Cybersecurity vendors as foot soldiers

This report is a little unsettling if not surprising:

CyberScoop recently reported that FireEye had drawn a red line around exposing certain activities by so-called “friendlies.”

Ronald Prins, who founded Dutch security firm FoxIT, told Mashable in 2014 that his company chose not to publish details about a malware variant known as “Regin” because it might “interfere with NSA/GCHQ operations.”

A former U.S. intelligence official told CyberScoop that these types of “informal and unique” information sharing partnerships with the cybersecurity industry have proved invaluable in the past. The source said these arrangements are usually driven through “personal, one-on-one relationships” rather than a broad-based agreement of some sort.

Microsoft, at the recently concluded Aspen Security Forum, also took an overtly political stance on Russian hacking. While its detection capabilities have dramatically improved since the acquisition of Hexadite and Aorato, the company has generally remained neutral on the geopolitics of attribution. Even its staid APT naming-convention is devoid of the usual marketing glimmer.

FireEye’s CEO, too, went to the extent of calling the American malware “more restrained”. These overtures, lacking nuance, have the potential of balkanising the global IT security industry, already rife with conspiracies and co-optation. I’ve written extensively about this in the past.

Indeed, the counterintelligence efforts of the private sector even outclassed that of the U.S. government in the run-up to the Russian electoral intervention. But it’s time to tone down the rhetoric a bit.

Countries like India, which may so easily get caught in the crossfire, must understand that all global developments in this industry adhere to the paradigm that cyber offence is still an extension of the declaratory dimension of power.

Cyber insecurity stems from power and power alone [Geer]. All cyberweapons, in essence, are tools of power projection [Aitel]. Offence has remained structurally dominant in cyber because nation states shape the course of international diplomacy to perpetuate that. The powers that be have exercised more curbs over the declaratory matrix of cyber capabilities than even nuclear. All defensive problems are completely political. We are weakened by the choices being offered to us – controlling what you know has been the sole mantle of cyber superiority.

— From an upcoming book of mine.

India simply doesn’t have the wherewithal to replace or provide an alternative to the commercial cybersecurity architecture. It may also be overkill.

If you expect vendors to detect anything except crimeware then your priorities are misplaced. If you’re an organisation which fears being targeted by state actors then you need a homegrown instrumentation layer that augments the proprietary interfaces.

Automated response/tailored automation is the glue that binds vendor products within an enterprise. It’s what scares an attacker, according to Dave Aitel. You need to liberate the organisational state-space – the overhead would be around 5-15%. A couple of places to begin:

Defending the Cloud: Lessons from Intrusion Detection in SharePoint Online, Matt Swann, Microsoft, BlueHat IL 2017: https://www.youtube.com/watch?v=aZxtCKHhAUE.

Approaches to achieving real time ingestion & analysis of security events, Sagar Gaikwad, Capital One, Data Works Summit 2017: https://www.youtube.com/watch?v=lrWPA5N2Wqg.