
Comment for Proposed Rule 80 FR 80139

  • From: Klara T. Jordan
    Organization(s): FireEye

    Comment No: 60655
    Date: 2/22/2016

    Comment Text:

    FireEye appreciates the opportunity to provide comments on the Commodity Futures Trading Commission’s (CFTC) notice on proposed rulemaking on system safeguards testing requirements. Our response pertains to question 7 in the Proposed Rule 80 FR 80139 / 17 CFR Parts 37, 38, and 49 System Safeguards Testing Requirements – whether the Commission should consider requiring other types of cybersecurity and system safeguards testing not included in the Proposal.

    FireEye recommends that CFTC consider adding a requirement that organizations regularly hunt within their environment for indicators of compromise to determine whether the organization is already breached. While the proposed testing requirements and safeguards will provide organizations with insight into whether a cyber threat is able to exploit a vulnerability or otherwise breach their environments, they do not provide an organization with insight into whether attackers have already penetrated their defenses and are currently operating within their environments. By proactively hunting for cyber threats in their environments, organizations can detect and prevent attackers from propagating malicious activity, moving laterally in an organization, and compromising, manipulating and/or stealing data. This emerging best practice is already considered part of a comprehensive cybersecurity strategy at several USG agencies and Fortune 500 companies.

    Over the past year, FireEye has observed that sophisticated cyber actors are rapidly improving their tradecraft and have improved their counter-forensics, making their detection more difficult through traditional testing methods. Accordingly, cybersecurity testing techniques and safeguards must evolve to keep pace with the growing sophistication of threat actors. Based on FireEye experience, it is impossible to identify and eliminate all of the vulnerabilities and attack vectors by which an intruder can achieve unauthorized access. Furthermore, because not all flaws can be fixed, or fixed in a timely and scalable manner, intruders can penetrate organizations’ networks. In FireEye’s experience, advanced attackers often remain undetected on the system for a median of 205 days and 69% of organizations learn of the breach from third parties. (FireEye report M-Trends 2015: A view from the front lines, https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf). By proactively hunting within their environments, organizations can begin to shift this paradigm and begin to detect and contain breaches before an attacker has the opportunity to achieve their objectives.

    This recommendation stems from FireEye’s experience on the front lines of the cyber battlefield responding to critical security incidents at hundreds of organizations a year and protecting over 3,700 customers across 67 countries, including over 675 of the Forbes Global 2000 on a daily basis. Being close to the breach provides FireEye with unique insight into how attackers’ motives and tactics are changing over time and allows us to track the evolution of over 100 advanced nation-state sponsored Advanced Persistent Threat (APT) actors. With experts focusing on security program development, incident response, computer forensics, threat assessment, threat detection, network security, and application security, our mission is to protect both large and small organizations by stopping advanced cyber threats, data breaches, and zero-day attacks.

    We appreciate the opportunity to comment. Please do not hesitate to contact us should you have any questions.
