Are InfoSec vendors ‘sowing confusion’ and selling ‘useless’ products?

As a journalist, you know the drill at media briefings. Hosted and paid-for by a vendor, and with speakers from the company – as well as (usually) an end-user or an academic, the idea is to bring journalists together with the experts to discuss the prominent matters in the industry. And if those issues and industry challenges can be resolved with one of the vendor’s solutions then everyone’s a winner.

The vendor gets the business, the press coverage and the thought leadership, while the journalist gets the story, the contacts and the free lunch. The speakers get some media air-time. It’s no surprise then, that these are usually enjoyable, if tame, affairs.

Except, on this occasion, one of the experts wasn’t following the script. Discussing mobile security, a then-consultant and now-CISO went against the grain, revealing how most enterprises could manage their devices in-house with Microsoft’s old – and not very sexy – ActiveSync. He went on to accuse the vendor community of selling ‘snake oil’ and spreading FUD (fear, uncertainty and doubt). “Vendors are part of the problem,” he said.

It was blunt, but it was interesting because it raised some pertinent questions: How much are vendors doing to make the world a safer place – and is it in their interests to do so anyway?

Are security solutions even fit to face the threat?

Almost all vendor offerings in the InfoSec space are built on fear and risk management. After all, if no one was concerned about data loss, why would anyone bother with security software?

Subsequently, millions of consumers and businesses worldwide today buy or download anti-malware tools, often in the assumption that they’ve ticked the box and made themselves secure.

Yet this ‘security’ is never guaranteed, especially in an evolving threat landscape where cybercrime-as-a-service and nation-state hackers are considered a reality. This has led some experts, including some credible if controversial names, to question if today’s security tools – like antivirus, anti-malware and DLP, are fit for purpose.

Speaking to CSO Online this week, McAfee co-founder John McAfee questioned if today’s security solutions are up to the job.

“The vendor community is largely operating under an old, reactive paradigm that no longer works. The old paradigm looks for damaging code, suspicious file transfers and malicious activities that can only be detected after a hacker first “sniffed” the system they were intending to hack. At this point, it is generally too late to avoid damage.

“Few vendors are providing proactive systems that are able to shut down the hacker within a few minutes of the hacker’s first sniff of the network. Very few vendors are addressing the rapidly growing problem of internal hacks.

“Unless we adopt, universally, a newer paradigm that recognizes that our threat vectors have migrated into a new universe, hacking will continue to escalate to the point that our entire financial and industrial complex will be threatened to extinction.”

He added that vendors “continue to delude customers by urging continued sales of useless products” and are “sowing confusion and creating much harm.”

Dudu Mimran, CTO of Deutsche Telekom Innovation Laboratories (also of the Cyber Security Research Center at Israel’s Ben-Gurion University), said there’s also an oversupply of solutions, which confuses CSOs.

“The current situation with security vendors vs customers is tricky. There is an oversupply where there are dozens of startups and companies providing different solutions based on different concepts for the same problems, which makes the CSOs very confused as for how to build their security stack and concept.

“There is no blueprint approach for enterprise security yet, and that keeps the market stuck. The main security problems that exist do not have yet complete solutions and each vendor in a way solves only 60 to 80% of each problem. This makes it more difficult for CSOs to become confident about their vendor selection strategy.”

The big money industry

Despite this, information security is emerging as a hot area for VCs. Analysts say it was a $75 billion market in 2015 (and expected to grow to $170 billion in 2020), while companies like FireEye, Kaspersky and Symantec have long emerged as household names.

IDC reports that security analytics/SIEM, threat intelligence, mobile security and cloud security are the new areas of interest for investors and this booming market, fueled by a record number of data breaches, has resulted in more security companies going public.

Last June, Rapid7 saw its shares rise 67 percent on the first day of trading on the NASDAQ, while UK-based Sophos raised $125 million on a valuation of $1.6 billion when it went public a month later. At the end of 2015, email security firm Mimecast launched its initial public offering (IPO).

Amar Singh, former CISO at News International and SABMiller

Dell SecureWorks has since joined the NASDAQ, while the Bain Capital-backed Blue Coat was to do the same before selling to Symantec for $4.6 billion.

LogRhythm, Bit9 & Carbon Black are all expected to follow suit in going public, and you can expect many more to come in a thriving market.

Good work behind the scenes

Security providers often get a bad name, for reasons we’ll go into, but the vast majority are doing an enormous amount of good.

Aside their products being used to protect millions of consumers and businesses, vendors help law enforcement by sharing threat intelligence, and taking down criminal infrastructure (like botnets). Research teams give fresh insight on new and old malware through publications like these, and their own blogs.

They provide free tech, like free decryption tools against ransomware, and have researchers disclosing vulnerabilities responsibly. They provide world-class training through bodies like SANS and ISC2, or contribute to OWASP.

Jennifer Stephens is CEO at security consultancy IoActive, which has developed a fine reputation for disclosing vulnerabilities, especially with connected cars. She stresses the importance of corporate responsibility.

“One hundred percent of our revenue is from the security services we deliver, but we also conduct thousands of hours of research a year that we do entirely on our own dime.

“The output of our research alerts consumers to security risks and provides vendors information that enables them to make their products more secure, whether they choose to work with us to do so or not.” She added that the firm’s Advisory Services practice provides strategic guidance on how to continually improve the organization’s security posture “long after our engagement is done.”

