Major information security warnings these days - from the newest banking Trojan or ransomware variant to the latest group of Chinese hackers or Russian cybercriminals - are often slickly marketed, with the announcements carefully timed.
Take the news this spring of the Heartbleed flaw, which arrived with its own logo. In 2013, Mandiant's report on the allegedly state-sponsored Chinese hacking group APT1 was timed to coincide with the annual RSA security conference. Earlier this year, Crowdstrike released a report on China's "Putter Panda" group, in the wake of the U.S. indicting five Chinese army officers on hacking charges. And this week, while the Black Hat and Def Con conferences are running in Las Vegas, Hold Security drops the bombshell that one team of Russian hackers, which it dubbed CyberVor, has amassed 1.2 billion stolen credentials.
Beyond the fear, uncertainty and doubt these warnings provoke, many of the vendors issuing them are also looking for new customers to sign on the dotted line. Among other products and services, Mandiant and Crowdstrike sell intelligence services designed to attribute attacks to attackers. Hold Security, meanwhile, plans to run a paid, subscription-based service for websites and consumers to see if hackers have stolen their personal credentials.
The timing of so many of these announcements, which may reveal ongoing attacks or unresolved vulnerabilities in products and websites, hasn't gone unnoticed by members of the information security community. "It does seem to be raising [questions] in terms of where people are going with vulnerabilities - whether it's [for] selling them, using them for marketing advances, publicity or other reasons that aren't necessarily for the greater good," says Bruce Murphy, a partner in the enterprise risk services group at Deloitte & Touche.
Warnings Foster Competition
Still, many security experts say that just because dire security warnings are timed for maximum effect - never mind the slick infographics and PDFs - doesn't invalidate what's being said. "I agree the info on breaches is packaged and self-serving, but it's not a bad thing in this day and age - it fosters competition among security researchers and companies as they try to find a big enough scoop to grab media attention," says Avivah Litan, an analyst at Gartner Research, who, by the way, sees the Russian hacking operation detailed by Hold Security as being worse than the Target breach.
"I personally prefer less packaging, but in the end it serves its purpose," she says.
Finnish anti-virus firm F-Secure's chief research officer, Mikko Hypponen, likewise says just because Hold Security timed the release of its findings for maximum effect doesn't invalidate the quality of the data. "I find that these announcements always happen on the Black Hat or RSA week, just like it happened again," he says. "So, of course, it's marketing as well, but this company behind it has done good work before, and I have no doubt that this database wouldn't exist at all. I'm sure it exists."
When dire warnings do arrive, beware shooting the messenger, warns Craig Carpenter, chief cybersecurity strategist for digital forensics and e-discovery firm AccessData. "I used to work for one of the integrated firewall companies years ago, and people used to accuse us of writing viruses, because it was good for business," he says. "And the sad truth is, we don't need to, right? There's plenty of stuff going on out there."
Behind the Marketing
Research results aside, analyzing how information security firms market their findings can reveal a lot about executives' long-term business goals. "Security reports are marketing opportunities that literally could be worth millions of dollars depending on who picks up the story," says Jeffrey Carr, CEO of security firm Taia Global and author of Inside Cyber Warfare: Mapping the Cyber Underworld. "If, like Mandiant, your report corresponds with a breach that they've investigated and that breach was against The New York Times and your report documents the alleged actions of the Chinese military, you get to be acquired months later for $1 billion," he says, referring to Mandiant's late-2013 acquisition by FireEye.
Carr has regularly criticized information security firms for making claims while failing to document their evidence. "There's no doubt that these reports serve a marketing purpose, first and foremost, which puts into question all of its content. That's why verification of data by other researchers is so important, and why this latest 1 billion e-mail scare is so obnoxious," he says. "Unfortunately, there are no formal ethical standards that govern security reporting, but this industry really needs some."
In the interim, Jose Nazario, chief scientist of information security vendor Invincea's research and development lab, recommends people stay skeptical of any and all claims, especially if they debut during high-profile information security events.
Some security vendors, however, may wish to withhold their evidence, so as to not tip off the criminals or intelligence agencies they've managed to track. "There is a significant incentive - in many cases - to keep the information confidential, to keep conducting an investigation without tipping [off] the bad guys," says attorney Francoise Gilbert, founder and managing director of the IT Law Group.
Big Packaging Trade-Offs
But waiting to release findings - to generate maximum impact - can have downsides for attack victims. "The main advantage to be gained from not waiting for the big package is that the crimes could be stopped earlier, provided people and law enforcement cared enough and paid attention accordingly," says Gartner's Litan. "This rarely happens these days, unfortunately."
On the other hand, making a big splash often overcomes any ongoing apathy, by highlighting a problem that needs to be fixed and potentially shaming offending businesses into making that happen. "I think it's helpful, because right or wrong, people tend to be motivated by shame, and people tend to be motivated by being outed," AccessData's Carpenter says. Such urgency can also help CISOs get the budget they require to make a problem go away.
But Carpenter is careful to note that his company doesn't practice this type of marketing, in part because it doesn't want to anger customers. "The other reason we don't do it is because that's not how we like to engage with customers," he says. "We want to have a trusted relationship where we bring our perspective and our intelligence and our thought leadership to the party, instead of just trying to market to them ... because it's harder to build a customer relationship for life when you interact in that way."
(Eric Chabrow and Jeffrey Roman contributed to this story.)