美国时间2013年8月5日,利用沙箱技术监测APT的领导厂商FireEye向美国证监会提交的S-1表格,开启了IPO的大幕,打算募资1.75亿美元。
根据这份材料显示,fireeye现有900员工,2012年收入是8300万美元,而2013年上半年收入就已经达到6200万美元。
材料明确指出Fireeye产品出口目前收美国政府管制,Our products are subject to U.S. export controls, specifically the Export Administration Regulations and economic sanctions enforced bythe Office of Foreign Assets Control.
里面还有很多颇有价值的信息。
Industry Background
Organizations Are Spending Billions On Legacy Signature-Based Security Technologies
Organizations today are embracing a confluence of technologies to enhance the productivity of their employees, generate new revenuesources and improve their operating efficiency. These technologies include cloud services, mobile computing and online services and social networking sites, such as LinkedIn, Facebook and Twitter. This greater reliance on information technology hassignificantly increased the attack surface within these organizations that is vulnerable to potential security attacks and has resulted in significant investments in IT security to help protect against a myriad of potential threats. According toIDC, a global market research firm, 2013 worldwide IT security spending will be approximately $17.9 billion, including investments in traditional security technologies such as firewalls, intrusion prevention systems and endpoint security software.
To date, organizations have deployed IT securityproducts to defend against earlier generations of security threats by utilizing legacy signature-based threat protection technology. The signature model works by forensically examining the code base of known malware and, if no match is found,subsequently developing a signature that network security devices can match against future incoming traffic. These signatures are gathered by IT security companies and distributed periodically to organizations that subscribe to the company’supdate service. This signature-based approach is the principal foundation of existing IT threat protection technologies.
The Threat Landscape Has Evolved: Organizations Face A New Generation Of ThreatActors
The historical threat landscapewas defined by amateur hackers who launched attacks principally for fame or mischief. While these hackers garnered a lot of press, they caused relatively little damage, and signature-based security solutions were effective at detecting andpreventing them. Today’s organizations face an advanced malware pandemic of unprecedented severity led by “advanced persistent threat actors,” such as cyber-criminal organizations, nation-states and hacktivists, who are utilizinghighly sophisticated next-generation threats to circumvent traditional IT defenses at an alarming rate. Cybercriminals are expending significant resources to exfiltrate sensitive intellectual property and personal data, causing financial andreputational damage; nation-states are pursuing cyber espionage and warfare targeting critical infrastructure, such as power grids and highly sensitive information that can threaten national security; andhacktivists, who are ideologically driven, are defacing Websites, stealing information and launching denial of service attacks.
Today’s security attacks are being conducted byincreasingly sophisticated threat actors
Today’s organizations face an advanced malware pandemic of unprecedented severity led by “advanced persistent threatactors,” such as cybercriminals, nation-states and hacktivists. Cybercriminals are expending significant resources to exfiltrate sensitive intellectual property and personal data from organizations, causing financial and reputational damage;nation-states are pursuing cyber espionage and warfare targeting critical infrastructure, such as power grids, and highly sensitive information that can threaten national security; and hacktivists, who are driven by political ideologies, aredefacing Websites, stealing information and launching denial of service attacks. These threat actors are utilizing highly sophisticated next-generation threats to circumvent traditional IT defenses at an alarming rate. Given their significantresources, nation-states and organized cyber criminals are now employing automated, constantly changing threats known as “polymorphic attacks” to penetrate mission critical systems. These sophisticated groups are constantly evolving theircapabilities to penetrate IT infrastructure, steal sensitive information, and conduct espionage and cyber warfare. They have the human and financial resources to continuously modify and improve attacks to identify and exploit network vulnerabilitiesthat will allow them to breach a target’s network. A 2011 Ponemon Institute study estimated a 44% increase in successful cyber attacks from the prior year. According to Gartner, Inc., a global market research firm, the federal governmentestimates that there is some $5 trillion of IP in the U.S., most of it commercially owned, with more than $300 billion of IP stolen each year from all U.S. networks.2 Contributing to this trend is a rise in state sponsored cyber-espionage with many countries armed for cyber warfare.The problem has become so severe that the United States Department of Defense recently elevated cyberspace in the 2010 Quadrennial Defense Report to be a domain on the same level of importance as land, sea, air and space. In addition, cyber attacksare listed as a top national security threat in the 2013 Worldwide Threat Assessment of the US Intelligence Community.
