Security solution provider DirectDefense said it has discovered a significant data leak in Carbon Black's endpoint detection and response offering that is exposing thousands of files and sensitive data belonging to the security vendor's customers. But what DirectDefense calls a flaw, Carbon Black calls a feature.
In a blog post Wednesday, DirectDefense CEO Jim Broome said the data leak centers on Carbon Black's Cb Response EDR offering and the third-party cloud-based multi-scanner service to which Cb Response uploads files so they can be checked against multiple anti-virus engines.
However, the blog post said any file uploaded by Cb Response and forwarded to the cloud-based multi-scanner was available for sale to "anyone that wants them and is willing to pay," because the multi-scanner service sells the files submitted to it as malware samples.
DirectDefense’s blog post called the situation the "world's largest pay-for-play data exfiltration botnet."
DirectDefense did not respond to a request for comment by press time. The Englewood, Colo.-based solution provider is also a top Cylance partner and advocates for that technology in many of its blog posts. Cylance is a direct competitor of Carbon Black.
Carbon Black, for its part, pointed to its own blog post when asked for comment on DirectDefense's allegation. In that post, Carbon Black called the DirectDefense blog "incorrect" in saying that Cb Response has an architectural flaw that exfiltrates data. It said "this is an optional feature (turned off by default) to allow customers to share information with external sources for additional ability to detect threats."
While Carbon Black said it does allow customers to use cloud-based multi-scanners -- something it calls "one of the most popular threat analysis services that enterprise customers opt into" -- it said its services are not dependent on the engines.
The company also took issue with DirectDefense's decision to publish its report without first informing Carbon Black of its findings.
"We appreciate the work of the security research community. However, it is important to note that Carbon Black was not informed about this issue by DirectDefense prior to publication of the blog to validate their findings. … It is also not a foundational architectural flaw. It is a feature, off by default, with many options to ensure privacy, and a detailed warning before enabling," the Carbon Black blog post said.
Justin Kallhoff, CEO of Infogressive, a Lincoln, Neb.-based MSSP and security specialist, said the cloud brings companies both benefits and drawbacks. He said companies should carefully consider the implications of uploading data to the cloud, as even companies with extensive cloud security, such as Microsoft and Amazon, are now "huge targets" for attackers.
"Cloud-based anything has pros and cons. One of the downsides is trusting other companies with your data, which should never be forgotten. Cloud is now ubiquitous and companies' data is everywhere," Kallhoff said.