By John Stevenson | Blog

According to a report by consulting firm DirectDefense, leading Endpoint Detection and Response (EDR) vendor Carbon Black has been sharing customers’ files with cloud-based AV multi-scanning services in an attempt to detect malware. Unfortunately, it seems anyone with access to the cloud service and the right tools can see these files too. The data leaks, which include information such as customer cloud and app store keys, user names, passwords and confidential data, highlight the fundamentally flawed nature of detection-based anti-malware tools and the dangers of trusting third parties with your data.

The EDR vendor’s product works by whitelisting trusted or “known good” files. To deal with the volume and diversity of files that must be considered for whitelisting, files are uploaded – sent “off box” – to a cloud-based lookup service. This, in turn, can ask for a second opinion by copying the files again to a cloud-based multi-scanner. To help the cloud-based multi-scanner tell good from bad, “good” files are also uploaded. Cloud-based multi-scanners apply multiple AV tools to a file to try to determine whether it is good or bad. All fine in principle, except that the uploaded customer files are then effectively available “for the greater good” to anyone with a multi-scanner account and the appropriate tools. Access to multi-scanner accounts and tools is granted to cyber security professionals, government and corporate security researchers and anyone who is willing to pay.

A contrasting view – A healthy mistrust

Let’s contrast this approach with Content Threat Removal, Deep Secure’s solution to the problem of malware and previously unseen or zero-day threats. Documents aren’t “trusted”. We don’t acknowledge the concept of “known good” or “known bad”. Instead we mistrust everything and remove any threat it might contain using a process of transformation. Documents aren’t copied. Instead we extract the business information from them and create brand new documents, throwing the originals away. This transformation process is used to remove any active code, any unnecessary metadata and ultimately any threat. Documents aren’t sent off-box, much less to a cloud-based multi-scanner. Content Threat Removal functions as a bump in the wire on a boundary. From graphics files to PDFs, business documents are transformed as they travel from source to destination over the boundary point. Documents aren’t shared “for the greater good”. It’s not our place to use your documents to inform multi-scanners, third parties or help others. There’s absolutely zero risk of potentially sensitive business data being shared with anyone as a deliberate or accidental by-product of removing the threat with Content Threat Removal.

A transformation in protection

The Deep Secure Content Threat Removal platform uses this process of transformation to prevent any exploit contained in seemingly valid business communication from crossing a boundary point. It supports a wide range of application-to-application and general business communication across a boundary point and has a number of benefits. It works against unknown attacks. It does not need to maintain a list of known attacks and attack techniques. It works without needing to interact with the vendor. There is no need for signature updates to be brought in regularly from the Internet. There is no need to report behaviour to a central control system for correlation. Using this approach you don’t need to “detect” the zero-day exploit or “isolate” it to observe the behavioural characteristics. You just remove it.
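The transformation described in the two sections above, reduced to one simple format, as an added illustrative example. This is not Deep Secure’s Content Threat Removal code: it is a toy for binary PPM images that parses only the pixel data out of an untrusted file and writes a brand new file from those pixels. Header comments, stray whitespace and any bytes trailing the pixel payload are never copied, and anything that does not parse as a plausible image is rejected rather than passed through. The sample input is constructed for the demonstration.

```python
"""Toy content transformation for binary PPM (P6) images.

Illustrative example only, not Deep Secure's implementation. The idea is the
one the post describes: extract the business information (here, the pixels),
build a fresh document from it, and throw the original away, so comments,
metadata and trailing data never cross the boundary.
"""


def _read_token(data: bytes, pos: int):
    """Return the next header token and the position after it.

    Whitespace and '#' comments are skipped and are never carried over.
    """
    while True:
        while pos < len(data) and data[pos:pos + 1].isspace():
            pos += 1
        if pos < len(data) and data[pos:pos + 1] == b"#":
            while pos < len(data) and data[pos:pos + 1] not in (b"\n", b"\r"):
                pos += 1
            continue
        break
    start = pos
    while (pos < len(data) and not data[pos:pos + 1].isspace()
           and data[pos:pos + 1] != b"#"):
        pos += 1
    if start == pos:
        raise ValueError("truncated header")
    return data[start:pos], pos


def extract_pixels(data: bytes):
    """Parse an untrusted 8-bit P6 file into (width, height, maxval, pixels).

    Fails closed on anything implausible instead of guessing.
    """
    magic, pos = _read_token(data, 0)
    if magic != b"P6":
        raise ValueError("not a binary PPM")
    w, pos = _read_token(data, pos)
    h, pos = _read_token(data, pos)
    maxval, pos = _read_token(data, pos)
    w, h, maxval = int(w), int(h), int(maxval)
    if not (0 < w <= 10000 and 0 < h <= 10000 and 0 < maxval <= 255):
        raise ValueError("implausible dimensions or depth")
    pos += 1  # exactly one whitespace byte separates header and raster
    need = w * h * 3
    raster = data[pos:pos + need]
    if len(raster) != need:
        raise ValueError("truncated raster")
    # The pixels are the only thing we keep; everything after 'need' bytes
    # (e.g. a trailing payload) is dropped by construction.
    pixels = [tuple(raster[i:i + 3]) for i in range(0, need, 3)]
    if any(c > maxval for px in pixels for c in px):
        raise ValueError("sample value exceeds maxval")
    return w, h, maxval, pixels


def transform_ppm(data: bytes) -> bytes:
    """Build a brand new PPM from the extracted pixel values only."""
    w, h, maxval, pixels = extract_pixels(data)
    header = b"P6\n%d %d\n%d\n" % (w, h, maxval)
    return header + bytes(c for px in pixels for c in px)


# Constructed sample: a 2x1 image with a header comment and trailing bytes,
# the two places where a file could carry content that is not the image.
SAMPLE = (b"P6\n# header comment that should never be copied\n2 1\n255\n"
          + bytes([255, 0, 0, 0, 0, 255])
          + b"\n<trailing bytes that should never be copied>")

if __name__ == "__main__":
    out = transform_ppm(SAMPLE)
    print(len(SAMPLE), "bytes in ->", len(out), "bytes out:", out)
```

The output file is built purely from the parsed width, height, depth and pixel tuples, so the only way for input bytes to reach the destination is as a validated pixel value; a truncated or malformed file raises rather than being forwarded.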

If your business has digital assets that you absolutely cannot afford to have compromised, we’d suggest you think twice before enlisting the help of any technology that will share them with others, even with the best of intentions. Instead, keep those assets private and remove any threat they might contain.
