Jan. 30, 2016
Brian Krebs published an outstanding report today titled “Sources: Security Firm Norse Corp. Imploding” which has led to the emergence of a number of blogs and social media rumblings about what this means for the cyber threat intelligence community. Some have already begun positioning that this is the fall of threat intelligence. I would not only disagree and believe this to be a mostly isolated case but position that if anything this is a good sign of the community’s growing maturity. The purpose of this blog is to discuss why Norse’s potential and impending implosion does hold some lessons learned for the industry but holds no prediction of negative things to come for the threat intelligence community as a whole.
Before elaborating on these points though, I want to start off with the much needed statement about the people at Norse. To anyone in the community that holds strong negative feelings for Norse (and you are not alone) please be conscious that many of the individuals working at Norse were professionals and very talented. Many of the negative feelings towards the company were likely based on the marketing efforts and mislabeling of the content and value of their product; not negativity towards the people that work there. I hope the former employees land softly at their next jobs and I would encourage companies looking to hire to think of these individuals without prejudice.
With regards to Norse it was in many ways a good looking company. It garnered national media level attention through smart placement of their cyber attack map (yes the pew pew cyber map analysts have mostly grown to hate – but it looked good in media). There were some key employees recruited who were well respected in the industry. And it raised tens of millions of dollars in investments to appear as an exciting California security startup. So now that the company is apparently imploding it does seem natural to think that this may be an indication of things to come with regards to the threat intelligence industry and for a ripple effect in investments into this space. However, I would state this as wholly inaccurate although there are some lessons learned here for both investors and security startups.
First, Norse Corp. may have garnered national level attention but most of it was not actually good attention. Also, they billed themselves as a threat intelligence company when, in my opinion, they simply were not. Folks who are familiar with me, or read it in the Krebs report, will remember that I came out very publicly chastising their dangerous assessment that there were Iranian attacks on U.S. industrial control systems. The key reason that they had a bad assessment is actually why Norse was always doomed to fail. The company was interpreting Internet scanning data against their high level sensors as attack intelligence. Most threat intelligence companies rely upon enriched data complemented with access to incident response data of actual intrusions; not scanning activity. Norse also held no verifiable industrial control system expertise but were quick to make assessments about these systems. And further when they stated that there were attacks on control systems by Iran what the data seemed to show was they actually should have said scans against systems trying to mimic industrial control systems by Iranian IP addresses. The effort by them and the think tank AEI to state that there should be policy considerations in the Iranian nuclear negotiations based off of this data is a great representation of what not to do in the industry. Simply put, they were interpreting data as intelligence. There is a huge difference between data, information, and intelligence as I outlined here. While their product and Internet level scanning data was interesting and potentially very valuable for research it was not threat intelligence. So while they may have billed themselves as significant players in the threat intelligence community they were never really accepted by the community, or participating in it, by most leading analysts and companies. Therefore, they aren’t a bellwether of the threat intelligence industry or of other companies having trouble simply because they weren’t really ever in “the industry.” The threat intelligence community can be fairly small and making strategic mistakes can have significant lasting impact. Trust is a huge part of the equation in this community.
Second, this case-study of Norse holds great lessons learned. First, because trust is a significant part of doing intelligence work and in participating in this community there is a requirement for companies to realize they are dependent on the ecosystem and are not living in a bubble. Formal and informal relationships, company partnerships, and information sharing can help companies succeed quickly. It is not a competitive landscape in such that companies should think that success is a finite item where one company’s success means less is available for others. Quite the opposite. As threat intelligence is used more appropriately throughout the industry it will continually open up the market. For example, threat intelligence is meant to make good security programs better or to help give important context and information to strategic level organization decision makers – it is not meant to replace bad security programs or act as a magical solution for security. Second, threat intelligence companies should be very careful in lining up their marketing efforts with an honest assessment of what the company’s product or services actually produce. This should apply to any security startup but it is vital in the threat intelligence community. Whereas claims around general security can be difficult to interpret there are definitive ways to look at company claims in intelligence and dismiss them completely as hype. This dismissal is hard to recover from. Finally, an important lesson learned here is for investors and Venture Capital firms to dig deep not only into what is being shown by the company but also in how they are perceived in the community. There are many “experts” in this community who’ve never held the appropriate positions or roles to ever have been put in a situation to speak with expertise about threat intelligence. As an example, one of my critiques of Norse was that their “intelligence report” on industrial control system attacks was not written by anyone with industrial control system expertise. Just as we would expect a Russian intelligence analyst to have an understanding of Russia or even speak Russian the community and investors should demand that assessments are qualified by actual expertise not just general “cyber” expertise.
Venture Capital firms invest in companies with the expectation of not getting an immediate return on investment. In an overly simplified stereotype most Venture Capital funds expect not to see their returns for five to seven years with events such as an IPO or company merger/acquisition. Following that logic, it is reasonable to believe that investments made five to seven years ago are starting to be looked at for their return on investment to the Venture Capital firms. The landscape for investment will likely become much more competitive. There will be lessons learned from investing in good-sounding but under-performing companies. Investors and industry analysts will demand more proof of claims, understand what hype looks like a bit better, and invest even more intelligently. This is a good thing for the industry. I doubt Norse will be the last company to fail in the threat intelligence industry but the industry and investments into it will likely continue to grow. The focus will be on smarter money.
This post originally appeared at RobertMLee.org.