Security Through Privacy

By Chris White, Vice Chairman at BlueVoyant

I don’t need to know anything personal about my coworkers to keep cyber adversaries out of my environment, or keep my company’s data and intellectual property secure. Of course, when people go rogue and become malicious insiders, and the deep legal and investigatory engines kick in, it may become a different story. When it comes to preventing the bad guys from causing harm to colleagues and our firm, our cyber defense program focuses on protecting both corporate and personal data. That should be the goal of any cyber defense program or security services provider.

When I think about how we started designing our own/in-house security program at BlueVoyant, our first focus was understanding the data we had in our environment and how to value it. Once we had that understanding, we developed our protection strategy. We realized two things early in the process:

1. A lot of data within our corporate departments (HR, Legal, and Finance) was highly personal, and while we needed it to be protected while in our environment, it wasn’t really ours - it belonged to our staff. We had no basis to tell someone their financial information couldn’t leave our systems, but as long as we had to maintain it there, we had to protect it.
2. While we wanted to be cognizant of the data and protect it, we did not want it to dictate our cyber defense program.

Our Security Operations team confirmed this approach was consistent with modern cyber defense theory. More data isn’t always better for investigations and cyber defense. You may want more data sources, but a lot of the data fields within data sources, particularly application logs, and even logs from security tools, contain irrelevant information (which can also be considered personal in certain parts of the world).

It’s also important to acknowledge that as you scale horizontally, storage requirements increase significantly, which drives up costs without driving additional security value. For all of these reasons, BlueVoyant adopted a “data minimization” strategy as part of our security operations early on in our maturity. We focus on collecting the data we need to baseline normal system and account behavior, while leaving other data out of our security operations.

While we take in hundreds of log sources in order to secure our (and our clients’) environments, we find that on average only about 30-50% of the data within log sources is relevant to most security investigations. By throwing out the other half, we were able to eliminate concerns of ingesting unnecessary private information. We could focus the analysis efforts of our SOC and eliminate unnecessary costs. We still keep raw logs, but make a copy of those and fork them. We move some of this data to cheap storage, like Glacier, while maintaining the more relevant information in the “Operational Storage” of our more expensive SIEM platform.

This approach mirrors the approach taken by modern cybersecurity tools. Consider the example of Next-Gen Antivirus (NGAV). You may want to deploy an NGAV to your corporate endpoints to protect your files from ransomware or theft via advanced malware, but that doesn’t mean the NGAV needs to look at the sensitive (and somewhat irrelevant) data you’re trying to protect!

Here’s a sample of a real-world alert from a NGAV solution. This alert was created based on potentially malicious indicators and behavior. While the solution does capture endpoint IP address and username, you will notice there is no sensitive information collected by the console relative to the endpoint activity alert. The content below is what will be stored in the cloud by the NGAV solution and viewed by the analyst to investigate the threat. As discussed above, the analysts’ activities are always logged and can be reviewed in response to audit and privacy reporting requirements.

In conclusion, there’s a lot of rightful concern around privacy as well as cybersecurity - but when done correctly these two critical business needs should be in full alignment, not orthogonal. In fact, security programs and services that don’t stress privacy may not actually be optimized for detection and response. Specifically:

1. Security alerts and and the data needed to conduct security operations is not the actual content of your files or sensitive applications.
2. Data Protection Controls should be logically segmented between Private Data (PII and Corporate IP) from Security Operations data for Cyber Defense [1] [2]

Much of the data within your systems is completely irrelevant to your cyber defense. Personal information, as well as other content, is not examined by analysts. BlueVoyant’s “data minimization” strategy allows our analysts to focus on collecting only the data necessary to keep both our environment and yours secure.