Interview with Sunil James, Manager of iDEFENSE’s Vulnerability Contributor Program

Sunil James manages iDEFENSE’s Vulnerability Contributor Program (VCP). He is a member of the company’s Technical Intelligence team. Sunil joined iDEFENSE in July 2000, and has worked in various capacities – both technical and non-technical – throughout the company. Previous to iDEFENSE, he has worked at the US State Department, the Council on Foreign Relations, Johns Hopkins University, and Pinkerton Global Intelligence Services. He is currently pursuing his CISSP certification.

Introduce iDEFENSE. When was the company started? How did it evolve?

iDEFENSE is the only remaining independent security intelligence provider in the market today. The company was founded in 1998, committed to applying traditional intelligence-gathering techniques to provide clients with comprehensive and actionable security intelligence. Based on that vision, a team of former military intelligence personnel and computer security experts was built to address the emerging challenges of the cyber landscape.

What security services do you offer?

iDEFENSE’s family of security intelligence products provides advanced warning and analysis of threats to our clients’ critical information infrastructure. However, our analysts go well beyond technical vulnerabilities and virus attacks to evaluate the impact of hackers, incidents, geopolitical aspects, legal implications and policy decisions on information networks, applications and systems. Our product suite provides decision-makers and frontline security professionals with near real-time access to 15,000 actionable intelligence reports on cyber threats in an easy-to-read, organized format. The products are broken up into the following:

iMONITOR: Uses analysts to develop a custom intelligence collection plan that can include such topics as the misuse of company trademarks, negative press, cyber squatters, protest or conspiracy websites and publicly/privately available details of your network infrastructure. Reporting is immediate (as required), weekly and/or quarterly.

iPOWER: Provides a robust and extremely granular view of vulnerabilities and exploit code that can be easily added to databases, products or services. Data is often fully tested and verified by iDEFENSE Labs and in consultations with affected vendors. Discovered underground exploit code and IDS signatures are also available. iPOWER also covers proactive monitoring and “infiltration” of hacker and virus authoring groups in an effort to glean information well ahead of an active threat.

iAWARE: Our iAWARE weekly reports provide users with security best practice information designed to reinforce or support your organization’s existing security policy. iAWARE reports are a valuable tool in the fight against intrusions and malicious code infections. Researched and written by iDEFENSE’s security experts, these reports combine industry-leading best practices with easy-to-follow instructions on avoiding widespread damage from emerging cyber threats. iDEFENSE provides intelligence-driven desktop services that allow your organization to avoid or mitigate attacks on computer networks and information assets before they occur.

What do you see as your advantages in the marketplace?

Being the only independent security intelligence provider today affords our clients with unfettered/unbiased vendor-neutral access to cyber threats relevant to their environment. Our team of researchers and analysts is by far one of our most distinct differentiators in the market. Our group is passionate about security, is well known and connected in the security community, and has a multitude of backgrounds from the government, commercial information security and academic landscapes. Another key advantage is the proactive way in which we look for threats and research new vulnerabilities; not just reacting to postings and vendor advisories on mailing lists. The final and most interesting advantage I feel is our Vulnerability and Threat Contributor programs.

Introduce your Vulnerability Contributor Program (VCP).

The VCP, which began in August 2002, was established to respond to the needs of government agencies, financial institutions and private organizations to protect their critical information infrastructures against an unprecedented incidence of cyber attacks. There was — and for the near future, will be — a need for proactive solutions to prevent damage before it occurs. An abundance of security knowledge concerning as-yet-undisclosed vulnerabilities, exploits and malicious code is constantly discovered and created by individuals and security groups. Some of this information may be disclosed on a security mailing list or as the result of a post-mortem analysis of a compromised computer system. iDEFENSE appropriately remunerates and recognizes those who provide the company with advance notification of unpublished vulnerabilities and/or exploit code. iDEFENSE verifies vulnerabilities, examines the behavior of exploits and other malicious code, and discovers new software/hardware weaknesses in a controlled lab environment. We notify clients and vendors of vulnerabilities and create temporary workarounds for clients until a vendor patch is issued. By streamlining the notification process, researching exploit code, and providing clients with workarounds, iDEFENSE contributes to secure software initiatives by surfacing many underground “sploits” that would not otherwise have been made public or brought to a vendor’s attention.

Do you accept information for any vulnerability and exploit? How do you decide on what to disclose?

We accept information for any vulnerability and/or exploit and reward contributors for each verifiable piece of new information. We then work with the Contributor to determine the appropriate vendor notification process. The manner in which we decide what will be publicly disclosed depends on various factors and follows our disclosure policy, which is available at http://www.idefense.com/disclosure.html. Contributors are referenced in all public advisories or reports sent to iDEFENSE clients unless they prefer to remain anonymous. Our clients typically get 2-3 weeks advance notice of all issues through the iPOWER service.

What kind of feedback did you receive from the security community to your VCP?

We believe that an open forum is the best way to provide computer security. The debate concerning our VCP really draws in the larger debate concerning the proper way to go about vulnerability disclosure. Some purists feel full disclosure of every potential issue is the best way to go. On the other hand, some in the black hat community would rather keep the underground exploits underground. Then there is a large degree of gray in the middle concerning how to responsibly tell the vendor and your clients, while keeping the blackhats at bay. Our program improves Internet security by reaching a balance between remaining true to our clients and being responsible to vendors and the Internet community at large.

What do you see as the main problems in online security?

The main problem is not the lack of protective measures; it is the lack of intelligence and actionable information. Many people mistakenly approach online security in a technology-only sense by throwing firewalls, intrusion detection systems, and anti-virus software at the problem. While these measures are important, computer security is still at risk, and that is because people do not have the intelligence and guidance to defend against emerging and fast-spreading threats. Development and implementation of a multi-tiered security policy, including information on publicly unknown vulnerabilities, is often neglected and is key to managing these technology point solutions in an effective framework.

The problem with many commercial software and hardware products today is that developers do not approach security in the early development or design phases. Functionality and convenience are often at odds for locking down a system and stripping all unnecessary features that may lead to security incidents. In addition, the vulnerability disclosure landscape is a chaotic beast at best, with little or no regulation as to how exploits and vulnerabilities are reported to vendors and the public.