Two well-funded cybersecurity firms jumped into a public relations fight Wednesday after one alleged that the other had allowed third parties to profit off leaked sensitive customer data.
DirectDefense President Jim Broome wrote in a blog post published Wednesday that his firm had found evidence of improper conduct on the part of Carbon Black, a seller of endpoint security software products. DirectDefense, a managed and full service provider of security offerings, said it found an apparent flaw in the architecture of a popular Carbon Black product named Cb Response.
This flaw allegedly allowed for a leak of sensitive customer information onto multi-scanning services like VirusTotal, a popular malware repository. The inadvertently leaked data, according to Broome, could be resold by third parties.
“Files uploaded by Cb Response customers first go to Carbon Black (or their local Carbon Black server instance), but then are immediately forwarded to a cloud-based multiscanner, where they are dutifully spread to anyone that wants them and is willing to pay,” Broome’s post reads.
DirectDefense did not contact Carbon Black ahead of its controversial announcement Wednesday, according to a statement by Carbon Black co-founder Michael Viscuso, although they originally discovered the issue in mid-2016.
“Many Cb Response customers were sold on the benefits of using a cloud-based multiscanner. After all, why use one AV when you get 50? However, few customers were aware of the costs. The real cost here, beyond the enormous storage, compute, headcount, and performance cost, are in abused trust relationships,” said Bromme.
The allegations against Carbon Black specifically focus on Cb Response, which is designed to autonomously collect data about potentially malicious files stored on clients’ computers — known as endpoints. Although data originates from a client’s device, it runs through Carbon Black’s own servers and then into multi-scanner platforms; some of which are publicly accessible. This method helps analysts rapidly identify and catalogue malicious files while simultaneously leveraging past research. The capability relies on some customers submitting data, but participation isn’t required.
At least Carbon Black beats you over the head with "Whoa whoa, you may not want to click Share." This is the screen to opt-in from. pic.twitter.com/vB4nZpH9m6
— Brian Baskin (@bbaskin) August 9, 2017
Viscuso, who wrote a corresponding blog post Wednesday reacting to these allegations, told CyberScoop that DirectDefense misrepresented the facts by falsely describing a legitimate issue — that of customers voluntarily but unknowingly submitting sensitive material to an analysis process that includes some increased exposure — as a leak.
Broome described Carbon Black as “the world’s largest pay-for-play data exfiltration botnet.” Evidence to support this claim is lacking.
Carbon Black is far from the only security company to upload digital evidence from customer systems to multi-scanner platforms. Typically this data is scrubbed of identifiable submitter information, but occasionally mistakes occur or customers attach other details. The Cambridge, Mass.-based firm maintains it did nothing wrong regarding how it handles confidential customer data.
In addition, Viscuso said Carbon Black has never sold customer data to a third party.
Re. this hit piece, last I checked, any product VT integration (e.g. procexp) will upload binaries if you opt-in. https://t.co/UKHmpZsoKy
— Matt Graeber (@mattifestation) August 9, 2017
Carbon Black was founded in 2003 and merged with Bit9 in February 2014. The company is known for its endpoint detection and response product suite. Between 2005 and 2016, Carbon Black raised upwards of $190 million from private investors.
Cb Response users are provided with controls that can filter and exclude data collected as part of the analysis process. The sharing mechanism is a feature within CB Response, not an architectural flaw, said Viscuso. By default the feature is turned off; a warning notification was also added in 2014 to explain risk and other operational security considerations. Most customers have the feature turned on.
“A little more than half of our customers have opted in (with secondary confirmation to do so) and turned the sharing feature on,” Viscuso told CyberScoop.
There have been cases in the past, according to Viscuso, where Carbon Black called on VirusTotal to take down sensitive information that was accidentally uploaded from a client via Cb Response. This has happened a “handful” of times, but is not a systemic problem, Viscuso explained. Carbon Black provides guidance to customers on the type of information — beyond just binaries — that should be submitted.
After attracting criticism on social media, Broome seemingly doubled down on DirectDefense’s accusations in yet another blog post published later on Wednesday, stating: “Carbon Black’s response to our post is just more validation of our findings. In general, vendors need to be more careful with how they handle customer data, even if it is an optional feature … [the] messaging from Carbon Black’s professional services team during the course of installing the product is to turn this feature on to help accelerate the analysis of the file scans.”
Several cybersecurity experts have suggested on social media that DirectDefense may have been motivated to make these accusations due to an ongoing business relationship with Cylance, a direct competitor to Carbon Black.
Did DirectDefense carry out a reputation hit against CarbonBlack as a favor to Cylance? When did our industry get cutthroat? pic.twitter.com/vJ2evv1V1l
— Cyber Maui (@BelchSpeak) August 9, 2017
On Wednesday, several hours after the original DirectDefense blog post, Cylance capitalized on the publicity by publishing a blog post titled “Cylance Ensures Customer Security and Privacy.” While never mentioning Carbon Black by name, Renee Beckloff, vice president of global customer success, wrote “customers shouldn’t have to settle for a tradeoff between security and privacy, and Cylance ensures both to the highest degree possible.”
Two former Carbon Black employees, who spoke to CyberScoop on condition of anonymity to discuss what has already become a tempestuous debate, called DirectDefense’s announcement an “exaggerated hit piece” that “ignores basic details” and “well-known practices.”
The incident underscores the contentious and competitive marketing landscape surrounding the endpoint detection and response (EDR) market. Cylance dealt with its own controversy earlier this year, when news reports surfaced that the company was allegedly detecting bogus malware during sales demos of its products.