


Security vendors flamed over Flame publicity

May 30, 2012

By now you’ve seen the security vendor freak-out over this Flame malware that’s been giving the Iranians so much trouble. Looking at it yesterday, I knew a backlash was inevitable. Sure enough, the backlash came — and it did not disappoint.   

Now, I don’t want to downplay the importance of this malware. Stuxnet and Duqu proved to be pretty darn impressive, and Flame is seen as a next step in the evolution of this family of cyberwar weapons.

The problem is that once discovered, security vendors fall over each other trying to be the first to report it. They flood IT security journalists with emails on how major and grim this new find is. Then come loud headlines that throw the non-experts off track. That last bit is the fault of my own industry, where blazing, pageview-grabbing headlines are the order of the day.

In this kind of circus atmosphere, the security practitioners who work in trenches that don’t change much from day to day look at what’s happening and wonder aloud what was used to spike the punch vendors are drinking.

They ask that question on Twitter, and the response is always satisfying for those who have been around a long time and have seen it all.

Here’s a sampling:

@gattaca: We here at Liquidmatrix discovered #Flame in 1984. #funfauxfacts

@KimZetter: Webroot claims it “discovered” Flame in 2007

@xme: Security v€ndor$ jumping on #flame like rabid animals on a piece of meal…

@gattaca: @theprez98 @wimremes Well, to be fair, my ancestors found the code for #Flame in a cave painting.

@wimremes to @gattaca: Dude, I discovered #flame in 1976. We shared a placenta.

@krypt3ia: I really wish all this #FLAME talk would just #FLAME out because I am about to immolate the lot of you. #F_LAME

@threatagent to @theprez98 @gattaca @wimremes BBQ was discovered a few hours after #Flame

And so on…

Now, sometimes when a FUD campaign is exposed, vendors back down and offer more reasoned analysis. Such was the case yesterday, as this late-day PR pitch shows:

Hi Bill,

I saw your post today about Flame, questioning if the security vendor community is overreacting, and it made me wonder if you might be interested in talking with Kevin Pouche, a 15-year veteran in the business of IT and data security and COO at K logix, a Boston-based data security firm working with companies like John Hancock, Children's Hospital Boston and Xerox.

As evidenced by these impassioned articles Kevin wrote for Forbes, he feels strongly that American business leaders can protect this country from cyber threats with the right level of investment in data protection.

However, there needs to be a shift in the conversation between IT and business executives to help them understand the true value of protecting data. Instead of today's conversations that are often too reactive to the latest report of malware, which creates a "the sky is falling" type of mentality, Kevin and the K logix team are working with IT security leaders to help them shift the conversation to one that focuses on the impact of risk on revenue. They work with clients to present comprehensive analysis on the financial impact of both good and bad data security programs.

No disrespect intended toward the PR person who reached out or her client. But I often wonder if PR firms have a two-prong strategy when big malware game is discovered: Scare everyone on day one, then tell everyone to calm down a day later. As strategies go, this one — if even remotely true — is just weird.

Discuss among yourselves.