Next-Generation Threats Exhibit A Unique Set Of Challenges
Next-generation threats, utilized by advanced persistent threat actors, are fundamentally different fromearlier generation threats, with a unique set of characteristics that create a new set of detection and prevention challenges. One of the most dangerous characteristics of next-generation threats is their ability to take advantage of a previouslyunknown vulnerability in widely used software programs, creating what is known as “zero day” threats. By exploiting this vulnerability, significant damage can be done because it can take days before signature-based software vendorsdiscover the vulnerability and patch it, and an even longer period of time for traditional security products to update their signature databases accordingly. Next-generation threats are stealthy by design and are significantly harder to detect.Further compounding the problem, next-generation threats are dynamic, or polymorphic, meaning they are designed to mutate quickly and retain their function while changing their code, making it almost impossible for traditional signature technologiesthat rely on pattern matching to detect them. These threats are also targeted, which enables them to present specific individuals within organizations’ networks with customized messages or content that maximizes the likelihood of the individualbecoming an unwitting accomplice to the attack. Next-generation threats are also persistent and can perform malicious activity over a significantly longer period of time by remaining in the network and spreading undetected across devices for aspecific period of time before conducting their activity, thereby resulting in higher damage potential. An additional level of complexity created by these threats is that they can target all primary entry points of a network by launching advancedmalware attacks at the organization through Web, email and file vectors. These attacks may also include “blended attacks” that target multiple vectors simultaneously to gain entry to an organization’s IT environment.
Next-generation threats are significantly more complex in theway they carry out their attacks. The threats formulate over multiple steps, and they are difficult to detect via legacy security technologies at each step. The typical next-generation attack lifecycle contains the following five steps:
【下一代攻击的5个典型步骤】
1. | Initial Exploit: An exploit is typically a small amount of seemingly harmless content, often just a few hundred bytes in size, that when inserted into vulnerablesoftware can make the software execute code it was not programmed to run. The initial exploit phase is critical and occurs when cyber attackers take advantage of inherent vulnerabilities in widely used software and applications, such as AdobeAcrobat, Flash and Internet Explorer, to initially penetrate a victim system. The exploit is stealthy and its code can enter an organization even when a user does nothing more than visit a Web page that has been compromised. Importantly, this entireprocess happens within the compromised system’s random access memory and does not involve writing any files to the hard drive, making it almost impossible to detect with legacy security solutions that are focused on examining files andexecutables once they are written to the hard drive on a host computer. |
2. | Malware Download: Once the initial exploit is successful in penetrating a victim’s system, a larger malware program in the form of a filecan be downloaded onto the hard drive of the compromised system. Because the download is initiated by seemingly innocuous software from inside the |
organization and the malware file can be obfuscated to seem harmless, legacy security systems cannot detect the threat. As an example, the file can be presented as a .jpg (a picture) instead ofan .exe (executable) file and therefore avoid detection by legacy security technologies designed to look for executables. In addition, the malware program is encrypted and the key to decrypt the file is only available in the exploit code. Therefore,only if a security product detects the initial exploit code, can it collect the key to decrypt, detect and block the larger malware program. |
3. | Callback and Establish Control: After the larger malware download is successful, it will initiate an outbound connection to an external command and controlserver operated by a threat actor. Once the program has successfully made a connection, the cyber attacker has full control over the compromised host. Many legacy security solutions do not analyze outbound traffic for malicious transmissions anddestinations. Other solutions that attempt to detect malicious outbound transmissions can only find transmissions to known destination IP addresses of servers, and are not able to identify malicious transmissions to unknown destinations. |
4. | Data Exfiltration: Having established a secure connection with the command and control server, the malware will proceed to take control of the host computer aswell as transfer sensitive data, such as intellectual property, credit card information, user credentials, and sensitive file content. Because legacy security solutions cannot detect any of the previous three steps―exploit, malware download andcallback―they are unable to detect and block the outbound transfer of data. |
5. | Lateral Movement: At any point after the malware is downloaded, the malware may conduct reconnaissance across the network to locate other vulnerable systems, andthen spread laterally to file shares located deep within the organization’s network to search for additional data that is valuable to exfiltrate. As the lateral movement is conducted within the enterprise, firewalls and other perimeter securitysolutions focused on blocking malicious traffic from entering an organization are not able to detect the movement of malware within the organization. |
Existing Security Solutions Are Not Architected ToProtect Against Next-Generation Threats
The evolving threat landscape has rendered traditional defenses incapable of protecting organizations against next-generation threats.This includes traditional and next-generation firewalls, which provide the ability to manage policies for network and application traffic but are not fundamentally designed to detect advanced cyber attacks in a granular and scalable fashion. Inaddition, although products like intrusion prevention systems, or IPS, anti-virus, or AV, whitelisting and Web filtering technologies were designed with the intent of detecting the full spectrum of cyber attacks, their signature-based approacheshave left them increasingly unsuccessful in detecting and blocking next-generation threats.
