Marktkommentar #11: How Customer-Friendly Are the Terms and Conditions of Security Manufacturers?

Hello everyone

Security Breaches don’t matter (much): Travis McPeak, a former security architect at IBM and Netflix, compiled some data in his talk Hard Truths your CISO won’t tell you . These show that it usually takes less than 2 months for a company’s share price to recover after a cyber attack has become known.

A professional skeptic among my colleagues (the pleasant kind, i.e., without additional qualification as a permanent troublemaker) has also had a few publicly available figures processed and comes to the conclusion: On average, a ransomware attack causes total losses of ~40% of EBITDA or ~2% of sales. My interpretation: This is significant, but not dramatically high compared to other business risks (exceptions prove the rule here as well, of course).

And the solution to the quiz of the last market commentary fits in with this: It showed the sales of Solarwinds – the company that was the victim of a supply chain attack in 2020 (I’m sure many still remember the headlines), which then also affected more than 10,000 customers. Of course, it is interesting to note that Solarwinds had demonstrably accepted security gaps, and customers still remained loyal to the provider – the number of customers and sales have increased since the attack. History does not repeat itself, but it rhymes, a clever person has said. I therefore assume that Crowdstrike will continue to be successful despite the small glitch.

This is the transition to the next topic: The feedback on the topic of MDR Breach Warranties has signaled interest in further layman’s legal explanations regarding Terms + Conditions of security providers, of course fueled by the Crowdstrike incident.

Therefore, here is my current view of the T&C landscape. Although I have tried some help from our colleagues from the legal department, this is of course still not legal advice, but only my opinion (which I also like to change if someone puts new facts or simply good arguments on the table).

Not only at Crowdstrike, but at many security providers (e.g. Darktrace, Palo Alto, SentinelOne, Trend Micro), the following clauses can be found in the publicly available terms of use or their translations in some cases even with almost identical wording:

  1. Customers are prohibited from publishing test results:Customer agrees not to: Conduct stress tests, competitive comparisons or analysis of any Offering, or publish performance data of such Offering (provided that this does not prevent Customer from comparing the Products with other Products for Customer’s internal use)”
  2. The effectiveness of the product is not assured: “CUSTOMER ACKNOWLEDGES, understands and agrees that [manufacturer] DOES NOT GUARANTEE OR WARRANT THAT [PRODUCT] WILL FIND, LOCATE OR DETECT ALL SYSTEM THREATS, VULNERABILITIES, MALWARE AND MALICIOUS SOFTWARE OF CUSTOMER OR ITS AFFILIATES”
  3. The availability of the product is not assured: “THERE IS NO WARRANTY THAT THE OFFERINGS OR TOOLS WILL BE ERROR-FREE OR THAT THEY WILL FUNCTION WITHOUT INTERRUPTION OR MEET ANY PARTICULAR PURPOSE OR NEED OF THE CUSTOMER. THE OFFERINGS AND TOOLS ARE NOT FAULT-TOLERANT AND ARE NOT DESIGNED OR INTENDED FOR USE IN HAZARDOUS ENVIRONMENTS THAT REQUIRE FAIL-SAFE PERFORMANCE OR OPERATIONS. NEITHER THE OFFERINGS NOR THE TOOLS ARE INTENDED FOR THE OPERATION OF AIRCRAFT NAVIGATION, NUCLEAR FACILITIES, COMMUNICATIONS SYSTEMS, WEAPON SYSTEMS, DIRECT OR INDIRECT LIFE SUPPORT SYSTEMS, AIR TRAFFIC CONTROL, OR APPLICATIONS OR FACILITIES WHERE FAILURE COULD RESULT IN DEATH, SERIOUS BODILY INJURY, OR PROPERTY DAMAGE. Customer agrees that it is Customer’s responsibility to ensure the secure use of an Offering and the tools in such applications and installations.”

Doesn’t sound customer-friendly or in the interest of the community at first.

  • Nobody is forced to buy from one of these manufacturers or accept the terms and conditions when making a purchase – there is enough competition in the security market.
  • However, if you do not agree with the terms and conditions, you should negotiate this before signing the contract. Example from an EVB-IT: “The inclusion of the contractor’s general terms and conditions on the type and scope of cloud services is only subordinate to all other regulations and only to the extent that they neither conflict with nor restrict all other contractual provisions.” In the case of US providers or providers from the UK, a review of the GTC and the associated subsequent appeal of the invalidity of the GTC by a European customer before a court there is practically without prospects of success
  • Some providers are already positively characterized by the fact that they do not have all of these clauses or sometimes even none of them in their terms and conditions (e.g. Logpoint, Withsecure)
  • The more customers include the evaluation of the terms and conditions in the selection process, the more manufacturers will strive to make them competitive

Regarding the individual clauses:

