The Cyber Witch Hunts 2017

Apr 23rd, 2017


The Salem witch trials began in the spring of 1692: a group of girls in Salem, Massachusetts, unhappy with the way they perceived they were being treated, claimed to be possessed by the devil and accused a number of the local village women of witchcraft, and mass hysteria prevailed. It eventually resulted in nineteen women being put to death by hanging and a further 150 women, men and children being accused of witchcraft.

Fast forward some three hundred years to the spring of 2017 and mass hysteria is again the order of the day. For those that have been living under a rock we have had the following headlines in the last few weeks:

Cyber Security Company Cylance Faces Fraud Controversy as Layoffs Continue
Cylance denies providing fake malware samples
Cybersecurity Company Tanium Exposes Hospital Records
The CEO of This $3.7 Billion Startup Allegedly Fired Employees Right Before Their Stock Options Vested

Now I understand headlines get clicks, the more dramatic the headline the more clicks you are likely to get, but come on guys, there is such a thing as integrity. To suggest Cylance is facing a “fraud controversy” or provided “fake malware” is complete and utter tosh. While we are in a tosh talking mood let’s talk about “Tanium exposes hospital records” and Tanium “fires employee right before their stock options vested”, again complete and utter tosh (for our American readers out there “tosh” is British for bullshit).

The following memes sum up the current state of play in the universe:

[Four "Overreaction" memes]

That last meme hits the nail on the head: while it is technically correct that he was “robbed”, most normal interpretations of the situation would find that headline misleading, to say the least, or tosh to be more accurate, while being polite.

Let’s take the Cylance stories for starters. When you read the multitude of articles covering the story and the response from Cylance, you get an understanding of what happened. Cylance provides a tool called “Protect”; it uses machine learning to essentially learn what is good and what is bad.

Machine learning does this by training a neural network: you provide data to the neural network and classify each data sample as either good or bad. The neural network draws conclusions based on the data. For example, on a good system all of the files/software might be signed with a valid digital signature using a key issued by a key provider that has never had malware associated with any of its issued keys. This would then become a “positive signal” to the neural network to help it determine whether certain software is malicious or safe.

To draw a conclusion the neural network might take hundreds or thousands of signals into account to help make its final determination. The most important part of training a neural network is data; in this example, to train it to recognise malware you would need both clean environments and infected environments, which you would likely infect using live malware samples.

Typically, if you had say 10,000 malware samples, you would use 70% of the samples to “teach” the neural network, 20% to test and tune the neural network and validate that it detects samples it has not seen before, and the last 10% of the samples as validation that your detection rate is better than a human detection rate. Once your neural network has learned to detect infected environments at better than human detection rates you can release it on the market and, happy days, you get a billion dollar valuation.
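As an added illustration of the split described above (example code written for this explanation, not Cylance’s or any vendor’s code): it builds a constructed corpus of samples described by a handful of boolean signals, carves it 70/20/10, trains a classifier on the training portion only, and reports accuracy and detection rate on the two held-out portions. The signal names, their per-class rates and the use of a Bernoulli naive Bayes model instead of a neural network are assumptions chosen so the whole thing runs without any library; the point is that the model never sees the test or validation samples while it learns.

```python
import math
import random
from collections import Counter

# Constructed signal names (assumptions, not real product telemetry). Each
# sample is a dict of booleans plus a label.
FEATURES = ["signed_by_clean_key", "packed", "high_entropy", "key_seen_with_malware"]

# Constructed probability that each signal is present, per class.
SIGNAL_RATES = {
    "benign":    {"signed_by_clean_key": 0.90, "packed": 0.10,
                  "high_entropy": 0.10, "key_seen_with_malware": 0.01},
    "malicious": {"signed_by_clean_key": 0.20, "packed": 0.70,
                  "high_entropy": 0.70, "key_seen_with_malware": 0.30},
}


def make_corpus(n, seed=7):
    """Generate n labelled samples (half benign, half malicious) and shuffle them."""
    rng = random.Random(seed)
    corpus = []
    for i in range(n):
        label = "malicious" if i % 2 else "benign"
        signals = {f: rng.random() < SIGNAL_RATES[label][f] for f in FEATURES}
        corpus.append((signals, label))
    rng.shuffle(corpus)
    return corpus


def split_corpus(corpus, train_pct=70, test_pct=20):
    """Carve the corpus into train / test / validation slices (integer maths so
    10,000 samples give exactly 7000 / 2000 / 1000)."""
    n = len(corpus)
    n_train = n * train_pct // 100
    n_test = n * test_pct // 100
    return corpus[:n_train], corpus[n_train:n_train + n_test], corpus[n_train + n_test:]


def train_naive_bayes(samples, alpha=1.0):
    """Bernoulli naive Bayes: estimate P(signal present | class) for each class
    and signal, with Laplace smoothing so a signal never seen for a class in
    training cannot zero out that class at prediction time."""
    class_counts = Counter(label for _, label in samples)
    present_counts = {c: Counter() for c in class_counts}
    for signals, label in samples:
        for f, present in signals.items():
            if present:
                present_counts[label][f] += 1
    model = {}
    for c, n_c in class_counts.items():
        model[c] = {
            "prior": n_c / len(samples),
            "p_present": {f: (present_counts[c][f] + alpha) / (n_c + 2 * alpha)
                          for f in FEATURES},
        }
    return model


def classify(model, signals):
    """Pick the class with the highest log posterior for this sample's signals."""
    best, best_score = None, None
    for c, params in model.items():
        score = math.log(params["prior"])
        for f in FEATURES:
            p = params["p_present"][f]
            score += math.log(p if signals[f] else 1.0 - p)
        if best_score is None or score > best_score:
            best, best_score = c, score
    return best


def evaluate(model, samples):
    """Return (accuracy, detection_rate); detection rate is the share of
    malicious samples the model flags as malicious."""
    correct = mal_total = mal_caught = 0
    for signals, label in samples:
        pred = classify(model, signals)
        correct += pred == label
        if label == "malicious":
            mal_total += 1
            mal_caught += pred == "malicious"
    return correct / len(samples), mal_caught / mal_total


def run(n=10000):
    """Split, train on the 70% slice only, then score the held-out 20% and 10%."""
    train, test, validate = split_corpus(make_corpus(n))
    model = train_naive_bayes(train)
    return {
        "sizes": (len(train), len(test), len(validate)),
        "test": evaluate(model, test),
        "validate": evaluate(model, validate),
    }


if __name__ == "__main__":
    print(run())
```

The constructed rates make the classes fairly separable, so accuracy on the held-out slices lands around 90%; what matters is that the number reported comes from samples the model was never trained on, which is the whole reason for keeping the 20% and 10% slices apart.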

But think about it, what if you really wanted to test our new machine learning overlords, what would you do? Well, I would get the best malware analysis guys I can, get them to create their own unique samples using clever techniques to evade the current solutions out there and see if our neural network can detect it, see if it is as good as we think it is.

That leads to the inevitable headlines, “Cylance creates fake malware” and “Cylance faces fraud controversy”, yep, and I call tosh on those headlines. Either the writer doesn’t understand the domain they are providing an opinion on, or they are going for clickbait; either conclusion calls their journalistic credentials into question.

The Tanium headlines are just as misleading but for slightly different reasons. The headline that states “Cybersecurity Company Tanium Exposes Hospital Records” implies that Tanium was showing potential customers “hospital records”, most normal interpretations of that would have patients worried that Tanium was exposing their confidential patient records, which is tosh. From the official Tanium response and the official hospital response the data exposed related exclusively to the IT infrastructure, like the computer names or IP numbers, nothing to do with patient records at all.

Don’t get me wrong, that is not a good situation, but it is not Salem witch burning time. It is hard to say what actually happened here without “reading between the lines” of both the official hospital and Tanium statements, so rather than do that let me tell you about a time when I worked for a vendor.

We had put in an Access and Identity management solution at a local university. These guys didn’t have a lot of spare IT resources to maintain this new system, and while we were dialing it in, the university gave me remote access so that I could tweak the buttons and dials to ensure it remained stable for the first few weeks. After a few weeks everything was running well and the IT guys I was working with were starting to use the system more and more, so they wanted some knowledge transfer. Technically the professional services they had paid for had all been consumed, but I wanted happy customers and they were one of our first in the region, so I helped them out. A couple of weeks later they had another bunch of questions and I helped them out, and so on and so on for a few months.

About six months in, we had another university approach us wanting an access and identity management system and I mentioned we already had “x university” as a customer and they were like “great can we see what you have done there” and I was like “I will ask”. So I went to the guys I worked with, the guys I supported, the guys I had spent months unofficially helping out and asked them if they could demo the implementation to “y university”, they came back and said they didn’t have time, but as I had remote login they were happy for me to show them around the console.

Now, did I get “written permission” from “x university”, do I know for sure that these guys ran the request up the chain and got approval from top to bottom, no I didn’t and no I don’t. But that was the type of relationship I had with these guys, they trusted me not to screw anything up, because they trusted that I wanted their implementation to be a success, as I had proven over the previous six months, and that I wouldn’t do anything that would put that at risk.

Was it the right thing to do? No, I should have gotten written permission, which is effectively what Tanium’s statement said in regards to their situation. Do I think the university management had any clue about what was happening? No, which is effectively what the hospital’s statement said about their situation. Was I acting in bad faith? Well, no, because the guys I had the direct relationship with knew what was happening.

Now I am not trying to issue Tanium a free pass here; what they did and what I did was wrong. Always get written permission from someone in authority that has the right to provide the permission, full stop. If you don’t and you get caught, don’t throw the guys you worked with under the bus: apologise, take the hit and learn from your mistake.

The second article making the rounds about Tanium was “The CEO of This $3.7 Billion Startup Allegedly Fired Employees Right Before Their Stock Options Vested”, it accuses the CEO of having a list of employees with large option entitlements and of the company being a toxic environment.

Now I have worked at a few startups over the years, and received options or equivalent at all of them, and in every instance my options or equivalent vested either over a 24 month or 48 month period, as long as you made it past month 12. If I left after 23 months I was entitled to 23 months’ worth of vested options. It was never “you get to month 23, you get kicked out and you get nothing”; that’s not how options work. Who the hell would sign up to that type of deal? I will give you a clue: no one. And if they ran that sort of deal they would be struggling to attract talent in one of the hottest employment markets on the planet right now, cyber security.

Having worked for a few startups over the years, I have seen some “unique” things, from a Global VP of Sales taking me and the boys out in San Francisco and paying for all of us to get a lap dance to celebrate a big deal, to a sales director cheating on his wife with a Thai ladyboy at a Bangkok conference and the sales lead buying the entire team a round of dope at a cafe in Amsterdam. Any one of these things is going to look bad in the papers, so to read that the Tanium CEO was allegedly referring to someone as being “fat” seems pretty tame to me.

For every startup I join I look for reviews, the best source of such reviews I have found is Glassdoor. Looking at the Tanium employee reviews it all looks kosher to me, compare them to Openpeak for example, which was well known to be toxic before they went bust and there is a stark difference. Only ONE of the articles I read about the Tanium story bothered to do that level of research.

I have got to be honest, when I was reading the articles it came across to me as a disgruntled employee that was pushed out trying to stir up trouble by going to the press, and luckily for him/her in this day and age there are enough so-called journalists out there looking for a good clickbait headline. Imagine the headline for my lapdance-paying VP.

Here’s the thing, I do think journalists should have integrity; they should question the motivations of their sources and validate any conclusion they are offering to the public. And if you are going to rip off someone else’s story and rewrite it, get the facts straight, and don’t change the tone of the article to the extent that “shows hospital’s computer settings” becomes “Exposes Hospital Records”. It is misleading, calls your journalistic integrity into question and feeds the “fake news” narrative.

If you have to make up dramatic headlines to get a click it is a non-story. The Cylance malware samples: non-story. The Tanium toxic environment: non-story. That Tanium used a hospital environment for demos without official written permission: a story, but on the Wall Street Journal? Really? Really? More appropriate for a technology focused site like Seczine.

4 Responses

  1. Sec Ops Guru says:

    Refreshing to see a voice of reason on this topic… amazing how many so called news outlets jump on the bandwagon- clearly without doing any independent research.

  2. Sec Startup-er says:

    While I won’t challenge your other opinions noted here, I will say your following statement is just flat out wrong the way you generalized it:

    “Now I have worked at a few startups over the years, and received options or equivalent at all of them, and in every instance my options or equivalent vested either over a 24 month or 48 month period. If I left after 23 months I was entitled to 23 months worth of vested options. It was never, you get to month 23 you get kicked out and you get nothing, that’s not how options work.”

    The vesting plan you described is incredibly rare and overly generous compared to most. I would love to see examples of highly-valued startups that allow employees to vest stock after just 1 month of employment.

    I’ve worked in startups my entire career, and almost all have what’s known as 4 years options vesting with a 1 year cliff. This means that after one full year of employment, employees will receive 1/4 (the “cliff”) of their option grant – they vest NOTHING if their employment is terminated prior to their cliff, hence the term. After that, additional options are vested monthly until the entire grant is fully vested at 4 years of employment.

    • Sec Ops Guru says:

      @Sec Startup-er Regardless, not sure why someone would deserve a significant share of ownership in a company before a year… just saying?

    • Adam Jones says:

      I agree, but again a few minutes research on LinkedIn shows you that the executives that have moved on from Tanium were there between 2-3 years, so way after a cliff would have been in place.

      I could only see one or two that might have been at risk from a cliff.

© 2006-2017 Security Magazine.