Can FireEye up the cyber security ante through Microsoft partnership?
- 23 November, 2016 11:08
FireEye has recently struck a deal Microsoft, designed to place the security vendor's iSIGHT Intelligence into Windows Defender, an inbuilt Windows security offering.
According to both parties, the partnership is built around a licensing agreement of FireEye's iSIGHT Intelligence.
Sources close to ARN however claim that the terms of the deal could see FireEye gain access to telemetry from every device running Windows 10, serving up access to almost 22 per cent of the total desktop market, alongside laptops and Windows mobile phones.
"The nature of the deal between Microsoft and FireEye is to license threat intelligence content from FireEye iSIGHT Intelligence," a Microsoft spokesperson told ARN.
"This additional layer of intelligence includes indicators and reports of past attacks collected and edited by FireEye and enhances detection capabilities of Windows Defender Advanced Threat Protection (WDATP). The deal does not include the sharing of Microsoft telemetry."
Despite the flat denial from Microsoft, the agreement offers many plus points for FireEye, with Redmond previously intending to have one billion devices running Windows 10 by 2019.
While the vendor has since backtracked on this statement - stating that the process would take longer than originally predicted - the direction of travel is clear.
Windows users are able to use the Windows Defender service in a free trial before purchasing a subscription to Windows Defender Advanced Threat Protection (WDATP).
The partnership has benefits to Microsoft as well by offering credibility to its Windows Defender product through partnership with a well known cyber security vendor such as FireEye.
In addition, it also pits the software giant against the incumbent players in the already highly competitive endpoint security market.
WDATP customers have access to intelligence technical indicators, which will enable the program to highlight when such indicators are found on end-user computers or networks, before displaying a profile of the involved attacker.
This profile includes information such as the motivation of the attacker, tools used, sectors targeted and geographies, alongside a description of the attacker.
Despite denials, ARN sources believe security teams are also able to access the telemetry via a subscription billing model.
“FireEye has invested in nation-state grade intelligence and we are strategically partnering with industry leaders to operationalise this high-quality intel," FireEye senior vice president of corporate development, Ken Gonzalez, added.
By working with Microsoft, Gonzalez said FireEye is now able to offer "differentiated intelligence" within WDATP and together help make organisations more secure.
"With the Windows 10 Anniversary Update, we added this new layer of defence with WDATP - a new built-in OS sensor combined with powerful cloud-powered behavioural detection analytics - in order to help enterprises, detect, investigate and respond to targeted attacks and data breaches on their endpoints quicker and easier,” added, Windows Cyber Defence, general manager, Moti Gindi.
"As two security leaders working together, the combined Microsoft and FireEye adversary-based security intelligence ensures WDATP detections can provide the right context needed to prepare for and simplify response to attacks."
IBRS cyber security advisor, James Turner, told ARN that the deal brings wide-ranging benefits to both vendors.
"There are benefits here for both Microsoft and FireEye," he said.
"Microsoft are seen to be playing with a big brand name in the security space and FireEye potentially get access to a much broader distribution of endpoints than it would otherwise have."
While the partnership may be seen as a boon for FireEye, extending the vendors threat detection network to compete with major endpoint players such as Symantec and Kaspersky Lab, Turner warned that access to telemetry alone will not necessarily give the vendor an edge over its rivals.
"It’s a classic case of FOMO [fear of missing out]," he explained. "Everyone thinks that everyone else has got better intelligence than they do so everyone has a fear of missing out.
"So everyone talks about intelligence sharing but the most valuable threat intelligence is that which is made directly applicable to you and can take action on.
"When you start looking at this particular offering, it has to be fairly generic because there is no customisation - as far as I can tell - around this. It is literally going to be a case of seeing something out there and identifying it as bad.
“It is going to be very hard for this to be customised to any specific client."
Turner added that there could be exceptions to this rule including searching for pre-defined keywords but said it is going to depend on the actual mechanism around it.
“If it is a way of helping to commoditise more advanced, threat centric security for the endpoint, then that is a plus," he said. "But ultimately, I think anybody who is expecting a silver bullet will be disappointed.
“Obviously we need to see the proof of the pudding in the eating, but there is a definite potential here to help do a capable shift in the way things are going.”