Tanium Accused of Exposing California Hospital’s Network in Sales Demos Without Client Permission
Earlier this week, Orion Hindawi, CEO of systems and security management company Tanium, published an open letter covering two issues of current 'bad press'. The first is that Tanium has a toxic staff relations culture. Hindawi denies this: "Mission-oriented, hard-charging, disciplined, even intense, but not toxic."
The second issue is less easy to dismiss. It stems from an initial report in The Wall Street Journal, subsequently picked up by numerous other media outlets.
"For years, cybersecurity startup Tanium Inc. pitched its software by showing it working in the network of a hospital it said was a client..." wrote the WSJ. The problem here is that the demo was live and uncensored, giving out details of the client's name (the El Camino Hospital in Mountain View, California) and IT infrastructure, apparently without authorization to do so.
'Start-up' is a misleading description: Tanium is neither new (it was founded ten years ago), nor small (it was last valued at $3.5 billion). It has, however, been growing rapidly; and that might be part of the problem. In May 2014 it raised $90 Million in funding from Silicon Valley VC firm Andreessen Horowitz; and added a further $52 million in March 2015.
"When you start to develop a new product," Stuart Okin, SVP of Product at 1E told SecurityWeek, "the very first thing you do is solve the problem of how you are going to demonstrate it." 1E spent three months solving this problem at the start of developing Tachyon, a competing product that bears some similarities to Tanium.
Both products must scale to huge numbers, and need to be able to demonstrate this ability. Okin's solution was to develop an in-house emulator using virtual machines. Tanium doesn't seem to have had such a plan. Exactly what happened isn't clear, beyond that Tanium seems to have had a direct link into the hospital's system and was able to demonstrate the product in action, live.
In doing so, viewers would have been able to discover information about the network's infrastructure and its strengths and weaknesses -- knowledge that would have been invaluable to a potential attacker. In his letter, Hindawi acknowledges mistakes. Without mentioning El Camino, he writes, "We should have done better anonymizing that customer’s data."
But he also makes the point, "Other than the few customers who have signed those documents [allowing Tanium demonstrations] and provided us remote access to their Tanium platforms, we do not -- and in fact cannot -- demonstrate customer environments with Tanium." This implies that someone at El Camino provided the physical connection that allowed the Tanium demonstrations.
But the hospital denies this. In a separate statement, a spokesperson said, "El Camino Hospital was recently made aware that Tanium, a former third-party vendor that provided a desktop management program, had been using hospital desktop and server management information as part of a sales demonstration. El Camino Hospital was not aware of this usage and never authorized Tanium to use hospital material in any sales material or presentation."
Clearly, these two statements do not align. "This is a very embarrassing incident for the cybersecurity industry, as it undermines trust towards the large and reputable players," High-Tech Bridge CEO Ilia Kolochenko told SecurityWeek. "However, anyone can make a mistake, and prior to any conclusions or accusations, a thorough investigation should be duly performed. Many successful companies become victims of their own success -- it’s very challenging to maintain skyrocketing growth and assure that every employee respects all the internal procedures and policies in their integrity. In the cybersecurity industry, this problem is especially important, as startups grow very quickly and handle extremely sensitive data. I hope that all companies, not just Tanium, will learn a lesson and revise their internal policies and their practical enforcement."
Mistakes were certainly made, but the bottom line is that it should never have happened. "Using live customer environments for demos is a rookie move, and certainly not representative of standard practice among security software vendors," commented Okin. "There are established protocols for this -- such as demo rigs in the cloud. The 'wild west' startup approach doesn't fly in the security space, especially as these products and solutions are there to protect information, and you often find yourself engaged in heavily regulated environments."
He added that security companies should never be able to VPN into clients' infrastructures, unless it is an essential part of the service offered. This incident, he said, breaks the essential trust that is necessary between security vendor and client.