Surprise, It’s All Broken Again – The Scale Pivot

POSTED ON 03 JULY 2017 // BY BILL MCINNIS

To understand what we are currently trying to solve in the cyber security industry it would be helpful to think about where we have been. We need to take a look back at some key points in the last almost 20 years to illustrate the fundamental shifts in the industry. The beauty of this exercise is that it helps us have an honest discussion about what we are trying to accomplish, above the threatening chaos of the current situation and the financial fascination with our industry at the moment.

In short, I have identified what I believe are the three key pivots in the last two decades. First was the Diversity Pivot, second was the Sophistication Pivot and I propose that we are currently in the Scale Pivot. Each of these started with the realization that everything is broken and ushered in new tech (or new applications of old tech) to help mitigate these gaps, which created new billion dollar companies and a new way of viewing how effective cyber security programs and operations are conducted, fundamentally changing the way we approach our daily efforts.

The Diversity Pivot

Spyware, Phishing, Pharming, Vishing, Email Authentication, Behavior-Based – those are some of the key words that came into the lexicon in the early 2000s. Up until that point, we thought that if we kept our AV up to date, we were good to go. Then we learned of people being tricked into entering credentials, of calls from phone numbers that appeared to be your bank, and of cool apps and programs for our desktops that were collecting information about everything we did. With that came the realization that everything was broken and we had major gaps in our security. The general public and large organizations became aware of the DIVERSE nature of the threats and that there was a gap in our collective security. The Diversity Pivot had an effect on the security market, contributing to the meteoric rise and acquisition of companies such as Webroot, CipherTrust, IronPort, Whole Security and others.

The Sophistication Pivot

APT, Spear Phish, RootKit, Zero-Day, Sandbox – those were some of the words that came into our lexicon in the early 2010s. Up until that point, we, as an industry, were starting to authenticate email, were taking down phishing sites quickly, felt we were getting better at stopping money and data from leaking out of our accounts by not clicking on links for account information, and were enhancing logins. And then it happened. Operation Aurora hit the news like something out of a movie: Google, the company with more PhDs than any other organization on the planet, had been hacked. That was when we learned that not all of the actors were loud criminals who wanted to post pictures of themselves in front of Ferraris on MySpace and Facebook. We learned that apparently there were people whose sole job appeared to be hacking YOUR organization. And they were good at it. We learned that they did research, wrote malware just to target your organization and apparently tested it on AV engines and the like before they sent it. They were, and most definitely still are, SOPHISTICATED. For years some vendors were screaming at us that everything was broken, and most didn’t believe them; then, all of a sudden, we did. The realization hit that we needed better visibility, we needed to check files coming into our enterprise, and we needed to know more about the threats. The security market responded to this pivot with aggressive growth of companies such as FireEye, NetWitness, ArcSight, Palo Alto, Fortinet and others.

The Scale Pivot

Threat Intel, Threat Feeds, Information Sharing, STIX/TAXII, Cyber Kill Chain, Reverse Engineering, Endpoint Protection, Orchestration, Threat Intel Platform – these are some of the phrases entering organizations’ vocabulary as we speak. In 2009 Internet Identity (IID) was one of the first organizations, if not the first, to come to market with a list of recently active or ongoing threats. These were phishing sites that IID identified and deactivated, along with lists of threatening IP addresses based on their research. The identified threats numbered in the thousands and folks were amazed at that number! Fast forward to 2016 and the number across the numerous threat feed providers in the marketplace today is in the millions, every day. So, when compared to the solutions put in place over the last decade, the math has caught up and taken over. That is what is driving the underlying evolution in security technology today. When you dig into the need for information sharing, the need for orchestration, and the need to understand where a valid threat fits in the cyber kill chain, the root cause of those needs is the need to function at a SCALE never before seen.

Put it all together and the story goes something like this: at each pivot point, organizations have thought, “We are good. We have [insert solution from last pivot response here].” Then comes the event and the collective realization: “Oh, crap, it’s all broken again,” and we seek a solution to fill the new-found gaps in our network and operations security.

