eEye

The Role of Aggregate Data in Security

The latest battle between eEye's Ross Brown and StillSecure's Alan Shimel got me thinking about a bigger topic. How can/should we use data to make our security defenses stronger and to improve our posture?

To provide some context, I covered Ross' announcement of a free Blink! endpoint security product for home use (here). Alan responded about the fact that although the product is free, eEye gathers data about the product's usage and uses that for security research purposes (here). Ross responded about the horrors of offering free stuff (here), and does a good job of walking through the decision process that got eEye to where they are.

Here is my response to Alan's post (as a comment on his blog):

Correctamundo, Sr. Shimel. I figure given you are in FLA, you are getting quite familiar with Spanish. :-) You are correct in mentioning that eEye will be collecting data, but this is neither unique, nor in my opinion an issue. Microsoft, Symantec, McAfee and every other security vendor systematically gathers data from their customers (usually with their agreement, sometimes not) and no one I've EVER spoken to has an issue with this. As long as the data is anonymized and just used for aggregation and summary statistics, it's cool.

I get that you are trying to take the high road, but maybe you should revisit the data you "aren't" gathering because perhaps it can make StrataGuard more effective at blocking attacks, or at least your own internal folks more effective at knowing what's going on out there.

But this topic is bigger than just whether it's cool to gather data from possibly unsuspecting customers. Data is necessary. Data is important. Without data, the good guys have precious few ways to figure out what the bad guys are up to. So the vendors MUST gather data, the question is what is the best way to do that?

I spent some time in the anti-spam business, and that is all about data. You need to gather good messages (ham) and bad messages (spam) and you need to use that data to fine tune your filters and settings and to test new techniques. Now that data is aggregated and correlated to provide a sender "reputation," which can help to prevent spam from undesired parties.

Every customer was willing to share anonymized information about their message traffic because they knew it would make their email defenses better. It was never an issue.

Is there any doubt that Microsoft gathers a ton of data about how you use Windows? They do. Are the privacy mongers all up in arms about it? NO. Maybe they don't realize. Symantec and McAfee do as well. They've gotten a bit more sophisticated and they ask whether you want to participate in their "network," but by default you do. Most people don't care.

Is it a privacy risk? I guess. But everything is. As I mentioned this AM, my head hurts from thinking about all the potential privacy risks that are out there. So I don't. Maybe I'm playing my own ostrich game, but I'm more focused on helping people protect themselves from real attacks that are happening today, and not potential breaches that may happen tomorrow. I could be wrong, but that's my opinion today.

Thus I don't have an issue with eEye gathering data. Firstly, they are offering the product at no cost to the consumer. Last time I checked there was no free lunch, so I think sharing data is a reasonable trade. And even if I was paying for the product, I'd still share my data - anonymized and summarized of course.

Why? Because I know that it makes the products that I use better. And ultimately security practitioners are paid to protect things, not get religious about the use of data. So stand down Alan, you are barking up the wrong tree on this one.
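The comment above argues that vendor telemetry is acceptable when it is "anonymized and just used for aggregation and summary statistics," and gives anti-spam sender reputation as the example of what the aggregate buys you. As an added illustration (example code written for this page, not eEye's, StillSecure's or any vendor's real telemetry pipeline), here is the shape such a pipeline takes: the customer side strips and pseudonymizes a record before it leaves the site, and the vendor side collapses records into per-sender summary statistics, suppressing any bucket backed by too few distinct reporters. The record layout, the install ids, the hostnames and the domains are all constructed for the example.

```python
"""Anonymized, aggregated telemetry, as described in the post.

Example code added for this page; it is not any vendor's real pipeline.
All sample records, install ids and hostnames below are constructed.
"""
import hashlib
import hmac
from collections import defaultdict

# Customer-side secret: stays with the customer, so the vendor only ever
# receives keyed hashes of internal hostnames, never the hostnames themselves.
# (Constructed value; a real deployment would generate this per install.)
CUSTOMER_KEY = b"per-install-secret-never-sent-to-vendor"

# Minimum number of distinct reporting installs a sender-domain bucket needs
# before it is published. Below this, the bucket could identify one customer.
MIN_REPORTERS = 3

# Constructed sample: one record per message a mail filter classified.
# Fields: opaque install id, internal receiving host, sender domain, verdict.
SAMPLE_RECORDS = [
    ("inst-a", "mx1.acme.internal", "news.example.com", "ham"),
    ("inst-b", "mail.globex.internal", "news.example.com", "ham"),
    ("inst-c", "gw.initech.internal", "news.example.com", "ham"),
    ("inst-c", "gw.initech.internal", "news.example.com", "spam"),
    ("inst-a", "mx1.acme.internal", "bulk.example.net", "spam"),
    ("inst-b", "mail.globex.internal", "bulk.example.net", "spam"),
    ("inst-a", "mx1.acme.internal", "partner.example.org", "ham"),
    ("inst-b", "mail.globex.internal", "partner.example.org", "spam"),
    ("inst-c", "gw.initech.internal", "partner.example.org", "spam"),
    ("inst-c", "gw.initech.internal", "partner.example.org", "spam"),
]


def pseudonymize(value: str, key: bytes = CUSTOMER_KEY) -> str:
    """Replace a direct identifier with a keyed hash (HMAC-SHA256, truncated).

    Keyed rather than plain SHA-256: the space of plausible hostnames is small,
    so an unkeyed hash could be reversed by hashing guesses. Deterministic, so
    the same host still counts once when records are aggregated.
    """
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def strip_record(record):
    """Customer-side step: this is what actually leaves the site.

    The sender domain is kept (reputation is about the sender), the internal
    host is pseudonymized, and nothing about recipients is carried at all.
    """
    install_id, internal_host, sender_domain, verdict = record
    return install_id, pseudonymize(internal_host), sender_domain, verdict


def aggregate(records, min_reporters: int = MIN_REPORTERS):
    """Vendor-side step: per-sender-domain summary statistics.

    Returns {domain: {"ham": n, "spam": m, "reporters": r, "reputation": s}},
    where reputation is the ham fraction. Domains seen by fewer than
    `min_reporters` distinct installs are dropped rather than published.
    """
    buckets = defaultdict(lambda: {"ham": 0, "spam": 0, "reporters": set()})
    for install_id, _host_token, domain, verdict in map(strip_record, records):
        buckets[domain][verdict] += 1
        buckets[domain]["reporters"].add(install_id)

    summary = {}
    for domain, b in buckets.items():
        if len(b["reporters"]) < min_reporters:
            continue  # too few sources: suppress instead of exposing one reporter
        total = b["ham"] + b["spam"]
        summary[domain] = {
            "ham": b["ham"],
            "spam": b["spam"],
            "reporters": len(b["reporters"]),
            "reputation": round(b["ham"] / total, 2),
        }
    return summary


if __name__ == "__main__":
    for domain, stats in sorted(aggregate(SAMPLE_RECORDS).items()):
        print(domain, stats)
```

The two functions split along the trust boundary the comment is really about: what the customer is willing to send (`strip_record`) versus what the vendor is allowed to publish (`aggregate`). With the constructed sample, `bulk.example.net` is seen by only two installs and so never appears in the summary, even though every report about it was spam; that suppression is the price of not letting a published bucket point back at a single customer.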


Comment Watch: The role of vulnerability research

Submitted by Mike Rothman on Thu, 2006-07-20 17:19.
In today's TDI, I mentioned a different perspective - offered by Dave Goldsmith of Matasano - showing a positive view of the Symantec study of Vista's network attack surface (link here). Sure enough Dave's colleague Thomas weighed in to clarify some stuff. It became a pretty interesting interchange between the two of us and one that warrants a deeper discussion. Since many of you don't get access to the comments via RSS, I thought I'd cut and paste a bit to keep you clued in. I did edit Thomas' comments a bit because this is a family blog. HA!
Submitted by Thomas Ptacek (not verified) on Thu, 2006-07-20 10:15.

The mistake you're making with the Symantec report is believing that the work was driven by top-down strategy inside the company. It isn't.

I've known Oliver Friedrichs, the manager of what SYMC calls "Advanced Threat Research", since 1995. I worked directly alongside him at Secure Networks, where he co-founded the industry's first professional vulnerability research lab, along with Tim Newsham, Dave Sacerdote, and Ivan Arce.

Oliver Friedrichs is not f***ing [MSR edit] around. SYMC has the resources and the talent to build a top-calibre security research team. If there's any top-down decision-making at SYMC, I'm sure it's simply to go do that. "Oliver, kick Cisco and ISS's ass and seize the mindshare around research that Symantec has ceded over the past 6 years".

Once you get to that point, the Vista study is pretty obvious. You've got access to some of the best vulnerability research talent in the industry. What are you going to aim it at? I don't think the board, John Thompson, or even Oliver's immediate manager had to be involved in the decision to spend some resources poking the Vista TCP/IP stack.

I don't mind the accusation that you're leveling at Symantec. They're in business to win and they're not all nice people. But I don't think you make yourself look more credible when you cast Oliver's group in this light; people who know vuln research will scratch their heads at your assertion.

Thanks for noticing us, though! =)
For a change, the Matasano guys are adding value to the discussion. Here is my response:
Submitted by Mike Rothman on Thu, 2006-07-20 10:26.

Thomas,
I hear your point and that's more good perspective. But I also don't think that Oliver was out there humping his work in the press this week. That would be uncharacteristic given what I know about "most" vulnerability researchers. It's plausible that Oliver has free rein over what gets researched, but I highly doubt he has much to say about what Symantec's PR machine decides to push.

If their objective is to regain lost ground on the research side, your friend Oliver is going to find himself a pawn in a very high profile game. Maybe he knows this, maybe he doesn't. Since I don't know him I can't say. But when his group finds something of interest (like they did this week), the Big Yellow PR machine will try to bend it to their own devices.

I'm not doubting that the research was genuine. But I'm very comfortable in my assessment of what their PR aims were.

And this is where it gets interesting. Clearly there is something here and now we need to figure it out. Thomas weighs in a final time:
Submitted by Thomas Ptacek (not verified) on Thu, 2006-07-20 10:59.

You say, "If their objective is to regain lost ground on the research side, your friend Oliver is going to find himself a pawn in a very high profile game". I say, THAT's the interesting discussion to have about this.

Write something explaining the point you're making; I want to hear more about it. What's the "high profile game" around vulnerability research?

Your point about PR vs. research calendar is well taken. I can split the difference. Oliver's group owns their calendar, bottom-up. SYMC PR is probably top-down.
So let's dig a bit deeper here. What is the value of vulnerability research? Clearly in the early stages it was mostly for PR purposes. Folks like RipTech (which was subsequently bought by Symantec) had reams of data and they did some interesting analysis on it. Their real innovation was packaging it up in a report and starting the media frenzy about the increasing vulnerability landscape. They got very broad media coverage for the report and it really put RipTech on the map.

But now it seems that every vendor has its own version of the report. Every big one anyway. ISS and VRSN have gotten their research groups a lot of ink driven by these quarterly reports. So it's not really differentiating anymore, is it?

At the same time, you see security vendors being attacked and vulnerabilities in their code being disclosed pretty regularly. Some patch things and forget to tell folks (ahem, McAfee) and it seems every month or so you hear about Symantec and Cisco patching things as well. So now the cottage industry seems to be finding the holes in other folks' stuff.

This is both a PR strategy - pioneered very effectively by eEye (3rd party patching anyone) and new entrants like Mu Security that have boxes that are designed to find holes - as well as a competitive lever. Security is about credibility at the end of the day. If you have really smart guys that can find stuff broken in other people's software - then they must do a good job of protecting their own, no?

Well, not exactly. But close enough - especially to a customer that is looking at 3 products that are totally undifferentiated. I'm talking about pretty much every security market, by the way. Who do they pick? Maybe the one from the guys that seem the smartest. That's one plausible scenario anyway.

But, back to the topic. As Thomas speculates above, it's unlikely that anyone in Symantec specifically told their vulnerability research team to go find something broken in Vista. It could have happened, but I agree with Thomas - it's more likely bottoms-up. But once they found that data, I believe the Big Yellow PR team smelled a big opportunity to poke Microsoft in the eye. And they took it. And many of us bit. At least I can say I questioned their motives, as opposed to questioning their findings. Again, kudos to Dave G for doing the derivative analysis.

So what? Basically, I figure we are going to see vulnerability researchers let loose on competitors' security software. The Symantec-Microsoft deal may have been bottoms-up, but in a market this competitive, with folks looking for literally ANY advantage - it's just a matter of time before this becomes a big part of competitive analysis moving forward. And the PR teams will be orchestrating, on one hand working to seem on the up and up - just doing a service to the community - don't cha know. But on the other hand trying to stick it to the competition when they can. That's a high wire act for sure.

But it puts the researcher in the precarious position of trying to do the right thing, but more often than not becoming the finger poking some competitor. As I mentioned in my response, some will be cool with that and others...not so much. Interesting times to be a vulnerability researcher, that's for sure.

Symantec gets poked in the eEye

Submitted by Mike Rothman on Thu, 2006-05-25 17:43.

eEye has found a pretty serious vulnerability in Symantec's AV software. You've probably already read about it (Stiennon covered it - http://blogs.zdnet.com/threatchaos/?p=334 and here is the AP link). The fact that the vulnerability exists is not what's interesting.

It's that eEye has disclosed that it found the vulnerability this week, notified Symantec and is not telling anyone any specifics until the patch is released. It kind of turns the public relations aspect of vulnerability hunting on its ear.

Clearly not satisfied with getting credit at the bottom of the security alert, eEye disclosed the vulnerability to get full credit now and also to make the public point that their host intrusion protection product protects against the flaw. That leads me to believe that most HIPS products will stop the attack.

Of course, this attack is already a non-issue because once Symantec patches the hole, the updates will be automagically distributed to all of the vulnerable software. So everyone is getting worked up about an exposure that will be patched before any real details come to light. 

I'm not sure I'm cool with this "I found something but I'm not telling you about it" approach. It is clearly better than fully and publicly disclosing the issue (and how to exploit it) with no warning. But since this is a PR strategy for eEye, they couldn't have waited until the patch was out, because then their ability to say that their HIPS product stops the attack would be gone.

So I guess we'll need to get used to this. Vulnerabilities will be found and sort of disclosed, but without enough information to cause damage. And PR folks will stay very busy working the media up into a frenzy for an attack that will never amount to anything.


Third Party Patching - It's PR, not a market

Submitted by Mike Rothman on Thu, 2006-03-30 18:41.

I just read a blog post by Larry Greenemeier that set me off (http://www.informationweek.com/blog/main/archives/2006/03/microsoft_secur.html) in that he wonders aloud whether there is actually a market for 3rd party patches. Some European dude and now eEye have gotten a lot of PR because they issued patches and now this is a market.

WRONG! This is not a market, this is a PR exercise. I'm sure the researchers have the best intentions for why they are issuing these patches. They probably even believe they are helping out the community, and maybe they are. But let's be clear on this one, this is a way for each organization to increase their visibility with the express goal of selling more of their product.

eEye does not invest in their own research group because they are trying to help the community. That may be a fortunate byproduct, but rather it increases their visibility and enhances their credibility in the security circles that buy their product. IT IS PUBLIC RELATIONS.

But the question still remains whether there is a business there. I say a resounding no. Why? Because over the past 5 years that Microsoft has been serious about their patching process, this is the 2nd situation that they've been dreadfully late and caused others to take action. And dreadfully late is a matter of opinion. If eEye didn't issue the patch, would this be as big a deal?

Maybe I'm being naive and the world really has changed because folks are using these exploits to create zombies that can then be monetized later. So, if the patch is wildly successful we'll still have another 150,000 new zombies today. I guess that's better than 250,000, but how much better? 

Also, how long do you think that each product is applicable for? The answer is until Microsoft fixes the problem. What, a week or two? You can't build a business on waiting for Microsoft to screw up and then issuing a patch until they get their act together. Maybe you can build a hobby, but definitely not a business. 

As I mentioned in the 3rd party patching perspectives blog post (here), defense in depth helps you to be insulated against one exploit that Microsoft hasn't fixed yet. I must admit that all this 3rd party patching stuff is starting to annoy me. I hope Microsoft rolls something next week (not waiting until the 11th) and shuts everybody up.

Then we can finally get back to sharing our angst about data privacy and xenophobia. It is angst that makes the world go around after all.