New data security service Metallic ThreatWise is a cyber deception technology that provides businesses with a powerful one-two-punch; first slowing attacks down by diverting bad actors toward fake assets and, second, by providing visibility into attacks in progress – helping businesses proactively contain and remediate threats before they reach their targets.

A boxer needs to have sharp eyes to spot every move that an opponent makes, quick reflexes to dodge, parry or block every blow and stamina to take the odd blow that will inevitably be landed. Unfortunately when seeking to counter cyberattacks, a large number of organisations appear to be stumbling into the ring wearing a blind fold, and are in such bad shape that it is like fighting with slow reactions and very little stamina at all.

Commvault is well known for providing award-winning back-up and recovery services, including Metallic, that allow clients to bounce back after an attack. It now also offers Metallic ThreatWise, which adds the ability to spot an attacker as it makes its first move as well as the ability to respond quickly and appropriately – long before an attacker has time to inject malware or compromise control systems. 

Sharp eyes: threat detection

A worrying number of organisations are blind to threats – even long after an attack has begun. Recent research by IBM found that on average organisations take 207 days to detect a data breach and then 70 days to contain it. Even in the financial services sector, where the majority of attacks occur and where defences need to be strongest, it takes 183 days to detect a breach and a further 52 days to contain it, on average. This provides attackers with ample time to target command and control systems, to move laterally between systems, and then to escalate their access privileges and compromise critical data sets. In such situations you are always going to be on the back foot and in damage control mode. Indeed many of those reading this article may well already have been breached, but are just not aware of it yet. In effect they will have already lost the fight – even before having heard the opening bell.

While traditional data protection solutions play a critical role in recovering from attacks, they come into play when it’s too late – after data has already been compromised. By adding cyber deception to its award-winning Metallic DMaaS portfolio, Commvault is offering next-generation data protection that actively defends data and its recoverability from the moment an attack begins.

From the initial point of access, Commvault reckons that you typically have a two hour window in which to act before an attack begins to escalate. Immediate and accurate detection is essential. However, with the number of potential threats growing exponentially, many security teams find themselves swamped by the number of alerts that they get – a high proportion of which are often false positives.

When sensors are engaged or interacted with, ThreatWise issues real-time triggers that provide key stakeholders and complementary security tools (such as SIEM) with direct line of sight into malicious attempts. And since sensors are only visible to attackers, and not discoverable by legitimate users and systems, notifications are highly accurate, without false positives or alert fatigue.

Quick reflexes: deception and decoys

ThreatWise leverages patented threat sensor technology to mimic customer assets (VMs, databases, containers, and more) at scale. Hundreds, or thousands, of lightweight sensors can rapidly be deployed across entire environments in just seconds.

By covering the attack surface with indistinguishable decoys that look like and behave like real assets, Metallic ThreatWise baits bad actors into engaging fake resources. While such deception can prevent them from landing a blow, it requires instinctively accurate reflexes. This kind of deception is only as good as its accuracy. ThreatWise has the ability to cut through the noise to pinpoint recon, lateral movement, and unwanted privileged access that simply cannot be detected by conventional technology. 

Containing threats and data impact through early warning: 

• Mimic – Dilutes the attack surface by deploying indistinguishable fake decoys, at scale 
• Trip – Draws bad actors into compromising false customer resources 
• Alert – Exposes malicious activity with real-time, high-fidelity alerts 
• Respond – Works seamlessly with security technology to accelerate remediation and contain threats before leakage, encryption, or exfiltration

And while traditional deception solutions can be exceedingly resource intensive, throwing the performance of your systems off balance, ThreatWise’s light-footed approach is able to fool attackers without causing system restrictions or constraints.

Stamina: staying on your feet

Organisations everywhere are recognising the need to adopt a Zero Trust / Zero Loss approach where ransomware defence is built on end-to-end data visibility, broad workload protection, and rapid business response. End-to-end data visibility ensures that organisations are able to catch threats before they impact their data.

“If you’re not actively adopting a Zero Trust / Zero Loss approach then you’re letting your guard down – making you vulnerable to a knock-out blow at any moment”

Commvault offers a unique multi-layered approach to data protection combining advanced indicators to contain threats before leakage, encryption, or exfiltration, with fast, granular restoration for stronger business continuity. 

