Shame on Symantec for throwing NYT under the bus

“We deal in deception here. What we do not deal with is self-deception.”– The Departed, written by William Monahan, Alan Mak and Felix Chong

FADE IN. EXT. DAY. A WHEAT FIELD. BEES AND BUTTERFLIES FLUTTER. WE ZOOM IN ON A WOMAN IN A BUSINESS SUIT, HOLDING A TABLET COMPUTER.

WOMAN: I used to worry about Chinese nation-state hacking gangs sending me customized emails to get me to click on malicious code that lets them break into my company network and exfiltrate our intellectual property — my work! But not any more.

PRODUCT SHOT: We see a data center, and in front of server racks, on a cinderblock, is a MANVIRTEX  ANTI VIRUS SOFTWARE BOX

WOMAN (VO): Manvirtex anti-virus software stops malicious software, whether it’s known or unknown, faster than any leading brand. Its reputation-based approach detects sophisticated, targeted attacks.

CUT TO: WOMAN IN WHEAT FIELD, CLOSE UP, A SLIGHT, BEATIFIC SMILE ON HER FACE.

WOMAN: Even when they specifically target…Me!

PUSH TO EXTREME CLOSE UP.

WOMAN [RAISES ONE EYEBROW AND LOOKS INTO CAMERA]: I like that.

CUT TO BACKGROUND OF WOMAN FROLICKING THROUGH FIELD WITH TABLET, CHECKING CONTENT MANAGEMENT, SAP STATUS, FACEBOOK.

ANNOUNCER (VO): Side effects may include not seeing or stopping malicious software, not stopping the malicious code from being installed or detecting subsequent lateral movement; slow performance, and missing known and unknown viruses. Consult your incident response contractor for details.

***

Last week, the New York Times courageously reported details [1] of how it had been the victims of a Chinese nation-state sponsored industrial espionage campaign. We should applaud The Times for being so forthright about its experience. All too often, victims are hesitant to discuss such matters for fear that they will lose customers or incur liability, but the Times seems to have done pretty much everything right in terms of disclosure. It listened to its partners, and escalated its counter-hacker game appropriately. It sought help from federal law enforcement.

Within the article, Michael Higgins, the Times chief security officer, states something well known in our industry: “Attackers no longer go after our firewall. They go after individuals. They send a malicious piece of code to your e-mail account and you’re opening it and letting them in.”

There’s another dirty secret of our industry, though, something more insidious.

Despite decreasing efficacy in stopping anything other than the most garden variety of threats, antivirus software is to enterprise security architects and vendors and government agencies, essentially a compliance tax. It’s required by every security standards list there is.

But let’s recognize this as the deceit it is — we are, in fact, security people: Anti-virus as a check-box item is as meaningless to an enterprise’s security as a check-box item for parachutists that they have a toothbrush in their pocket before leaping out of the plane — sure, it’s a good idea for some truly basic hygiene, but its application is irrelevant to the meaningful threats encountered as a fundamental part of the activity.

That’s not why I’m so mad, though. I’m mad because right after The Times article was published, Symantec broke all the unspoken rules of the information security industry — nay, the broader security industry! — to specifically throw its customer under the bus.

The Times article mentioned that, during the three-month campaign, attackers installed “45 pieces of custom malware.” The Times then took the unusual step of identifying its anti-malware vendor as Symantec, and then stated that the Symantec security software used by The Times had missed 44 of 45 of these malicious packages.

That is 97.7 percent failure rate.

The Times article quotes a Symantec spokesman as stating that, as is common in the information security industry, Symantec does not comment on its customers.

Then, as if to test the mechanics of the Streisand Effect, and in a manner befitting the sleazoid defense attorney who blames the back-alley rape victim for her attack by claiming she was dressed provocatively, Symantec took the extraordinary measure of going out of its way to release a statement[2] which, in weasely (yet legally unassailable) language leaves the reader with only two possible inferences: The Times was foolishly cheap, or The Times was incompetent – but either way, the incident was not the fault of Symantec:

“Advanced attacks like the ones the New York Times described … underscore how important it is for companies, countries and consumers to make sure they are using the full capability of security solutions,”

reads the innuendo-packed weasel-fest that sounds like it was written by a large, ad-hoc committee of flacks, hacks, lawyers and brand and communications-crisis consultants.

“The advanced capabilities in our endpoint offerings, including our unique reputation-based technology and behavior-based blocking, specifically target sophisticated attacks,”

it continues, demonstrating that, even in trying times the Symantec marketing department can find ways to flog their wares,

“Turning on only the signature-based anti-virus components of endpoint solutions alone are not enough in a world that is changing daily from attacks and threats,”

the statement continued.

“We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security. Anti-virus software alone is not enough,”

the committee concluded.

