Shostack + Friends Blog Archive

The Face of FUD

For your amusement: this image came as a banner on an opt-in email from NetWitness. You’ll recognize it as the face of F.U.D. (“fear, uncertainty, and doubt”).

If this is how you feel, buy our products. Then you'll feel better.

The headline is “You are losing the war!”, followed by “Criminal and state-sponsored adversaries are winning”. The key line: “NetWitness delivers real-time network forensics and automated threat intelligence solutions designed to combat advanced cyber security threats like Operation Aurora.”

I don’t blame them for surfing the publicity wave of “Operation Aurora” (China, Google, Adobe, et al.). And I can’t blame them for following industry practice of amplifying FUD, primarily “fear”, to get potential buyers to give attention and budget to NetWitness solutions, to wit:

“You have a choice: The NSA or FBI can sit down with your CEO and report your company’s network compromises, or you can be the one telling them that an attack was detected, thwarted, and steps were taken to prevent it from happening again. Which scenario sounds better to you?”

OK… so here’s a glimmer of NewSchool hope in the last lines of the email:

“We’re so sure of this fact that we’re determined to prove it on your network. We’re offering a complimentary Proof of Concept to any organization meeting a minimum set of qualifications.” 

So they are willing to show how their solution actually works in your organization. Not bad. But to earn the “NewSchool Tip-of-the-Hat”, the Proof of Concept would also need to produce some data on effectiveness versus the alternatives, including simply making do with whatever you already have. Better still, they could publish such data or make it available through the various information-sharing organizations. We can only hope.

(I have no opinion about NetWitness or their solutions or their competitors, nor do I have any relationship.)

6 comments on "The Face of FUD"

  • shrdlu says:

    I got that same spam today, and my first thought was that they took first prize for FUD, thanks to that subject line.

  • Ben says:

    That’s funny… I saw the subject and just deleted the email… and to think I could have seen that sullen face! 🙂

  • Hi Russell,
    Thanks for rebroadcasting parts of our opt-in email! Even though it appeared in the “amusement” section of your blog, we actually take all this quite seriously at NetWitness and stand behind what we put in the email. Your post raises a classic issue facing security professionals: to FUD, or not to FUD.
    It’s really unfortunate that FUD became a dirty word when compliance and “risk management” took over the security budget, but that’s when many organizations began to fail at security too. While many people, particularly CIOs in hindsight, would argue that compliance has helped increase the focus and spending on information security, I would argue that it has distracted many security programs into performing a large number of basically low impact or worthless activities in the name of metrics, versus FUD. And, compliance certainly has sponsored a whole class of expensive security technologies and associated total ownership costs (TCO) which drain the security budget.
    There’s also an unfortunate psychology involved here. Many security professionals feel guilty or inadequate using FUD as an argument because all the other I/T people have real metrics and we don’t. To some, it’s like when we were kids and everyone had Converse “Chuck Taylor” All-Star high tops and you were the one with the red Pro-Keds. Security people can’t talk about how many “9’s” of network uptime we have, or how much we have improved call center response time, or improved the TCO of storage. Security sucks at producing decent metrics — and the ones we do produce (which I’ll save for a much longer separate discussion), stink even more at reducing the fear of being owned by national-sponsored or organized criminal groups or the uncertainty and the doubts regarding the security of information in a world of advanced threats. Security people cringe when some C-level executive compares the cost of information security to the cost of insurance – “no one likes to pay it, but you have to have it.” Ugh! So, we hate the FUD argument – both when we have to use it and when someone uses it to trivialize what we all do for a living.
    But I do not think security professionals have to feel this way. I think that FUD still has a lot of usefulness in the toolkit of the security professional and within the enterprise security program, if applied in the right doses to the right places. One of my favorite Websites is fudsec.com. There are many good, bad and ugly uses of FUD cited here, for example, one of the good ones is Anton Chuvakin’s post, “A Treatise on FUD” – required reading for any committed FUDists.
    With regard to advanced threats, I encourage the use of a combination of FUD and proof. The FUD comes in the form of security professionals updating their talk track to highlight the real causes of many cyber losses in 2010, and the need for more focus on threat intelligence and operational security. Current issues such as Operation Aurora should be analyzed and briefed to senior management, and should be coupled with one of the more credible surveys that show that most data losses result from advanced threat sources (sophisticated exploits, malware, etc.).
    In the end, you will have to produce real evidence, however, and that’s why we put the POC offer on the table in our e-mail blast. FUD only goes so far, so, you have to show your colleagues the smoking gun with your own organization’s data. Ultimately in developing this sort of in-house evidence, you’d be the one to earn Russell’s “New School Tip-of-the-Hat” versus NetWitness. Because while we as a vendor could put out FUD-sounding marketing statistics about how this approach will make you more effective at changing the face of FUD to a smile than other alternatives, you will ONLY believe it when it happens in your organization, you can bank the results, and actually reduce the FUD for yourself and your CEO.

