eEye CTO Maiffret Weighs In On Cloud Security, Disclosure Debate
Nearly a decade has passed since security researcher Marc Maiffret and his colleagues at eEye Digital Security unearthed the Microsoft Code Red vulnerability, and it's been even longer since Maiffret's brush with the FBI at age 17.
Maiffret re-joined eEye Digital Security in July as CTO after a three-year hiatus during which he explored other parts of the security industry. CRN caught up with him recently to discuss eEye's new channel initiative and how threat management has evolved as a business. Following is an edited transcript of the interview.
There's been a lot of talk lately about using the cloud to enhance security. What are some benefits of this approach, and are there any weaknesses?
Cloud apps in general have two main security implications. One, it's a bit easier to respond to issues when you have a main cloud app to update. It's not like Microsoft trying to update millions of systems around the world, and it's much easier to control the quality of the application.
That being said, what terrifies me about cloud apps is that for last ten years, the big driver in security, and the improvements it has brought, has been from research community. Independent researchers are driving these companies to build more secure products.
But when you look at the cloud space, vulnerability research doesn't apply. You can't sit there and attack Salesforce.com. So that takes out the research community and leaves it up to the companies themselves, and we have seen security be treated as an afterthought by a lot of tech companies.
Microsoft recently started talking about something called "coordinated vulnerability disclosure," a renewed attempt to reshape the responsible disclosure argument. eEye started out embracing full disclosure -- has your stance changed since then?
I think between 60 and 90 days in typically a good enough amount of time for most tech companies to resolve and put out a patch for a vulnerability. What the research community wants is for companies like Microsoft to agree to some timeline, at which point, if they haven't resolved that vulnerability, researchers should be able to publish that information without being labeled a bad guy.
The driver for researchers to want that framework is the fact that too many vulnerabilities, when reported to the vendor, can sit for months or even years, which isn't acceptable.
Google researcher Tavis Ormandy incurred Microsoft's wrath back in June by disclosing details on a zero day vulnerability in the Windows Help and Support Center. Opinions seem pretty divided in the security industry as to whether he did the right thing. Where do you stand on this?
I think he's just a vulnerability researcher who's not motivated by making money, but by helping the IT community and making people secure. That's his intention, no matter who his employer is.
The incident did show there's a massive gap between how researchers are framing the disclosure debate and how Microsoft handles it.
Security researchers are coming to the table and saying here's what we find acceptable as a starting point. Google's security guys gave tangible numbers and said after 60 days, it's gloves off. They said that should also apply to Google themselves.
Next: Room For Improvement For Microsoft In Security?
You've been a vocal critic of Microsoft's security stance in the past, although you've also given them credit for making progress, too. Where do you still see room for improvement?
Security researchers that used to do public sector research and report vulnerabilities to vendors are now just selling vulnerabilities to security companies and defense contractors. Although Microsoft is doing a better job of securing software, they haven't changed the dynamic of how they work with security researchers. To a researcher, it's not worth getting a 'thank you' note buried in the bottom of a Microsoft advisory.
I think Microsoft is trying, the blog post about changing the coordinated disclosure, that really just changing the labeling, not changing the fundamentals. If they want to show research community, and want to work with them, they need to come out and say three months, five months, if they don’t fix issue by then security researchers should be able to fix it.
eEye has a new channel program -- can you give me a sense of what's changed?
We want to make sure we get the program launched back out there and to educate partners on the new technologies we have. People understand eEye as a vulnerability assessment company, but we have an entire new product, Retina CS, for reporting and management of vulnerability information. It's been written to allow partners to wrap services around that process.
So we're in the process of educating partners about this new technology we have, and we've also revamped lot of things, from technology training to the partner portal itself.
When you got started in security, stories about teen hackers getting busted by the Feds were big news. But these stories don't seem to have the same news impact as in the past. Why do you suppose that is?
I think there are definitely more people getting into security and hacking now as teens than when I was in it. When I was doing stuff, the only way you could learn about technology was to hack and look at other companies' systems. Nowadays, with VMware, you can set up whole lab environment from your own desktop PC at home.
If you have security expertise and knowledge of hacking, there's not much need to go out there and do things like I did. There are also a lot more outlets now. Ten years ago, it was hard to find companies looking for the security skill set. Of course, there are still teens out there doing things illegally. If people are getting into hacking these days, it's mostly being centered around cybercrime.
What were your impressions of Black Hat this year?
The proliferation of zero days is driving the need for the next evolution in vulnerability management, not just scanning and reporting. At Black Hat, one of the big themes I heard in talking with other researchers was the increase in the number of zero days being traded, bought and sold by commercial entities and governments.
This has completely exploded and become a big issue, and the scanning and reporting mentality has fallen behind the curve.