Threat Intelligence
2/4/2016
06:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Newly Fired CEO Of Norse Fires Back At Critics

Critics maintain that Norse Corp. is peddling threat data as threat intelligence.

A massive and potentially company-ending shakeup at security vendor Norse Corp. in recent weeks amid controversy over its practices may be a signal that the threat intelligence industry is finally maturing.

KrebsonSecurity last week reported that Norse had fired its CEO Sam Glines after letting go some 30% of its staff less than a month earlier. The blog quoted unnamed sources as saying Norse’s board of directors had asked board member Howard Bain to take over as an interim CEO.

The remaining employees at the Foster City, Calif.-based threat intelligence firm were apparently informed they could continue showing up for work, but there would be no guarantee they would be paid, KrebsonSecurity reported.

Shortly thereafter, Norse’s website went dark and remained unavailable through the week -- prompting some speculation on whether the company had been shuttered. A spokesperson for a PR agency representing Norse today said the company is still operational, but she did not elaborate.

The KrebsonSecurity article, which was contested by Glines and former Norse chief architect Jason Belich, blamed Norse’s problems on a fast and loose business culture focused on taking quick advantage of the booming interest in threat intelligence rather than on delivering real value for customers. One former employed quoted by Krebs described Norse as a "scam" operation designed to suck in investors.

Norse, once a rising star in the threat intelligence industry and which as recently as Sept 2015 received an investment of over $11 million from KPMG, has been in the news for wrong reasons before.

As KrebsonSecurity noted in its blog, a Norse report last year on growing attacks against critical industrial control systems in the US was soundly trashed for being grossly exaggerated and unsubstantiated by facts. A subsequent review of the report showed that what Norse had described as dangerous attacks was really network scans conducted from locations in Iran against honeypot systems. Another Norse report that claimed Sony’s massive data breach was the result of an insider attack was similarly slammed for being unsubstantiated.

In comments to Dark Reading today, Glines accused his critics of harboring an agenda against Norse. He described Krebs’ article as causing “incredible damage in very short order” and confirmed that Bain had been named interim CEO.

“The quality of Norse's threat intelligence data is extremely good,” says Glines. “The company has one of the largest malware pipelines in the industry and just one of the sinkholes in use has over 1 billion callbacks, after being in operation for less than 3 months,” he says. He described the sinkhole as just one example of the many techniques used by the company to collect threat intelligence.

Glines downplayed the criticisms about Norse’s threat intelligence reports being over the top, but conceded to Norse being beaten up in the media over the past year. He says that was mainly the result of handful of individuals complaining about the company’s practices; others have jumped on the bandwagon because Norse chose not to respond, he says.

Critics have accused Norse of going to market too soon with the data in had, and of drawing conclusions not actually supported by the data. “I’d respond that the entire cyber threat intelligence industry is still young, growing, but relatively immature,” Glines says. “But I’d also add that our customers and partners were getting tremendous value from the data. Every product, every application, every service, is a work in process.”

Robert M. Lee, founder and CEO of critical infrastructure security firm Dragos Security and one of Norse’s strongest critics, says Norse’s problem is that it is tries to make too much of the data it has.

A lot of the raw data that Norse collects from its sensors around the world is threat information, not threat intelligence, he told Dark Reading.

“Data is just data without context,” Lee says. Some of it can help organizations answer fundamental questions like whether their systems are infected or not. But that is not the same thing as threat intelligence, which involves the ability to take data from multiple sources, analyze it and predict with a high degree of confidence, he says.

“Real threat intelligence is not something you can plug into a firewall," he says. It requires a much higher degree of expertise both technical and domain, than simply gathering and looking at threat data.

“If Norse had used their data for what it was, it would have helped companies simplify what they were looking at,” he says. “Instead they were taking threat data and billing it as actionable intelligence.”

The questions being raised over Norse’s practices pointing to a maturing overall of the threat intelligence industry, Lee says. “I don’t see this as impacting the larger threat intelligence industry. I see this as an indicator that the market won’t accept bad threat data anymore.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
phdad_ccm
50%
50%
phdad_ccm,
User Rank: Apprentice
2/24/2016 | 1:14:32 PM
Too many consulting firms, too few success stories
Security is the new band wagon companies are jumping on. Problem is that most security providers try to provide their "cookie cutter" answer to their clients' security or risk issues. Buying an off the shelf product is like using aspirin as a common fix to all physical ills. Companies should obtain a trusted advisor (answering only to the Board of Directors) who will evaluate the firm's risks, practices and policies and then to customize a plan to address those risks within an acceptable timeframe and budget.
StephenR232
50%
50%
StephenR232,
User Rank: Apprentice
2/6/2016 | 7:15:48 PM
It's a very murky field
Threat intelligence is inherently a murky thing. It purports to tell you unknown unknowns and the remedy is typically a tool or service they sell. But it's very hard to evaluate the quality or utlitity of the information this sell and serve up. There's no way to normalize what they publish vs what anyone publishes and often the information itself crosses into the innuendo and urban myth territory. Which is fine for your lawyers and regulatory staff who have processes to follow, audits to pass and checkboxes to check but beyond that it's a big question. Norse simply got caught first.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
8 Key Building Blocks for Enterprise Network Defense
Networks are changing rapidly -- and so are strategies for protecting them. This Tech Digest looks at the fundamentals for the next-gen environment.
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In this episode of Dark Reading Radio, veteran CISOs will share their experience and insight into how organizations can get the best bang for their security buck.