In the aftermath of the excitement around the hit piece on Carbon Black published by DirectDefense and circulated by Gizmodo and others, there are a few lessons that I hope we as a security community (practitioners and vendors) can learn.
1: Understand where your data is going.
The first, and most obvious, is the importance of understanding exactly what data you’re authorizing any tool you purchase to ship outside the boundaries of your control. The “report” singled out Carbon Black, but there are many tools (security and otherwise) that have the capability to leak sensitive data. Hell, a poorly implemented network stack has the potential to spray your data all over the internet. Vetting vendors, products, and product features to keep your data safe is a core function of a security organization. As more and more of our tools and data shift to the cloud and SaaS, the importance of that vetting only increases.
2: No feature is one-size-fits-all.
There isn’t a one-size-fits-all answer to whether a feature like Carbon Black Response’s capability to submit binaries to VirusTotal is good or bad. In some environments, this feature is entirely safe and provides value. In other environments, it is completely terrifying and should never even be considered. It’s not up to Carbon Black to make this judgment; it’s up to users. Carbon Black does an admirable job of warning customers of the risk associated with the feature. If we decide we’re okay with the risk and our sensitive binaries get leaked, is that their fault? Some of the hyperbole from the last few days has missed the point that there are cases where the feature is safe and valuable.
3: Protect thy secrets.
As a developer myself, there is one simple lesson I’d hope to pass along to all my fellow code slingers: DON’T PUT SENSITIVE CREDENTIALS IN YOUR CODEBASE. I know it’s easier, I know it doesn’t seem risky—but take the extra hour and extract the creds out and keep them in a secret vault. Just do it.
4: Choose education over clicks.
And lastly… on hit pieces. We security vendors should stop this stupid practice of attacking each other through dubiously-commissioned reports with salacious headlines pushed through willing and uneducated media outlets. We get approached to participate in this kind of thing on a regular basis (we got asked directly over drinks at BlackHat). It’s not good for customers, it’s not good for the vendors, it’s stupid. The reason we take the approach we do with the Red Canary blog is that we think providing educational content and helping people navigate the confusing world of security is what is best for everyone. Maybe we’re sacrificing the eyeballs we could get if we were to publish attack pieces with clickbait-style headlines. We’re 100% okay making that sacrifice and always will be.