【数落别人的不足】
• | Traditional firewall. Firewalls regulate incoming and outgoing network traffic by limiting which internal and external systems can communicatewith each other, and which ports and protocols can be used for those communications. Most attacks and subsequent malware communications tunnel over widely used port and protocol configurations, such as port 80 and HTTP, which organizations mustallow through the firewall. Traditional firewalls were not designed to inspect the communications of the traffic itself, making them blind to the potentially malicious content being carried through network traffic that they are allowing into theorganization. Also, since firewalls operate at the network perimeter, they are unable to block threats that have bypassed the perimeter and spread onto internal file shares or that have attempted to enter through a different vector of attack, suchas through the email gateway. |
• | Next-generation firewall. Next-generation firewalls, or NGFWs, have recently been adopted by organizations to improve upon the capabilities oftraditional firewalls. NGFWs add layers of policy rules based on users and applications. This allows administrators to selectively enable the use of certain applications and represents a major improvement in policy-oriented challenges faced byorganizations. However, this approach does not address the inability of the firewall itself to intelligently process and inspect traffic to detect potentially malicious content. |
• | Intrusion prevention system. Intrusion prevention systems, or IPS, were developed to address the firewall’s visibility and granularitylimitations. IPS products utilize a signature database of known threats and network vulnerabilities to scan for potentially malicious traffic, making them reactive and unable to look for exploits targeting unknown vulnerabilities. Furthermore, IPSofferings were originally built to detect and analyze network services-based attacks, rather than the client-side application attacks that have become the more popular target for cyber attackers. Everyday client applications being used byindividuals, such as browsers, PDF readers and Flash plug-ins, rather than server applications, are the primary targets for advanced malware attacks. Because cyber attackers can disguise these client-side application attacks within multiple layersof application and network protocols, it is nearly impossible for IPS products, to examine the contents of the applications with any granularity. |
• | Endpoint security. Endpoint security products, like anti-virus, are commonplace in IT environments. As endpoint products rely purely onsignatures, they are incapable of detecting next-generation threats |
that exploit new vulnerabilities in commercial software. The endpoint approach forces organizations to wait as long as a few months before known attacks are forensically examined and theappropriate signatures are propagated through the distribution network. In addition, even if endpoint providers are technically able to prepare signatures quickly, they will often delay the dissemination of signature updates to avoid creatingliability for themselves if their signature is faulty and inadvertently causes damage to an organization. Furthermore, whitelisting approaches, which are used to tag trusted applications, are vulnerable because approved applications or serversrunning on whitelisted IP addresses can be infiltrated by threat actors and become conduits for next-generation threats. |
• | Web filters. These appliances provide Web filtering and Web browsing security, but rely on a constantly updated database of bad Websiteaddresses when filtering traffic. Given the pace of change of domains and URLs and the transient nature of the Web, these signatures have become outdated and less relevant for organizations. |
Protecting Today’s IT Infrastructure Requires A Fundamentally Different Approach To Security
A solution to protect against next-generation threats needs to be built from the ground up and have the following key capabilities:
【防御下一代攻击的关键能力】
• | detection and protection capability that overcomes the limitations of signature-based approaches; |
• | the ability to protect the organization’s infrastructure across multiple threat vectors; |
• | visibility into each stage of the attack life cycle and particularly the ability to detect and block attacks at the exploit phase; |
• | negligible false-positive rate, thereby allowing the organization’s IT infrastructure to be secure without hindering business productivity; |
• | the ability to scan all relevant traffic without noticeable degradation of network performance; |
• | the ability to dynamically leverage knowledge gained by prior threat analysis; and |
• | rapid deployment and streamlined management capabilities. |
Our Solution
