APT Dynamics
Advanced Persistent Threat actors are well-paid and highly-motivated attackers who target institutions to steal corporate trade secrets and confidential information. MANDIANT (FireEye) has covered in great detail numerous international groups who engage in these ongoing activities.
Today's protective systems are not well-purposed for stopping these threats. While machine learning anti-APT solutions and Security Information and Event Management deployments looked to be promising solutions, the data shows these systems are not effective at achieving their goals; 2014 was a record year for data breaches and 2015 isn't expected to be any better.
The Verizon Data Breach Investigations Report includes statistics showing that more than one in four attacks against enterprise entities has an espionage component. Oftentimes this entails threat actors who steal legitimate user credentials to impersonate authorized users and gain access to sensitive materials. With this access, attackers are able to quietly and slowly offload sensitive information critical to a company's competitive advantage. The results can be catastrophic, not only damaging reputations and eroding business trust but in some cases driving companies out of business. Not long ago Inc. Magazine noted that 60% of small businesses fail within 6 months of a cyber attack.
Defending against APTs
Defending against these dynamics requires a multi-pronged defense that integrates many facets of data protection into a cohesive solution. Doing so often costs hundreds of thousands of dollars and requires a significant investment in qualified security practitioners focused on the problem. Even then the results aren't promising, and the approach isn't practical given the industry's talent shortage. Add to that the cost burden on small and medium sized businesses, and many are left without a viable option.
Until now. Definitive Data Security was formed specifically to address this gap and bring certain and measurable controls to bear against this attack dynamic. Our software suite builds upon our :Foundation, which provides basic protective capabilities that do not interfere with user workflows. Our software can be deployed in minutes using a self-service model and requires no training. Administration is simple and does not require extensive experience or knowledge to remain effective. Together with our :Assess component we offer certain and measurable results aimed at reducing exposure to this threat.
Big Fancy Military Encryption
With the onset of BYOD computing and cloud collaboration tools from the likes of Dropbox and Box, information is more accessible to corporate workers than ever before. This increases IT challenges in controlling access and exposes potentially sensitive materials outside the corporate environment.
When you review Enterprise File Sync and Sharing, Document Management, and even eSignature solutions, many providers would have you believe they have you protected. You'll often see "Bank Level Security" or "Military Grade Encryption" - and this should be your first sign to be skeptical. Both phrases are meaningless, and are usually accompanied by a long list of regulatory standards and encryption algorithms that provide almost no real value in assessing protections. AES-256 encryption, for example, contributes only partially to solving the problem because it's applied in only one part of the workflow. This leaves many other touchpoints where your data is exposed in plaintext. In fact, encrypting data at rest in the data center, where it's less likely to be touched than anywhere else in the process, is both the easiest option to implement and likely the least effective of all. Bank Level Security? Sure - in the one place almost nobody can get to, save a handful of company employees.
Granted, this is in fact important - but it is by no means complete. The same goes for "Military Grade Encryption". We'd much rather have AES-128 applied consistently and properly than AES-256 in only one link of the chain. While there are those who do in fact work to break crypto algorithms, the type of attackers that come after your data aren't cracking AES-128 or AES-256; they're looking for soft spots where the data isn't encrypted, or looking to steal your encryption and decryption keys so they can get to plaintext materials. Ignore all these misleading claims - they don't mean a thing.
Protecting Data At Rest
With cloud services, data eventually comes to your host, and it has to be in plaintext for you to access it. Otherwise you can't read it; it would be gibberish. When it's in plaintext on your host, it's exposed. And what happens when you're done using it? Is it removed? Almost never. Thus, there's most often a plaintext version of your information stored on your computer - and this makes it easy for those getting paid to steal your information. As a result, your information is openly exposed in places and in ways you may not know about. All the attacker has to do is find it - and they spend a good deal of their time doing just that.
So the next time you see "data is encrypted in-transit and at-rest", understand what's probably happening: your information is uploaded to your cloud provider's servers using SSL/TLS (which has its own set of problems). Assuming that's been done right, your document eventually lands on the cloud servers still in plaintext; only then and there does it get encrypted and moved into storage. The bottom line is this: if your document isn't encrypted before it reaches the servers, and if your encryption keys aren't kept on your host, then the information that reaches your cloud provider is in fact wide open to threats from inside your provider's organization. You are still, no matter what, counting on the good nature of every single employee in your vendor's organization to keep your data safe. This is something we never want to do, but it's done by almost everyone in the industry today.
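The two ingest paths just described, as an added Go example that is not part of the original article or of Definitive Data Security's software: Store models a provider that either receives plaintext and encrypts it at rest under its own key, or receives a blob already sealed on the host with a key that never left the host, and reports what an insider holding every key in the data center can recover. NewAEAD, Seal, Open and Store are names chosen for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// NewAEAD returns AES-256-GCM under a fresh key (crypto/rand.Read cannot fail in current Go).
func NewAEAD() (cipher.AEAD, error) {
	key := make([]byte, 32)
	rand.Read(key)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts doc with a fresh nonce and returns nonce||ciphertext||tag.
func Seal(aead cipher.AEAD, doc []byte) []byte {
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	return aead.Seal(nonce, nonce, doc, nil)
}

// Open reverses Seal; it fails on a wrong key or a modified blob.
func Open(aead cipher.AEAD, blob []byte) ([]byte, error) {
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], nil)
}

// Store models the provider's ingest path. It returns the stored blob and what an
// insider holding the blob plus every key kept in the data center can recover.
func Store(doc []byte, host cipher.AEAD, encryptOnHost bool) (blob, insiderView []byte, err error) {
	if encryptOnHost { // sealed before upload; the key never leaves the host
		return Seal(host, doc), nil, nil
	}
	// Plaintext reached the provider; it seals under its own key, which lives beside the data.
	provider, err := NewAEAD()
	if err != nil {
		return nil, nil, err
	}
	blob = Seal(provider, doc)
	insiderView, err = Open(provider, blob)
	return blob, insiderView, err
}
```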
Cloud Security Providers
There's a healthy after-market of software providers that attempt to address these specific problems. They offer host-side encryption before your data is uploaded to cloud services and moved through collaboration systems. Some are effective at doing this, but not all. In any case, none are effective against the host threat, meaning the attackers sitting in your network looking for plaintext materials on your computer will still be able to steal this information even though you're using a cloud security provider.
Does that mean you shouldn't use a cloud security provider? Not necessarily - there are a few vendors who do this quite well, but they aren't effective against the host attack. If you are confident that you're protected in other ways, then there are a few vendors who are appropriate and offer you what you need. In most cases, though, you'll still need protection against the host attack, and that's where Definitive Data Security can help you.
Protecting the Host
To defend against these host impersonation APT attacks, use one of the market's host-based data protection solutions that combine access control with encryption. There are several options, though we are partial to SSProtect, which offers several distinct advantages:
- Alternative offerings are difficult to deploy and expensive to manage; they require a healthy set of prerequisites and take weeks of prior planning. SSProtect can be deployed in minutes and does not require any other software to operate.
- Many solutions require containers to access data, and thus require user training. SSProtect is non-intrusive and applies protections to documents and files in their native formats and workflows. We use a scalable self-service model that minimizes deployment and maintenance costs.
- Most solutions offer local data protection but SSProtect applies protections that follow data. This provides seamless collaboration; no more user groups, no more protection permissions - protect, work with materials, and share without worrying about who has what permissions and where.
- SSProtect is the only solution to offer measurable and certain data exposure risk information, on-demand at any time. This gives you instant visibility into data use history and exposure showing where, when, by whom, and with what resources data is and has been accessed.
- SSProtect is the only software that can retain protections when the host is compromised, and it does not use SSL/TLS or common libraries prone to 0-day vulnerabilities. This minimizes patch frequency and dependencies on vulnerable components, minimizing administrative overhead.
In addition to these advantages, we offer :Recover for optional integrated backup and restore with no additional change to workflows, and :Email for integrated Outlook message protection. Altogether, SSProtect is the most secure, advanced, and comprehensive host data protection platform available, defending against advanced host intrusion threats while also protecting against cloud exposure and collaborative weaknesses in an easy-to-use, simple solution.
What Else You Can Do
No matter what you decide to do, ask questions, use common sense, ask for help, and don't believe everything you hear. We have countless examples of engagements where we encountered individuals who were certain their software provided these solutions only to learn that wasn't the case. Even their own organizations misled them into believing they had coverage, and it's not usually a very pretty sight to watch them discover these realities.
The best path forward is to ask for proof. Common sense goes a long way in this game and when you're ready, get in touch with an expert to perform an analysis on your system, end-to-end. They can point out weaknesses and flaws and help you address them, and work with you to find out how much protection you need based on the value of your data and the risk appetite of your organization. If you need help finding a vendor, give us a call and we can direct you to a number of our partners we know and trust to do a thorough job for you.
If you go it alone, be careful - there are a lot of people with lots of titles and certifications who still don't have a great understanding of the landscape. Keep in mind that there are good doctors and bad doctors - the same applies to security. While it's hard to be a doctor, and it's hard to be a security practitioner, it's harder still to be good at either. If you use common sense and trust your gut, you'll be much better positioned to make the right decision.
This article was published May 31st, 2015