End-point protection in the spotlight: Carbon Black hits back at claims from reseller that it leaks customer data

US reseller calls Carbon Black a 'prolific data leaker', but vendor says cloud-based multiscanner technology at centre of controversy is an optional feature that is turned off by default

Carbon Black has hit back at claims from a US reseller that its Cb Response product leaks customer data.

US IT security services firm DirectDefense yesterday published a blog post accusing the end-point detection and response (EDR) vendor of being a "prolific data leaker", courtesy of how Cb Response is designed.

DirectDefense staff had been able to harvest data from several Cb Response customers, its president Jim Broome claimed in the post.

The issue, he argued, lay with the fact that files uploaded by Cb Response customers had been forwarded to a cloud-based multiscanner.

Although Broome has since gone on to clarify that his firm "strongly believes" in cloud-based multiscanners, he said they operate as for-profit businesses that spread files to "anyone who wants them and is willing to pay".

"Welcome to the world's largest pay-for-play data exfiltration botnet," Broome wrote.

He also raised the prospect that the issues DirectDefense claimed to have identified are not isolated to Carbon Black.

"Additionally, it is imminently likely that there are other EDR sources and products to exploit (perhaps even other keys being used by Carbon Black's solutions and even other vendors)," he wrote. "Over the last couple years, there have been over 50 EDR companies launched, and likely, some of them may follow the same inspection model as Carbon Black."

Carbon Black immediately hit back by clarifying in a blog post of its own that using a cloud-based multiscanner is an optional feature in Cb Response that is turned off by default. The feature allows customers to share information with external sources for additional ability to detect threats, its co-founder and CTO Michael Viscuso wrote.

"Cloud-based multiscanners are one of the most popular threat-analysis services that enterprise customers opt into. These multiscanners allow security professionals to scan unknown or suspicious binaries with multiple AV products," Viscuso wrote.

"Cb Response has a feature that allows customers to send their unknown or suspicious binaries to these cloud-based multiscanners (specifically VirusTotal) automatically. We allow customers to opt into these services and inform them of the privacy risks associated with sharing. Our products are not dependent on these services."

Viscuso also said that Carbon Black was not informed about DirectDefense's blog ahead of its publication.

Viscuso's riposte prompted a follow-up blog post from Broome, who argued that vendors need to be more careful with customer data even if it is an optional feature.

"We strongly believe in EDR solutions, and we strongly believe in multiscanners. Due to the sensitive nature of data that is sent out of organisations, and the lack of awareness on the part of customers, our goal was to educate users about the risks posed by this architecture," he wrote.

Bob Tarzey, director at analyst Quocirca, said the blame in this debate may ultimately lie with customers.

"DirectDefense has uncovered a problem here and I don't think it is enough for Carbon Black to say it is opt in, we expect to opt into safe processes," he said.

"In data protection terms, Carbon Black is outsourcing scanning to a data processor, but it still has ultimate responsibility for protecting its customers' data. That said, perhaps the real issue exposed here is the poor practice by Carbon Black customers, who have embedded access credentials in code. There are ways of avoiding this, and if they had not done this, the examples uncovered by DirectDefense would not make such worrying reading."
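The exposure Tarzey describes, binaries with embedded access credentials being forwarded to a cloud multiscanner, is one a defender can gate before the opt-in upload happens. The following is an added example and not code from Carbon Black, DirectDefense or VirusTotal; the credential patterns, the entropy threshold and the sample blobs are constructed assumptions for illustration.

```python
import math
import re

# Heuristic shapes of credentials that end up compiled or scripted into files.
# Assumption: this pattern set is illustrative, not exhaustive.
CREDENTIAL_PATTERNS = {
    "aws_access_key_id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "keyword_assignment": re.compile(
        rb"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[=:]\s*['\"]?[!-~]{6,}"),
}

def shannon_entropy(s: bytes) -> float:
    """Bits per byte; random-looking tokens score high, ordinary text scores low."""
    n, counts = len(s), {}
    for b in s:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def find_embedded_credentials(data: bytes) -> list:
    """Scan raw file bytes; return (kind, matched_text) findings."""
    findings = []
    for kind, pattern in CREDENTIAL_PATTERNS.items():
        for m in pattern.finditer(data):
            findings.append((kind, m.group(0).decode("ascii", "replace")))
    # Generic catch: long printable runs with high entropy (API tokens, base64 secrets)
    # that fit no known key format, like strings(1) followed by an entropy check.
    for m in re.finditer(rb"[A-Za-z0-9+/=_-]{32,}", data):
        if shannon_entropy(m.group(0)) > 4.5:
            findings.append(("high_entropy_token", m.group(0).decode("ascii")))
    return findings

def should_submit_to_multiscanner(data: bytes) -> bool:
    """Gate for the opt-in upload: hold back anything that looks like it carries secrets."""
    return not find_embedded_credentials(data)

# Constructed sample: a fake ELF-like blob with a config string and a placeholder AWS
# key id (AKIAIOSFODNN7EXAMPLE is AWS's documentation placeholder, not a real key).
SAMPLE_BINARY = (b"\x7fELF\x02\x01\x01" + b"\x00" * 16 + b"db_password=hunter2trust\x00"
                 + b"AWS_KEY=AKIAIOSFODNN7EXAMPLE\x00" + b"\x90" * 8)
CLEAN_BINARY = b"\x7fELF\x02\x01\x01" + b"\x00" * 16 + b"Usage: tool [options]\x00"

if __name__ == "__main__":
    for kind, text in find_embedded_credentials(SAMPLE_BINARY):
        print(f"{kind}: {text}")  # aws_access_key_id and keyword_assignment findings
    print(should_submit_to_multiscanner(SAMPLE_BINARY),   # False: held back
          should_submit_to_multiscanner(CLEAN_BINARY))    # True: safe to forward
```

A held-back file still gets local analysis; the gate only decides whether it leaves the organisation.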