Norse Corp.: How To NOT build a cybersecurity startup

When it was founded in 2011, Norse Corp. - which described itself as "the world's largest dedicated threat intelligence network" - had everything a promising startup could wish for: a charismatic and experienced founder, a rare and valuable technology, and a few tens of millions of dollars from investors. Less than six years later, it all came crashing down in the most horrible death a business can experience. What went wrong at Norse Corp.?

Hosted By

Ran Levi

Exec. Editor @ PI Media

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, he created the popular Israeli podcast, Making History, with over 15 million downloads as of July 2022.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Special Guest

Anthony M. Freed

Strategic Communications Leader

Anthony M. Freed is a Strategic Communications Leader enabling organizations to tell their story through multiple channels including analyst and media relations, thought leadership, research, podcasts, brand story telling and more.

In early February, 2016, Norse Corp. was disintegrating.

The high-profile security startup, which described itself as “the world’s largest dedicated threat intelligence network” and was widely known for its innovative Live Attack Map technology – was dead. Its website went dark. Its new CEO, appointed just weeks earlier – after the previous CEO was fired – told employees that they were welcome to show up to work – but there was no guarantee that they would be paid. Norse, for all intents and purposes, was dead.

It was a horrible death – perhaps even the worst demise that a business can experience, complete with allegations about scams, bitter blog posts from former employees, and public clashes on Twitter. 

“[Anthony] It was pretty dramatic. In fact, I don’t know of another cybersecurity firm that had as dramatic of a demise as Norse did. It was pretty spectacular.”

A Few Days Earlier 

On February 1st, 2016, Brian Krebs published in his uber-popular blog, KrebsonSecurity.com, an article with the headline “Sources: Security Firm Norse Corp. Imploding”. In his article, Krebs reported that Norse’s CEO and co-founder Sam Glines was asked to step down by the company’s board of directors. Krebs then goes on to voice accusations from former employees of the company, such as Mary Landesman, a Data Scientist who joined Norse in 2014:

“I realized that, oh crap, I think this is a scam,” Landesman said. “They’re trying to draw this out and tap into whatever the buzzwords du jour there are, and have a product that’s going to meet that and suck in new investors.”

In his article, Krebs claimed that Norse was the latest in a string of failed companies – some of which he described as being no more than ‘shell companies’ with a record of reporting “false and inflated” financial statements and failing to deliver on promises made to clients. 

These accusations spurred a heated debate between Krebs and two former executives of the company. The first was Sam Glines himself, the recently-dismissed CEO of Norse, who wrote in his blog – 

“There were inaccuracies in the article. I was never an owner of a shell company, and wouldn’t know the first thing about setting one up.”

Jason Belich, Norse’s Former Chief Architect, tweeted about the article, saying it was – 

“Bullshit… just plain not true.  I know. I was there.”

Brian Krebs replied to Belich’s tweet, saying that he asked Jason “about 4 to 5 times to speak on the record,” yet Belich declined. Naturally, this very public back-and-forth altercation, which included words such as ‘hit piece’, ‘agenda driven’ and ‘fundamentally dishonest’ reporting, only served to make the article even more popular… Sam Glines said of the Krebs article that it –

“Did incredible damage to Norse and every person or entity affiliated with it […] Prior to this article […] significant deals were being closed and other strategic discussions underway. But as soon as this article/blog was posted, everything quickly began to fall apart. Deals were terminated or paused.”

Jason Belich, somewhat surprisingly, ended his rant on Krebs’ reporting with a rather more personal contemplation.

“What is genuinely frustrating about this story is there is literally nothing in it about the actual problems and failures which led to Norse’s current situation: Why is Tommy Stiansen such a secretive bastard? Why has Norse garnered so much hate? How did such a toxic corporate culture develop that caused so many former employees to want to speak out? What were the blunders which caused a financial underrun?”

A Month Earlier

Norse was in deep trouble. 

Outwardly, the company kept the appearance of a successful cybersecurity business, but in reality – it was falling apart. The company was still not making any money even more than five years after it was founded, and the funds from earlier investments, including a $12M investment made only a few months earlier by KPMG, a multinational accounting firm, were almost all gone.

“Norse was in the latter half of 2015 running at an aggressive monthly burn to put out groundbreaking product and capabilities,” wrote Sam Glines, “Unfortunately, we were building ahead of very near-term revenue. This, coupled with lesser than expected sales in the 2nd half of 2015, and the delay in our planned Series B financing led to the perfect financial storm that drove the need to cut back our workforce. And I take full responsibility for these mistakes.”

Howard Bain, Norse’s newly installed CEO, confirmed to Brian Krebs that the company did lay off about 30% of its workforce. 

“The last few weeks have been what Mr. Bain described […] as a “perfect storm” which included the sales miss, scuttled investment, large-scale layoffs, a management change and a so-called DNS attack by hackers that knocked its website and attack map offline and brought down its internal email system for about a week.”

With no money in its coffers and no prospect of new investments, Norse was facing the worst crisis in its short history. And it was then, right when the company was down on its knees – that Brian Krebs decided to publish his investigative piece, and gave Norse its coup de grâce. 

A Year Earlier

“[Anthony] I joined Norse in 2014, left in 2015. So I was there for just a little bit over a year. I was the director of corporate communications there. I’m basically handling PR, blog, social media, media relations, stuff like that.”

That’s Anthony Freed. If the name sounds familiar – that’s because we had Anthony as a guest before in an episode we did about a mysterious hacker known as The Jester – plus he was, until recently, Cybereason’s Senior Director of Global Communications.

“[Anthony] So when I was first hired by Norse, that was my first project. […] And for about six months, we were working on this report, and brought in a friend. […] He and I were doing all the background research around Iran and kind of putting together the context and stuff.”

The report Anthony is referring to was called Pistachio Harvest. It discussed Iran’s cyber attack infrastructure, and was published jointly by Norse and the American Enterprise Institute (AEI). 

“[Anthony] which is pretty notoriously a right-wing think tank that was very much in support of a very aggressive approach to containing Iranian threats, both cyber, nuclear, and their influence in the region.”

What did Norse have to do with Iran? This all goes back to Norse’s most prized asset: its global network of honeypots. 

“[Anthony] Norse was founded by a technologist who came out of the telecoms industry, who had, I guess, famously built out Norway’s telecommunications systems and worked with a few other companies.”

This technologist is Tommy Stiansen, who together with Sam Glines founded Norse in 2011. Previously, he was the Director of Research and Development at Combitel Networks AS – a telecommunications company based in Norway, where Stiansen was born.

“[Anthony] and so basically the premise behind Norse was it had a status basically like a tier one telecoms provider. So it was on the backbone as far as the worldwide net was concerned. The idea behind it was they would spin up all these emulations.  Norse was a giant honeypot.
So basically they had hundreds of implementations that to an attacker might look like a network for a big bank or a hospital or other high value target. And they set up these emulations all over the world. According to the founder, he was even able to get access to…put sensors in places that were highly restricted and tough to get into like Iran and China.”

Norse’s honeypots were installed in 47 countries – including, as Anthony Freed noted, some countries which traditionally offer little visibility into their networks. These honeypots served as traps, dressed up as lucrative targets in order to lure attackers, and reportedly collected a whopping 140 Terabytes of internet traffic data each day.

The Pistachio Harvest report aimed to prove that Iranian companies were renting and buying IT resources in the US and other western countries, and that some of these resources were being used to conduct cyberattacks on America and its allies – such as against sensitive Industrial Control systems. But as Anthony recalls, when he tried to get his hands on some of this data as part of his work on the Pistachio Harvest report – he couldn’t get any.

“[Anthony] And we were being fed information about what the Norse data for the report was going to be. And we were never actually given the data itself. So we’re kind of working off of notes saying, well, this is what the team is finding. This is what we’re going to give you. So kind of be writing basically the framework for the report until we got the data.

And so we probably had, I don’t know, 50 pages of research and placeholders and waiting for this data, waiting for this data, and it was never coming. And we were told that they had identified potentially tens of thousands of IP addresses that were under control of the Iranian regime that were outside of Iran.”

But when push came to shove and the report was about to be finalized, Anthony discovered to his surprise that –

“[Anthony] There were no IP addresses. Maybe there was a couple that they could tie back, whether they could actually say it was being used in the attacks, highly unlikely.  The entire report was just a fraud.”

So, where did the “tens of thousands of IP addresses” claim come from? 

“[Anthony] So one of the founders’ ex-brother-in-law, who had a little bit of experience with threat intelligence via his military service and stuff, he was put in charge of the threat intelligence team and was spearheading this project. He didn’t know a damn thing, basically.

[…] basically the founder freaking out because this person who was in charge of putting together all this intelligence had basically been saying he identified tens of thousands of IP addresses under control and then it turned out, no… it’s actually maybe 10. But Norse had already started teasing this out to the press and to the government agencies and stuff and using it even before the report was written. And so it was at one point just like a panic, it’s like, go find these fucking IP addresses because we already told people we had. That’s a pretty bad sign.”

The Pistachio Harvest report came out in early 2015 – but almost as soon as it was published, it was absolutely ripped apart by the various commentators who read it. One such expert was Robert M. Lee, CEO and Co-Founder of Dragos, an industrial cybersecurity technology company, and a highly respected voice in the cybersecurity community. Robert wrote in his blog:

“I received an advanced copy of an earlier version of the report that was shared within unclassified government and private industry channels. […] The report was confusing but the data clearly revealed that the “attacks” from Iranian Internet addresses were actually Internet scans from locations such as Iranian universities and hospitals.

[…] [Norse] was interpreting Internet scanning data […] as attack intelligence. Most threat intelligence companies rely upon enriched data complemented with access to incident response data of actual intrusions; not scanning activity. Norse also held no verifiable industrial control system expertise but were quick to make assessments about these systems. And further when they stated that there were attacks on control systems by Iran what the data seemed to show was they actually should have said scans against systems trying to mimic industrial control systems by Iranian IP addresses.”

The Daily Beast reported that –

““It looks very amateur to me,” said one former U.S. official with years of experience on foreign government efforts to hack American systems. It seemed that Norse was basing its conclusions that Iran was behind malicious cyber activity largely on traffic emanating from particular Internet protocol addresses located in Iran. But hackers routinely use IP addresses outside their own country to mask their true location. “This alone would make me think it is not Iran,” the former official said. “Any decent actor worth their salt will jump through a few hops or anonymize their IP.”

Why did Norse release such a poorly researched report in the first place? Part of the reason has to do with its decision to collaborate with the American Enterprise Institute. At the time, the Obama administration was negotiating with Iran over lifting the nuclear sanctions imposed on the radical Islamic state, and the AEI – who has traditionally taken a hard line against Iran in the past – was determined to prove that Iran was still as dangerous as ever, and thus the sanctions should not be lifted. 

“[Anthony] I was always really surprised that at the time that they would want to get in bed with a group like that, they’re very, very not legitimately mainstream. They have an agenda, so that was a sign right there.”

“[Anthony] So the whole thing was very heavily influenced from the beginning to come out with a specific kind of conclusion about Iran, despite there not being any data to support it. […] I think at no point they had any substantial data or the data that they did have, they were reading too much into or probably didn’t have the expertise to be able to evaluate.”

“[Anthony] It was just irresponsible what they were doing. They’re trying to say, so write this report and then we’re going to go find the data to fit into it. And that’s not how you do intelligence. I mean, the data drives the conclusions and this was being done backwards for a certain purpose.”

The second reason, and perhaps one that was responsible for most of Norse’s troubles during its short existence, was its founder, Tommy Stiansen.

I already told you about one of Stiansen’s earlier roles in the Telecom business and how this experience helped him get Norse off the ground. I wish I could tell you more about the man, but when Jason Belich called Stiansen “a secretive bastard” – he wasn’t kidding. Stiansen is so secretive that there’s hardly anything about him online, except for a random YouTube interview and his LinkedIn profile. This is extremely rare for someone who founded several startup companies. If I had to guess, I would say that Stiansen probably paid someone to have all his internet presence erased.

“[Anthony] The founder, the main technologist behind it, was a very charismatic person who had just a very forceful personality. So they came across as very authoritative and they actually did have some chops and had some good skins on the wall from things they’d done. So it gave an air of authenticity where there wasn’t any.”

Anthony Freed says that Stiansen induced an attitude of ‘fake it till you make it’ in Norse.

“[Anthony] And I think that’s kind of where the belief that they were going to be able to produce a solution that did what they said it would do would come in time. And if you could just fake it long enough until you make it, everything would be OK. It wasn’t. […]

It’s so funny because the culture, what it was like to be there at Norse, I can only describe it as very much like what the US has been going through these last few years since Trump was elected in 2016 of just so much lies, misinformation. If you tell the story enough times, it becomes true wishful thinking.

[Ran] And once the criticism about the report started being heard, what was the response?

[Anthony] Oh, just deny, deflect. Like I said, if you just want to imagine what it was like, the culture of Norse, just imagine working for Donald Trump, that’s what it was like.”

For Anthony, the Pistachio Harvest was one cashew too much.

“[Anthony] That’s when I divorced myself from the project and basically started looking for another job.”

One And A Half Years Earlier

“A powerful security tool that shows how Norse’s live intelligence identifies the compromised hosts, malicious botnets, anonymous proxies and sources of attack that other solutions miss.” 

That’s how Norse’s press release introduced, in July of 2015, what quickly became a mini-sensation in the cybersecurity industry: Norse’s Live Attack Map. 

“[Anthony] The attack map basically looked like a two-dimensional rendering of the globe, and you’d see what basically looked like laser beams going, shooting from city to city across, and each one of those is supposed to be an attack. And every once in a while, you’d see like 50 lines go from somewhere like China or Russia and hit Seattle.”

Nowadays, such Live Attack Maps – jokingly referred to as ‘Pew Pew’ maps – are quite common: lots of security companies have them on their websites. But back in 2015 they were still quite rare, and Norse received a lot of media attention because of its innovative map.

“[Anthony] The attack map was fantastic, it was a great marketing tool, it was a lot of fun, it created quite a lot of buzz throughout the industry and stuff. But the leadership at Norse purposely let people assume they were looking at something that they weren’t.”

According to Norse’s press release –

“The Norse Live Attack Map is a real-time graphical display of our global network of sensors, honeypots, crawlers and agents working to provide unique visibility into the Internet and the darknets where bad actors operate. The map […] shows how Norse’s live intelligence identifies [what] other solutions miss.”

In other words, Norse claimed that what you’re seeing on its map are attacks being detected, in real-time, by its global network of honeypots. With its pretty graphics and impressive global scope, the Live Attack Map felt like something taken straight out of a science-fiction movie. It was very convincing. 

“[Anthony] And at the time, there were a lot of attacks going on against Xbox Live and stuff like that. So people go like, Xbox is down, I can’t log in, I’m looking at the Norse map and there’s all this attack activity going towards Seattle, so that’s got to be it.”

“[Anthony] And the company basically let people believe they were looking at live attacks that were happening because Norse is on the internet backbone and can see all this stuff around the world. And that was just absolutely not true.”

In reality, what the map was actually showing were online interactions with its sensors. An “interaction” could be almost anything: A cyber attack – but also a harmless ping, an IP scan, even an email being received. 

“[Anthony] So just because you saw a blip doesn’t mean there was an actual attack going on, but something was interacting with that sensor.”
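
The distinction drawn above, and in Robert M. Lee’s critique of the Pistachio Harvest report (scans counted as attacks), as an added example that is not from the episode or from Norse: constructed honeypot events are sorted by what the sensor actually observed, and the per-origin totals are compared before and after. The event fields, class names and GeoIP labels are assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    src: str     # source address as seen by the sensor (last hop, not the operator)
    geo: str     # GeoIP label for src; placeholder country codes, constructed
    sensor: str  # what the honeypot pretends to be
    dport: int   # destination port on the sensor (0 for ICMP)
    seen: str    # what the sensor actually observed


# Constructed sample events, not Norse data. Addresses come from the
# RFC 5737 documentation ranges; field names and values are assumptions.
EVENTS = [
    Event("192.0.2.10", "AA", "ics-emulation", 0, "echo-request"),
    Event("192.0.2.10", "AA", "ics-emulation", 502, "syn-only"),
    Event("192.0.2.11", "AA", "ics-emulation", 502, "syn-only"),
    Event("192.0.2.12", "AA", "ics-emulation", 502, "banner-grab"),
    Event("198.51.100.7", "BB", "mail-relay", 25, "mail-received"),
    Event("198.51.100.8", "BB", "ssh-server", 22, "auth-failure"),
    Event("198.51.100.8", "BB", "ssh-server", 22, "auth-failure"),
    Event("198.51.100.8", "BB", "ssh-server", 22, "auth-success"),
    Event("198.51.100.8", "BB", "ssh-server", 22, "command-executed"),
    Event("203.0.113.5", "CC", "web-app", 80, "syn-only"),
]

# Evidence tiers. A ping, a half-open SYN or a banner grab shows that
# something touched the sensor; it does not show an intrusion.
CLASS_OF = {
    "echo-request": "recon",
    "syn-only": "recon",
    "banner-grab": "recon",
    "mail-received": "benign",
    "auth-failure": "attempt",
    "auth-success": "intrusion",
    "command-executed": "intrusion",
}
EVIDENCE = {"attempt", "intrusion"}


def classify(ev):
    """Map one sensor observation to an evidence tier."""
    return CLASS_OF.get(ev.seen, "unknown")


def summarize(events):
    """Compare 'every interaction is an attack' with evidence-based counts."""
    return {
        # What a pew-pew map draws: one line per interaction of any kind.
        "map_blips": len(events),
        "by_class": Counter(classify(e) for e in events),
        # Naive view: every interaction counted against the source's GeoIP label.
        "naive_by_geo": Counter(e.geo for e in events),
        # Only events that show an attempt or an intrusion. Even these name
        # the last hop the sensor saw, not the party operating it.
        "evidence_by_geo": Counter(
            e.geo for e in events if classify(e) in EVIDENCE
        ),
    }


if __name__ == "__main__":
    s = summarize(EVENTS)
    print("map blips:        ", s["map_blips"])
    print("by class:         ", dict(s["by_class"]))
    print("naive per origin: ", dict(s["naive_by_geo"]))
    print("with evidence:    ", dict(s["evidence_by_geo"]))
```
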

This kind of ‘smoke and mirrors’ approach to security visualization prompted Paul Vixie, a notable computer scientist, to issue this warning in an article published on Circleid.com. 

“ “attack maps” lead to grave misunderstandings, such as: “In the Cloud, everything is crystal clear, look here, we instantly see where attacks are coming from.” Except that we don’t! Most of the time we have absolutely no clue as to where an attack is really originating from. […] Real attacks are so fuzzy and so numerous that no human can possibly follow them. If someone shows you color animation and claims that it offers any kind of clarity or indeed any kind of human understanding, then you should treat this as a “rigged demo” and ask why they are insulting you in this way.”

Attack maps do have their uses. For example, they can be a great sales tool, as noted in a csoonline.com piece:

“Some of the professionals CSO spoke with said they’ll pop one of the maps up on a screen in the SOC (Security Operations Center) if they know a client is coming in, but only because of the eye candy factor. In fact, most of the professionals said they’ve used them, but other than “performance art,” there isn’t any real value in them.”

What most, if not all, Attack Maps are showing are simply pre-recorded attacks, or a playback of packet captures by various sensors. So why did Norse’s executives decide to pretend that their map was showing something it wasn’t? Even Anthony Freed doesn’t have an answer for that question.

“[Anthony] They would have had a good story around the map if they’d have just told the truth too. […] Like I said, we were fed so much bullshit, it was hard to discern what was based on even a grain of truth and what was just wholly fabricated.”

Two Years Earlier

On November 24th, 2014, a hacker group calling itself ‘Guardians of Peace’ broke into Sony Pictures Entertainment’s network. They deployed a wiper that erased parts of Sony’s network, but not before grabbing and later publicly releasing sensitive information, such as embarrassing emails by the company’s executives.

An investigation by the FBI and the NSA concluded that North Korea was behind the breach, possibly in retaliation for Sony’s plans to release a comedy called “The Interview” that made fun of North Korean leader Kim Jong-un. But Tommy Stiansen had a different idea.

“[Anthony] So the founder was convinced he had evidence based off of some of the logs and stuff that were dumped publicly, evidence that it was a group of disgruntled employees who had been laid off, who still had some kind of access and also had intimate knowledge of the Sony systems. Because if you recall, as the attack was investigated, it was believed that the perpetrators knew exactly what they were looking for. Sony’s got a hell of a lot of data. And to be able to go through there and almost surgically find the stuff that would be most damaging to leadership and stuff was pretty phenomenal.”

“I am convinced that this is an inside job,” Stiansen told Bloomberg Politics. “The group, Guardians of Peace, nobody has never heard of them. I cannot find a drop of information on them. I would say if we can’t find anything on them, they don’t exist and they’re certainly not tied to any particular government.”

Stiansen was so convinced he was right and the NSA & FBI were wrong, that he sent Norse’s Senior Vice President of Marketing to repeat these claims on CBS’ 60 Minutes. Stiansen definitely wanted to make a splash, and he did – except maybe not the sort of splash he was aiming for.

“[Anthony] Everybody that was pinging me on the backend, friends and stuff, were just like, what is going on at Norse? To have a company go out and basically say, the NSA doesn’t know what they’re talking about. It’s not the North Koreans. We know exactly who it is. We know more than the NSA based off of a little bit of evidence that had been dealt publicly. It was insane.

[…] At that point, I don’t know if it was fabrication or just hubris or just an inability to take data and actually convert it to intelligence. But it was a spectacular flail to go on 60 minutes and try to push back against the NSA. And we had many conversations with the government and stuff, and they pushed back on us hard. And I was really surprised that they went forward with that argument publicly.”

And as usual, when reporters and commentators asked Norse for proof for their claims – there was none. As Anthony Freed wrote in a comment to Brian Krebs’ article: 

“When the time came to pony up the evidence, the CTO and CEO [That’s Stiansen and Glines – R.L] turned tail and left the SVP of marketing and the rest of the team dangling in the wind, looking like overzealous fools peddling snake oil. This was completely unfair and beyond irksome”.

Five Years Earlier

It’s August of 2011, and two entrepreneurs have just secured $50K in seed money from their first investor, Capital Innovators, for their new company, Norse. One of them, Tommy Stiansen, is already an experienced startup founder: his first company, Pluto Communications, developed advanced billing systems for the telecommunications industry. Pluto was acquired in 2004 by Cyco.net, who changed its name to Nexicon and pivoted the business towards Anti-Piracy technology. This pivot failed, but while at Nexicon Stiansen met another employee named Sam Glines, and the two of them decided to re-pivot Pluto’s original billing technology. Kurt Stammberger, Norse’s SVP of Marketing, explained their decision in a later interview.

“The company really started off as servicing payment providers and in the process of doing that work we found that the actual intelligence that we were gathering from the sensors that we were deploying in doing that function was actually more valuable than the software that we were originally selling. So the company took a hard turn into threat intelligence and we now have the world’s largest privately owned dedicated threat intelligence network.”

A year later, Norse secured another $3.5M, and then $10M more.

What did Tommy and Sam do with this money? Well, part of it went to the development of their biggest asset: a worldwide network of Honeypots. But a good deal of the money was spent on lavish, glittering parties, daily catered meals in the office and a bunch of shiny sports cars with the new company’s logo. 

Some critics pondered aloud if throwing parties and buying expensive cars isn’t a reckless use of Norse’s investment money, but the company’s founders deflected the criticism saying this kind of “show off” is absolutely necessary in order to convince more engineers to join the budding startup. 

If any of Norse’s investors questioned these financial decisions, they probably learned about Stiansen’s entrepreneurial philosophy of “Fake it till you make it.” It’s not an uncommon philosophy. The great Muhammad Ali famously said that “To be a great champion, you must believe you are the best. If you’re not, pretend you are.” Even Bill Gates is well known for this kind of attitude, like when he and Paul Allen, Microsoft’s co-founder, wooed Altair – a leading computer manufacturer in the 1970s – by saying that they had a new programming language that could run on Altair’s machines, when in reality they had nothing.

Obviously, there is a fine gray line between Faking It Till You Make It, and simply telling a lie… but it’s a harmless lie, isn’t it? And anyway, Stiansen is an experienced entrepreneur, with deep connections in the telecom industry. Pretty soon the lying and deceiving will stop, and Norse will become a global leader in Threat Intelligence. Right?…

Yeah. Everything will be OK. I mean, what could go wrong?…

Epilogue 

“[Anthony] I think the idea of how Norse was constructed and the kind of intelligence that they were able to tap was probably valuable, but it wasn’t intelligence. It was just data, and it takes a whole nother level of engagement with that data to actually create threat intelligence out of it. And they were very, very far from that. But I think the hubris of the founders and the executive team, possibly even the board was a huge factor there.”

Robert M. Lee, the security expert who publicly debunked Norse’s Pistachio Harvest report, agrees with Anthony, and says that the mainstream media is playing into the hands of overly ambitious companies such as Norse.

“Cybersecurity vendors are being rewarded for bold statements with national headlines that make for great marketing. Proving the claims to be incorrect can be difficult. Even when proving the analysis ambiguous is much easier, such as the Norse report, it garners less media attention and is cast aside for the more alluring headlines.”

Anthony Freed thinks that Norse’s problem went even deeper than simply confusing data with intelligence. 

“[Anthony] The idea that that expertise in one discipline can  automatically transfer to another discipline just because the basic components that you’re working at are similar. And that’s basically what the founder of Norse believed that, oh, I know, telecom inside and out. So the security shit’s going to be really easy.”

Did Stiansen learn a lesson from Norse’s failure? As he doesn’t like to be interviewed, we can’t know for sure. But one thing seems certain: he still thinks he can make it big in cybersecurity. In 2018 Stiansen founded a new company called RedTorch, which markets spying and anti-spying tools and services for celebrity clients.

“[Anthony] Overall, for the cyber security community, I think it was just a great example of how not to do things, how not to build a company, how not to treat customers, treat the media, treat employees. Really Norse is probably the case study in how not to create and operate a cyber security company.”