Our technology platform, built on our proprietary MVX engine, is able to identify and protect against known andunknown threats without relying on existing signature-based technologies employed by legacy IT security vendors and best-of-breed point solution vendors. The key benefits of our platform include:
• | Proprietary MVX engine to enable dynamic, real-time protection against next-generation threats. Our virtual execution technologydetonates Web objects and suspicious attachments within purpose-built virtual machine environments in order to detect and block the full array of next-generation threats. Our solution does not require a pre-existing signature of the threat toidentify it. |
• | Defense across primary vectors of attack. Our broad product portfolio includes our Malware Protection System, or MPS, to protect againstWeb and email threat vectors as well as malware resident on file shares. We can also coordinate threat intelligence across all three vectors to further enhance our overall efficacy rates and protect against blended attacks. |
• | Visibility of each stage of the attack life cycle and particularly the ability to detect and block attacks at the exploit phase. Ourplatform enables a comprehensive, stage-by-stage analysis of next-generation threats, from initial system exploitation to data exfiltration and lateral movement. Furthermore, because we can watch the execution path of the initial exploit with a highdegree of granularity, we have high detection accuracy at the exploit level. |
• | High efficacy next-generation threat detection. We can address hundreds of permutations of software versions targeted by advanced malwareattacks by concurrently deploying thousands of virtual machines across an organization’s network, allowing us to monitor attempted exploits of multiple operating system and application versions and hundreds of object types at line speed. Thisapproach allows for high detection efficacy with negligible false-positive rates, resulting in minimal disruption to the business and IT organization. |
• | Real-time detection of all network traffic with negligible performance degradation. Our high-performance virtual machinetechnology, working in concert with our DTI cloud and advanced heuristic algorithms, enables us to deliver industry-leading protection against next-generation threats. Our appliances are capable of operating in-line, providing comprehensive andhighly accurate detection and protection without slowing down the network. |
• | Global cloud-based data sharing within and across organizations. Our Central Management System, or CMS, correlates threat informationthat is being generated by our software-based appliances and facilitates rapid sharing of information at a local implementation level and also across the organization. In addition, by sharing anonymous real-time global threat data through our DTIcloud, our customers have access to a system that leverages the network effects of a globally distributed, automated threat analysis network. |
• | Rapid deployment and streamlined management capabilities. Our solution is generally deployed in a few hours and most often findsexisting next-generation threats immediately after deployment. Our CMS appliances offer rich management capabilities, such as coordinating software upgrades, automating the configuration of multiple appliances and presenting security data in anintuitive interface to facilitate reporting and auditing. |
Our Market Opportunity
According to IDC, worldwide IT security spending in 2013 will be approximately $17.9 billion across firewalls, virtual private networking, Web security, unified threat management, intrusion detection and
prevention, messaging security and corporate endpoint security. While this spending is focused principally on traditional IT security products, we believe the rise in next-generation threats iscreating significant new demand from organizations for products that offer advanced protection against this new threat paradigm. Gartner, Inc., a global market research firm, estimates that by 2020, 75% of enterprises’ information securitybudgets will be allocated for rapid detection and response approaches, up from less than 10% in 2012.1 We believe our platform is essential to protect these organizations against next-generation threats. As organizations seek new defenses against next-generation threats, we believe that ourvirtualization-based approach, which represents a paradigm shift from how IT security has been conducted in the past, will take an increasing share of IT security spending from the traditional enterprise IT security markets. Specifically, we believethis approach can be applied to initially supplement, and ultimately replace, any threat protection technology that utilizes a traditional signature-based approach. These markets consist of Web security ($2.4 billion), messaging security ($2.9billion), intrusion detection and prevention ($2.1 billion) and corporate endpoint security ($4.2 billion), and aggregate to a total projected spending of $11.6 billion in 2013, in each case according to IDC.
