A good chunk of the cybersecurity industry is “smoke and mirrors,” with companies hawking shiny products that aren’t needed to block most hacks, Tenable CEO Amit Yoran said in an interview with CyberScoop earlier this month.
“It’s an industry that has fed and continues to feed, to a large extent, off of fearmongering,” Yoran said on the sidelines of the vendor-happy RSA Conference in San Francisco.
The RSA Conference is a feeding frenzy for companies pushing products on the trade-show floor. Vendors spend big on things like booths, parties, and hotel suites to woo potential clients. (Tenable had a booth demonstrating some of its technology.)
In a blunt interview, Yoran reflected on where the “hype-driven” side of the business, as he called it, had gotten the cybersecurity industry.
“The millions of dollars that people are spending, all the hype and the sexy marketing and the AI and the anomaly-behavioral…whatever buzzword you want to use, it’s a bunch of smoke and mirrors,” Yoran said. “And I won’t call it useless, but it’s on the periphery of the issue when people still aren’t doing the basics.”
As the great majority of breaches stem from known vulnerabilities, basic security practices rather than fancy patented technology are key to defending data, Yoran said. He pointed to a 2018 speech by David Hogue, a National Security Agency official, who said the NSA had not responded to an intrusion that exploited a zero-day vulnerability in over two years.
“To me, that’s like a ‘holy s–t’ moment,” Yoran said. But because the industry is “vendor-driven and hype-driven, you don’t hear people talk about that. But that’s the reality.”
With salespeople clamoring for the ears of company executives, separating signal from noise in the industry has arguably never been harder. But muting the noise and focusing on security basics can be effective, according to Yoran.
“What you do or don’t do directly translates into your probability of getting hacked or not,” he said.
Wrestling with attribution
Another trend in the industry is the increasing number of companies that are attributing breaches to hacking groups associated with nation-states. For Yoran, attribution is much more useful to governments than to network defenders.
“I think there is tremendous value in attribution for governments, for the establishment of norms of behavior [that can] eventually become part of international law,” he told CyberScoop. But for potential targets of cyber operations, Yoran added, “there’s very little value” in attribution.
After uncovering a hacking campaign, cybersecurity companies have to decide who to notify about the threat, and when to do it.
FireEye CEO Kevin Mandia told CyberScoop last year that his company typically gives the U.S. and its “Five Eye” allies a heads-up about threat intelligence reports it plans to publish. Some cybersecurity professionals took issue with that method, arguing for a country-agnostic approach to disclosing hacking threats.
Asked to weigh in on the issue, Yoran said the decision to go public with cyberthreats is not always cut-and-dried. Internet users around the world deserve to be protected, he said, but not all threats are created equal, and not all of them warrant disclosure.
“If we stumble across an operation, are we morally obligated to report it or go public with it?” Yoran, whose over two-decade career in the field has included stops at Symantec, RSA Security, and the Department of Homeland Security, told CyberScoop. “I think it has to be a case-by-case [decision].”
In other words, a global issue like WannaCry is a no-brainer – warnings about it should be shouted from the rooftops. However, reporting on a cyber-espionage campaign that supports a counter-terrorism mission, for example, is an entirely “different set of morality,” Yoran said.
That situation is not merely a hypothetical. In March 2018, researchers from Kaspersky Lab exposed a sensitive U.S. intelligence-gathering operation against ISIS and al-Qaeda operatives.
It is not uncommon for researchers in the industry to come across intelligence operations like that, Yoran said.
“I know multiple researchers [in the industry] who have stumbled across intelligence operations and because of their belief in democracy or Western way of life, or whatever you want to call it, have chosen to disclose it to [an] intelligence agency and not gone public with it,” he added.