Euro Security Watch with Mathew J. Schwartz

Forensics , Next-Generation Technologies & Secure Development , Security Operations

FireEye: Ransomware Up, But Revenue Comes Up Short

Blaming Revenue Shortfall on Fewer APT Attacks Doesn't Add Up
FireEye: Ransomware Up, But Revenue Comes Up Short

Reporting lower than expected quarterly revenue, cybersecurity heavyweight FireEye (FEYE) has blamed a well-known villain: ransomware gangs. But many of the firm's assertions don't appear to hold up.

See Also: Live Webinar | Navigating Identity Threats: Detection & Response Strategies for Modern Security Challenges

Last week, FireEye reported $175 million in second quarter 2016 revenue, which fell short of its previous projection of $178 million to $185 million.

FireEye CEO Kevin Mandia blamed the shortfall on attackers increasingly favoring extortion-style attacks, rather than more traditional advanced persistent threats, such as those practiced by cyber espionage groups.

"The biggest difference with the incidents we are responding to, and I think FireEye had a big influence in this factor, is the scale and scope went from hundreds of compromised machines by attackers who wanted to maintain and keep access, to more of the ransomware-type attacks and extortion attacks that are simply easier to remediate at times," Mandia said on an Aug. 4 earnings call.

"As the current threat environment shifts to smaller scoped breaches, some organizations may be opting for 'good enough' over 'best of breed' detection," he also said.

In June, FireEye released a report saying that it had seen a dramatic decline in Chinese cyber espionage attacks targeting U.S. firms (see U.S., China Advance Infosec Cooperation).

Mandia also became FireEye's CEO in June, taking over from David DeWalt, who moved to the role of executive chairman. Mandia came to FireEye via its nearly $1 billion acquisition of cybersecurity firm Mandiant in 2014, after which he was reportedly groomed to take the helm of FireEye, first serving as its COO and then president.

How Ransomware Gangs Really Operate

But Mandia's recent assertions overlook several key points. First of all, ransomware is often an attacker's coup de grace. The Gameover Zeus gang, for example, typically deployed keystroke-stealing malware designed to help them drain organizations' and individuals' bank accounts, then deployed Cryptolocker ransomware to lock PCs and further monetize their attacks.

Even with the Gameover Zeus gang behind bars, many attackers still emulate that model, especially in attacks against healthcare organizations, Ondrej Krehel, CEO of New York-based digital forensic investigation firm LIFARS, tells me. "What we've seen in the healthcare [sector] is, the ransomware is the last component ... it really happens after the data has been exfiltrated and taken to the black market," he says. "For the bad guys, it's just a beautiful way to get another dinner ticket."

On the cyber espionage front, meanwhile, if Chinese operators were less frequently attacking U.S. organizations - as FireEye claims - that would be great news. But not all security experts are convinced that's even the case. "It's hard to prove, but I haven't seen evidence that the Chinese are targeting us less frequently," Lawrence Orans, a research vice president at Gartner who covers network security, tells me.

Sandbox Competition Heats Up

Rather than the rise of ransomware and a decline in APT - and cyber espionage - attacks hitting FireEye's revenue, the more likely explanation is increased competition for sandboxing technologies, which use virtual environments to analyze files and identify malware. "The flagship solution for FireEye is their sandbox or sandboxes, and there's more competition for those flagship products," Orans says.

Many other firewall and secure web gateway vendors - including Palo Alto Networks, Check Point, Bluecoat, Websense and Zscaler, amongst others - now offer such technology, Orans says.

FireEye's lower-than-expected revenue "did not catch me totally by surprise - they grew very quickly," Orans says. That included acquiring threat-intelligence firm iSight Partners in January (see Why FireEye Snapped Up iSight Partners).

Furthermore, the company's second quarter 2016 revenue still represent an increase of 19 percent from the second quarter of 2015. "The company is still growing, it's just that the market dynamics have changed, and now they face more competition," Orans says. "And it's being reflected in the stock price."

FireEye Announces Layoffs

FireEye's stock price has declined about 14 percent in value since Aug. 4, when it released its second-quarter 2016 financial results - with revenue and billings that were lower than it had predicted - and announced layoffs. "Unfortunately we do expect this to probably affect 300 employees to 400 employees," Michael J. Berry, FireEye's CFO and COO, said on the earnings call. "It's a reduction of about 9 percent of our, call it, controllable costs. We will try to go after as much as we can non-head count, but ... we do expect it to probably be about that level."

Mandia says the need to restructure is a consequence of the company's growth. "We always knew somewhere around 2016, we'd have to change this company as we got scale," he tells financial site Marketwatch. "I want to balance growth with profitability, and we're serious about that path to profitability."



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.