When a significant data breach hits the news, a firestorm of emails and articles inevitably follows. Some stick to sharing the facts. Others attempt to capitalize on the fear, uncertainty, doubt, and damaged trust to sell more products. Most of this noise does nothing to improve the security of those vendors' customers.
We respect the challenge FireEye faces in responding to this breach and feel that the security community needs to be supportive of their effort to disclose and contain the risks.
ExtraHop has received many inquiries, and expects many more, about whether we can protect our customers in the wake of this breach. The purpose of this post is to acknowledge that when a breach happens it changes the risk landscape for everyone, and it reinforces the need for a layered security approach that emphasizes post-compromise visibility and response.
What We're Doing Now
ExtraHop is closely tracking the situation and providing advice to our customers on any actions that need to be taken. ExtraHop's network detection and response solution provides our customers with the ability to detect the tactics represented in the FireEye Red Team tools that are now in the wild.
In particular, ExtraHop has strong detection capabilities for beaconing, data exfiltration, and other command and control techniques used in the FireEye Red Team tools. We are working with our customers on an individual basis to address specific concerns and ensure they have the coverage they need. For customers who would like direct support for any questions, please contact your ExtraHop representative.
More broadly, this breach is a reminder we live in a post-compromise world: APTs have already bypassed the firewalls and preventative controls and are inside the enterprise. It is vital to have an internal and trustworthy viewpoint to detect and investigate suspicious behaviors, as well as provide a forensics trail if a breach happens.
As Rob Joyce, former leader of the NSA's Tailored Access Operations said back in 2016, "[An attacker's nightmare is] an 'out-of-band network tap'—a device that monitors network activity and produces logs that can record anomalous activity—plus a smart system administrator who actually reads the logs and pays attention to what they say."
If the situation warrants any further public comment from ExtraHop, we will cross that bridge when we come to it.