It is the scale problem, that Scale Pivot, that exponentially growing threat situation, that turned my attention to Bandura. Everything is broken again, and until your organization can sit down and say it, you might as well put all your data on thumb drives and mail it to the adversaries to at least try and save some of the bandwidth costs from it flying off your network. You should also be prepared to kiss your best cyber-defenders goodbye, because they know it’s broken and if you won’t give them the tools, they will find places that will. It’s no fun to sit around and watch a train wreck, especially when you will be the one getting blamed.

Likewise, if you are in management and reading this and your CISO tells you they have it covered, ask them how many new technologies they have looked at in the last 6 months that don’t come from one of the major brands that love to take them to expensive dinners and invite them to outlandish conferences where they get to be put on the stage as the keynote speaker. Innovation is coming from new, fast-moving companies such as ThreatQ, Reversing Labs, Phantom, RiskIQ, Polarity, DarkCubed, and others. Ask your CISO specific questions about how they are dealing with the scale of things. Can they hold and action millions of Indicators of Compromise (IOCs)? That is one of the challenges of today. Time to think bigger! Just thinking that your recent firewall upgrade will cut it is not the solution, as even the beefiest firewalls can, at most, action a few hundred thousand IOCs, leaving valuable intelligence on the cutting room floor. Worse than that, it can overwhelm your team as you then dump the rest of them into a SIEM and have your team play the matching game all day on threat feeds and your logs, chasing down PCAPs to see if something fired. It may not have fired, and it is probably not a false positive, but it could have failed to fire for many other reasons (another blog post on this in the future). And when you do finally find a match that did fire, if it is from a sophisticated actor there are probably so many holes in your network from the bad actor that you will never find them all. What an incredible waste of time for your team and their talents. It is a sign that something is broken in your architecture, not of a highly functioning team, and probably makes them want to find new jobs.

It’s a math problem – no amount of orchestration or artificial intelligence can solve that for you. Are you getting data from the AIS program at DHS? Do you have a relationship with your sector-specific agency (like HHS if you are in healthcare) or the Information Sharing and Analysis Center for your industry (FS-ISAC for financial, MS-ISAC for state and local, etc.)? Start adding all of the data available to you freely from organizations like these and from some of the security companies that also offer threat feeds (Webroot, CrowdStrike, Cyren, InfoArmor, iSIGHT Partners, and others) and you will find yourself with a lot more information than you can deploy. That said, it is legit information; there is just a lot of it. Do you really want to accept that you just can’t deploy it? Is that supposed to be the way it is?

So, in writing this, I hope the readers can be gentle on my memory as I am sure I got some names and places wrong, but I don’t think you can argue the pivots. On a side note and a bit out of scope for this post, below is a diagram that I think can have multiple uses, but highlights the key components at the core of what we deal with each day. I think it also highlights how each is related to the others and explains what we are dealing with in threats like WannaCry or Petya (or whatever it actually is). Meaning an actor and a threat is a problem for someone; when you add in the scale, it’s a problem for lots of people – so I figured I would call threats like WannaCry, Petya, Mirai, etc. a Hyper Threat and see if folks think that is a good name for it. Maybe I will follow up on these types of threats in a future blog post. They truly are different and highlight that scale is a gap in our defenses. They have put us on notice that scale will be used more and more until it becomes a normal part of each and every attack.

In closing, I hope that you, the reader, can work with your organization and help the industry get leadership to a point where we can all acknowledge that “Yes, it’s all broken again”. Until we acknowledge it and start to re-architect to address it, nothing will change; it will be a case of organizations saying “we’re good” and vendors saying “we are faster, smarter, find more, than the other folks”. If we acknowledge it, everything begins to change for the better. There will be new threats from new angles, but we can at least say we can plan and act on diverse threats, from sophisticated actors, at scale.


Bill McInnis
Bill McInnis helped to pioneer the commercialization of curated and contextual cyber threat feeds.
