A massive and potentially company-ending shakeup at security vendor Norse Corp. in recent weeks amid controversy over its practices may be a signal that the threat intelligence industry is finally maturing.
KrebsonSecurity last week reported that Norse had fired its CEO Sam Glines after letting go some 30% of its staff less than a month earlier. The blog quoted unnamed sources as saying Norse’s board of directors had asked board member Howard Bain to take over as an interim CEO.
The remaining employees at the Foster City, Calif.-based threat intelligence firm were apparently informed they could continue showing up for work, but there would be no guarantee they would be paid, KrebsonSecurity reported.
Shortly thereafter, Norse’s website went dark and remained unavailable through the week -- prompting some speculation on whether the company had been shuttered. A spokesperson for a PR agency representing Norse today said the company is still operational, but she did not elaborate.
The KrebsonSecurity article, which was contested by Glines and former Norse chief architect Jason Belich, blamed Norse’s problems on a fast and loose business culture focused on taking quick advantage of the booming interest in threat intelligence rather than on delivering real value for customers. One former employee quoted by Krebs described Norse as a "scam" operation designed to suck in investors.
Norse, once a rising star in the threat intelligence industry that as recently as Sept 2015 received an investment of over $11 million from KPMG, has been in the news for the wrong reasons before.
As KrebsonSecurity noted in its blog, a Norse report last year on growing attacks against critical industrial control systems in the US was soundly trashed for being grossly exaggerated and unsubstantiated by facts. A subsequent review of the report showed that what Norse had described as dangerous attacks was really network scans conducted from locations in Iran against honeypot systems. Another Norse report that claimed Sony’s massive data breach was the result of an insider attack was similarly slammed for being unsubstantiated.
In comments to Dark Reading today, Glines accused his critics of harboring an agenda against Norse. He described Krebs’ article as causing “incredible damage in very short order” and confirmed that Bain had been named interim CEO.
“The quality of Norse's threat intelligence data is extremely good,” says Glines. “The company has one of the largest malware pipelines in the industry and just one of the sinkholes in use has over 1 billion callbacks, after being in operation for less than 3 months,” he says. He described the sinkhole as just one example of the many techniques used by the company to collect threat intelligence.
Glines downplayed the criticisms about Norse’s threat intelligence reports being over the top, but conceded that Norse had been beaten up in the media over the past year. He says that was mainly the result of a handful of individuals complaining about the company’s practices; others have jumped on the bandwagon because Norse chose not to respond, he says.
Critics have accused Norse of going to market too soon with the data it had, and of drawing conclusions not actually supported by the data. “I’d respond that the entire cyber threat intelligence industry is still young, growing, but relatively immature,” Glines says. “But I’d also add that our customers and partners were getting tremendous value from the data. Every product, every application, every service, is a work in process.”
Robert M. Lee, founder and CEO of critical infrastructure security firm Dragos Security and one of Norse’s strongest critics, says Norse’s problem is that it tries to make too much of the data it has.
A lot of the raw data that Norse collects from its sensors around the world is threat information, not threat intelligence, he told Dark Reading.
“Data is just data without context,” Lee says. Some of it can help organizations answer fundamental questions like whether their systems are infected or not. But that is not the same thing as threat intelligence, which involves the ability to take data from multiple sources, analyze it and predict with a high degree of confidence, he says.
“Real threat intelligence is not something you can plug into a firewall,” he says. It requires a much higher degree of expertise, both technical and domain, than simply gathering and looking at threat data.
“If Norse had used their data for what it was, it would have helped companies simplify what they were looking at,” he says. “Instead they were taking threat data and billing it as actionable intelligence.”
The questions being raised over Norse’s practices point to an overall maturing of the threat intelligence industry, Lee says. “I don’t see this as impacting the larger threat intelligence industry. I see this as an indicator that the market won’t accept bad threat data anymore.”