VirusTotal policy changes spark outrage among newer tech startups

News by Max Metzger

Changes in policy at the information-sharing database VirusTotal mean that those who don't put in will get nothing back, but some warn that this is merely the old guard of the tech world muscling out the new players.

Cyber-security companies are set to lose access to the information-sharing database VirusTotal in what some have deemed an attempt to lock out new entrants to the cyber-security arena.

On May 4, VirusTotal said it would cut off unlimited access to companies that do not share information with the database. The changes were met warmly by some companies, such as Trend Micro, which published its support soon after the announcement. A colder response came from other, newer companies, who felt they were being muscled out of VirusTotal.

The VirusTotal database, owned by Google's Alphabet Inc, has been openly sharing information on cyber-threats for over a decade, handing out the information to companies large and small. 

A spokesperson from VirusTotal said, “Recently, some companies were benefiting from VirusTotal services and samples without contributing their own findings back to the community.” On the back of that, non-contributors were denied access.

Exactly who the offending companies are is not yet known, but Reuters claims that several sources admit it would affect significant players in the industry like Palo Alto Networks and CrowdStrike.

The database works on a reciprocal relationship, based on contributions from the community of intelligence gathered from AV engines and files discovered in the wild. 

Companies that don't use those engines, it appears, cannot contribute and, as of the beginning of this month, cannot access the database. As it happens, this locks out many newer cyber-security companies who eschew AV engines. 

The policy changes have set many companies, often start-ups, against the move. Critics say this is a cynical tactic employed by the old guard of the industry to hobble the new.

Chief among those critics is Tomer Weingarten, CEO of SentinelOne, who told SC that although the policy changes won't affect SentinelOne, he is not only concerned, but suspicious.

The problem goes further than merely making users pay to play: it requires users to actually use anti-virus engines, which many next-gen companies don't employ.

Weingarten told SC, “VirusTotal has changed their policy in such a way that only technologies that rely on ‘scan engines’ can engage with their reputation feed. This alienates any companies, like SentinelOne, who use behavioural-based technologies to detect both known and unknown threats.”

The subject of non-contribution, said Weingarten, is pettifogging the issue. “If it was an issue,” said Weingarten, “why were they charging $80k in yearly subscription for access to the data? This was their business model that they created, that they profited from. We believe VT's initial interests were simple, and novel, they wanted to help increase security efficacy by creating a large, crowdsourced repository of threats for anyone to use. That was until the AV vendors started influencing their strategy.”

Older companies were apparently among those pushing for the move to lock out ‘non-contributors’, many of which are newer, insurgent companies with high valuations.

Weingarten's suspicion was raised after a number of companies like Malwarebytes and Trend Micro piled on to lend their support to the policy changes. Following the outrage this move sparked, VT relented, saying that it was willing to work with non-AV vendors: “The only conclusion we can draw from this quick flip is they were influenced early on by the AV vendors and (are) now realising they made a mistake.”

While SentinelOne reached out to VirusTotal, those attempts were “constantly ignored” until pressure from the community supposedly moved their hand. The big question, said Weingarten, “is will the AV companies continue to apply pressure on VT to limit the next-gen companies' ability to participate”.

In the long run, Weingarten believes that the policy change will harm VirusTotal the most: "If they continue down this path they will eventually grow irrelevant without contribution of detection by newer, more advanced technologies. They will become an obsolete repository of known threats and signatures."

Responding to the charge, VirusTotal's spokesperson said this update “is designed to make the community stronger for everyone who participates and we are open to working with any contributor and any technology that adds value to the community. This does not reflect a change in the service that VirusTotal provides, but is a change to our policies that we believe will make our community healthier and stronger.”
