Barac: Encrypted data and the hidden threat within
Digitization, cloud services and flexible working are all driving the increased adoption of cybersecurity solutions as organizations of all shapes and sizes look to protect their systems and their data. The amount of money organizations invest in cybersecurity is at an all-time high, and it is growing fast. According to research firm Gartner, Inc., worldwide spending on information security products and services will reach $124bn this year, an increase of 8.7% on 2018.
Within cybersecurity, one of the fastest growing sub-sectors is data encryption, with a projected CAGR of 16.8% from 2019 to 2025 according to Grand View Research, Inc. Encryption transforms readable data (plaintext) into unintelligible ciphertext using a mathematical algorithm and a key; only a party holding the corresponding secret key can recover the plaintext. It protects confidentiality, but it says nothing about whether the protected content is benign.
Google estimates that, this year, 80% of internet traffic will be encrypted as organizations attempt to protect their sensitive data from external threats, comply with more stringent regulatory environments (such as PCI DSS and HIPAA) and prevent data breaches.
Organizations increasingly understand that the impact of a data breach can be huge and goes far beyond the value of any stolen data and any fines imposed by industry regulators. The reputational damage and market reaction to a serious data breach can be severe.
The US is the largest market globally for encryption solutions, with U.S. organizations among the most likely to have a consistent, enterprise-wide encryption strategy (56% of U.S. organizations, according to The Ponemon Institute).
The threat within
Ironically, the growth in the use of encryption is increasingly being exploited by cybercriminals. The very property that makes encryption attractive, that encrypted traffic is opaque to anyone who does not hold the keys, also hides malware delivery and the traffic attackers use once inside a network from the defenders whose network it crosses.
This isn't a small problem. According to The Ponemon Institute, encrypted traffic was used as cover for malware delivery in nearly half of the cyberattacks in the past 12 months, and this trend is expected to grow in step with the legitimate use of encryption.
The problem is that traditional security tools (intrusion detection systems, web proxies, content filters) can only match signatures against content they can read. As more companies adopt better encryption practices, attackers simply deliver their payloads over the same protocol everyone else uses: Transport Layer Security (TLS) and its deprecated predecessor, Secure Sockets Layer (SSL). Blocking or flagging TLS as such is not an option when most legitimate traffic is TLS too.
The established answer is interception: the security device terminates each TLS connection itself, decrypts the traffic, scans it, re-encrypts it and forwards it to the intended recipient. For this to work, the device must present its own certificate to the client, so every client on the network has to be configured to trust the device's certificate authority, and the end-to-end guarantee TLS is supposed to provide is replaced by trust in the appliance. Measurements of interception products have found some that accept invalid upstream certificates or negotiate weaker parameters than the browsers behind them would, so the inspection point can itself weaken security. This remains the most commonly used way to catch hidden malware, yet it comes with real costs.
Decrypting and inspecting traffic is also compute intensive, and few security devices can do it at line rate without degrading network performance. Growing volumes of encrypted traffic mean ever more packets to decrypt, scan and re-encrypt. Under sustained load, many appliances are configured to fail open, so encrypted traffic flows into the network without being scanned at all.
The problem is set to get worse with TLS 1.3
A further complication is the recent introduction of a new version of the protocol, TLS 1.3, published by the IETF as RFC 8446 in August 2018. TLS 1.3 removes the static RSA and static Diffie-Hellman key exchanges, so every session key is derived from ephemeral values and can never be recovered from the server's long-term private key (forward secrecy). It also encrypts more of the handshake, including the server's certificate. The practical consequence for inspection is that passive decryption, where a monitoring device is given a copy of the server's private key and decrypts mirrored traffic, no longer works at all. Inline interception, where the appliance terminates TLS and presents its own certificate, still works under TLS 1.3, but only by acting as a man-in-the-middle that every client has been told to trust.
So, while TLS 1.3 makes encrypted connections faster to establish and removes legacy weaknesses, a laudable aim in many respects, it compounds the problem of protecting against malware hidden in encrypted traffic. Its adoption is likely to push the share of encrypted traffic higher still, and organizations that relied on out-of-band decryption lose that visibility, while those that keep inline interception give up the end-to-end guarantee for every connection they decrypt.
A new approach
Clearly, a different approach is needed to protect against malware hidden in encrypted traffic that defenders cannot, or should not, decrypt, and solutions have recently been developed to address it. Using behavioral analytics and machine learning it is possible to flag and block malicious sessions in real time without decrypting them.
A technique known as Encrypted Cognitive Analytics looks at the metadata of a session, the information about the connection that is transmitted in the clear, rather than the encrypted payload, to detect attacks hidden in encrypted traffic in real time without the need for decryption.
The key to this is the observation that malicious clients and servers tend to differ from legitimate ones in the parts of a TLS session that are never encrypted: the protocol versions, cipher suites and extensions offered in the ClientHello, the server name indication, certificate attributes (visible in TLS 1.2 and earlier), and the sizes and timing of the encrypted records that follow. Malware families typically ship their own TLS stack or a fixed configuration, so these fields form a recognizable fingerprint even when the payload is unreadable. Combining such features with machine learning and behavioral baselining makes it possible to detect signs of attacks and anomalies in encrypted traffic with high accuracy, although, as with any statistical detector, accuracy depends on the training data and the false-positive rate has to be measured on the network where it is deployed.
Because nothing is decrypted, the analysis can be performed in real time with limited impact on network performance, and it works equally well on encrypted and unencrypted traffic. It is also far less affected by TLS 1.3 than interception is: TLS 1.3 hides the server certificate and most server extensions, which removes some useful features, but the ClientHello (including the server name), record sizes and timing remain observable. Proposals to encrypt the server name as well would remove another field, so the available feature set should be expected to shrink over time rather than stay fixed.
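The kind of metadata described above, extracted from a raw TLS record, as an added example: this is not Barac's code or a description of its product, and no decryption takes place. The parser reads the fields a passive sensor sees in a ClientHello and condenses them into a JA3-style fingerprint string, a widely used fingerprinting convention that the article itself does not mention. The ClientHello bytes are constructed inline rather than captured, the host name example.test is made up, and the GREASE filtering follows the JA3 convention of dropping the RFC 8701 reserved values.

```python
"""Extract TLS ClientHello metadata from a raw record without decrypting anything.

Added example (not from the original article): parses the cleartext fields a
passive sensor can see (versions, cipher suites, SNI, extensions) and derives a
JA3-style fingerprint. The sample record is constructed below, not captured.
"""
import hashlib
import struct

# GREASE values (RFC 8701) are random filler; JA3 drops them from fingerprints.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def _u16(b: bytes, off: int) -> int:
    return struct.unpack_from("!H", b, off)[0]


def parse_client_hello(record: bytes) -> dict:
    """Parse a TLS record (content type 0x16) carrying a ClientHello message."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = _u16(record, 3)
    body = record[5:5 + rec_len]
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    off = 0
    legacy_version = _u16(hs, off); off += 2
    off += 32                                   # client random
    off += 1 + hs[off]                          # legacy session id
    cs_len = _u16(hs, off); off += 2
    ciphers = [_u16(hs, i) for i in range(off, off + cs_len, 2)]; off += cs_len
    off += 1 + hs[off]                          # compression methods
    meta = {"record_version": _u16(record, 1), "legacy_version": legacy_version,
            "cipher_suites": ciphers, "extensions": [], "sni": None,
            "supported_versions": [], "groups": [], "ec_point_formats": []}
    if off >= len(hs):
        return meta
    end = off + 2 + _u16(hs, off); off += 2
    while off + 4 <= end:
        etype, elen = _u16(hs, off), _u16(hs, off + 2); off += 4
        data = hs[off:off + elen]; off += elen
        meta["extensions"].append(etype)
        if etype == 0x0000:                     # server_name: list_len(2) type(1) len(2) name
            meta["sni"] = data[5:5 + _u16(data, 3)].decode("ascii")
        elif etype == 0x000a:                   # supported_groups
            meta["groups"] = [_u16(data, i) for i in range(2, 2 + _u16(data, 0), 2)]
        elif etype == 0x000b:                   # ec_point_formats
            meta["ec_point_formats"] = list(data[1:1 + data[0]])
        elif etype == 0x002b:                   # supported_versions (TLS 1.3 lives here)
            meta["supported_versions"] = [_u16(data, i) for i in range(1, 1 + data[0], 2)]
    return meta


def ja3_string(meta: dict) -> str:
    """JA3 layout: version,ciphers,extensions,groups,point_formats (GREASE removed)."""
    def clean(vals):
        return "-".join(str(v) for v in vals if v not in GREASE)
    return ",".join([str(meta["legacy_version"]), clean(meta["cipher_suites"]),
                     clean(meta["extensions"]), clean(meta["groups"]),
                     "-".join(str(v) for v in meta["ec_point_formats"])])


def ja3_hash(meta: dict) -> str:
    return hashlib.md5(ja3_string(meta).encode()).hexdigest()


# --- constructed sample ClientHello (made up for this example, not a capture) ---
def _ext(etype: int, data: bytes) -> bytes:
    return struct.pack("!HH", etype, len(data)) + data


def build_sample_client_hello(sni: bytes = b"example.test") -> bytes:
    ciphers = [0x1301, 0x1302, 0xc02b, 0x2a2a]   # two TLS 1.3 suites, one 1.2 suite, one GREASE
    groups = [0x001d, 0x0017]                     # x25519, secp256r1
    exts = (_ext(0x0000, struct.pack("!HBH", len(sni) + 3, 0, len(sni)) + sni)
            + _ext(0x000a, struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups))
            + _ext(0x000b, b"\x01\x00")
            + _ext(0x002b, b"\x04\x03\x04\x03\x03"))  # offers TLS 1.3 then TLS 1.2
    hs = (struct.pack("!H", 0x0303) + b"\x11" * 32 + b"\x00"
          + struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
          + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    body = b"\x01" + len(hs).to_bytes(3, "big") + hs
    return b"\x16\x03\x01" + struct.pack("!H", len(body)) + body


if __name__ == "__main__":
    m = parse_client_hello(build_sample_client_hello())
    print(m["sni"], [hex(v) for v in m["supported_versions"]], ja3_string(m), ja3_hash(m))
```

Note the supported_versions extension: the client offers TLS 1.3 (0x0304) while the legacy version field still reads 1.2 (0x0303), which is exactly how a TLS 1.3 ClientHello appears on the wire. Everything parsed here is still in the clear under TLS 1.3; what a passive sensor loses is the server's certificate and most of its extensions.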
This is a promising way to improve cybersecurity against the rapidly growing threat of malware hidden in encrypted traffic. Avoiding decryption removes the heaviest part of the inspection workload and leaves the end-to-end guarantee of TLS intact, and identifying malicious patterns in the observable metadata sidesteps the decrypt/re-encrypt approach entirely, delivering efficient detection with little operational impact.
How changing your company's software code can prevent bias
Two-thirds of tech professionals believe organizations aren't doing enough to address racial inequality. After all, many companies simply hire a DEI consultant, hold a few training sessions and call it a day.
Wanting to take a distinctive yet impactful approach to DEI, Deltek, the leading global provider of software and solutions for project-based businesses, reviewed its software code and removed exclusionary terminology. By removing terms such as 'master' and 'blacklist' from its code, Deltek is working to ensure that diversity and inclusion are woven into every aspect of the organization.
Business Chief North America talks to Lisa Roberts, Senior Director of HR and Leader of Diversity & Inclusion at Deltek to find out more.
Why should businesses today care about removing company bias within their software code?
We know that words can have a profound impact on people and leave a lasting impression. Many of the words that have been used in a technology environment were created many years ago, and today those words can be harmful to our customers and employees. Businesses should use words that will leave a positive impact and help create a more inclusive culture in their organization.
What impact can exclusive terms have on employees?
Exclusive terms can have a significant impact on employees. It starts with the words we use in our job postings to describe the responsibilities in the position and of course, we also see this in our software code and other areas of the business. Exclusive terminology can be hurtful, and even make employees feel unwelcome. That can impact a person’s desire to join the team, stay at a company, or ultimately decide to leave. All of these critical actions impact the bottom line to the organization.
Please explain how Deltek has removed biased terminology from its software code
Deltek’s engineering team has removed biased terminology from our products, as well as from our documentation. The terms we focused on first that were easy to identify include blacklist, whitelist, and master/slave relationships in data architecture. We have also made some progress in removing gendered language, such as changing he and she to they in some documentation, as well as heteronormative language. We see this most commonly in pick lists that ask to identify someone as your husband or wife. The work is not done, but we are proud of how far we’ve come with this exercise!
What steps is Deltek taking to ensure biased terminology doesn’t end up in its code in the future?
What we are doing at Deltek, and what other organizations can do, is to put accountability on employees to recognize when this is happening – if you see something, say something! We also listen to feedback our customers give us and have heard their feedback on this topic. Those are both very reactive things of course, but we are also proactive. We have created guidance that identifies words that are more inclusive and also just good practice for communicating in a way that includes and respects others.
What advice would you give to other HR leaders who are looking to enhance DEI efforts within company technology?
My simple advice is to start with what makes sense to your organization and culture. Doing nothing is worse than doing something. And one of the best places to start is by acknowledging this is not just an HR initiative. Every employee owns the success of D&I efforts, and employees want to help the organization be better. For example, removing biased terminology was an action initiated by our Engineering and Product Strategy teams at Deltek, not HR. You can solicit the voices of employees by asking for feedback in engagement surveys, focus groups, and town halls. We hear great recommendations from employees and take those opportunities to improve.