2/4/2016
06:00 PM

Newly Fired CEO Of Norse Fires Back At Critics

Critics maintain that Norse Corp. is peddling threat data as threat intelligence.

A massive and potentially company-ending shakeup at security vendor Norse Corp. in recent weeks amid controversy over its practices may be a signal that the threat intelligence industry is finally maturing.

KrebsonSecurity last week reported that Norse had fired its CEO Sam Glines after letting go some 30% of its staff less than a month earlier. The blog quoted unnamed sources as saying Norse’s board of directors had asked board member Howard Bain to take over as an interim CEO.

The remaining employees at the Foster City, Calif.-based threat intelligence firm were apparently informed they could continue showing up for work, but there would be no guarantee they would be paid, KrebsonSecurity reported.

Shortly thereafter, Norse’s website went dark and remained unavailable through the week -- prompting some speculation on whether the company had been shuttered. A spokesperson for a PR agency representing Norse today said the company is still operational, but she did not elaborate.

The KrebsonSecurity article, which was contested by Glines and former Norse chief architect Jason Belich, blamed Norse’s problems on a fast and loose business culture focused on taking quick advantage of the booming interest in threat intelligence rather than on delivering real value for customers. One former employee quoted by Krebs described Norse as a "scam" operation designed to suck in investors.

Norse, once a rising star in the threat intelligence industry, which as recently as Sept 2015 received an investment of over $11 million from KPMG, has been in the news for the wrong reasons before.

As KrebsonSecurity noted in its blog, a Norse report last year on growing attacks against critical industrial control systems in the US was soundly trashed for being grossly exaggerated and unsubstantiated by facts. A subsequent review of the report showed that what Norse had described as dangerous attacks was really network scans conducted from locations in Iran against honeypot systems. Another Norse report that claimed Sony’s massive data breach was the result of an insider attack was similarly slammed for being unsubstantiated.

In comments to Dark Reading today, Glines accused his critics of harboring an agenda against Norse. He described Krebs’ article as causing “incredible damage in very short order” and confirmed that Bain had been named interim CEO.

“The quality of Norse's threat intelligence data is extremely good,” says Glines. “The company has one of the largest malware pipelines in the industry and just one of the sinkholes in use has over 1 billion callbacks, after being in operation for less than 3 months,” he says. He described the sinkhole as just one example of the many techniques used by the company to collect threat intelligence.

Glines downplayed the criticisms about Norse’s threat intelligence reports being over the top, but conceded that Norse has been beaten up in the media over the past year. He says that was mainly the result of a handful of individuals complaining about the company’s practices; others have jumped on the bandwagon because Norse chose not to respond, he says.

Critics have accused Norse of going to market too soon with the data it had, and of drawing conclusions not actually supported by the data. “I’d respond that the entire cyber threat intelligence industry is still young, growing, but relatively immature,” Glines says. “But I’d also add that our customers and partners were getting tremendous value from the data. Every product, every application, every service, is a work in process.”

Robert M. Lee, founder and CEO of critical infrastructure security firm Dragos Security and one of Norse’s strongest critics, says Norse’s problem is that it tries to make too much of the data it has.

A lot of the raw data that Norse collects from its sensors around the world is threat information, not threat intelligence, he told Dark Reading.

“Data is just data without context,” Lee says. Some of it can help organizations answer fundamental questions like whether their systems are infected or not. But that is not the same thing as threat intelligence, which involves the ability to take data from multiple sources, analyze it and predict with a high degree of confidence, he says.

“Real threat intelligence is not something you can plug into a firewall,” he says. It requires a much higher degree of expertise, both technical and domain, than simply gathering and looking at threat data.

“If Norse had used their data for what it was, it would have helped companies simplify what they were looking at,” he says. “Instead they were taking threat data and billing it as actionable intelligence.”

The questions being raised over Norse’s practices point to an overall maturing of the threat intelligence industry, Lee says. “I don’t see this as impacting the larger threat intelligence industry. I see this as an indicator that the market won’t accept bad threat data anymore.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
phdad_ccm,
User Rank: Apprentice
2/24/2016 | 1:14:32 PM
Too many consulting firms, too few success stories
Security is the new bandwagon companies are jumping on. Problem is that most security providers try to provide their "cookie cutter" answer to their clients' security or risk issues. Buying an off the shelf product is like using aspirin as a common fix to all physical ills. Companies should obtain a trusted advisor (answering only to the Board of Directors) who will evaluate the firm's risks, practices and policies and then customize a plan to address those risks within an acceptable timeframe and budget.
StephenR232,
User Rank: Apprentice
2/6/2016 | 7:15:48 PM
It's a very murky field
Threat intelligence is inherently a murky thing. It purports to tell you unknown unknowns and the remedy is typically a tool or service they sell. But it's very hard to evaluate the quality or utility of the information they sell and serve up. There's no way to normalize what they publish vs what anyone publishes and often the information itself crosses into the innuendo and urban myth territory. Which is fine for your lawyers and regulatory staff who have processes to follow, audits to pass and checkboxes to check but beyond that it's a big question. Norse simply got caught first.