Why most companies WANT you to get breached
Over the last 5 years Jigsaw Security has grown from a small shop of individual researchers working toward a common goal to a powerhouse in the intelligence industry. Our cyber security solutions literally stop millions of malware infections every single day by providing data that renders attackers unable to infect networks. We do this by denying the threat actor access to their own payloads, C2 and other resources using DNS RPZ and similar technologies. In short we redirect traffic away from bad sites to known good sites, collect statistics on infection attempts and then update DNS RPZ zone hundreds of times per hour.
The competition is not our competition
One of the things we have noticed when trying to sell our solution is that our competitors want our data, but they don't want to actually stop infections. Why?! well that's pretty easy, because infections equal income for these companies. Think about it, the top security company has been in business for well over 15 years now. The only problem here is that customers are still getting breached (probably because they don't heed the suggestions of the company). They keep getting breached because these companies makes millions annually off of incident response. There is zero incentive for them to actually stop breaches because they make a ton of money off of breaches (many other security companies are doing exactly the same thing). The same holds true for many managed security providers.
While we compete in the marketplace with many of these MSP's and security companies, how we do business is much different. Our RPZ DNS solutions stop these infections and we provide our customers with the statistics to show how effective our solution is, justifying our existence. I would rather justify our existence through being successful than failing. Most security companies by and large are failing to protect their customers. They protect the largest companies to include companies like CapitalOne that just got breached, they protect Government (remember OMB) and many others yet companies still get breached (sometimes by insiders). The problem is that most security companies are not doing their customer justice. And they keep falling one by one. Why is this happening? Well first off, these security companies again makes a ton of money off of their incident response business. Other MSP's are in the same boat. We have been told that our solution is not compatible with the "business model". That's great except that the number one goal should be to protect infrastructure from infection but that's not whats occurring.
Outdated and Invalid Data
In all fairness they are not the only companies with this issue. A few years ago while working for one of the top 10 businesses in the US we were asked to do a comparison between FireEye's data, Crowdstrike, Dell Secureworks and a few others. One thing stood out with many of the "feeds" and "products" provided by these vendors. They were all using data that was "after the fact", basically indicators of compromise. Once an indicator of compromise is released into the public domain, the threat actor in some cases (but not all) will change tactics. This is called making it more costly to infect. The other thing that was common was that 60+ percent of the domains and IP addresses called out in reports, technical details and other products were showing in our system as offline. I don't know about you but I can tell you that I don't need to be protected against offline systems, it's the active ones that are a threat to the organization.
Some companies reviewed showed better results than others but the issue was the same. The blocklist provided by these companies was not being maintained. So the IDS/IPS, Firewalls and Network Security Devices (NSD's) were blocking domains that weren't even a threat costing valuable resources.
Theft no matter how you look at it
Irregardless of how you look at these situations, one thing is sure. These large companies are ripping off people left and right and still being paid for services not rendered. These security companies are not putting their money where their mouth or their marketing claims fall. They claim to stop a certain percentage of (known) threats, giving themselves an out when an attacker crafts custom malware that they can't detect. And then they get paid to clean up infections that they failed to prevent. It's theft of taxpayer resources, it's corporate theft, breach of their contracts and marketing and honestly, it's appalling.
These security companies are being paid to prevent the breach. But as indicated they fail in nearly every instance and then get rewarded when there is a breach.
How they get away with it
One of the key points is that many of these security companies are not standing behind their products. Partly because they are only covering part of the problem. This layered security approach is a problem. Anytime you layer something, there are bound to be overlaps as well as gaps. They get away with this in part because these companies are propped up by big advertising corporations and others when companies that are truly protecting their customers can't even get in on many of the critical infrastructure contracts that would allow them to make a difference.
Fear is how these security companies get away with it. They pounce when companies are most vulnerable and basically get a blank check to continue failing their customer. Never in my 30+ years of being in an industry have I ever seen people being rewarded for their failures such as this. When these security companies are called on for help, instead of doing the right thing, they take the opportunity to take more money from already struggling companies after they have been breached.
Outdated Protection Models and Products
Many of the products out in the marketplace today can only function using indicators of compromise. They are fed list of IP's, domains, hashes and other seed data to "protect" their clients. The problem is that any one of these methods of detection can be changed in mere seconds by threat actors. It doesn't matter if you use Yara rules to detect things if those very indicators can be changed nearly instantaneously. If you want to deny the threat actors you have to disrupt the actual chain of infection and in many cases that will be unique and different every time an infection occurs.
If you want to be truly secure, you have to account for all of the factors in the chain of infection. This includes the grey matter between the targets ears. The industry has to realize that you can't provide a security issue with fully technical means. The threat actors are attacking through non technical means and then exploiting the human element in many cases to get past the technical defenses.
In short the industry has it all wrong. If companies want to truly be secure they will look past technical solutions and use technologies and strategies that fully address the cyber and non cyber related issues and it will come from companies that are not ripping off their customers and demanding payments when they fail to do the job they were hired to do.
So basically this article has been focused on data breach credit card numbers, health care records, things that don't impact human life. Will the industry wake up when a cyber security breach causes a train derailment or an explosion that kills 10's of thousands of people?
Probably not, let's hope somebody get's a handle on this situation before it's too late...
This is an opinion piece by one of our SOC engineers. Nothing in this post is to imply a position, policy or procedure of Jigsaw Security. Anonymous articles may be submitted to our SOC team for inclusion in our blog and news releases by emailing to firstname.lastname@example.org. Not all submissions will be accepted but we will be fair and public