Security Review Site Really a Front for a Security Consulting Company?
The security space is a very interesting arena. For the customer, it’s often very difficult to separate fact from fiction in many aspects. There are security companies that sell you audits, and then sell you their “solutions”. There are security companies with flashy websites and huge marketing campaigns, only to be stocked with sub-par talent and less than average processes. There are security companies that praise their technical ability and hacker prowess, only to plug your website into a bulk vulnerability scanner and hand you output. Now, it appears that customers have yet another foggy metric to analyze:
Biased inner-industry security company reviews.
Recently, we were alerted that we are under review from a blog that “exposes” IT security providers. Due to popular demand, we were named as the next in line for review (http://secreview.blogspot.com/). Thinking something seemed a little fishy, we set off to track down some details that made us believe this review site was really a front for Netragard:
- A picture is worth 1000 words. Check for yourself – both the blogs (the Secreview site and the Netragard blog (SnoSoft)) are listed below.
Also, check out this Google search that one of our engineers tracked down.
- A Fox in the Henhouse. Some weeks ago, we were approached via echat by someone claiming to be a potential customer, who really turned out to be members of Netragard and SnoSoft inquiring about our services. Netragard provides IT security services. Knowing that when a company in the same industry as yours comes calling and asking all about your services, it’s probably not because they need an audit, we were very leery about doling out any in-depth information. When you spend years refining a process that provides the best possible value to your customers, why hand it out to all your competitors?
- No Hackers Allowed. We find part of our external IP space interestingly blacklisted from accessing www.netragard.com, aligning suspiciously with the blog posting on the Secreview site.
- We are the Best! Interestingly enough, Netragard gets the highest rank from the Secreview site. They get the only A+ (the plus must mean better) out of all the reviews. Most everyone else gets a C or below.
- I Know your Way Home. Digging through our chat logs, we found an interesting little trail. The chatters claimed to be using a whitepaper from “one of our competitors” to ask questions regarding our services. At this point in the chat, we had a suspicious feeling that whoever was on the other end was with SnoSoft/Netragard. When asked about their relation to SS/NG, they replied:
“I’m not sure why you are asking me about snosoft/netragard other than the fact that these questions come from one of their white papers.”
- Using the email they provided in our chat session, we got down to work. The email is referenced in a Google-indexed PDF. We searched the PDF and found end notes that tie the email address to a current high-ranking employee of Netragard. We also found multiple social networking accounts, all belonging to employees of SS/NG, with the same user name as the initial email.
- I Got My Reviewing Degree Online. Even if this reviewing site were from an unbiased team, the review methodology is a little questionable. I’m not sure how you can forecast a security company’s technical abilities by analyzing the copy on their website, but it appears to be a valid metric on the Secreview site. I’d rather see some actual, real world work from the company in question to make my decision.
- Spikes! A nice spike in traffic from Netragard LLC IP space to the redspin.com website.
So let me ask you this: if I got to grade all my peers in my Art History class, would you believe the results? Forget the reviews you read, as the industry has apparently progressed (or regressed) to the point where reviews by “Real World Ethical Hackers” are nothing more than biased marketing shouts by false fronts for other security companies. Why not try the following to REALLY audit the auditors:
- Communication. If you feel dirty after talking to an auditor, chances are they aren’t for you. Call up and chat with an engineer or sales rep. They should be helpful and willing to answer your questions if you are a legitimate customer.
- References. Ask your auditor for some references, and chat up those references about the quality of work, the communication process, and the technical ability of the auditor. Nobody will give you a better review of a company than someone who paid for their work.
- Contributions to the security community. Does your auditor do research, write relevant articles and papers, or stay on the cutting edge? Ask for education histories and recent research to be sure.
- Objectivity. Does your auditor sell firewalls and managed services? If so, you can expect their number one finding to be that you need them. Make sure your auditor is purely objective and doesn’t try to sell you solutions.
In the end, it comes down to you to make the decision. Know the right questions to ask, build relationships with your vendors, and take an active part in the choices your organization makes regarding security. Stay safe, it’s stormy out there.
P.S. Our CEO has contacted the Secreview blog site and is waiting for a response. If anyone has experience with Secreview and wants to chat, don’t hesitate to contact us.