
The saga of Norse and an industry indictment

I first interacted with Norse and Sam Glines in 2013, when they were making the rounds in St. Louis pitching their product. They showed up to our office with 3 people and another person on the phone. They couldn't really answer any of my technical questions, but were pleasant enough. I knew right away though, they had nothing to offer me as leader of an IT security program at a then Fortune 500 energy company. Because they had an office in St. Louis and I was keen to see them succeed, I gave Sam advice to the effect that in their current form they were only replicating what Damballa had already done years earlier and much better. I told him they were too early and needed to establish an actual threat intelligence team with experienced, industry-recognized analysts. I also recommended they focus on nation state versus the commodity type data they were collecting in the "deep, dark, web". No idea what he actually thought of this, but I'm going to go out on a limb and say they were just focused on sales and brand building at this point. Despite the fact that they were nowhere near being an actual threat intelligence company.

Fast forward to Blackhat the following year and the marketing blitz had begun. Norse made a big splash at the conference with their Viking swag and booth babes. I looked at their product again at this time and was surprised to see little had changed. Just a pew pew map and indicators of minimal value. Yet, the industry ate this up. The security hype cycle was spinning up and channel sales everywhere was happy to oblige.

In the summer of 2014, I was starting to look for a new job and even reached out to Sam, along with several other companies. I wanted to find out if they were planning on staffing any intel analysts in St. Louis instead of their main California office. At this point, I thought they still had a fighting chance to succeed if they could build off their marketing success and build a real intelligence capability. Fortunately for me, this never went anywhere and I landed my current role, which is one of the best jobs I have ever had. If Norse would have stayed in their lane, the odds are they would have grown into something. However, they made critical errors in judgement.

The beginning of the end occurred later that year when Norse came out with a flawed Sony attack attribution. They clearly embarrassed themselves and the FBI and other industry reporting confirmed as much. This fiasco started to sway broader industry opinion that they were in fact a bunch of charlatans. And to be fair, it may just be that Tommy is an armchair intel analyst and neglected warnings of other more experienced people working there. Their credibility took another major blow when they put out a complete farce of a report with AEI on Iranian attacks. When you are willing to put out a garbage report for money, what does that tell you about the leadership?

I will first repeat what others have said. I'm sure there are great, talented people working at Norse who are getting a raw deal here. I wish them nothing but the best. However, I feel there are some serious systemic industry problems this has brought into the spotlight.

First, the "FOMO" money has gotten out of control. What was KPMG thinking investing $11.5 million into Norse? Did they not talk to any threat intel experts first to get their views? This was after their very public intel blunders, so there isn't an excuse. There is so much dumb money in the VC cyber market right now that it's propping up companies with vaporware and marketing gimmicks. It puts a black eye on us all when we let this happen. If they would have just read great insights on the threat intel market by Rick Holland, Wendy Nather, and Robert M. Lee, they would have been more easily able to spot the skeletons in Norse's closet.

Second, what does this tell you about the VARs who championed Norse? Either they lacked the experience and skill to evaluate the product or, worse, knowingly pushed a bad product for points. I can't forgive this and neither should you. There is no value if a reseller just pushes anything that gives them a bigger sales percentage, instead of testing and ensuring it is a best-of-breed product or service. Customers deserve better.

Finally, I will echo what Robert M. Lee stated in his blog post. This outcome is not at all indicative of the broader threat intel product and services space. While I personally believe most companies are not ready for threat intel, there are several credible threat intel providers out there doing right by their customers. 

Things happen pretty fast in infosec, but to those in the know, this was a LONG time in the coming.

