The Role of Aggregate Data in Security
The latest battle between eEye's Ross Brown and StillSecure's Alan Shimel got me thinking about a bigger topic. How can/should we use data to make our security defenses stronger and to improve our posture?
To provide some context, I covered Ross' announcement of a free Blink! endpoint security product for home use (here). Alan responded that although the product is free, eEye gathers data about the product's usage and uses it for security research purposes (here). Ross responded about the horrors of offering free stuff (here), and does a good job of walking through the decision process that got eEye to where they are.
Here is my response to Alan's post (as a comment on his blog):
Correctamundo, Sr. Shimel. I figure given you are in FLA, you are getting quite familiar with Spanish. :-) You are correct in mentioning that eEye will be collecting data, but this is neither unique, nor in my opinion an issue. Microsoft, Symantec, McAfee and every other security vendor systematically gathers data from their customers (usually with their agreement, sometimes not) and no one I've EVER spoken to has an issue with this. As long as the data is anonymized and just used for aggregation and summary statistics, it's cool.
I get that you are trying to take the high road, but maybe you should revisit the data you "aren't" gathering because perhaps it can make StrataGuard more effective at blocking attacks, or at least your own internal folks more effective at knowing what's going on out there.
But this topic is bigger than just whether it's cool to gather data from possibly unsuspecting customers. Data is necessary. Data is important. Without data, the good guys have precious few ways to figure out what the bad guys are up to. So the vendors MUST gather data; the question is what the best way to do that is.
I spent some time in the anti-spam business, and that is all about data. You need to gather good messages (ham) and bad messages (spam), and you need to use that data to fine-tune your filters and settings and to test new techniques. Now that data is aggregated and correlated to provide a sender "reputation," which can help to prevent spam from undesired parties.
Every customer was willing to share anonymized information about their message traffic because they knew it would make their email defenses better. It was never an issue.
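To make the "anonymized and summarized" trade concrete, here is an added example (not code from the original post, and not eEye's, StillSecure's or any anti-spam vendor's pipeline) that ties together the two points above: each customer's records are pseudonymized and stripped of message-level details before they leave the customer, and the vendor only ever aggregates per-sender ham/spam verdicts into a reputation. The sample events, the customer names, the `PSEUDONYM_KEY` secret and the evidence thresholds are all constructed assumptions for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample telemetry, shaped like what a customer's mail gateway might
# report. Every record here is made up; none comes from a real product.
RAW_EVENTS = [
    {"customer_id": "acme-corp", "sender_domain": "bulk-mailer.example",
     "recipient": "alice@acme.example", "subject": "Cheap meds", "verdict": "spam"},
    {"customer_id": "acme-corp", "sender_domain": "bulk-mailer.example",
     "recipient": "bob@acme.example", "subject": "Cheap meds!!", "verdict": "spam"},
    {"customer_id": "globex", "sender_domain": "bulk-mailer.example",
     "recipient": "cfo@globex.example", "subject": "Act now", "verdict": "spam"},
    {"customer_id": "initech", "sender_domain": "bulk-mailer.example",
     "recipient": "hr@initech.example", "subject": "Act now", "verdict": "spam"},
    {"customer_id": "acme-corp", "sender_domain": "partner.example",
     "recipient": "alice@acme.example", "subject": "Q3 invoice", "verdict": "ham"},
    {"customer_id": "globex", "sender_domain": "partner.example",
     "recipient": "cfo@globex.example", "subject": "Contract draft", "verdict": "ham"},
    {"customer_id": "globex", "sender_domain": "partner.example",
     "recipient": "legal@globex.example", "subject": "Contract v2", "verdict": "ham"},
    {"customer_id": "initech", "sender_domain": "newbie.example",
     "recipient": "hr@initech.example", "subject": "Resume", "verdict": "spam"},
]

# Hypothetical vendor-side secret for keyed pseudonyms. A real deployment keeps it
# out of source and rotates it; with a plain unkeyed hash, anyone holding the list
# of customer names could re-identify every pseudonym by hashing them all.
PSEUDONYM_KEY = b"constructed example secret - rotate in practice"

# The only fields allowed to leave the customer: nothing naming a person or message.
SHARED_FIELDS = ("sender_domain", "verdict")
VALID_VERDICTS = ("ham", "spam")


def anonymize(event, key=PSEUDONYM_KEY):
    """Replace the customer identifier with a keyed pseudonym and drop recipient,
    subject and any other message-level detail before the record is shared."""
    if event["verdict"] not in VALID_VERDICTS:
        raise ValueError("unexpected verdict: %r" % event["verdict"])
    pseudonym = hmac.new(key, event["customer_id"].encode(), hashlib.sha256).hexdigest()[:16]
    shared = {field: event[field] for field in SHARED_FIELDS}
    shared["customer"] = pseudonym
    return shared


def aggregate(events):
    """Collapse pseudonymized events into per-sender ham/spam counts, remembering
    only how many distinct pseudonyms reported each sender."""
    stats = defaultdict(lambda: {"ham": 0, "spam": 0, "customers": set()})
    for event in events:
        sender = stats[event["sender_domain"]]
        sender[event["verdict"]] += 1
        sender["customers"].add(event["customer"])
    return stats


def reputation(stats, min_reports=3, min_customers=2, spam_threshold=0.8):
    """Turn aggregate counts into a reputation label per sender. A sender seen by
    too few reports, or by only one reporter, stays 'unknown' so that a single
    customer's (possibly mistaken or malicious) verdicts cannot set a reputation."""
    scores = {}
    for domain, sender in stats.items():
        total = sender["ham"] + sender["spam"]
        if total < min_reports or len(sender["customers"]) < min_customers:
            scores[domain] = ("unknown", None)
            continue
        ratio = sender["spam"] / total
        if ratio >= spam_threshold:
            label = "bad"
        elif ratio <= 1 - spam_threshold:
            label = "good"
        else:
            label = "mixed"
        scores[domain] = (label, round(ratio, 2))
    return scores


def build_reputation(raw_events=RAW_EVENTS):
    """Full pipeline: customer-side anonymization, then vendor-side aggregation."""
    return reputation(aggregate(anonymize(event) for event in raw_events))


if __name__ == "__main__":
    for domain, (label, ratio) in sorted(build_reputation().items()):
        print("%-22s %-8s %s" % (domain, label, ratio))
```

The split between `anonymize` and `aggregate` is the design point: the vendor never receives recipients, subjects or raw customer names, yet the aggregate still answers the question that matters for blocking (which senders are spamming many customers). The `min_customers` check is the caveat a practitioner would add, since a reputation feed that trusts one reporter is easy to poison.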
Is there any doubt that Microsoft gathers a ton of data about how you use Windows? They do. Are the privacy mongers all up in arms about it? NO. Maybe they don't realize. Symantec and McAfee do as well. They've gotten a bit more sophisticated and they ask whether you want to participate in their "network," but by default you do. Most people don't care.
Is it a privacy risk? I guess. But everything is. As I mentioned this AM, my head hurts from thinking about all the potential privacy risks that are out there. So I don't. Maybe I'm playing my own ostrich game, but I'm more focused on helping people protect themselves from real attacks that are happening today, and not potential breaches that may happen tomorrow. I could be wrong, but that's my opinion today.
Thus I don't have an issue with eEye gathering data. Firstly, they are offering the product at no cost to the consumer. Last time I checked there was no free lunch, so I think sharing data is a reasonable trade. And even if I was paying for the product, I'd still share my data - anonymized and summarized of course.
Why? Because I know that it makes the products that I use better. And ultimately security practitioners are paid to protect things, not get religious about the use of data. So stand down Alan, you are barking up the wrong tree on this one.