  • Ad 1) Customers are prohibited from publishing test results
    • In my view, the best argument for this is that it should be made more difficult for attackers to bypass security products.
    • Of course, this could also be regulated by a “responsible disclosure” as in the case of vulnerabilities found. In addition, it is unrealistic to believe that well-organized attackers do not carry out “quality assurance” with the common AV/EDR systems. In addition, there are of course many relevant aspects that do not concern the detection/protection functions at all, such as the processor load in AV/EDR products
    • In addition, many customer evaluations are so poorly set up that the results are not comparable and you as a provider then have to constantly justify yourself, I was told. May be => But in the case of independent laboratory tests, the testing organization must also disclose its methodology if it wants to be credible
    • Interesting: In the general terms and conditions of the manufacturers of alarm systems (physical security), there are usually only clauses in general terms and conditions that prohibit re-engineering. That’s why there are probably public comparative tests of alarm systems.
    • The bottom line is that these clauses are bad for customers from my point of view: There are no public tests of e.g. NDR, SIEM, Mailgateway or CASB/DLP products that have not been financed and edited by providers. This means that all customers have to do their own tests and are not even allowed to talk about it afterwards (except under NDA), which leads to enormous duplication of work and additional costs globally. Also explains why Gartner, Forrester, etc. do not carry out technical tests, but essentially refer to market success = > leader is the one who sells a lot.
    • As a result, it should be left to the customers in each individual case whether they want to publish test results or not
    • Here, too, one can only hope that competition will result in more transparency over time
  • Ad 2) The effectiveness of the product is not assured
    • 100% traceable – there is no such thing as perfect security, nor is there no flawless software
    • In comparison with alarm systems for burglary protection, however, it is striking that there are no standards or the “state of the art”, compliance with which is guaranteed by infosec providers
    • This makes comparative tests of effectiveness all the more important
  • Ad 3) The availability of the product is not guaranteed
    • In my naïve way of thinking, one could expect the promise of availability (X% in continuous operation calculated over 1 year), as is also common with the purchase of machines and systems or the SLA of other cloud services
    • Here, too, the EVB-IT templates contain passages that clearly define and demand availability

If anyone has other experiences, examples, exceptions or the like, please feel free to contact me.

If you are interested, here are a few key points from vendor briefings:

Dispel:

  • US provider for Secure Remote Access (IT+OT) incl. standardization of DMZ (similar to e.g. Secomea, Claroty, HMS EWON, Phoenix Contact, Siemens, XONA, Bifrost…)
  • Approx. 100 employees, used by ~300 corporate customers / government agencies (including Mercedes, Daimler Trucks, Mitsubishi, Dep. of Defense)
  • The architecture fully complies with NIST 800-172 including “moving target defense”, i.e. automatically changed storage and processing locations, and thus goes beyond BSI Grundschutz, NERC CIP or IEC 62443 (as far as I can tell – other points of view on this are welcome)
  • Architecture (see also nice diagram in the appendix):
    • 1 virtual appliance (“wicket”) per location or DMZ is required. This is a kind of gateway, always establishes the encrypted connections from the inside to the outside as usual and manages the access authorizations
    • Between the maintenance technician’s endpoint and the virtual appliance in the site, an SD-WAN is periodically regenerated (also possible in private cloud or on prem), so that the technician has to connect to this upstream SD-WAN (and not directly to the gateway)
    • External maintenance technicians can gain access to a VDI in SD-WAN either by downloading an agent or via RDP, SSH, VNC
    • The IP address is reassigned for each VDI and thus for each access
    • The VDIs are each generated from a currently patched golden image and stored in a buffer to avoid waiting times (=> This means that there are still a maximum of 3 minutes until access)
    • Internet access from the VDI to e.g. servers of the machine suppliers can be activated by admins
    • Permanent project folders can also be set up
  • Service technicians from machine suppliers can be invited to sessions
  • All common OT protocols can be transmitted
  • Session recording, logging, time restrictions for access, approval workflows in 4-eyes principle, etc. as with most market-leading systems

Deepfence:

  • Public Cloud Security: Posture Management (scanning for misconfigurations and compliance, e.g. with GDPR) and Runtime Protection (CNAPP) for attack detection on applications and APIs, similar to the cloud modules of EDR providers and the vulnerability management top dogs such as Tenable, Qualys, etc.
  • Also available in a free version with a little less functionality
  • Can be operated on prem by the customer
  • Prioritization of vulnerabilities according to exploitability:
    • In the first step via EPSS and KEV
    • It then checks whether the vulnerable component is loaded into memory at all at the customer’s runtime and whether a network connection (“live sockets”) is possible. In practice, this can reduce the relevant vulnerabilities by a factor of 10
  • Also for monitoring encrypted data traffic between LLMs based on eBPF hooks (without decryption, but via monitoring of the change in the data record on the cloud endpoint)
  • Kunden u.a. Amazon u. Dell

Dropzone AI:

  • Startup from the USA, ~10 corporate customers, also in the EU (but all data hosted in the EU, single tenant, compliant with EU AI Act)
  • Assistance system for SOC analysts (Tier 1 automation)
  • In addition to time savings, of course, there are also benefits in terms of consistency of results
  • Advantages especially for recursive analyses (=> Depending on the result at analysis step 5, start again at step 2)
  • Konkretes Beispiel für Insider Threat Alarm in MS Defender for Office (Severity High):
    • Nur mit Defender/Splunk: Standardtext für Analyst: Activity Policy “External Entity was added to confidential Sharepoint site” was triggered by Michael Müller (Michael.Mueller@Beispielfirma.com)
    • Mit Dropzone: “An Office 365 Cloud Alert was initiated when Michael Müller, a Software Engineer at Beispielfirma, shared a file named XYZ.zip with an external auditor, Stefan Schuster, on Jan 20, 2024. The file, located on a confidential Sharepoint site, was shared with edit permissions. The source user’s IP address, 99.88.110.100, is a common login point for Müller, indicating regular usage. Email exchanges between Müller and Schuster include other staff members (A and B) and confirm the legitimacy of the file sharing for audit purposes. No additional security alerts have been associated with Müller’s account, and there is no evidence of scanner behavior. […] Conclusion: Benign, no further action needed”
  • Of course, the more data sources are made available, the more granular the context enrichment becomes (in the example above, for example, the AI assistant was allowed to read the e-mails of the employees and evaluate organizational charts / the company phone book in addition to the logs in the SIEM)
  • Starting price ~20 thousand EUR / analyst
  • I’m not sure how long this will last as a standalone product on the market, takeover by an XDR/SIEM manufacturer is obvious