“Finally, many members of our team are prolific speakers, writers, bloggers and advisers that give free talks around the country, participate in or lead security chapters or projects within their communities or associations.”

Marcin Kleczynski, co-founder and CEO of Malwarebytes, said in an email to CSO that its focus is beyond just technology.

“Our entire company is dedicated to protecting consumers and businesses from the most dangerous cyber threats, but effective protection against these threats often necessitates far more than technology solutions.

“So, our Malwarebytes Labs team works hard to discover and educate the public on the latest dangerous exploits and attack methods, documenting them on our blog with advice for how consumers and businesses can best navigate the threat landscape. We have even gone as far as working with law enforcement to shut down some tech support scammers and cyber criminals using our labs research.”

The increased collaboration with law enforcement is becoming more commonplace; in July, the Dutch National Police, Europol, Intel Security and Kaspersky Lab joined forces to launch an initiative called No More Ransom, to spread the word about the threat of ransomware, while May saw Europol and F-Secure sign an memorandum of understanding to share cyber-crime information.

Late last year FBI, Interpol, Microsoft and ESET partnered to take down the infrastructure behind the Dorkbot botnet which infected 1 million computers with malware.

Do some vendors spread FUD and sell ‘snake oil’?

For all its notable efforts, the vendor community does often receive criticism for spreading fear around the security threat in the hope of selling more products.

It’s not unusual for journalists to receive press releases warning of cyber-warfare, ‘cyber armageddon’ or a critical infrastructure attack (note: research currently suggests pesky squirrels are more likely to take down your local power grid, rather than China’s PLA Unit 61398).

Some vendors are also quick to latch onto breaking vulnerabilities or attacks, and will happily over-play the threat. Others have been accused of making hyped-up boasts about “unbreakable” or uncrackable products.

There is an argument that this fear factor is required, but many argue it has an adverse effect – pushing the customer away, while also highlighting the futility of the very security products they are trying to sell.

Amar Singh, former CISO at News International and SABMiller, says some vendors are better than others.

“I would say there are good apples and bad apples; some vendors are into doing right thing, but no doubt some vendors are…only focused on sales and pedalling their products. They make extraordinary promises.

“Yet, I know some vendors who say ‘No, this isn’t product what you are looking for’.”

Malwarebytes’ Kleczynski admits it’s hard for vendors to educate end users “not as ingrained in the space as we are” on the security threat, but downplayed suggestions of vendors “overstating the threat”.

“I don’t think that by painting a clear picture of the nature and consequences of cyber threats is “overstating the threat.” It’s important to use examples of very real consequences of cyber-attacks to educate consumers and businesses and give them an opportunity to learn that the threat of cyber-attacks is real and can have very real consequences.”

Stephens, though, suggested FUD is an age-old problem.

“Selling FUD is an unfortunate legacy and reality in the industry. It’s rooted in the fact that the need for security hasn’t always been the recognized and acknowledged organizational priority that it’s become almost universally today. So selling FUD was how you “made it important” to decision makers. That’s no longer the case.

“But because it is such a high priority issue now, the use of FUD to appeal to a far more security-conscious society seems to be enduring and even proliferating as a selling tactic. It’s especially distressing when there are so many legitimate security threats now and they’re often difficult to filter or distinguish amongst all the FUD noise.”

But does FUD help to drive awareness?

In moderation, FUD does have its place, in particular in justifying security measures and budgets to management.

Mimran says this will continue: “The main go-to-market strategy for security vendors has always been FUD, and although it does not sound right versus showing the real value of products and services, still we are in the field of security.

“The field of security and the focus on threats is based on risk management and the natural emotions involved in risk management are naturally fear and uncertainty.

“Until the cyber-security industry will mature, FUD will still be the main root message behind marketing of cyber-companies. There are early signs of maturity in different companies but still the vast majority is still focused on actual threats and their damage which is basically FUD.

Singh agreed, but added that customers are “partly to blame”.

“The problem is, as consumers always look for panacea to a problem, and the problem with cyber is it is not binary. It’s not black and white. Humans have a problem with the concept of a grey area.

“Vendors are fighting a losing battle because if they say ‘my product may protect you’, many consumers may not buy product. So have to go overboard and make a promise not fully true. It’s an education issue definitely.”

He added customers don’t spend time on understanding who will use the products, or what they are trying to protect.

“Part of the problem in IT is customers have no idea what they want – they get promised the world, but they don’t understand the terminology. It’s a similar thing with cyber.”

What more can be done?

There is hope though that more can be done on both sides to improve security maturity.

Mimran added: “The market should go through some consolidation to ramp up the solutions and the vendors should work much more closely with customers toward tailoring solutions which eventually once they fill the gap can turn into products.”

Singh says: “I think the good vendors will invest in educating the customer, or potential customer, on what limits of particular tech set, not necessary their products.”

Kleczynski added: “The bottom line is that the cyber threat landscape is constantly evolving and we all need to work together, share ideas, and try to stay one step ahead of criminals.

“Collaboration, research and coordinating with government agencies are all great steps towards making not just the web, but the world a safer place. There have certainly been instances where we’ve approached a company to collaborate and because of our “competitive” nature, we were turned down. Differences must be set aside.”