Introduction
It's sometimes overwhelming, seemingly impossible, to think we can stop well-financed nation-state attackers and international crime syndicates - APTs - from stealing corporate information. In the last 7 days alone we've received news of hackable cars, read about the Ashley Madison breach, and started to understand the realities of the PNI Digital Media breach affecting the likes of Costco, CVS, Walmart, and Rite-Aid. On top of that, we've just days ago learned of a critical PHP vulnerability (webservers) and today received reports that nearly a billion devices are susceptible to the "worst" set of Android vulnerabilities found. Details are sketchy, but then so seems security.
How are you, the Administrator, with an understaffed team and little budget to speak of, supposed to find ways to make the sweeping changes that seem necessary to secure your company's most sensitive information?
How are you, the Executive, supposed to believe anyone has effective measures for your team to use, reliably and effectively, even if you could open up your checkbook? The last thing any of us need right now is distracting empty promises.
Effective Protections
The good news: It really isn’t hopeless, and we have answers for you today. Though most people realize there is no silver bullet, it is in fact the proper alignment of well-known fundamentals that gains the upper hand on APTs. This approach effectively reduces APT impact while at the same time providing facilities for teams to build more efficient Incident Response Plans.
The approach we are going to share with you probably isn't what you've come to expect. There are plenty of naysayers indicating that our approach isn't possible, or asserting that a viable implementation would not have much effect on APT activities.
We recognize and respect the inertia of the status quo, but look around: It isn't working.
If you’re willing to set aside preconceived notions you have possibly (and understandably) developed through a series of empty promises, and if you can for a few minutes reconsider some ideas you may have previously thought ineffective, we can describe an existing, effective, non-intrusive solution that will protect your most sensitive application data from today’s most advanced electronic threats.
SSProtect = The :Foundation Client + KODiAC Cloud Services
The solution we engineered, Simple Security: Protect (and/or Super Simple: Protect), is delivered in SaaS form utilizing DefiniSec-deployed KODiAC Cloud Services. Instead of a web browser, however, SSProtect uses a tiny (~7 MB) Windows application, the :Foundation Client, which end-users and "administrators" download and install/configure themselves.
The :Foundation Client, as your primary interface for SSProtect, allows you to protect documents, files, and email and then continue working with the protected/managed content as before. You will have different facilities available to you based on a growing set of scalable service offerings you can enable at any time, and through the course of using protected content you may be prompted to submit primary and/or 2FA credentials in a variety of forms.
This approach aims to apply layered security primitives to your content while minimizing the resulting impact on ongoing use of sensitive data, and we have achieved that. We are in the final stages of our Early Adopter trials and expect to make SSProtect Generally Available before the 4th quarter of this year.
Fundamentals
KODiAC brings into alignment common principles required to reduce the effectiveness of APT dynamics. In the paragraphs that follow, we will introduce you to some of these concepts to clarify our approach and give credence to the solution we have engineered.
Getting Proper Amounts of Quality Event Data
We cannot create effective actionable intelligence if source information is unreliable. We also cannot expect analysts to manage systems generating thousands of events each day. When we implement and deploy such systems, our teams suppress alerts and miss critical notifications among false positives. This is part of what happened in the Target breach.
To generate reliable event data, we turn to our secure cloud services, which manage critical aspects of secured data access. Isolation, close monitoring, and a tiny attack surface ensure the ongoing integrity of cloud data. This serves as the source of on-demand data exposure risk classification, which in turn forms the foundation for the efficient response planning required to manage breach dynamics.
Impersonation
Advanced Persistent Threat actors have time and money on their side, and they eventually penetrate their target and steal credentials for the highest privileged accounts in the system. This gives them unfettered, nearly undetectable access to offload information.
We can make this very difficult for them with proper 2-factor authentication. Unlike most typical 2-factor solutions, we do not use the 2nd factor as a login gate that then opens up doors to vast amounts of information. With a login-gate approach, the attacker lying in wait gets immediate access to a treasure trove of information you almost never need to access at one time.
By minimizing the information made available by a single 2nd-factor credential and its associated authentication activity, we limit exposure to the absolute minimum amount of information necessary for you to carry out your ongoing tasks.
Vulnerable Technologies
This is one of those seemingly endless issues that doesn't exclude anyone. We had the Heartbleed bug in OpenSSL, then watched the start of a $5.4 million engineering effort a few months later get followed up only 11 days ago with yet another critical vulnerability. It takes time and many iterations to fix.
Then there’s the Hacking Team breach that just weeks ago exposed numerous 0-day vulnerabilities in Flash and on Android. We also know that the NSA spent at least $25M in 2013 purchasing 0-day flaws. The evidence is clear: Attackers know technology shortcomings before vendors and Administrators do.
SSProtect and KODiAC avoid the use of popular and at-risk open source libraries and core technologies such as SSL/TLS and OpenSSL, SSH, Microsoft ATL, MFC, and .NET. Not only does this mitigate risk from 0-day exploits, it also reduces dependence on the patch management proceedings required to update broken technologies. In fact, SSProtect has not, since its first alpha in August of 2014, relied on any technology that has had a security patch (with the exception of patches for services required to keep the OS running).
Encryption + Access Control = Potential
You’ve undoubtedly heard this many times before – encryption is not security. Despite some misleading interpretations promulgated in the press, encryption remains a critical aspect of data security, but it requires strong access controls to hold value. For example, SSProtect never marries encrypted content and decryption keys together until secure cloud services authenticate and authorize user access requests. This isolation is critical for many reasons (see below).
CRITICAL: Key Management
A cryptosystem that offers data sharing of any form uses more than encryption/decryption keys, and key generation and management must always remain out of the attacker's reach. Once keys are exposed, they should be discarded and regenerated. Traditional OTFE (on-the-fly encryption) solutions cannot address this problem - keys must remain in memory, and attackers with local host administrator credentials can undoubtedly steal them from memory. At the least this exposes the information; at worst it offers insight into how other keys can be acquired. This leads to yet another concept called Perfect Forward Secrecy, which ensures keys are derived in a fashion that doesn't create dependencies on material that can later be exploited.
Though details are (clearly) far too complex to cover in this article, we can say with great confidence that this is almost never done right. We also know from firsthand experience that the complexity often leads to conclusions that are convenient yet inaccurate, and that is a big part of the many problems with today's security landscape.
Nonetheless, DefiniSec never has access to customer keys, and once keys are exposed they are discarded and securely regenerated. As a result, DefiniSec cannot access customer data, and legal subpoenas for these keys will not expose information to legal representatives. Thus, our customers will have to be involved in order to give up plaintext, and furthermore SSProtect will always keep and offer an accurate record of all data access attempts.
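To make the two principles above concrete (a 2nd factor scoped to a single access rather than a login gate, and keys held apart from ciphertext until a request is authenticated, authorized and logged), here is an added toy model in Python. It is not DefiniSec's code or protocol; the HMAC-based one-time code, the per-document key table and the user/file names are all constructed for illustration.

```python
import hmac, hashlib, secrets
class KeyService:
    """Constructed toy model (not DefiniSec's code) of a key-custody service:
    document keys live here, apart from the ciphertext held on the client,
    and one key is released per authorized request. Every attempt is logged."""
    def __init__(self):
        self.keys, self.acl, self.otp_secrets = {}, {}, {}
        self.used_codes, self.audit = set(), []

    def enroll(self, user, otp_secret):
        self.otp_secrets[user] = otp_secret

    def add_document(self, doc_id, readers):
        self.keys[doc_id] = secrets.token_bytes(32)   # one key per document
        self.acl[doc_id] = set(readers)

    def second_factor(self, user, doc_id, counter):
        # What the user's authenticator would compute: the code is bound to
        # one document and one counter, so it unlocks nothing else.
        msg = f"{doc_id}|{counter}".encode()
        return hmac.new(self.otp_secrets[user], msg, hashlib.sha256).hexdigest()[:8]

    def request_key(self, user, doc_id, counter, code):
        ok = (user in self.otp_secrets
              and user in self.acl.get(doc_id, ())
              and (user, doc_id, counter) not in self.used_codes
              and hmac.compare_digest(code, self.second_factor(user, doc_id, counter)))
        self.audit.append((user, doc_id, "granted" if ok else "denied"))
        if not ok:
            return None
        self.used_codes.add((user, doc_id, counter))
        return self.keys[doc_id]

    def rotate(self, doc_id):
        # An exposed key is discarded; the document gets a fresh one.
        old, self.keys[doc_id] = self.keys[doc_id], secrets.token_bytes(32)
        self.audit.append(("system", doc_id, "rotated"))
        return old != self.keys[doc_id]

def demo():
    ks = KeyService()
    ks.enroll("alice", b"alice-authenticator-seed")   # constructed sample seed
    ks.add_document("payroll.xlsx", ["alice"])
    ks.add_document("merger.docx", ["alice"])
    code = ks.second_factor("alice", "payroll.xlsx", 1)
    first = ks.request_key("alice", "payroll.xlsx", 1, code)
    replay = ks.request_key("alice", "payroll.xlsx", 1, code)   # reused code
    other = ks.request_key("alice", "merger.docx", 1, code)     # wrong document
    return first is not None, replay is None, other is None, len(ks.audit)
```

A code captured for one document neither replays nor opens a second document, and every attempt, granted or denied, lands in the audit record.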
The Human Element
We cannot talk about mitigating breach risks without considering how human error comes into play. No matter how hard we try, we will ultimately make mistakes. Systems have to be designed to take this into consideration and minimize the impact by ensuring a simple mistake doesn’t expose an inappropriate amount of information.
Our design philosophy is to ensure that a) people cannot maliciously acquire material they do not have access to, whether customers, attackers, or internal employees, b) default configurations use the most secure capability the system offers, and c) default workflows use secured data flows while permitting customers the right to determine when, and how, protections can be removed. We take great pride in making security automatic and simple, and the best way to know this is through hands-on experience and evaluation. In the meantime, you can see some evidence of this in our Videos.
Summary
APT dynamics can be stopped when we bring proper security fundamentals together with a coordinated and concerted effort to provide real data protection. DefiniSec built SSProtect using these principles and in direct response to APT breach recovery dynamics.
Additional Features
SSProtect implements a theoretically pure security solution while introducing the new concept of Data Exposure Mitigation and Management. This seeks to reduce the effectiveness of advanced attacks by properly aligning fundamental protections with thorough implementation. We’ve touched on some of the basic principles that go into building this secure foundation with reference to SSProtect, though we want to be sure you understand the product offers a great deal of additional capability, such as In-Place Encryption, which retains native workflows and provides continuous, in-use plaintext protection in native software, and Zero-Configuration Collaboration for Organization Peers. Optional :Recover services provide seamless data backups with integrity assurances while offering on-demand restore and full Disaster Recovery Services.
Future services will provide Integrity Remediation for Ransomware, with repairs that are not subject to corrupted, unauthorized modification, i.e. data backups are protected from corruption and leveraged to apply integrity assurance that makes Ransomware irrelevant. Finally, advanced Analysis delivers Objective Disclosure Risk insight based on the patented offloading, key management, and auditing model, such that the "worst-case" disclosure risk of all items across an Organization of managed Users can be determined by executing a report and viewing the summary results - prioritizing further forensic discovery and analysis for highly accurate, quick and far less expensive disclosure notification liabilities.
Last but not least, fundamental protective capabilities are available for Outlook email message content, with some variations from managed documents/files that remain flexible and are not yet finalized (Early Adopter feedback is driving the results).
Conclusion
Breaches are going to happen, and systems don’t have to achieve perfection to be useful. Today, success comes with minimizing the impact of a breach and isolating damage to a small portion of the system. You may lose a few things – it's inevitable – but you can keep from giving away the farm by taking measured steps associated with the proven techniques we’ve outlined here. As such, managing data exposure with proper management capacity offers reasonable and practical expectations for data protection, and includes concepts that everyone should understand and anyone can use.
This article was published July 28th, 2015