There is no doubt that many organisations received an unwelcome penetration test of their security software in the form of the WannaCry ransomware attack. The question is, can security vendors survive with their reputations intact after what appears to be such a massive failure?
SC Media UK had the opportunity to talk about the whole WannaCry affair with Ian Trump, head of security at ZoneFox and former global head of security at SolarWinds. Trump, who goes by phat_hobbit on Twitter, wasn't holding back.
"By some measures," Trump said, "the security software chosen to defend the organisation had a great deal to do with how successfully the storm was weathered."
He was both "surprised and disappointed" that what he refers to as a 'softball cyber-attack' was able to divide security vendors into two distinct camps: those whose products worked and let nothing through, and those whose products failed.
"For those security products that worked, vendors seemed to respond by gleefully running virtual victory laps on social media," Trump told SC Media. "For those that failed, it is going to be a rough journey for the brand."
Trump warns, "For vendors that stopped it, I think you got lucky, but before you uncork the Champagne bottles you need to understand WannaCry is going to be improved and expanded with new capabilities."
Indeed, Trump says that some vendors even responded to WannaCry by removing aspirational claims from their websites after their products failed to protect marquee customers.
"The road to customer churn is paved with vendor promises," Trump insists. "You never discover how poorly your anti-malware solution works until you install a different anti-malware solution and it starts finding not-good-things."
This led SC to put the accusations to the wider infosec market and ask whether vendor brands can survive post-WannaCry.
Jamie Riden, security consultant at Pen Test Partners, points the finger at a fundamental disconnect in security between solutions and practice. "Vendors have to be prepared to assist organisations not just in plugging in their kit but in creating a responsive security culture," he told SC. "Vendors have to step up to the mark and provide advice and assistance rather than simply hawking their latest wares."
Sam Curry, CPO at Cybereason, sees the real failure in thinking that there's any vendor or service that will take care of security for you. "Many products and services failed," he says, "but in the end security isn't something you can abdicate." Curry compares it to health: if you fall ill, you can't simply blame the healthcare system; it is your responsibility to eat well, exercise and take the doctor's advice.
Tony Rowan, chief security consultant at SentinelOne, is happier to point the finger at certain vendors. "It's very clear that many legacy endpoint security vendors had a bad time with the WannaCry first round," he insists. "Those that depend on signature hash values will always be on the back foot as they need to find the malicious sample in the first place in order to create and share a signature."
What this means is that such vendors always need at least one victim before they can respond effectively. "In an attack that sweeps across systems worldwide at speed, this approach is clearly wanting," he said.
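Rowan's point about hash-based signatures can be shown in a few lines. The following is an added illustration, not code from the article or from any of the vendors quoted: it uses a constructed stand-in for a malware sample (the bytes and the `CONSTRUCTED-DROPPER-ROUTINE` marker are invented for the example), a hash signature derived from that one sample, and a simple content rule keyed on a distinctive byte sequence. Appending a single byte defeats the hash signature but not the content rule; changing the marker defeats both, which is why neither static approach removes the need to see a sample first.

```python
import hashlib

# Constructed stand-in for a malware sample; not a real WannaCry artefact.
KNOWN_SAMPLE = b"MZ\x90\x00" + b"CONSTRUCTED-DROPPER-ROUTINE" + b"\x00" * 16


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# A hash-based signature database can only contain hashes of samples a vendor
# has already obtained and analysed: at least one victim has to come first.
HASH_SIGNATURES = {sha256(KNOWN_SAMPLE)}

# A content rule (the idea behind YARA-style rules) keys on a distinctive byte
# sequence rather than the whole file, so trivial repacking does not evade it.
CONTENT_RULES = [b"CONSTRUCTED-DROPPER-ROUTINE"]


def hash_detects(data: bytes) -> bool:
    """Exact-match detection: the sample must be byte-for-byte known."""
    return sha256(data) in HASH_SIGNATURES


def content_detects(data: bytes) -> bool:
    """Pattern detection: any known distinctive sequence anywhere in the file."""
    return any(rule in data for rule in CONTENT_RULES)


def pad(sample: bytes) -> bytes:
    """Cheapest possible 'new variant': append one NOP byte, changing the hash."""
    return sample + b"\x90"


def rewrite_marker(sample: bytes) -> bytes:
    """A slightly more expensive variant: the distinctive string is altered."""
    return sample.replace(b"DROPPER", b"LOADER")


# Constructed corpus: the original plus two cheap mutations of it.
SAMPLES = {
    "original": KNOWN_SAMPLE,
    "padded": pad(KNOWN_SAMPLE),
    "rewritten": rewrite_marker(KNOWN_SAMPLE),
}


def evaluate(samples=SAMPLES):
    """Return {name: (hash_detected, content_detected)} for each sample."""
    return {name: (hash_detects(s), content_detects(s)) for name, s in samples.items()}


if __name__ == "__main__":
    for name, (by_hash, by_content) in evaluate().items():
        print(f"{name:10} hash={by_hash!s:5} content={by_content}")
```

The padded variant is the realistic case: every recompile or repack of the same code defeats a hash list while the underlying routine is unchanged. The rewritten variant is the caveat. Content rules buy time, but they are still written after a sample has been seen, which is why the quoted practitioners keep coming back to people, process and behaviour-based controls rather than any single static technique.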
Darren Anstee, CTO at Arbor Networks, argues that "many security solutions would have identified the threat, as signatures were available prior to the outbreak, but blocking activity inside a network normally requires manual intervention." People remain the primary decision makers in security; the problem is that the processes for investigating threats are often too slow to get ahead of something that spreads this fast.
IOActive's EMEA VP, Owen Connolly, suggests WannaCry was not a security technology problem. "Security technology does not work in a vacuum," he told SC. "It needs people and processes to make it effective." Unfortunately, too many executives are listening to the hype and believing that buying a box will solve all their problems. "It still amazes me that in 2017 this attitude prevails that prioritises boxes or software products over good people and practical processes," he concludes.
Eric Berdeaux, CEO of GRC software firm OXIAL, reckons that "WannaCry mostly targeted firms that hadn't made a significant investment in cyber-security", and so it is "hard to say the response was a failure".
Which brings us to the 'what now' question: what lessons does the infosec industry need to take on board from WannaCry?
Simon Edwards, European cyber security architect at Trend Micro, thinks that being up to date is the best lesson to take forwards. "Where customers had the most up-to-date detection methods, they were protected. Some, sadly, were running very old versions and so were not as well protected."
Ziv Mador, VP security research for SpiderLabs at Trustwave, points toward the Microsoft Active Protection Program that shares information about vulnerabilities ahead of Patch Tuesday. "This allows security vendors to develop protections and co-release them with the patch and thus offer better protection of the ecosystem."
Jonathan Zulberg, senior technical director EMEA at TrapX, told SC the industry can learn something from old-fashioned techniques which have existed within the military mindset for generations. "Attackers use deception to launch their attacks," he says, "so it's time we used deception to start defeating the attacks, things based upon making something look interesting and then raising an alert if someone touches it."
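The deception Zulberg describes, "making something look interesting and then raising an alert if someone touches it", is easy to prototype against ransomware specifically. The script below is an added example written for this page, not TrapX's product or any code from the article. It plants decoy files with tempting names (the names and contents are constructed), records a baseline of their hashes, and reports any decoy that has been modified, deleted or renamed, which is exactly what an encrypting payload does to everything it can reach. The `simulate_encryption` helper is a stand-in for that behaviour, not real malware.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed decoy names: plausible-looking files nobody in the business should touch.
CANARY_NAMES = ["passwords_backup.xlsx", "Q3_financials.docx", "ssh_keys.txt"]


def _digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_canaries(root: Path) -> dict:
    """Create the decoys and return a baseline of {name: sha256}."""
    baseline = {}
    for name in CANARY_NAMES:
        p = root / name
        p.write_bytes(f"CANARY {name} - decoy, do not modify\n".encode())
        baseline[name] = _digest(p)
    return baseline


def check_canaries(root: Path, baseline: dict) -> list:
    """Return one alert string per decoy that no longer matches the baseline.

    A legitimate user has no reason to open these files, so any change is
    treated as hostile: an encrypt-in-place shows up as 'contents changed',
    an encrypt-and-rename or wipe shows up as 'missing'.
    """
    alerts = []
    for name, expected in baseline.items():
        p = root / name
        if not p.exists():
            alerts.append(f"{name}: missing (deleted or renamed)")
        elif _digest(p) != expected:
            alerts.append(f"{name}: contents changed")
    return alerts


def simulate_encryption(root: Path, name: str) -> None:
    """Stand-in for ransomware: overwrite a file with noise and add an extension."""
    p = root / name
    p.write_bytes(os.urandom(64))
    p.rename(p.parent / (p.name + ".locked"))


def demo():
    """Plant decoys, confirm a clean scan, 'encrypt' two of them, re-scan."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        baseline = plant_canaries(root)
        before = check_canaries(root, baseline)          # expect no alerts
        simulate_encryption(root, CANARY_NAMES[0])       # rename-style
        (root / CANARY_NAMES[1]).write_bytes(b"garbage")  # in-place style
        after = check_canaries(root, baseline)           # expect two alerts
    return before, after


if __name__ == "__main__":
    clean, dirty = demo()
    print("clean scan:", clean)
    for alert in dirty:
        print("ALERT", alert)
```

In practice the check would run on a short timer or be driven by a filesystem watcher, and the decoys would sit at the top of the share so they are among the first files a payload enumerates. The value is in the signal quality: a canary never produces a legitimate change, so the alert needs no tuning and can safely trigger an automated response such as isolating the host, which addresses the slow manual investigation step Anstee describes.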
We will leave the last word with Mark Hughes, CEO at BT Security: "In today's threat landscape, the way forward is a unified security architecture that prevents attacks before they can inflict damage. A multi-layered approach makes it harder for criminals to operate before, during and after an attack, while the right smart prevention can help rapidly uncover existing vulnerabilities and eliminate risks."