Alexandria-based Mandiant responds to hundreds of cybersecurity attacks on companies every year, and most of them are never mentioned beyond the victim company’s walls.
But when it was recently revealed that hackers infiltrated the computer systems at several of the nation’s top newspapers, including the Wall Street Journal, the New York Times, and Capital Business’s parent, The Washington Post, the company’s cyber sleuthing made headlines.
Founded in 2004, Mandiant will scour a company’s network for breaches and systematically dispel attackers. It then keeps a running catalog of the attacks and develops responses to head off future ones.
“By responding to every breach that matters, you can offer better security to your customers,” founder and chief executive Kevin Mandia said. “You’re more current. You’re more aware of what the threats are doing.”
Media companies are hardly the first victims of cyber attacks. Mandia began his career in the Air Force providing cyber defense for the military in the 1990s. Federal agencies were also early targets, he said, followed by financial institutions.
He started Mandiant because he expected attacks on private industry to pick up as the Internet became faster and more pervasive. Nowadays, attacks can be waged by governments, sophisticated hacker groups or just smart, unruly youngsters with an Internet connection.
“I kind of knew the private sector didn’t stand a chance,” Mandia said. “[I thought] let’s help the private sector be armed and prepared for these incidents when they occurred, but I didn’t realize it would be as bad as it got.”
Just last week, the Obama administration issued an executive order calling for the government and private industry to share more information about cyber attacks. The reports will remain anonymous to protect victims’ identities, but allow others to better secure their networks from similar attacks, the order said.
“This voluntary information sharing program will provide classified cyber threat and technical information from the government to eligible critical infrastructure companies or commercial service providers that offer security services to critical infrastructure,” the order states.
Mandia groups companies into three categories: Those whose business model calls for cybersecurity protections, those that have them to appease regulators and those that don’t have them or think they’re necessary.
Mandiant focuses most of its business on the first two categories, he said. They keep the company busy enough that it doesn’t need to chase those that don’t see cybersecurity as a priority.
The company’s revenue surpassed $100 million last year, a 76 percent increase from 2011. Mandiant also added 150 employees to its payrolls last year, bringing the company’s staff to 333 at last count.
Mandia said the firm was largely self-funded at the start, but then took a small cash infusion from a college friend. In 2011, the firm collected $70 million from One Equity Partners and Kleiner Perkins Caufield & Byers.
But Mandiant continues to expand its revenue streams, building on the knowledge it acquires each time the company responds to another attack.
In 2009, the firm introduced a managed services business that monitors a company’s computer networks and scrubs them clean of any malware or cybersecurity vulnerabilities. Though not part of the company’s initial business plan, Mandia said the services now count about 70 clients.
“We see rapid attitude changes and capabilities changes when we respond to incidents,” he said. “It’s usually a very transformative time for the customer.”