You may have seen positive tweets about FireEye’s response to their breach. I’ve also seen a lot of criticism. For those who might not be familiar with what goes on behind the scenes after a breach, I want to share my perspective on why their actions have been commendable. 1/18
Disclaimer: I’ve been gone from FireEye for 8 months, and know nothing more about this incident than what I’ve read publicly. Also IANAL, so any of my definitive statements below can be taken with a grain of salt. 2/18
Anyone who has worked for—or consulted with—a company after a breach knows there’s often debate among legal/PR/finance/execs on if & what to report externally. We can look at the SEC filing ( https://investors.fireeye.com/sec-filings/sec-filing/8-k/0001370880-20-000037) for clues as to whether they had an obligation to report. 3/18
Remember, companies can spin and rationalize in a press release or a statement to a reporter, but there are real consequences if a company misleads in a filing. So we can generally accept these documents as representing the facts. 4/18
Reading the filing, we learn that no customer data was taken, thus no customer PII or financial information. The attackers were “tailored .... disciplined and focused.” These words have a lot of meaning in this context, and I think it’s safe to assume that the attackers... 5/18
did not waste time on FireEye corporate systems that house employee data. The loss of customer or employee data is the most common trigger for external reporting of a breach, and it does not sound like this trigger was met. 6/18
Also, when a company has to report a significant breach to customers, they’ll usually also file a form 8-K with the SEC to notify investors about the risk—since they want to avoid a Reg FD issue, where some investors know information that others don’t. 7/18
Another trigger for SEC reporting would be if a company expects a breach to have material financial impact to their business. “Red team tools” may sound like a big deal, and I’m sure the team is devastated to see their work in the hands of the adversary... 8/18
But in terms of business competitiveness, this breach would have had (if undisclosed) no impact on FireEye’s ability to win Red Team deals. That team is among the best in the industry. They will rebuild their toolset and not miss a beat. 9/18
I think it would be justifiable to say that this breach—if never made public—would not have met the threshold for reporting due to adverse financial impact. 10/18
Finally, every public co in the US publishes risk factors (10-Q/K), and they keep these updated. If a co suddenly saw they were being targeted by a nation state, they’d file an 8-K to update risks. FEYE already had this in their Q/K though, so that's not a motivation. 11/18
In summary, this was not a typically breached company where reporting was obviously mandatory, or where the company issued a brief statement to check the box. FireEye might have been able to follow the strict letter of the law and justify saying nothing... 12/18
—or issued a brief statement to say “an externally-facing server was compromised, no customer or employee data was breached, nothing to see here.” Instead, they’ve issued a detailed SEC filing, blogged about it, provided detection sigs, and cooperated with the media. 13/18
A cynic might say, “well, it was going to leak, so they did this to get ahead of it.” I’d say that co's with this intent do the bare minimum, tend to dissemble about the impact, and certainly don’t engage with reporters ... 14/18
(I’m just assuming FireEye has been cooperating with the press—I see quotes in various articles, and don’t see the typical “the company did not respond to requests” statements). 15/18
I believe that FireEye did this because their leadership team, starting with Kevin, is ethical in their DNA—and they care more about customers and the community than they care about short-term impact to the stock price. 16/18
I believe that customers will continue to trust Mandiant/FireEye for the integrity of their response, and expect that investors will get over this soon when they realize how (financially) non-impactful this is in the long run. Yeah it’s a big deal in our community... 17/18
…but if there’s one area that Kevin has been consistent in the many years I’ve known him, it’s the understanding that breaches are inevitable. It’s the response that matters. /end