From: Tommy Thomas
Sent: Tuesday, January 7, 2014 2:52 PM
To: ‘dan.mclane@coeurgroup.com’
Subject: FW: FireEye Evaluation is Up: Quotes Attached
Importance: High
We evaluated a FireEye Appliance this past year. It was shot down which I expected. It is a very impressive piece of equipment but expensive.
Thank-you,
Tommy Thomas MCP, Network+, Security+, C|EH, MCSA, MCSE
Network Systems Administrator
City of Ocala IT Division
110 SE Watula Ave.
Ocala, FL 34471
352.401.3928
From: Tommy Thomas
Sent: Friday, September 27, 2013 2:05 PM
To: Shawn Hoff; Winsome Jacobs; Kenneth Jamerson
Subject: FireEye Evaluation is Up: Quotes Attached
Importance: High
Winsome and Shawn,
As you both know, we have been evaluating the FireEye Appliance, which I am really impressed with:
“FireEye is a leader in stopping the new generation of cyber-attacks, such as advanced malware, that easily bypass traditional signature-based defenses and compromise over 95 percent of enterprise networks*. FireEye has invented a purpose-built, virtual machine-based platform that provides real-time threat protection to organizations across all major threat vectors and each stage of an attack life cycle.”
“Traditional protections, like traditional and next-generation firewalls, intrusion prevention systems (IPS), anti-virus (AV) and Web gateways, only scan for the first move, the inbound attack. These systems rely heavily on signatures and known patterns of misbehavior to identify and block threats. This leaves a gaping hole in network defenses that remain vulnerable to zero-day and targeted advanced persistent threat (APT) attacks. For example, consider the time lag in signature development due to the need for vulnerability disclosure and/or the mass spread of an attack to catch the attention of researchers. Malicious code is identified over the course of a few days as it spreads. However, polymorphic code tactics counter-balance the effects of signature-based removal. Signatures represent a reactive mechanism against known threats. However, if attacks remain below the radar, the malware is completely missed, and the network remains vulnerable especially to zero-day, targeted advanced persistent threats. No matter how malicious the code is, if signature-based tools haven’t seen it before, they let it through.” http://www.fireeye.com/
In the three weeks we have had this device, we were able to identify several malware vulnerabilities that got through our defenses. I will say that I was VERY impressed to know that our defenses are protecting us very well, but we did have some items get through. One malware item alone was from a PDF; this item changed more than 12,160 files and more than 180 registry keys on the target PC. It also performed Data Theft, by attacking the auto-complete passwords from the installed browser and attempted to send those out. If a user was saving their credentials in their web browser for EDEN, or the Intranet or any other of our web applications, this user’s credentials could have been stolen.
Another Malware item we caught delivered a rootkit and made more than 170 file and registry changes to that target PC. This was a ZERO DAY malware, as when we went to do research on it, only one anti-virus company had it listed and they listed it about 15 minutes before we witnessed it on one of our PCs. The next day, ALL of the anti-virus companies had it listed. This is the best example of successfully finding and mitigating a ZERO DAY threat on our network.
One of the more severe Malwares we found just yesterday is called Exploit.Kit.Darkleech. There has been a recent rise in drive-by attacks from the Darkleech attack campaign that’s been using compromised servers and malicious Apache modules to launch drive-by attacks that target known browser vulnerabilities. They use JavaScript to attack anyone browsing the website. If the attack is successful, the malware redirects the browser to another malicious website, where a crimeware toolkit attempts to further compromise the PC. This can be from legitimate websites if they are compromised.
Two PCs were infected with Darkleech. These malware-infected PCs could have sat for weeks or months on our network before we truly realized what was happening because we just would have never known.
Using the data from the FireEye on the items that got through, we were able to tweak our firewall further to help protect us against them in the future. The FireEye would effectively block any outbound traffic if set up inline, where malware would not be able to communicate with their command and control servers.
I feel it’s imperative that we implement this tool in order to protect ourselves from malware and other events that traditional signature-based security just won’t protect you from, especially ZERO DAY attacks.
Attached are 3 quotes for the device and one for a lease option.
Thank-you,
Tommy Thomas MCP, Network+, Security+, C|EH, MCSA, MCSE
Network Systems Administrator
City of Ocala IT Division
110 SE Watula Ave.
Ocala, FL 34471
352.401.3928
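The message above describes taking the detection data for the items that got through and using it to tune the firewall so infected PCs cannot reach their command and control servers. The script below is an added example of that correlation step written for this page; it is not code from the email, the City of Ocala, or FireEye. The alert record layout, the firewall log format, the `deny out from ... to ...` rule syntax, and every host and destination address in it are constructed for illustration and do not represent FireEye's real alert format or any vendor's firewall syntax.

```python
"""
Added example: correlate sandbox-style malware alerts with outbound firewall
connection logs, then emit egress deny rules for the observed callback
destinations. Every record below is constructed; the alert and log layouts
are hypothetical simplifications, not FireEye's or any firewall's format.
"""
import ipaddress
from collections import defaultdict

# Constructed alert records: one per detection, with the callback destination
# the sandbox observed the sample contacting (hypothetical layout).
ALERTS = [
    {"host": "10.1.20.15", "malware": "Exploit.Kit.Darkleech", "callback": "203.0.113.40"},
    {"host": "10.1.20.42", "malware": "Exploit.Kit.Darkleech", "callback": "203.0.113.40"},
    {"host": "10.1.30.7",  "malware": "Rootkit.Generic",       "callback": "198.51.100.9"},
]

# Constructed outbound firewall log lines: "src dst dport action".
# Note that 10.1.40.3 never raised an alert but still talks to a callback address.
FW_LOG = """\
10.1.20.15 203.0.113.40 443 allow
10.1.20.15 93.184.216.34 443 allow
10.1.20.42 203.0.113.40 8080 allow
10.1.30.7 198.51.100.9 443 allow
10.1.30.7 198.51.100.9 443 allow
10.1.40.3 203.0.113.40 443 allow
10.1.50.1 93.184.216.34 80 allow
"""


def parse_fw_log(text):
    """Parse firewall log lines into (src, dst, dport, action) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the whole run
        src, dst, dport, action = parts
        records.append((src, dst, int(dport), action))
    return records


def callback_destinations(alerts):
    """Set of command-and-control destinations reported by the alerts."""
    return {a["callback"] for a in alerts}


def find_beaconing_hosts(alerts, fw_records):
    """Map each internal host that the firewall allowed to reach an alerted
    callback address to the sorted list of those addresses. This also surfaces
    hosts that never triggered an alert themselves (possible missed infections)."""
    c2 = callback_destinations(alerts)
    hits = defaultdict(set)
    for src, dst, _dport, action in fw_records:
        if dst in c2 and action == "allow":
            hits[src].add(dst)
    return {host: sorted(dsts) for host, dsts in hits.items()}


def egress_block_rules(alerts, internal_net="10.0.0.0/8"):
    """One outbound deny rule per callback destination, in a generic
    hypothetical text form (not any vendor's syntax), sorted by address."""
    net = ipaddress.ip_network(internal_net)
    dests = sorted(callback_destinations(alerts), key=ipaddress.ip_address)
    return [f"deny out from {net} to {dst}/32" for dst in dests]


if __name__ == "__main__":
    records = parse_fw_log(FW_LOG)
    for host, dsts in sorted(find_beaconing_hosts(ALERTS, records).items()):
        print(f"{host} reached callback address(es): {', '.join(dsts)}")
    print("\n".join(egress_block_rules(ALERTS)))
```

The useful part of the correlation is the host that appears in the firewall log but not in the alert list: a destination learned from one detection identifies other machines that the sensor never saw, which is why the email's point about using the alert data to tune the firewall matters beyond the originally flagged PCs.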
<EXTRA INFORMATION ADDED ABOUT THE RECENT TARGET HACK AND FIREEYE>
From: Tommy Thomas
Sent: Friday, March 14, 2014 8:25 AM
To: Winsome Jacobs; Shawn Hoff; Grant Booth; William Rios; Kenneth Jamerson; Kelly Vann; Douglas Day
Subject: Target Hack – FireEye was installed but they ignored it …
This is a great article about the recent Target hack. Apparently they had more than a million dollars’ worth of FireEye equipment installed and it actually caught the malware but the network security folks ignored the threats… they also did not have FireEye set to auto-delete or lock down IP addresses where malware was using command and control.
Thank-you,
Tommy Thomas MCP, Network+, Security+, C|EH, MCSA, MCSE
Network Systems Administrator
City of Ocala IT Division
110 SE Watula Ave.
Ocala, FL 34471
352.401.3928
From: Miranda Dinkelspiel [mailto:miranda.dinkelspiel@FireEye.com]
Sent: Thursday, March 13, 2014 3:38 PM
To: Tommy Thomas
Subject: Sharing is caring:)
http://www.businessweek.com/videos/2014-03-13/hacking-timeline-what-did-target-know-and-when
“Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It”
Miranda Dinkelspiel
Account Manager (State/Local/Education) – Southeast US