This is an archived copy. View the original at https://www.threatstack.com/blog/an-open-letter-to-security-vendors-predatory-use-of-public-breaches

An Open Letter to Security Vendors' Predatory Use of Public Breaches
December 11, 2020
Sam Bisbee

Disclaimer: This post discusses a breach that is reportedly under active investigation. I have not spoken with the FireEye team about this incident, and I have no internal information about what did or did not happen. This post is based off of publicly available information and FireEye’s statements, and none of that includes the technical details of what happened.

It’s not new for members of the security community to throw rocks at companies that get breached. When a company goes through one of the most difficult times in its history, a significant percentage of the community — the people you’d expect to empathize with fellow defenders the most — instead takes joy in kicking that company while it’s down. FireEye is this week’s example.

What I find more disturbing are the security vendors who view a company’s misfortune as a marketing opportunity. It does not take long after a public breach for prospects to begin getting emails proclaiming, “Did you hear about X getting breached? We could have prevented that!” At best these vendors should know better (perhaps a rogue sales professional making the vendor look foolish), and at worst it should be considered unethical ambulance chasing.

For the past six-and-a-half years, one of the core principles we have instilled in our sales and marketing professionals at Threat Stack is to never offer commentary on breaches, because “those who know do not speak.” Instead we offer everyone access to our security experts to discuss what is being talked about in the news and our perspectives on key learnings. If you have ever received an email that appears to be “ambulance chasing” from one of our team members, then I invite you to reach out to me directly so that I can follow up.

These ambulance-chasing security vendors are playing a dangerous game. Security companies are not exempt from the breach adage “when, not if.” In this case it is particularly discouraging and unprofessional behavior when the technical details of FireEye’s breach have not even been disclosed: offering to share your “current perspective on the FireEye breach” is simply misinformation. From what we can tell, FireEye has met or exceeded the responsible breach disclosure standard that we all talk about and hope we never need to meet.

FireEye detected a breach that they attribute to a nation-state actor (no easy feat, if true). Responsibly, they understood that the theft of their red team’s toolkit could negatively impact their customers and the broader market, and they included detection countermeasures for their own stolen tools in their disclosure. It is cowardly for a vendor to selfishly exploit this misfortune for its own short-term benefit, using mass email campaigns to make false claims instead of stating them publicly, and it should call into question that vendor’s level of professionalism and empathy.

As members of the security community, we must remember that we get the vendors we deserve. When we reward vendors for capitalizing on the misfortune of others, it only encourages a vicious cycle of pettiness and FUD (fear, uncertainty and doubt): a recipe for disaster at exactly the wrong time, when corporations, their security teams, and the broader security community are expected to act in a civil defense capacity.

Time will tell whether FireEye could reasonably have prevented the breach, whether they continue to handle it with grace while supporting the security community, and the answers to other unknowns. It is always unsettling when a security vendor is breached because of the pedestal they’re put on, but we must accept that pedestals do not prevent breaches. Those who are satisfied merely by chopping at pedestals to knock others down, instead of striving for their own success, should remember that “what goes around, comes around.”

Vendors must respect the responsibility they hold as experts and security industry leaders. Vendors must take the high road and help, instead of throwing rocks from a glass house for their own selfish benefit. It is important to hold our peers accountable when they actively make our industry worse by trying to sell fear.

Security takes a village.