Flame: The importance vs. the hype

The last two posts have focused on the Flame malware and whether it’s as big a concern as security vendors are making it out to be. I didn’t plan to revisit the issue today, but a comment from a trusted source and a zany press release from another vendor forced a change of mind.

Let’s start with my trusted source: Jennifer Minella, a CISO, infrastructure security specialist, speaker and author. Many of you know her as a straight shooter who doesn’t exaggerate. I’ve come to rely on her honest take on things, and I consider her a good friend. So when she posted the following comment in a previous post, I took notice:

“Flame is VERY different than Stuxnet and Duqu… much much larger, more sophisticated and modular. This time, it’s not hype.”

I will say that from the beginning, I recognized Flame as something significant. My problem is in how security vendors talk about it. Some stick with the details and play it straight, but others have gone off the deep end in hopes of getting in a news report. It’s probably fair to say that the PR firms they work with are not serving them very well this time around.

Why is this important? Because overhyped PR pitches and news stories distract IT practitioners. They don’t need more stories about the boogeyman. They need the basics: how Flame functions, how to see it coming based on network behavior, and how to make it less of a threat to the companies they work for.

The following PR pitch, which landed in my inbox yesterday afternoon, is an example of hype burying the useful, actionable detail:

Hi Bill,

It reads like an Avenger comic book or the next Bond film. Bigger than Stuxnet! Highly sophisticated! Predominantly used in data theft and cyberespionage! The widespread proliferation of malware infected systems and the toolkits hackers need to complete their latest espionage is indeed insidious.

(the vendor) is a recognized leader in providing solutions to defend against Advanced Persistent Threats (APTs). In order to address Flame, Deep Content Inspection (DCI) is a new approach to data inspection that incorporates thorough analysis that must be employed into the network. I wanted to connect you with (the vendor’s CEO) as a resource to discuss the cause and effects of this malware. What is your availability to discuss the significance of Flame and how it could be avoided?

That’s a lot of flash. If the press release gave me research gleaned from customers who use their DCI products, you’d be reading a much different post right now.

My goal here isn’t to bash PR people and security vendors. I know it’s my job to cut through the hype and clutter and get them to give me the simple facts. I also know after several years in this business that when the PR approach is loud and hyperbolic, the same kind of news coverage follows, especially if it’s from the more mainstream press.

The contrast between Jen’s comment and that press release illustrates another important point: Whenever I talk to the security practitioners in the trenches — no matter the issue — they always have a far more muted reaction to the supposedly big news of the day. It’s not that they don’t find newly-discovered malware, vulnerabilities and attack techniques important. Of course they do.

It’s just that in the day-to-day process of mounting a defense, these things don’t look anywhere near as exciting as we in the media sometimes make it out to be.

Granted, their lives do get exciting — in a not-so-good way — when these things result in a data breach. But the media hype isn’t necessarily going to help them prevent the breach.