FireEye Stories Blog

What Is Needed for Threat Intelligence Leadership?

On March 23, Forrester published The Forrester Wave™: External Threat Intelligence Services (ETIS), Q1 2021 with FireEye recognized as a leader. Out of all the providers covered in the report, FireEye received the highest scores in the current offering and strategy categories, and received the maximum rating in 18 of the 26 evaluation criteria.

So what about FireEye is convincing customers to entrust our Mandiant Threat Intelligence services to protect business continuity, close security gaps and reduce risk? What makes our threat intelligence stand out above the rest?

Ingredient 1: Human Expertise

In our opinion, the 18 current offering criteria evaluated by Forrester in the Q1 2021 ETIS report can’t be delivered by just buying computational power, analytic tools and tons of raw data. Instead, we believe that most of the evaluation criteria—like intelligence analysis, requests for information, and vulnerability intelligence capabilities—require trained experts who can engage with customer stakeholders and thoroughly analyze gathered data. It’s not enough to just have data; providing real decision advantage to customers requires the ability to understand both the threat environment and the context of our customer’s decision-making needs.

The Mandiant Threat Intelligence team has invested heavily in human expert capability, with over 260 researchers and analysts on staff, present in over 24 countries, speaking more than 30 languages. This group produces thousands of reports annually and curates the graph database driving our real-time intelligence delivery through Mandiant Advantage.

Building this capability doesn’t happen overnight. Our team has over 10 years of experience in how to best develop threat intelligence. When new analysts join our team, they pair with a more senior analyst to learn on the job, and their produced intelligence is continuously reviewed by multiple peers. Later on, analysts specialize in specific threat groups, threat types, or customer environments to better understand adversarial evolution and keep our customers informed. It takes years to train an analyst to Mandiant’s high standard of senior proficiency.

Given our investment in expertise, we are not surprised that we were named a Leader and we believe we are placed well for future evaluations.

Ingredient 2: Analysis Focused on Customer Needs

The ability to collect and analyze data doesn’t necessarily mean the results will be useful to customers. Intelligence that isn’t meaningful is just more noise. Because of this, we have focused on creating robust methods to understand what our customers need and deliver intelligence that hits the mark. Forrester captured these capabilities under the categories of intelligence requirements, dissemination, and customer & stakeholder feedback.

Understanding intelligence requirements—the questions that organizations need to answer to best protect themselves—is foundational to delivering useful intelligence. When we onboard customers, we work with them to define their organizations’ needs. We regularly review customer intelligence RFIs (Requests For Information) to understand changing interests. As our customers’ organizational needs change, we also deliver intelligence capability development services that enable organizations to mature their intelligence capabilities.

In addition to the pure intelligence requirement focus, we have spent a lot of time over the last few years talking with customers and prospects to understand intelligence in the context of their organization. We’ve asked hundreds of organizations how they think about intelligence. We asked about their business objectives. We asked what success looks like for their intelligence and security functions. We asked how we could improve the intelligence support we provide. The answers from this ongoing process guide our continuing efforts to raise standards in threat intelligence.

One key outcome of this process was our change to give intelligence customers a front row seat to our process of tracking threat actors as our understanding develops, not only at the end when we write a finished intelligence report. This coverage, which we deliver through Mandiant Advantage, gives security teams a clear view of the threats they are facing. Mandiant’s APT and FIN groups are well-known in the cyber security industry as sophisticated intrusion actors. When we first see these actors, we start tracking them as uncategorized activity clusters (“UNC groups”) that we investigate and develop over time. We’re now delivering insight into these groups through Mandiant Advantage so that our customers can better understand emerging threats. These activity sets are often later merged with other existing groups or developed into more refined actor groups such as TEMP, FIN or APT groups as further details are discovered. Mandiant offers actor insights that are consumable by different personas in the security team. For instance, vulnerability management teams can find out which exploits are being used by specific actors, detection engineering teams can download YARA detection rules, and incident responders can review behavior of actors in our MITRE ATT&CK explorer.

Ingredient 3: Continuous Innovation in Intelligence Data Collection

Attackers are constantly looking for ways to evade or defeat security measures. They regularly adapt when they are discovered or when their tactics stop working. This means that intelligence collection has to continuously look for new malicious tools and tactics, as well as develop new ways to track actors’ evolving operations.

At Mandiant, we have a unique view into the threat landscape. Our breach intelligence gives us firsthand knowledge of how the most impactful intrusions happen. Our adversary intelligence collection continuously tracks malicious actors, whether we are currently investigating a related breach or not. Our machine intelligence gives us a wide-angle view of threat activity as it happens around the globe. The operational intelligence from our Managed Defense team gives us real-time insight into threat activity as it develops.

These different lenses on the adversary help us track threats throughout their lifecycle. We believe Forrester’s evaluation of FireEye in the criteria of raw intelligence collection and supporting products and services highlights our strengths in this area. Our collection is more resilient and provides better resolution because we are not dependent on collecting against a specific point in the threat lifecycle.

We know exactly what today’s most significant threats can do, have done and are doing, and our mission is to convey that intelligence in meaningful and useful ways to our customers.

The SUNBURST campaign involving UNC2452 is a recent case that demonstrated the importance of strong intelligence collection combined with investigative expertise. We discovered a software supply-chain compromise whose operators have gone to significant lengths to observe and blend into normal network activity.

In our view, the recognition of FireEye as a Leader by Forrester reflects our continuous investment in experts, our focus on our customers, and our ability to collect intelligence from many types of sources. Keeping our customers ahead of the adversary is a challenge we are excited to continue tackling for years to come.

Register today for a free subscription to Mandiant Advantage to access comprehensive threat data and intelligence into current, past and possible future threat activity.