Dan Blum

A member of the Gartner Blog Network

Dan Blum
Research VP
19 years at Gartner
33 years IT industry

Dan Blum, a VP and distinguished analyst, covers security architecture, cloud-computing security, endpoint security, cybercrime/threat landscape, and other security technologies. Mr. Blum has written hundreds of research… Read Full Bio

Coverage Areas:

Collective Defense or Collective Dissent?

by Dan Blum  |  April 16, 2012  |  Submit a Comment

In a recent “botnet bruhaha” post Brian Krebs found that Microsoft stirred up a hornet’s nest when it moved aggressively through a civil law procedure (rather than the more cumbersome criminal law system) to shut down some Zeus and SpyEye botnets. Microsoft’s side of this is that the company is working to the degrade the criminals’ operations. However, some security researchers argue that Microosft staged an ineffective PR exercise for itself and accomplished nothing more than to compromise ongoing investigations by mis-using information the community had shared in good faith.

I’m not here to say who’s right and who’s wrong in this debate, but I thought I’d share it with you to show how complex the world of threat intelligence and security information sharing can get. Reading through the comments on Krebs’ blog feels more like an exercise in collective dissent than collective defense. It’s sad to think that as a result of a company trying to take action against criminals, members of the security research community may trust each other even less and share even less information than they did in the past.

This quarrle may make the security community look like a lot of squabbling mercenaries, but I don’t think that’s the reality for most of us. Some people at Microsoft probably thought they were doing the right thing but some security researchers may genuinely have been inconvenienced from doing work that they also thought was good. Its possible that both arguments have merit. Perhaps we shouldn’t begrudge Microsoft some PR kudos if it strikes a blow against botnets, and we should also want the security researchers to be rewarded for their work and information sharing.

How can we strike a balance between the need to take quick action to operationally degrade cybercrime, but also continue to chip away at the problem of attribution and longer term investigation, prosecution, and deterrence? This should not be an either-or equation. Both the short term and long term action are needed.

How can we (the security community) establish protocols and networks of trust for sharing to help us work together more effectively in the common cause against cybercrime?

Submit a Comment »

Category: Uncategorized     Tags:

0 responses so far ↓

  • There are no comments yet...Kick things off by filling out the form below.

Leave a Comment