Our Competitive Strengths
We have developed the following key competitive advantagesthat we believe will allow us to maintain and extend our leadership position:
• | Leader in protecting organizations against the new breed of cyber attacks. We invented a purpose-built, virtual machine-based securitysolution that provides real-time protection against next-generation threats, and we believe we are a leader in the market. |
• | Platform built from the ground up to address next-generation threats. We were founded with the sole purpose of developing a platform todefend and block next-generation threats. Therefore, we developed a proprietary hypervisor (i.e., software that creates and runs virtual machines) and MVX engine to meet the specific challenges associated with high throughput processing ofnext-generation threats. Our MVX engine is designed to be undetectable by these new threats. We can run hundreds of permutations of files, operating systems, software versions, languages and applications to mimic desktop operating environments andforce malicious software to reveal itself. In addition, our platform is scalable and can run over 1,000 concurrent virtual execution tasks on a single appliance to simultaneously detect multiple threats. |
• | Network effects from our customer base and DTI cloud. Our global customer base of over 1,100end-customers can share threat data via our DTI cloud. This relationship between customers and differentiated threat intelligence drives a network effect around our company, leading additional customers to beincreasingly attracted to the depth and breadth of our capabilities and intelligence. |
• | Strong management team with significant IT security expertise. We have a highly knowledgeable management team with extensive IT securityexpertise. Our team includes experts with a strong track record of developing the fundamental new technologies behind advanced malware detection. |
• | Comprehensive platform that enables modular deployment options. Our customers typically initially deploy our solution to provide eitherWeb, email or file protection and in conjunction with existing security solutions. Once deployed, our customers can then deploy additional appliances to protect the first threat vector, as well as expand their level of protection to additionalvectors to achieve end-to-end protection for the primary vectors for next-generation threats to enter. |
• | Significant technology lead. Our technology is recognized as innovative and is protected by, among other things, a combination ofcopyright, trademark and trade secret laws; confidentiality procedures and contractual provisions; and a patent portfolio including five issued and 43 pending U.S. patents. |
1 | See note (1) in “Market and Industry Data.” |
Our Strategy
Our objective is to be the global leader in virtualmachine-based security solutions for the entire IT security market. The key elements of our growth strategy include:
• | Invest in research and development efforts to extend our technology leadership. We plan to build upon our current performance and currenttechnology leadership to enhance our product capabilities, such as protecting new threat vectors and providing focused solutions for certain markets, such as small and medium-sized enterprises and service providers. |
• | Expand our sales organization to acquire new customers. We intend to continue to invest in our sales organization around the globe as wepursue larger enterprise and government opportunities outside of the United States. |
• | Expand our channel relationship and develop our partner ecosystem. We have established a distribution channel program that, as ofJune 30, 2013, had approximately 400 channel partners worldwide. We intend to continue adding distributors and resellers and incentivizing them to drive greater sales to enable us to further leverage our internal sales organization. |
• | Drive greater penetration into our customer base. Typically, customers initially deploy our platform to protect a portion of their ITinfrastructure against one type of security threat, such as Web-based threats. We see a significant opportunity to upsell and cross sell additional products, subscriptions and services as our customers realize the increasing value of our platform. |
• | Leverage our innovative virtual machine technology in additional product markets. We intend to apply our purpose-built virtual machinesecurity engine to any threat protection technology that utilizes a traditional signature-based approach, such as intrusion prevention, corporate endpoint security and related mobile security markets. |
Risks Associated With Our Business
Our business is subject to numerous risks and uncertainties,including those highlighted in the section entitled “Risk Factors” immediately following this prospectus summary. These risks include, among others, the following:
• | if the IT security market does not continue to adopt our virtual machine-based security platform, our sales will not grow as quickly as anticipated, orat all, and our business, results of operations and financial condition would be harmed; |
• | our limited operating history makes it difficult to evaluate our current business and prospects and may increase the risks associated with yourinvestment; |
• | if we do not effectively expand and train our direct sales force, we may be unable to add new customers or increase sales to our existing customers,and our business will be adversely affected; |
• | if we fail to effectively manage our growth, our business, financial condition and results of operations would be harmed; |
• | fluctuating economic conditions make it difficult to predict revenue for a particular period, and a shortfall in revenue may harm our operatingresults; |
• | our results of operations are likely to vary significantly from period to period, which could cause the trading price of our common stock to decline;and |
• | our directors, executive officers and each of our stockholders who owns greater than 5% of our outstanding common stock, in the aggregate, willbeneficially own approximately % of the outstanding shares of our common stock after the completion of this offering, which could limit your ability to influence the outcome of key transactions, including a change of control. |