Dan Holden and ISS Should Pull Their Heads Out of the Sand

I’m no geography expert, but I didn’t think there were beaches in Atlanta. After reading Dan Holden’s post on ISS’ “Frequency X” blog, I am beginning to doubt this presumed truth. There MUST be beaches in Atlanta… I don’t see any other way that Holden and ISS could have their heads so deep in the sand.

I stumbled upon Holden’s rant, titled “Who do you trust?” in my first (and last) visit to “Frequency X”. Holden talks about a recent ISS advisory and the QuickTime for Java bugs before (in essence) calling TippingPoint a bunch of posers who sublet security research instead of building their own talent.

Disclosure: I used to work for TippingPoint; I no longer do. Accordingly, my views don’t speak for anyone — TippingPoint or my current employer.

Holden writes:

“Well in your humble narrator’s opinion this is what we call ‘rented security’. A customer purchasing their security guidance and protection technology from a company that blindly leases security research from third parties rather than staffing a comprehensive holistic security research staff is akin to buying a fake Rolex. In the end the watch may appear real, you may fool some casual admirers, but it won’t keep accurate time, hold-up, or fool an expert.”

Depending on your definition of “blindly”, TippingPoint’s ZDI program might meet the definition of “rented security”. But it seems Holden’s entire thesis depends upon glossing over a best-of-breed research team. TippingPoint researchers present at the same conferences where ISS employees are sued and then deprived of credit for trying to present… all while customers received no protection for the vulnerabilities that ISS’ own researcher found. I could keep going for another whole paragraph. The “fake Rolex” analogy is miles off, largely because Holden again chooses to ignore TippingPoint’s substantial in-house research. He makes it sound like there’s no talent managing the ZDI, and TippingPoint simply regurgitates purchased information with no review; that claim is obviously baseless.

Holden continues:

“In other words, outsourcing what is supposed to be your core competency as a security organization isn’t a smart business practice. Even Gartner has spoken out about the dangers of this type of activity calling it a ‘risky endeavor’. The real problem is that there is no guarantee whether the information being purchased hasn’t already been shared or really how good or thorough it is.”

Ooh… a “risky endeavor”, according to… Gartner? Now I’m really shaking in my boots. Okay, so maybe I’m not. Maybe I can understand, like most people, that the risk TippingPoint is taking is intended to supplement its research team’s work. Granted, the ZDI is a beast of a supplement, with 92 published advisories in under two years, but it’s still a supplement to a research team that holds its own pretty well. More from Holden…

“However, what happens when you are on a time crunch to bring the cash home before anyone else? Well it’s possible you could miss something which is exactly what happened. While X-Force was in the process of finding and fully exploring the QuickTime bug we found another and immediately notified Apple to responsibly disclose the vulnerability. The patch for this was released yesterday at 4PM EST.

Apple QuickTime Code Execution

Now is it important that we had protection out 3 weeks prior? Well that sure was nice for our customer base but what is truly important is that we understood the original bug and being a true research group that does this type of thing everyday ended up uncovering a related vulnerability in the process.”

What Holden forgets is that “true research groups” make mistakes in assessing vulnerabilities, too. ISS made a huge error of its own with the Apache Chunked Encoding Vulnerability. X-Force Advisory 120 still to this day states (in spite of the Scalper worm, which proves it wrong):

“X-Force has verified that this issue is exploitable on Apache for Windows (Win32) version 1.3.24. Apache 1.x for Unix contains the same source code, but X-Force believes that successful exploitation on most Unix platforms is unlikely.”

ISS “understood the original bug” as well as a fly in your soup on this particular occasion; the timing of their QuickTime find seems like luck. Variants can and do happen (often as a result of shoddy patches, rather than misses by researchers), and that’s true whether you’re contracting research or working commercially. Being a commercial researcher does not intrinsically mean you produce better research. More from Holden…

“…the commercial space isn’t where the most vulnerabilities are found so what is the most important part of vulnerability discovery? Understanding the nuances and severity of the issue and then responsibly working with the vendor to get it rectified. Now this is certainly a complicated subject and some of you may disagree with me.”

If you’re an IPS vendor and I’m buying from you, the most important part of vulnerability discovery is how well your protection adapts to that discovery. Key to adapting to discoveries in a market that is still largely reactive is getting as much raw threat data as early as possible. ZDI does exactly that for TippingPoint, so I, of course, disagree. ZDI is a smart, customer-beneficial approach to acquiring as much of the “big picture” of vulnerability intelligence as possible.

Finally, Holden concludes his rampage against purchased research:

“However, until there is a Consumer Reports for the security space as a whole who are you going to trust? Anonymous researcher, or the X-Force guys that wrote the books that anonymous researcher is reading to get his paycheck from who knows what sources?”

Why don’t you tell me… who should I trust? Should I trust X-Force because they’re a good research team and wrote some good books, or should I trust the research team that uses its capital and actively acquires threat information from the outside to complement internally-produced information?

