A Q&A with Ashar Aziz, Founder, CEO & CTO, FireEye

Ashar Aziz, FireEye

Eleanor Dallaway: It was 2004 when you founded FireEye. How did that idea come about?

Ashar Aziz: I was looking to identify the next big, interesting problem that we’re all going to face. My previous start up was in a different area - virtualised cloud computing. We didn’t use those words then, but that’s what that company was about. It was acquired in 2002 by Sun Microsystems.

ED: How did you determine what the next big problem was?

AA: I looked at 400-500 research and academic papers, as well as the US Department of Defence studies on the evolution of malware. As I thought about it as a technology challenge as well as a business opportunity, it became clear that the kind of malware that existed in 2004 had the blueprint to become a much more sophisticated form of malware in the future.

ED: How malicious was malware in 2004?

AA: Malware in that time period didn’t do very much – it just self-propagated. But it had a payload, and that payload could steal data. It could steal information that it could monetize. Malware could become a tool for crime, a tool for espionage, and use the computers that control critical infrastructure as a tool for warfare. If and when this malware were to evolve, it was obvious [in 2004] that all the incumbent techniques would fall apart in the face of this evolved threat.

ED: So what was needed? What was missing?

AA: The ability to pick a needle out of the haystack, and never pick out a piece of hay and call it a needle, and not miss the needles that are all in the haystack trying to look like pieces of hay - we knew this was needed and that it would require a new blueprint, rethinking how a detection engine works. The technology we came up with, which is the platform that we have today, looks for interesting and unusual activities on the wire, and has a very aggressive means of identifying them, which means we cast a very wide net in terms of what we are looking for. We’re picking out lots of pieces of hay that even remotely resemble a needle, and then asking whether it’s really a needle.
We’re looking at gigabytes of network traffic, using virtual machine introspection as the analysis mechanism, not pattern-matching (which is what everybody else is doing).

ED: How long did it take to go from idea to market, and how easy was it to get funding in the highly competitive Silicon Valley?

AA: It took three years to get the product to be of sufficient quality and detection efficiency that we could take it to a large enterprise customer, and show them the value of the product. 2009 was a bad year for the world, but a good, record year for FireEye. Getting funding was not a walk in the park. People could not envision the threat landscape back in 2004. They couldn’t imagine the President of the United States of America conducting a malware strike; or that China would direct malware activities at the United States.
It was clear to us that this was – and is - one of the most important problems of the 21st century. Society and civilisation is built on this digital foundation, and if that shakes, civilisation itself will be impacted. We’ve seen the evidence of that in the attack on Iran, in the attack on the SCADA control systems, but what if that kind of attack was launched on the grid here? Imagine the implications to the national economy of the United States or the UK, or any industrialized country. We are so reliant on these digital systems that we have an extreme set of vulnerabilities that exist in this society. We are mostly ignorant of it, because the exploitation of these vulnerabilities is happening at a level that the common public does not see.

ED: What role does FireEye play in this?

AA: Our goal is to bolster the security and the key infrastructure that is pervasive across financial, government and credit card infrastructure to protect from these three very important threats: crime, espionage and warfare. If money is in cyberspace, then crime will be in cyberspace; if information is in cyberspace, then espionage will be in cyberspace; and if our society’s infrastructure is supported by digital apparatus, then warfare will have a dimension in cyberspace. So that’s our motivation, that was the appealing gap in the marketplace, and that’s why I stepped up eight years ago to try and solve this problem.

ED: What, specifically, caught the eye of your investors?

AA: An opportunity for a new approach to security. They could imagine a future where there could be an organised crime syndicate, or maybe even a nation-state entity. These are not one-off failures in say Google or Juniper or Adobe, it’s a systemic fault in enterprise security architecture, and that is the real observation. The reality is, everybody can go down at any point in time, and the majority are. That’s the unwritten headline.

ED: In a crowded marketplace, how can FireEye stand out amongst its bigger, more well-known competitors?

AA: I struggled on that front for a long time. I could get a few people to take the meeting, the ‘lean-forward’ people who were willing to understand and be informed of what else is out there. There were a lot of people with their head in the sand, and that still is true today. What really changed, Eleanor, is the ongoing drumbeat of high-profile attacks. When Google got attacked, people said ‘they all have McAfee software don’t they? How were they so easily breached?’ That’s when people started scratching their heads and [looking for] solutions out there to meet this problem, and they knew it was not from the large, incumbent, dominant providers, because if they had [solutions], they would have known about them. So they went hunting for that company that’s not so well-known, a company like FireEye that was solving that problem and doing it better than everybody else. As a little company I could not change the market dynamic, but the offensive actors did that very successfully.
The innovator’s dilemma is the unholy accidental (I call it accidental because I don’t believe there’s an actual conspiracy) between the incumbent security vendors and the offensive actor. Neither has an incentive to inform the customer that they had a problem, because the incumbent security manager telling their customer that they have a problem would mean their products are not protecting them, right? So now you’re admitting fault, or some kind of blame. The offensive actor is robbing the customer, so he’s not inclined to tell the customer either. So how is the customer to know that he has a problem?

ED: It is often argued in the information security industry that there is a skills gap in the industry with a lack of professionals with both technical and business skills. As the inventor of the FireEye technology, and a successful CEO and CTO, what would you say to that?

AA: I think the general consensus is probably correct, that it’s rare for an individual to have both organizational management skills as well as the technical innovation/inventor skill set, it’s kind of rare to do that and have that. I’ve been fortunate that I was able to build a company to this stage by being very candid with myself as to what skills I lacked, and by recruiting in the right people at the right time to make up for that skill gap.
There is a problem in the industry that often industry professionals are failing to make CISOs or board members understand security risks because they’re speaking in a technical language. I think bridging that gap is something very important.

ED: How do you recruit the best talent when there is so much competition in Silicon Valley?

AA: Talent - and high-quality talent, by definition - is rare. You have to go, identify them, source them, and then you have to recruit them. I was so blessed when I started FireEye because I recruited the team from my previous start up, so I seeded this company with a technical team that I knew. As we have grown, we have the good fortune of attracting talent, because people know we are doing the new novel things in security versus the legacy thing - success breeds more success.

ED: You sold your first company to Sun Microsystems. When you built FireEye, did you have the same objective?

AA: No, I never build a company to sell. If there is a path to a sustainable, viable business, my inclination will always be to build a sustainable viable business.

ED: What qualities do you look for when you’re recruiting?

AA: Fire, passion, the desire to make a difference, and not being satisfied with the status quo.

ED: Where would you like FireEye to be five years from now?

AA: We’re going to expand threat protection functions across the enterprise, and we’re going to create this truly enterprise-wide threat visibility and control, above and beyond what any existing mechanisms and products do today. We want to be there in every network, large and small. That’s a pretty big ambition.

ED: What advice would you give to anyone looking to start an information security company today?

AA: Before you even have an idea, think about how you construct it, and construct it backwards from the problem. Identify the problem and reverse engineer the solution. Once you have identified it, validate it with a customer, a conversation. It should not be something that is an incremental change to an existing product. It has to be something that is somewhat out of the box, and it is uniquely addressing it in ways that make the solution value proposition significantly better than anything that the incumbent market has. Once you have those litmus tests and the market validation, you have to go and get some investors. Raising the money is getting a ticket to the game, but figuring out how to win the game is the most important thing.
You need to have courage, because when things go wrong, not only will you need to look in the mirror and motivate yourself, you’re going to go out there and have to motivate your employees too.