    • Russell says:

      Hi Eddie,

      Thanks so much for your thoughtful and open comments. It’s great to hear from a senior person in the vendor community.

      Thanks also for seeing the serious elements of my original post. I tagged it “amusement” because I was initially motivated by the graphic image (“fearful face”) NetWitness used in the promotional, opt-in email. I know such decisions are in the hands of creative types in marketing and don’t have much connection to corporate strategy, value propositions, or measuring security. So many of us have been debating FUD and related issues, I just thought that this image was a classic representation.

      On to the heart of your comments…

      “To FUD or not to FUD” is an active topic of debate in this blog and elsewhere, including Anton’s blog and fudsec.org. We’ve even had some blog debates with them:

      http://newschoolsecurity.com/2009/10/just-say-no-to-fud/
      http://newschoolsecurity.com/2009/11/on-smelly-goats-unicorns-and-fud/

      I think everyone involved agrees that security decisions and designs are made in the context of high uncertainty and doubt, overlaid with personal and organizational fears and anxieties (spoken and unspoken). We also agree that many times people only take action when they are scared to death, or what the consulting industry has called “the burning platform”.

      The biggest area of disagreement is how anyone with a stake in the outcomes reacts to these intrinsic conditions. Properly speaking, “FUD” is active spin and amplification of fears, uncertainties, and doubt, with an aim to manipulate and/or paralyze the decision-makers so they do what you want them to do. (The posts listed above go into more detail on why I think this should not be the primary strategy of security people.)

      Moving from the general to the specific, I’m thrilled to hear how NetWitness is approaching your PoC to help your potential clients develop their own “in-house evidence”. So often, PoC of some new tool consists of getting it installed, running a few demos, migrating some data, generating a report or two, and then polling the users to see if they like it (“I’ll give it an 86 because it’s got a nice beat and you can dance to it” 🙂 ) It sounds like NetWitness PoC actually attempts to get some meaningful results for the customer.

      I’m just cheering you on to see if you can do even more regarding collecting data and other evidence regarding effectiveness of various solutions. It’s damn hard in the arena you are working in, the now-famous APTs. I’ll point to Richard Bejtlich’s post “Is APT after you?” (http://taosecurity.blogspot.com/2010/01/is-apt-after-you.html). He’s way more expert on this than I am. What he basically says is:

      * You can’t really tell if APT is after you or not, until it’s too late.
      * If you are wondering if APT are after you, then they probably are.

      While this may be a very sober, realistic stance, it’s not much comfort to decision makers who may be asked to spend big money (or forgo big revenue) to adequately mitigate the risk. The NewSchool philosophy would be to work toward better data, better analysis, and even better reasoning about uncertainty so that decision makers stand a better chance of making rational economic decisions. In contrast, anyone who uses FUD tactics as their “one-trick pony” is, in effect, pulling in the opposite direction.

      The arena of APT seems to be crying out for better and more sophisticated threat intelligence systems, both individually and collectively. On this, see these two posts:

      http://newschoolsecurity.com/2010/01/doing-threat-intelligence-right/
      http://newschoolsecurity.com/2009/12/can-risk-management-guide-policy-regarding-password-change-frequency/

      Thanks again, Eddie, for joining the debate so constructively.

  • Great points, Russell. Thanks. I think where I differ with Richard, Gartner, and some others is that APTs are a state-sponsored / government issue. There is this whole notion that the trajectory is strictly related to government, DIB, and now related R&D entities. I would argue from first hand experience that other groups have been using what could be classified as APTs for years for other purposes that have nothing to do with political reasons. Anyway, thanks for the response.

  • Pingback: APT Ramblings « cyberwart [link http://www.cyberwart.com/blog/2010/03/14/apt-ramblings/ no longer works]