I love how Holden pulls off the “we’re leeter than they are” argument, implying that X-Force authors wrote the books TippingPoint’s ZDI contributors are using. That might have been true five years ago, but it’s hardly the case now. Even if it were, I’d buy from the company that’s producing the raw information. Who cares if ISS team members wrote the books that today’s researchers are using to find bugs? It doesn’t matter to anyone buying today’s protection. The obvious fact is that the research isn’t coming out of ISS anymore, and Holden is trying to stoke the embers of a tired market perception that X-Force is still a top-tier research team.

I digress. Holden’s question was who we should trust. Until ISS establishes a precedent for competing on facts, rather than false spin, at least part of the answer is self-evident: you shouldn’t trust ISS.

  • Agreed

    I agree with your thoughts here. As far as I am concerned ISS has been the follower in the market for years. It is just unfortunate that their customers are not better educated about what they are buying. If they were then ISS would surely not have near the marketspace that they have. IBM bought another dud from my perspective. If the research team at ISS was so great then I would think that their VA tool would be leading the pack, whereas it is just horrible.

  • Anonymous

    I think you are missing the point here, and more importantly, are taking the bait – hook, line, and sinker.

    The real issue here is elitism on the part of the ISS blogger. “Rented” or not, they have a better product offering right now.

    As an infosec guy working for a modestly sized organization with roughly 20,000 devices, I could give a rip who is conducting the research behind the protection I’m paying for. I want the most protection, the fastest, for a reasonable cost.

    The researcher side of my brain understands where ISS is coming from, but if you’re going to productize your research, you lose the high ground of whining about where competitors get their research from. The technical aspects of information security have been commoditized. The war is over.

    If you’re hawking your wares, quitcherbitchin. Otherwise, you might have a platform from which to speak.

  • Jason DePriest

    I have been using ISS products for about six years.

    They have a very competent suite of software (and marginal hardware). I like having everything from a single vendor. With the outsourcing and efficiency push going on where I work, making things easier is high on my list of priorities.

    I can have a vulnerability scanner, network IDS, and host IDS all managed from one console. I like that.

    As far as who’s **** is longer? I could care less. If I rely on just my IDS or just my vulnerability scanner for security, then I’m doing something wrong.

    If the latest 0-day isn’t going to break my firewalls and I can block it, I don’t care how long it takes to get a virtual patch from ISS.

    My ISS reps assure me that their purchase by IBM will only mean good things for the customer: faster hardware, more products, tighter integration, etc. Also, that X-Force is still being left to their own devices. Time will tell.

  • http://blogs.securiteam.com/index.php/archives/author/mattmurphy/ Matthew Murphy

    Holden didn’t talk about the product line. I didn’t talk about the product line. The issue central to both posts is trust, and trustworthy research specifically.

    ISS may have a wider product line than most or all of their competitors (note, wider is not higher quality), but they still have an established reputation for slimy competitive tactics and therefore *should not be trusted*.

    Nobody who disagrees is responsive to that point, so I guess that means there isn’t a response.

    @Anonymous

    If by “better”, you mean “more diverse”, maybe. Otherwise, you’re way off.

    @Jason:

    No one cares what your “ISS reps assure” will be true. ISS will never compete for the top end on hardware efficiency, and an X-Force that’s “left to its own devices” will still be a team that engages in ethically-questionable research and misleading self-promotion in a bid to smear competitors.

    Are you really so hooked on ISS’ marketing line that you are willing to repeat it as fact?

  • Jason DePriest

    It was merely a regurgitation of what I had been told. I have seen nothing to confirm or deny it. And I take everything I’m told with a grain of salt. Just because they say it, just because they believe it, doesn’t mean that is how it is going to play out.

    My own experiences have been acceptable but far from extraordinary or amazing.

    Now that ISS has been bought by IBM, I see their tactics going even further away from what I desire: that is, buying other companies that are doing what you want to do well, but can’t.

    As for the “who are you going to trust” question? I don’t know? Nobody? That seems like the only answer that makes sense.

    Ah, well; you’ve a new blog entry about ISS I want to comment on.

  • http://blogs.securiteam.com/index.php/archives/author/mattmurphy/ Matthew Murphy

    What confused me was what the “regurgitation” had to do with the post. Regardless, “trust nobody” is a fair answer… it does indeed appear that my post offers a false dilemma in that regard. I took Holden’s bait.

    D’OH.

  • Trustnoone

    You know, I stumbled onto this blog while looking for some useful feedback on security vendors, and mostly the hype about ZDI.

    Truth be told, in my years in the field, mottos like “trust, but verify”, “trust no one”, et al. abound.

    Most serious research will always entail looking over the other guy’s slate in case he found something you missed. As such, supplementing your research base with someone else’s is a good thing, God forbid they may have hit on something “obvious” that you missed or assumed you had covered.

    Because all companies will of course try to get greater market share in their chosen field, they want to be the best, but most especially they want YOU, the paying client, to at least think they are!

    I agree that innuendos and slimy theatrics are, to say the least, an insult to clients who have a head on their shoulders and see it for what it is.

    So, as with “their” research, the best trust is to do your own, and if at all possible, pair some competitors together in YOUR defence. I think the era of blind trust (which has never really been there, “THEY” just wanted us to feel that way) is long over.

    As to Holden’s views, well, they are just that HIS views, take them in, assess, and if there is good use it, discard the rest. That is all we defenders of our own little piece of the networked world can do.

    Cheers!
