Have you heard about this thing with DirectDefense? If not, the short version is that DirectDefense put up a blog post alleging that competitor CarbonBlack, among other things, is “…the world’s largest pay-for-play data exfiltration botnet.”
They say that because they reported that they discovered a “nearly impossible to stop” vulnerability whereby CB would exfiltrate files that it didn’t recognize outside of the organization. So that’s a true statement… sort of. At least in that CB does sometimes send out files. However, it turns out that: 1) it’s an optional, non-default feature, 2) users are warned about it (unambiguously and sternly) when they turn it on, and 3) nobody – either at the customers who were inadvertent case studies for this or at CarbonBlack – was notified about the issue before they read about it in the news.
CB responded to that in what I think is a fairly measured and reasonable way via their blog. Essentially, they lay out that it’s a feature, explain why it’s there, and discuss the warnings and stern opprobrium the user receives should they enable it. There has been a bit of a subsequent brouhaha about the disclosure side of this: that DD didn’t notify CB ahead of time, that they took liberties with the folks who were case studies, etc. etc. I won’t comment on the disclosure issue because I feel like, if anybody was on the fence about why responsible disclosure was a good idea, they can look to this situation to see why. Specifically, had DD alerted CB to the posting and given them a chance to review the issue ahead of time, CB would have politely told them “it’s a feature” and saved everybody a lot of pain and headache. Not to mention saving DD the “egg on the face” with relatively little downside to them. So I feel like rehashing that is covering ground we already knew.
But there’s another issue here that I think is also worth examining. The ISMG piece tells us:
[DirectDefense CEO] Broome acknowledged to me in a phone interview that the blog post was a stretch. He says DirectDefense has been trying to raise attention around data leaks related to the broad sharing of potentially malicious files. But it hadn’t gotten much attention. “That didn’t get a lot of play, so we decided to go with a more sensational title,” he says. The blog post is titled “Harvesting Cb Response Data Leaks for Fun and Profit.” When queried further about his company’s assertion that the situation would be “nearly impossible” to fix, Broome says: “Honestly, that would be a bit of sensationalism.”
My first response when I read this was to say, “look at the trouble you can get into when execs are fed tone-deaf lines from marketing.” Because that happens… No shame in it really – if you’re listening to a CEO talk in depth about threat analysis, chances are good that’s coming from somewhere else. Because really, aren’t CEOs supposed to be out CEO’ing — smoking cigars on a yacht or whatever else it is they do — instead of being in the lab analyzing and doing research? But then I looked up Jim Broome: prof-services guy at ISS, VP at NT Objectives, Director at Accuvant. Which means I’m really not able to tell if this was a marketing gaffe, if he went there on purpose, or if it was something else entirely.
The upshot is that it’s a useful case study about reining in marketing hype. In the case of DirectDefense, it probably won’t matter that much long term. Had they been venture-funded, they might have lost their CEO over this. But they’re not (as far as I can tell… they’re private and pretty tight-lipped about how they’re funded). In the meantime, though, they lost some industry cred. And in the very short term, it might be harder to sell the message of (from their mission statement), “…delivering customized services with honesty and integrity—every time.”