Continuing to expand and enhance its Intelligent Data Services Portfolio as it seeks to change the game when it comes to addressing security threats, including ransomware, Commvault has not only introduced Metallic ThreatWise for early detection through cyber deception, but it has also expanded its file anomaly framework to detect malicious applications that may evade traditional detection methods by posing as safe file types (included in its Platform Release 2022E).

This ensures that organisations are able to survive round after round of combat without ever being knocked out. And Metallic’s per-user pricing model means that not only are large organisations able to take on all comers, but small and medium sized ones can punch way above their own weight to do so as well.

Try the Metallic ThreatWise guided demo here: https://bit.ly/threatwise-self-guided-demo

I have written several recent opinion pieces to reflect on the fourth anniversary of the European General Data Protection Regulations (GDPR). I wanted to summarise them here for the readers of Elnion.

Much of the commentary from me and others has been somewhat negative, pointing out what has not worked – and there is plenty that has not. However, we should remember that prior to GDPR there was limited general awareness of the importance of privacy, little recognition by organisations that they needed to take it seriously and an assumption by many that privacy was simply too complicated or intangible to be regulated at all.

The Good

With this hindsight in mind, it is obvious that we have come a long way and that there is now broad awareness of privacy, organisations are almost all now taking it seriously and that GDPR has not only been in force for four years now, but it has spawned many other privacy regulations elsewhere – from CCPA in California and POPI in South Africa, to LGPD in Brazil and countless further regulations in other nations or US states. This is no small achievement.

Unfortunately, GDPR has come in for much criticism. This has either been a reaction to the cost and inconvenience of compliance, or it has been frustration at the way that it has been applied or enforced.

Many commentators, myself included, have railed against the cost and inconvenience of GDPR compliance. My personal mantra has always been to seek to strike the right balance between meaningful protection (digital ethics, privacy and cybersecurity) and the maximisation of economic and social value (cloud, digital transformation and innovation). 

It can be argued however that we currently have the worst of both worlds – there is little in the way of meaningful protection, given the lack of enforcement (which I will come on to). And at the same time, we are inhibiting innovation, with many startups opting either to base themselves outside the EU in order to avoid the overhead that GDPR represents or struggling to thrive within the EU while at a disadvantage to overseas rivals.

To a great extent, such complaints can be overstated. ALL organisations that value their customers and their own reputation, should not only have adequate data management processes in place, but should also have an organisation-wide culture of respecting both privacy and cyber hygiene (and with it cybersecurity). It is only those organisations that lack a ‘privsec’ culture that incur what they would see as ‘extra’ cost when it comes to compliance. That is not to say that the burden could not be eased for start-ups to help foster innovation – under the clear emphasis that they should be getting their act together anyway, because the rules will apply to them fully at some point if they succeed in growing at all.

The Bad

GDPR’s greatest failing has not been down to the regulations themselves, but to their enforcement. As I explain in detail in my articles for Accounting Web and for Commvault, most of the responsibility for regulating the tech giants has fallen to the Irish regulator – the Irish Data Protection Commission (DPC). This is because most of the large tech firms, attracted by the country’s low corporation taxes, have chosen to base their European headquarters in Ireland.

Reluctant to rock the boat, the Irish DPC has almost entirely failed to enforce GDPR on firms like Google and Facebook that not only have business models focused on exploiting data, but that have also been accused of being among the most flagrant abusers of people’s privacy. Whatever the merits of such accusations, it is the DPC’s job to investigate and where necessary to take action.

Even in major instances where the highest European courts have ruled against such firms, as was the case almost two years ago for Facebook in the SchremsII trial, the Irish DPC has yet to enforce such rulings. Indeed such is the DPC’s failure to enforce GDPR that it has even been sanctioned by the European Parliament – in a vote of 541 to 1.

It is notable that in the latest European regulation on content moderation, there has been a move towards central enforcement, to avoid the scenario where a local enforcement organisation such as the Irish DPC is ineffective.

The Irish DPC’s complaint that it is under-resourced rings hollow. It may well have a far lower budget than Facebook or Google spend on their lobbying or legal activities, but this has not prevented other local Data Protections Authorities (DPAs) ruling against these giants.

Indeed such has been the success that Facebook has had in holding off enforcement, even of the SchremsII ruling, that some firms now see an actual business case for non-compliance. Indeed the Irish DPC has been accused not only of being complicit, but even of also being potentially corrupt in the way that is has failed to act.

The Ugly

While changes to the regulations themselves to encourage innovation or to the enforcement regime to hold BigTech to account are actions that the EU could take to improve GDPR, there is one major issue that is beyond its control entirely – the schism between the EU and US.

