[BreachExchange] Protecting trade secrets: technology solutions you can use

[Inga Goddijn]

https://www.csoonline.com/article/3268810/cyber-attacks-espionage/protecting-trade-secrets-technology-solutions-you-can-use.html

With the recent Waymo-Uber trade secret trial making headlines, you may
find that your executives are bringing up the issue of trade secret
protection.  If not, it may be a good time for you to do so.  In this last
part of my four-part series on this subject, I will highlight technology
controls that you should consider to help mitigate risks of trade secret
theft.  In "Stopping trade secret theft in your organization,"
<https://www.csoonline.com/article/3188461/leadership-management/stopping-trade-secret-theft-in-your-organization.html>,
I explained what a trade secret is. In "Stopping trade secret theft in your
organization, part 2,"
<https://www.csoonline.com/article/3197630/leadership-management/stopping-trade-secret-theft-in-your-organization-part-ii.html>,
I provided an overview of trade secret law, for non-lawyers. "Understanding
root causes of trade secret breaches"
<https://www.csoonline.com/article/3250696/data-protection/understanding-root-causes-of-trade-secret-breaches.html>
contained my analysis of the root causes of recent trade secret thefts.

By focusing on technology, I am not minimizing the need for process
controls, training and good policies.  These all have to work together to
provide a holistic security system.  I also will assume that basic security
technology-based controls will have been implemented already.  Often these
are focused on protecting networks and systems.  They include NGFW, SIEM,
EPP, EDR, IDPS, MSSP vendors and MDR vendors.  A broad, structured overview
of technology vendors is provided here
<https://www.rsaconference.com/writable/presentations/file_upload/pdil-w02f_understanding_the_security_vendor_landscape...-final.pdf>.
I am going to focus on *additional* technologies that you may want to
consider to mitigate risk of trade secret theft.  These technologies are
focused on *protecting data*.  To secure your organization you need to
tailor the mitigations to the risks.  The business upside benefit of better
trade secret protection is that your organization will be better equipped
to securely and effectively collaborate with business partners.

For this post, I will make use of the NIST CSF to organize the analysis.
While the CSF is titled “Framework for Improving Critical Infrastructure
Cybersecurity”, it can be used for risk management of any component or
subcomponent of your infrastructure.  My goal is to highlight security
technologies that could support each of the basic five CSF functions.  The
products I mention are only illustrative products; I don’t have any
connection with any of these vendors.

The CSF can best be thought of as a gradient, because the technology
products do not fit neatly into one function.  Instead vendor solutions
cover more than one capability, either natively, or through partnerships
with other vendors.  I assigned each vendor to a *principal* function.  In
*your* selection of vendors, you still need to make sure all five functions
are covered by at least one vendor.
1. Identify

In this step you need to identify and document risks.  This will require a
data asset inventory, data flow diagrams and business data valuation.  The
data inventory and maps should be available from your enterprise
architecture teams and business owners.  The business data valuation will
need to be worked out in your conversations with legal and finance.  Next
you need to describe your use case.  Will you have a few insiders accessing
your trade secret data?  Will you have a broad range of partners sharing
the data?  Once this use case is defined, you will also need to identify
misuse cases.  Each misuse case will have an attack path; these could be
quite different from the commonly cited “kill chain”
<https://www.lockheedmartin.com/us/what-we-do/aerospace-defense/cyber/cyber-kill-chain.html>.
The attack paths can be highlighted using attack tree methodology.  Then
outline how these risks will be blocked by the CSF framework functions and
supporting technologies.

After you identify trade secret information, you need to classify it within
your corporate classification schema.  Boldon James
<https://www.boldonjames.com/> and Titus <https://www.titus.com> are two
technology vendors that enable data classification and labelling.  Boldon
James’ strategy is to enable user classification of data at the time of
creation.  This can be fully automated, user assisted or manual.  Effective
classification of trade secrets may be more difficult than tagging
documents containing PHI or credit card information.  This is where
automated assistance can be helpful.  Once the data is classified it is
labelled and suitable metadata attached.  This metadata can be read by
downstream solutions that will protect the data.  These downstream
solutions include:  DLP, email gateways, and collaboration tools such as
SharePoint and Box.
2. Protect

Once data has been classified and labelled, there are a wide range of
possible protection choices, depending on your use cases.  These could
include ERMS (Enterprise Rights Management System) persistent encryption,
file encryption, document passwords, etc.