What is particularly cowardly and reprehensible about the Symantec statement is what is particularly cowardly and reprehensible about the anti-malware industry in general: Customers are essentially forced by compliance frameworks to buy it, and when it doesn’t work, it’s just darn astonishingly easy to say that the customer wasn’t using the right stuff, or using the right stuff right, or doing the right things with the right stuff it had.

Not to mention that “being very aggressive” in deployment of security options assumes there’s any money left in the security budget after buying all that compliance-mandated ballast.

The fact that Symantec’s own marketing comprises breathless “we-got-your-back” prose like this:

Unrivaled Security. Blazing Performance. Built for Virtual Environments. Symantec Endpoint Protection is built on multiple layers of protection, including Symantec Insight and SONAR both of which provide protection against new and unknown threats.” [2]

…tells me that they can pretty much say anything they want, safe in the knowledge that, when you get hacked, they’ll tell you you shoulda bought a whatsit, and gosh! that’s too bad about all your intellectual property.

If a Chinese hacking gang working regular business hours can install 44 individual pieces of malware on your network unmolested by your anti-virus regime, then a claim of detecting and protecting against, “new and unknown threats” is, you know, subject to challenge.

Now, I don’t for one minute believe that Symantec feels it is perpetrating a fraud upon its customers. I believe Symantec believes that its products, used correctly, are efficacious and good.

I just don’t think that Symantec has considered that it may very well be an idiot.

My analysis is that The Times’ primary mistake was to feel any sense of security based upon Symantec’s own marketing and messaging. The Times isn’t dumb – it did ask AT&T to let it know if AT&T detected any anomalous activity[3]. Once AT&T informed The Times, The Times started its incident response (it used Mandiant).

Now, in the bodyguard business it is a standard industry practice that, if your client is killed on your watch, it’s tacky to bill the estate for your time or services.

Unbelievably, in the anti-virus industry, the opposite seems to be true.

In recent incidents, we’ve seen anti-virus products miss not just the sophisticated custom-built malware, but also the garden variety stuff: along with separate campaigns from nation-state attackers we have also seen low-level malware like banking Trojans running amok within networks; the establishment of mini-botnets and basically the conversion the customer networks into, as Anna Akhmatova famously said of wartime St Petersburg[4], “…a drunken whore/[who] didn’t know who was taking her.”

We then watched as the very anti-virus vendors whose products had missed both the big and little picture marched into the office of the CISO or CIO or CTO and used, in violation of all laws of human decency and as if to provide a new definition of “chutzpah” their abject failure as a sales opportunity.

“If only you’d bought our Whiz-Banger when we tried to sell it to you last autumn”, they say, straight faced and earnest, “none of this would have happened.”

But even if The Times is smart, a genius would be challenged in parsing the industrial-grade gush that is Symantec’s marketing pfapf:

“AV-Test.org has shown that Symantec Endpoint Protection 12.1.2 detects and removes more threats than any other solution in its class.”[5]

Doesn’t that sound like Symantec is saying its anti-virus software is, you know, like, really good?

What, do we now need the caveat section like prescription drug ads?

To be sure, the vendors are by no means entirely to blame: customers routinely misconfigure the products, or fail to recognize the implications of findings.

To this I say that instead of wasting your money by  giving more of it to the AV vendors so they can catch less stuff and then blame you when they don’t, use your internal expertise and what outside resources you might need to get you more information about your actual traffic – and let the traffic tell you the story.

Looking at the traffic, understanding its context, and allowing the behavior of exploited machines to guide you to the problem, the culprit, and ultimately to the solution, is the only tried and true method of ultimately stopping an attack from a sophisticated and adaptive adversary.

And no one — no one — should blame their customer in the public eye in order to sell more software.

It’s just not done. Shame on Symantec for doing it here.

________________________

[1] Perlroth, N (2013) “Hackers in China Attacked The Times for Last 4 Months”, The New York Times, January 31, 2013, A1. Available: https://nyti.ms/TZtr5z

[2] Symantec Corp (2013) “Symantec Statement Regarding New York Times Cyber Attack” January 31, 2013 Available: https://investor.symantec.com/phoenix.zhtml?c=89422&p=RssLanding&cat=news&id=1779762

[3] And, let’s face it: if AT&T could see the anomalous activity, then one of two things happened. First, the breach was as obvious as was the destruction of the Iraqi Public Information Building in front of which stood Comical Ali during the initial attacks on Baghdad in 2003, and AT&T just happened to turn around and see the flames. Or Second, the Chinese attackers inadvertently stumbled across a tripwire set up by the AT&T billing department – now THOSE guys are able to see something wrong right snappy.

[4] Akhmatova, A (1888-1966), “Poem Without a Hero”; Google it.

[5] Symantec Corp (2013) “Symantec Endpoint Protection,” Symantec Enterprise website, Available:https://www.symantec.com/endpoint-protection?fid=endpoint-protection Accessed 3 February 2013