FireEye adds machine learning as the fourth engine in Endpoint Security solution

FireEye has spent the last two years developing its own machine learning engine, which now complements signature, behaviour-based and intelligence-based engines in their endpoint offering.

Cybersecurity vendor FireEye has announced the addition of a new engine – the fourth – to their FireEye Endpoint security solution. MalwareGuard, a new machine learning based detection and prevention engine, is designed specifically to detect and block never-before-seen threats. It is available now for existing FireEye customers at no additional cost in the new 4.5 release of FireEye Endpoint Security. It is also available as a free trial for prospects.

FireEye is a relative latecomer to machine learning in its endpoint solution, but the company says the wait will have been worth it. A key reason for the delay is that the company decided to build its own machine learning capability, rather than buy it.

“This is the result of a two-year effort by our endpoint security team to build the best machine learning capabilities,” said Phil Montgomery, FireEye’s VP of Product Marketing.

While FireEye had no formal machine learning engine previously, they have had their behavior-based ExploitGuard engine and an intelligence-based engine that shows Indications of Compromise, as well as a signature-based engine.

“The four of these together provide a very strong layered defense,” Montgomery said.

FireEye is emphasizing that their machine learning data is gathered from over 15 million endpoint agents. They acknowledge that other endpoint security vendors also have many millions of users, but say there is a qualitative difference between their data and the data of many others.

“Any machine learning model is only as good as the data set that you treat it with,” Montgomery said. “Public malware feeds are one source of malware. A lot of people train their engines using only the public malware feed. We have considerably more than that. Because we have a consulting arm and a global intelligence group, we often see malware for the first time.  We have detected more zero-day attacks than everyone else combined, and what we see in the field immediately goes into the engine. The important issue today is how good your engine is at detecting zero days and stuff that hasn’t  been seen before. We have a better model because we have a better data set.”

Along with the new machine learning capabilities, FireEye Endpoint Security has received some improvements to its Policy Manager, its Workflow updates and its Cloud Identity and Access Management capabilities.

“What these all have in common is an increase in the flexibility and the granularity of the policies” Montgomery said. “With Policy Manager, we have the enhanced policy engine to make more granular possible policies across the organization, and facilitate more flexibility in the level of policy, around things like whitelisting and blacklisting and Active Directory GPOs.” Similarly, the Alert Workflow Update now provides more flexibility in setting alert policies, and Cloud Identity and Access Management now enables higher levels of authentication for cloud-based deployments.

Montgomery said that these enhanced capabilities give FireEye channel partners things that they had been asking for.

“The channel repeats what their customers see as the most important things, and they wanted the machine learning,” he stated. “They also like the other enhancements. While they are not major ones, they do provide for greater flexibility of deployment and policy management, and customers and partners both want that. Our Endpoint Security now provides four engines, with everything in one single agent managed through the cloud, on- prem or hybrid, and that means a lot of flexibility for the partner as well.”