If your company’s “crown jewels” are created and kept within Office365,
Microsoft has an extensive data protection solution, known as AIP (Azure
Information Protection).  At least part of this capability stems from its
purchase
<https://blogs.microsoft.com/blog/2015/11/09/microsoft-to-acquire-secure-islands-a-leader-in-data-protection-technology/>
of Secure Islands in 2015.  Secure Islands was an innovator in the data
protection space.  Its technology uses data classification, user ID,
destination ID, and other parameters to define an information protection
*profile* that then governs the automated handling of sensitive
information.    Classification is applied manually, automatically or using
a combination of these.  These concepts are being delivered and implemented
in AIP now.
3. Detect

Detection tools employing behavior analytics and deception have gotten more
visibility recently.  UEBA’s (User and Entity Behavior Analytics)
visibility has increased since Gartner coined the category around 2015.
UEBA capability can be stand alone or part of SIEM or other tools.  UEBA
will not be a broadly applicable detection process.  The challenges are
that networks change too fast, users move and get new assignments, mergers
and acquisitions happen, etc.  Under these circumstances it will be hard to
define a stable network baseline.  In addition, security analysts will need
careful training on what to do with findings from these tools.  However,
where the data asset is well defined and the users are carefully described
and not constantly changing, UEBA may be a valuable tool.  This can be the
case for protecting trade secrets.

Securonix <https://www.securonix.com> has been an innovation leader in
incorporating UEBA into its next generation SIEM product.  Advanced
statistical behavioral baseline profiles are generated, based on context
and time series events.  Context information includes which group the user
is in, what assets are being accessed, etc.  Event data includes
information from systems, applications, cloud sources, databases, etc.  The
baseline profile is also aged out over time.  This process comprises a
“machine learning” step.  Then, statistical deviations from the baseline
are tagged when they occur and categorized as to likelihood of threat.

On the deception side, Thinkst <https://www.thinkst.com> has popularized
and simplified the application of “honey pots” and “honey tokens”.  The
Canary tools can enable you to detect intruders attacking trade secret
data.  Canary is a honeypot technology engineered to an easily configurable
form factor (i.e. router, end point, etc.).  The free honey tokens are
imbedded into word documents, spreadsheets, etc. and send you a
notification whenever the object is accessed.   The Canary can be used to
proactively detect reconnaissance activity, while the Token can be used to
detect possible intrusions.  Both of these would be especially applicable
in a distributed environment, where you have trade secret data located at
multiple locations on multiple platforms.
4. Respond

Security automation and orchestration (SAO) is critical for mitigating
trade secret breaches.  Stolen data must be retrieved immediately.  You do
not have a 45-day breach notification option.  If there is a trade secret
breach you will have hours to days to block the leak.  Once the data is
out, it is lost forever, and the information ceases to be a trade secret.
Newer tools from firms like Phantom <https://www.phantom.us>, Demisto
<https://www.demisto.com> and Swimlane <https://www.swimlane.com> can help
speed up the process in several ways.  They can reduce routine work by
analysts; automatically orchestrate response, such as deactivating user
access; and provide playbooks for detailed incident handling, such as
responding to a malicious insider attack.  Another interesting feature is a
secure communications channel, such as ChatOps from Demisto.  In addition
to helping to remediate technical aspect of incident response, your GC and
even CEO may need to be part of the breach response conversation, sooner
rather than later.  In responding to a trade secret theft, you will not
have time for conventional hierarchical communications. This and other
aspects of the incident response plan must be regularly exercised in a
table top simulation.

If you are not large enough to implement SAO tools, you can automate
processes yourself.  Several process automation tools are out there
including:  Nintex <https://www.nintex.com>, KissFlow
<https://www.kissflow.com> (for Google apps) and others.  Nintex is an
enterprise class click and drag workflow tool, with interfaces to Office
365, Dropbox, Dynamic CRM and many other software environments.  It’s only
possible disadvantage is that it does not directly support users, choosing
to work with partners instead.  KissFlow, on the other hand can be
downloaded from the G Suite Marketplace and be up and running in a few
hours.  Its primary focus is automation within Google GSuite.
5. Recover

Legal action...forensics… if you are a victim of trade secret theft, you
will likely need to take some type of legal action.  To prove anything in
court, reliable logs must be kept.  The recent Waymo-Uber trial has
pertinent information on this topic.  Reading through the incident timeline
<https://www.tradesecretsinsider.com/wp-content/uploads/sites/323/2017/03/Waymo-LLC-v.-Uber-Technologies-Inc.-et-al..pdf>,
it appears that Waymo was alerted to large file downloads from its systems
some six months after the fact.  These files had been downloaded by
employees allegedly misusing their network access.  Had this been detected
immediately, the matter might have resolved at that time, without loss of
trade secrets and costly trial preparation.  We will never know exactly
what happened or didn’t happen since the case settled out of court.

That’s it for this four-part series.  If you are looking for more detailed
information on protecting trade secrets I can recommend three books.
“Positively Confidential” (2011), by Naomi Fine, is one.  Fine’s book is a
good overview of business, legal and process issues associated with
protecting trade secrets.  The same can be said for “Secrets” (2015), by
James Pooley.  The classic book on insider threats is “The CERT Guide to
Insider Threats” (2011), by Dawn Cappelli, et al.

Although this is the final post in this series, the business and economic
problems associated with trade secret theft continue.  It was recently
addressed in the State of the Union speech
<https://www.youtube.com/watch?v=eHE7asrrtGg> on January 30, 2018.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180416/c6c108ee/attachment.html>