A good chunk of the cybersecurity industry is \u201csmoke and mirrors,\u201d with companies hawking shiny products that aren\u2019t needed to block most hacks, Tenable CEO Amit Yoran said in an interview with CyberScoop earlier this month<\/p>\n\n\n\n
\u201cIt\u2019s an industry that has fed and continues to feed, to a large extent, off of fearmongering,\u201d Yoran said on the sidelines of the vendor-happy RSA Conference in San Francisco.<\/p>\n\n\n\n
The RSA Conference is a feeding frenzy for companies pushing products on the trade-show floor. Vendors spend big on things like booths, parties, and hotel suites to woo potential clients. (Tenable had a booth demonstrating some of its technology.)<\/p>\n\n\n\n
In a blunt interview, Yoran reflected on where the \u201chype-driven\u201d side of the business, as he called it, had gotten the cybersecurity industry.<\/p>\n\n\n\n
\u201cThe millions of dollars that people are spending, all the hype and the sexy marketing and the AI and the anomaly-behavioral\u2026whatever buzzword you want to use, it\u2019s a bunch of smoke and mirrors,\u201d Yoran said. \u201cAnd I won\u2019t call it useless, but it\u2019s on the periphery of the issue when people still aren\u2019t doing the basics.\u201d<\/p>\n\n\n\n
As the great majority of breaches stem from known vulnerabilities, basic security practices rather than fancy patented technology are key to defending data, Yoran said. He pointed to a 2018 speech by David Hogue, a National Security Agency official, who said<\/a> the NSA had not responded to an intrusion that exploited a zero-day vulnerability in over two years.<\/p>\n\n\n\n \u201cTo me, that\u2019s like a \u2018holy s\u2013t\u2019 moment,\u201d Yoran said. But because the industry is \u201cvendor-driven and hype-driven, you don\u2019t hear people talk about that. But that\u2019s the reality.\u201d<\/p>\n\n\n\n With salespeople clamoring<\/a> for the ears of company executives, separating signal from noise in the industry has arguably never been harder. But muting the noise and focusing on security basics can be effective, according to Yoran.<\/p>\n\n\n\n \u201cWhat you do or don\u2019t do directly translates into your probability of getting hacked or not,\u201d he said.<\/p>\n\n\n\n Another trend in the industry is the increasing number of companies that are attributing breaches to hacking groups associated with nation-states. For Yoran, attribution is much more useful to governments than to network defenders.<\/p>\n\n\n\n \u201cI think there is tremendous value in attribution for governments, for the establishment of norms of behavior [that can] eventually become part of international law,\u201d he told CyberScoop. But for potential targets of cyber operations, Yoran added, \u201cthere\u2019s very little value\u201d in attribution.<\/p>\n\n\n\n After uncovering a hacking campaign, cybersecurity companies have to decide who to notify about the threat, and when to do it.<\/p>\n\n\n\n FireEye CEO Kevin Mandia told CyberScoop<\/a> last year that his company typically gives the U.S. and its \u201cFive Eye\u201d allies a heads-up about threat intelligence reports it plans to publish. Some cybersecurity professionals took issue with that method, arguing<\/a> for a country-agnostic approach to disclosing hacking threats.<\/p>\n\n\n\n Asked to weigh in on the issue, Yoran said the decision to go public with cyberthreats is not always cut-and-dry. Internet users around the world deserve to be protected, he said, but not all threats are created equal and warrant disclosure.<\/p>\n\n\n\n \u201cIf we stumble across an operation, are we morally obligated to report it or go public with it?\u201d Yoran, whose over two-decade career in the field has included stops at Symantec, RSA Security, and the Department of Homeland Security, told CyberScoop. \u201cI think it has to be a case-by-case [decision].\u201d<\/p>\n\n\n\n In other words, a global issue like WannaCry is a no-brainer \u2013 warnings about it should be shouted from the rooftops. However, reporting on a cyber-espionage campaign that supports a counter-terrorism mission, for example, is an entirely \u201cdifferent set of morality,\u201d Yoran said.<\/p>\n\n\n\n That situation is not merely a hypothetical. In March 2018, researchers from Kaspersky Lab exposed<\/a> a sensitive U.S. intelligence-gathering operation against ISIS and al-Qaeda operatives.<\/p>\n\n\n\n It is not uncommon for researchers in the industry to come across intelligence operations like that, Yoran said.<\/p>\n\n\n\n \u201cI know multiple researchers [in the industry] who have stumbled across intelligence operations and because of their belief in democracy or Western way of life, or whatever you want to call it, have chosen to disclose it to [an] intelligence agency and not gone public with it,\u201d he added.<\/p>\n\n\n\nWrestling with attribution<\/strong><\/h3>\n\n\n\n