<h1>DirectDefense: marketing lesson</h1>
<p>Published 2017-08-11 at <a href="https://securitycurve.com/?p=548">securitycurve.com</a> in the security category. Tags: carbonblack, directdefense, disclosure.</p>
<p><img class="alignright size-medium" src="https://media.giphy.com/media/FUqQ9P9Uqlqso/giphy.gif" width="400" height="200" />Have you heard about <a href="http://www.bankinfosecurity.com/blogs/heres-how-ugly-infosec-marketing-get-p-2527">this thing with DirectDefense</a>? If not, the short version is that DirectDefense put up a <a href="https://www.directdefense.com/harvesting-cb-response-data-leaks-fun-profit/">blog post</a> alleging that competitor CarbonBlack, among other things, is “…the world’s largest pay-for-play data exfiltration botnet.”</p>
<p>They say that because they reported discovering a “nearly impossible to stop” vulnerability whereby CB would exfiltrate files it didn’t recognize outside of the organization. So that’s a true statement… sort of. At least in that CB does sometimes send out files. However, it turns out that: 1) it’s an optional, non-default feature, 2) users are warned about it (unambiguously and sternly) when they turn it on, and 3) nobody – either at the customers who were inadvertent case studies for this or at CarbonBlack – was notified about the issue before they read about it in the news.</p>
<p>CB <a href="https://www.carbonblack.com/2017/08/09/directdefense-incorrectly-asserts-architectural-flaw-in-cb-response/">responded to that</a> in what I think is a fairly measured and reasonable way via their blog. Essentially, they lay out that it’s a feature, explain why it’s there, and discuss the warnings and stern opprobrium the user receives should they enable it. There has been a bit of a subsequent brouhaha about the disclosure side of this: that DD didn’t notify CB ahead of time, that they took liberties with the folks who were case studies, etc. etc. I won’t dwell on the disclosure issue because I feel like, if anybody was on the fence about why responsible disclosure was a good idea, they can look to this situation to see why. Specifically, had DD alerted CB to the posting and given them a chance to review the issue ahead of time, CB would have politely told them “it’s a feature” and saved everybody a lot of pain and headache. Not to mention saving DD the “egg on the face” with relatively little downside to them. So I feel like rehashing that is covering ground we already knew.</p>
<p>But there’s another issue here that I think is also useful. The ISMG piece tells us:</p>
<blockquote><p>[DirectDefense CEO] Broome acknowledged to me in a phone interview that the blog post was a stretch. He says DirectDefense has been trying to raise attention around data leaks related to the broad sharing of potentially malicious files. But it hadn’t gotten much attention. “That didn’t get a lot of play, so we decided to go with a more sensational title,” he says. The blog post is titled “Harvesting Cb Response Data Leaks for Fun and Profit.” When queried further about his company’s assertion that the situation would be “nearly impossible” to fix, Broome says: “Honestly, that would be a bit of sensationalism.”</p></blockquote>
<p>My first response when I read this was to say, “look at the trouble you can get into when execs are fed tone-deaf lines from marketing.” Because that happens… No shame in it really – if you’re listening to a CEO talk in depth about threat analysis, chances are good that’s coming from somewhere else. Because really, aren’t CEOs supposed to be out CEO’ing — smoking cigars on a yacht or whatever else it is they do — instead of being in the lab analyzing and doing research? But then I looked up Jim Broome: prof-services guy at ISS, VP at NT Objectives, Director at Accuvant. Which means I’m really not able to tell if this was a marketing gaffe, if he went there on purpose, or if it was something else entirely.</p>
<p>The upshot is that it’s a useful case study about reining in marketing hype. In the case of DirectDefense, it probably won’t matter that much long term. Had they been venture-funded, they might have lost their CEO over this. But they’re not (as far as I can tell… they’re private and pretty closed-lipped about how they’re funded). In the meantime, though, they lost some industry cred. And in the very short term, it might be harder to sell the message from their <a href="https://www.glassdoor.com/Overview/Working-at-DirectDefense-EI_IE1413395.11,24.htm">mission statement</a>: “…delivering customized services with honesty and integrity—every time.”</p>