In the ultra-competitive information security market, vendors are known to sprinkle hyperbole among their claims and sling some mud.
But the strategy has backfired for Denver-based DirectDefense, which mistakenly cast endpoint protection vendor Carbon Black as a contributor to a "data exfiltration botnet." The result has been a widespread backlash against DirectDefense.
The blog post has been quickly picked apart by security experts for its inaccuracy and tone.
The tangle kicked off with a blog post published Wednesday by DirectDefense CEO Jim Broome. DirectDefense analysts found terabytes of data containing sensitive information that leaked because of how Carbon Black's endpoint protection platform, called Cb Response, is architected, he contended.
The leaks are "nearly impossible" to stop, and the situation amounted to what is the "world's largest pay-for-pay data exfiltration botnet," Broome wrote.
But the blog post - while raising valid security issues around cloud-based scanning of potential malware - has been quickly picked apart by security experts for its inaccuracy and tone.
It has also raised questions over DirectDefense's approach. The company went public with its concerns before notifying Carbon Black, even though the research had gone on for months. Such notifications are customary to allow organizations time to fix problems. That's also despite the fact that representatives of both companies were together recently at the Black Hat security conference.
"This, friends, is why responsible disclosure exists," writes Michael Veenstra, a security researcher, on Twitter. "DD's overeagerness to make headlines will cost them a great deal of industry respect."
Broome acknowledged to me in a phone interview that the blog post was a stretch. He says DirectDefense has been trying to raise attention around data leaks related to the broad sharing of potentially malicious files. But it hadn't gotten much attention.
"That didn't get a lot of play, so we decided to go with a more sensational title," he says. The blog post is titled "Harvesting Cb Response Data Leaks for Fun and Profit."
When queried further about his company's assertion that the situation would be "nearly impossible" to fix, Broome says: "Honestly, that would be a bit of sensationalism."
Adrian Sanabria, a former 451 analyst and founder of the consultancy Savage Security, is one of the DirectDefense blog post's harshest critics. He put it bluntly: "Is this bullshit? Short version? Yes."
Cloud-Base File Scanning
Understanding DirectDefense's contention requires an explanation of Carbon Black's approach to detecting malicious software on computers.
Carbon Black is one of many vendors that aim to catch malware quickly if it arrives on a computer. If someone downloads a new file, Carbon Black checks if it's a known malicious file. If Carbon Black doesn't know the answer from its own systems, it uploads the file to other third-party malware scanning services.
Critically, that sharing is only done if Carbon Black's customers have selected an option to share the file. That's because there's a security issue: if a binary is uploaded that contains sensitive information, it will be retained by the other cloud-scanning services, and other parties that have access to those services may be able to analyze the binary and download it. But the advantage of broader file sharing is that there's better chance of accurately figuring out if a file is harmful.
During a breach investigation last year, Broome writes, DirectDefense found that terabytes of potentially sensitive data had been uploaded to VirusTotal via Carbon Black. The files DirectDefense analyzed - mostly Java archives - contained AWS credentials, Slack API keys, Atlassian single sign-on credentials, Google Play keys and Apple Store IDs, according to Broome.
Carbon Black quickly rebuffed the charges in a Wednesday blog post. Michael Viscuso, Carbon Black's co-founder and CTO, wrote that the company's user interface clearly warns its customers that sharing full binaries with VirusTotal could be risky.
Further, that sharing option is turned off by default. "Cb Response ensures that the customer understands the risks," he writes.
The alleged leaked files belonged to three companies that were not named by DirectDefense. But it characterized them as a large streaming media company, a social media company and a financial services firm.
Cylance Jumps In
The three companies were notified last year of the leak, and the data has now been removed from VirusTotal. Broome says his company and another partner notified the companies, but he declined to name the partner.
Curiously, Broome mentioned Cylance in passing during the interview with me. DirectDefense is a Cylance reseller. Cylance, which is a competitor to Carbon Black, has been criticized for aggressive marketing tactics in the cut-throat endpoint detection market (see Anti-Virus Wars: Sophos vs. Cylance).
The same day as DirectDefense's and Carbon Black's dueling blog posts, Cylance published its own. The Cylance post appears to attempt to capitalize on the allegations against Carbon Black without mentioning the company by name.
But in a statement, Shaun Walsh, Cylance's senior vice president of marketing, says his company was not involved in DirectDefense's blog post or the research.
"The blog was the independent research, opinions and work of the DirectDefense team," Walsh writes. "They are a member of our reseller community, but Cylance did not participate in any manner with the blog they published."