven. If the partner does not have the qualified skills to do the proof of concept, the sale will not go through.” Moreover, the way the proof of concept is set up and demonstrated by the channel partner can produce very different outcomes.
In any region, FireEye defines its potential market as the ten-ten matrix: it identifies the top ten vertical market segments and the top ten performing businesses in those segments. Notwithstanding this approach, FireEye's tier one and early adopter customers typically come from a nation's computer emergency response team (CERT), military, intelligence, critical infrastructure, banks and other organisations that are particularly sensitive to IT security concerns. “They make up the top ranks,” says Kafity. FireEye is also establishing a team for incident response and supporting professional services under the name of FireEye Labs, based on expected demand from selected end users.
Kafity is also keen to draw the line between the benefits a security VAR and a value added distributor (VAD) can bring to FireEye. FireEye is looking at enabling about two to four security VARs per country, a number much smaller than what a value added distributor would like to work with. Moreover, for specialised next generation security solutions from FireEye, most of the skills development would need to be done by the vendor itself. Finally, Kafity is clear that the end user relationship is managed by the VAR and not by the VAD, and the VAR would need to demonstrate sufficient skills and value-add for such deals to go through. “Our aim is to have the value add in the partner and not the distributor. We are not going to spread ourselves too thin.”
FireEye channel partners will earn through price margins on sales of hardware appliances, annual maintenance support services and subscription licences to the vendor's cloud-based dynamic threat intelligence service. FireEye's value added distributors will continue to support onboarded VARs. Across the region FireEye is using the distributors Starlink for the GCC, EliteVad for Africa, Prolink for Turkey, Barikat for Turkey, Axiz for South Africa and CONFIG for North Africa.
While Kafity is aiming to bring on board a handful of security VARs from each country, reaching those numbers by handpicking competent resellers can also be challenging. On the one hand, FireEye aspires to work with specialised and competent partners like Help AG, leveraging their end user relationships to promote FireEye into the community. On the other hand, it finds a lack of awareness of next generation security threats and solutions to be a significant inhibitor in finding the right channel partners. The new language of IT forensics brought in recently through vendors like FireEye and others in the region is another stumbling block.
“The solution is outside their comfort area and they are afraid to pitch because they do not understand our positioning,” comments Kafity. This is leading to a significant disconnect between the growing opportunities in the market to sell next generation security solutions and the ability to execute on them. “They would much rather sell next generation firewalls, IPS and web security gateways, which they understand,” but which are no longer effective in combating modern malware. Reflecting on the journey so far, Kafity points out that if FireEye is to reach its sales target by 2014, its channel partners would need to start generating their own leads, engaging with end users, and closing deals without once calling in the vendor. Along with selling next generation security solutions, that promises to also produce an ecosystem of next generation security channel partners.