Opportunities At The Cusps: FireEye CEO Ashar Aziz (Part 7)

Posted on Monday, Oct 27th 2008

SM: Tell me how you solved that problem.

AA: The ultimate solution was actually quite simple. The simplicity comes from the fact that there are approaches which were around in industry and academia that pretended to be whole products while they were actually subsystems. They were heuristic-based solutions which were looking for anomalies. When you leave the signature realm there are hundreds of anomaly-based systems. They do not work that well because of a fundamental problem with these kinds of systems. When you are building a detector, you have to be good with both false positives and false negatives. If you are building an alarm system you do not want the motion detector to go off when there is a fly in the room, but you do want it to go off when there is a thief in the room. The problem is that a thief can be very stealthy. If the thief starts to look like a fly or moves very slowly, how do you catch that thief?

The only way to do that is to have a very sensitive detector. The problem with a detector like that is it will trip constantly. We applied that principle as a subsystem in our product. We built the detector as a front end capture system. It is not the entire system. We intentionally built it to be an ultra-sensitive detector. If there is a fly, it will capture the fly and give it to another system to detect what that fly is.

The goal of the front end is to not miss. Traditional heuristic systems try to minimize false alerts, we minimize missed attacks. We take all of the captures from the front end, which will include a lot of false alerts, and pass them to a set of virtual machines. They act as virtual victim machines. They pretend to be like the real system. The captures from the front end, which could be bullets on the wire, are transparently shot at the VMs. If the VM gets infected then we know it is a bullet. It is almost like a food tester. That is the phase where we get rid of all the false alerts.

SM: That is elegant and simple. I love that aspect of it.

AA: I can describe it in two minutes to a CIO. There was a lot of hard work from the team that went and put all of this technology together. These VMs need to be pulled up on the fly. The implementation and efficiency of managing the system is what we have focused on for the past three years.

The web is the most prolific source of malware today. One of the things that happened is the infection vector of malware shifted over the course of a year or two I was building this technology. Over the past year and a half we have figured out that it was not coming in over vulnerabilities on the operating system, it was coming in over the web. We shifted and adapted our platform to work with malware as it was coming in over a malicious webpage and affecting your browser as opposed to coming in and affecting the operating system through RPC.

That product is now on the market. I just deployed it this week at two or three of the largest companies in the Bay area. Almost as soon as we deployed them, alerts started lighting up and it was looking like a Christmas tree.

SM: Are corporations now feeling the pain? Is it real?

AA: The evasive nature of the problem is part of my marketing challenge. Old noisy malware rang a lot of bells, but did not do much damage. Today, malware does not ring many bells but it does a lot of damage. They are thieves. They are trying to be as quiet as possible.

This segment is part 7 in the series: Opportunities At The Cusps: FireEye CEO Ashar Aziz
