Security Vendors: Despite Marketing Claims for Smart Software Knee Jerk Response Is the Name of the Game
December 16, 2020
Update 3, December 16, 2020 at 1005 am US Eastern, the White House has activate its cyber emergency response protocol. Source: “White House Quietly Activates Cyber Emergency Response” at Cyberscoop.com. The directive is located at this link and verified at 1009 am US Eastern as online.
Update 2, December 16, 2020 at 1002 am US Eastern. The Department of Treasury has been identified as a entity compromised by the SolarWinds’ misstep. Source: US “Treasury, Commerce Depts. Hacked through SolarWinds Compromise” at KrebsonSecurity.com
Update 1, December 16, 2020, at 950 am US Eastern. The SolarWinds’ security misstep may have taken place in 2018. Source: “SolarWinds Leaked FTP Credentials through a Public GitHub Repo “mib-importer” Since 2018” at SaveBreach.com
I talked about security theater in a short interview/conversation with a former CIA professional. The original video of that conversation is here. My use of the term security theater is intended to convey the showmanship that vendors of cyber security software have embraced for the last five years, maybe more. The claims of Dark Web threat intelligence, the efficacy of investigative software with automated data feeds, and Bayesian methods which inoculate a client from bad actors— maybe this is just Madison Avenue gone mad. On the other hand, maybe these products and services don’t work particularly well. Maybe these products and services are anchored in what bad actors did yesterday and are blind to the here and now of dudes and dudettes with clever names?
Evidence of this approach to a spectacular security failure is documented in the estimable Wall Street Journal (hello, Mr. Murdoch) and the former Ziff entity ZDNet. Numerous online publications have reported, commented, and opined about the issue. One outfit with a bit of first hand experience with security challenges (yes, I am thinking about Microsoft) reported “SolarWinds Says Hack Affected 18,000 Customers, Including Two Major Government Agencies.”
One point seems to be sidestepped in the coverage of this “concern.” The corrective measures kicked in after the bad actors had compromised and accessed what may be sensitive data. Just a mere 18,000 customers were affected. Who were these “customers”? The list seems to have been disappeared from the SolarWinds’ Web site and from the Google cache. But Newsweek, an online information service, posted this which may, of course, be horse feathers (sort of like security vendors’ security systems?):
Notice that the US Secret Service is on this list. How many other US government enforcement agencies were SolarWinds’ customers? That’s an interesting question?
Net net:
- Bad actors compromised a security vendor but only 18,000 customers were affected. Yes, that’s good news I suppose.
- Numerous companies jumped on video conference calls and figured out how to deal with the bad actors’ activities. These activities began exactly when? Yes, that’s another interesting question.
- Brightcove is pitching its security videos in the midst of this “only 18,000 customers” thing; for example, The Science of Cybersecurity: Digital Transformation in Retail
Courtney Radke Fortinet National Retail CISO and Theresa Lanowitz Director, AT&T Cybersecurity.
Security theater and its regularly scheduled programming is uninterrupted.
A final question: When will software systems be upfront about their true behaviors? Yep, another interesting question. But I know the answer to this one: Exactly never.
Stephen E Arnold, December 16, 2020
Comments
One Response to “Security Vendors: Despite Marketing Claims for Smart Software Knee Jerk Response Is the Name of the Game”
Excellent Post, It’s really helpful article