There is an the ideological gulf that exists between the EU’s prioritization of privacy as a human right and the US’s prioritization of surveillance for national security. It has already led to the demise of both Safe Harbor and Privacy Shield (note the SchremsII ruling) and will dog attempts to implement any replacement.

The recent announcement of a new transatlantic agreement lacked much in the way of substance or legal merit. It’s claim that it would be supported by Presendential executive orders is of great concern as these are easily reversed and have little legal foundation. Introducing real measures for adequate judicial supervision in the US would require legislation. Unfortunately, complete gridlock in Congress has made it impossible to introduce any federal privacy law. Adding the need for additional measures to keep the EU happy would make any such legislation even more difficult to pass.

We shan’t be holding our breaths for any federal privacy law, let alone one that might resolve the concerns on this side of the Atlantic.

The most that we can probably do is seek as much harmony as possible on either side of the Atlantic divide, with as much alignment as possible between the EU and UK versions of GDPR and with regulation at the federal level in the US at some point in the future to align the proliferation of state by state privacy laws.

I am an optimist – hence my ability to recognise the ‘Good’ where many others have not. I also believe that the ‘Bad’ can be addressed eventually if the Irish DPC can be forced to act (or failing that can be bypassed). I have less confidence that the ‘Ugly’ will be addressed any time soon.

In my last two blogs I’ve looked at what privacy is all about in a digital sense, and how creeping surveillance affects us all. In 2022, we’re all just a product to the ad industry.

In this blog, I’m going to provide some tips on how you can protect your privacy by doing some basic stuff – and I’ll also keep the tech jargon to a minimum (that can’t be simply explained, anyway).

Check your phone and tablet’s privacy controls

It might be a surprise to many that in your device’s setting there are several ways to limit what’s collected by your handset or tablet manufacturer¹. Despite their reputation, Google does provide a lot of controls to limit tracking, though older Android handsets that can’t run newer versions of Android will miss out on recent changes. Don’t get smug Apple users, I’m talking to you too; the default iPhone settings send plenty of ad related info to Apple.

One thing a little less obvious are your device’s network options. Turning off WIFI and Bluetooth when you go out shopping will stop you connecting to shop beacons, which track you to target you with ads.

Snooping on you 24/7? There’s an app for that

More apps than not, in fact. I’m not kidding. Even if you flick every privacy switch you can on your devices, the second you install an app you might be turning your device back into a digital spy. And again, Apple users, this applies to you too, even if you choose ‘ask apps not to track’ in iOS.

Apps might ask for access to your location, contacts, your photos, microphone, camera… do you really know what they are doing with it all? Could your apps access these things without asking? Once you’ve given them permission, they can (largely) access them whenever they like. So, you should only install apps from companies that you trust, have good privacy controls or you’re happy for them collect data about you. In most cases, apps like Facebook, Twitter or LinkedIn can be managed in a browser much more privately than the app. Sure, they’ll bug you to install their apps, but that’s only because they want more data to monetize you!

Even apps that don’t come from the big tech giants like Facebook and Google might still use their services, especially where ‘app measurement’ is concerned. Technically, this should be data sent back to developers to tell them about the use of the app – performance, crashes etc. but a lot of metadata about you can also be sent, and aggregated with other data on you to build a more granular picture. It’s possible to limit this too – see the section below on Firewalls.

Many other types of apps, especially games, productivity, photo and messaging apps won’t have the browser option – so you either don’t install it or let them suck your data. Don’t like WhatsApp because it’s owned by Facebook? Try Signal instead, you might be surprised how many of your friends use it. By the way, there are genuine apps for lots of stuff that don’t play the surveillance game, so watch out for those.

Browsers and the web

There is good news about browsers – there are a good number of privacy friendly alternatives that can do a lot to shield you from data harvesting. Personally, I use DuckDuckGo, Firefox and Brave (a privacy focused version of Chrome). Each is different, but all do a good job of blocking attempts to track you. Just using multiple browsers is a good thing too, and don’t be afraid to clean out the cache regularly – it helps with privacy a lot (normally in settings>privacy or settings>data management).

One word of caution on ‘private browsing’ or ‘incognito mode’ – these offer little privacy beyond your device. Someone with your device can’t look at your history once the tabs are closed, and because cookies get wiped, computers at the other end can’t access 3^rd party tracking cookies. That aside, your network provider will know what you’re doing and computers at the other end can still do much of their stuff. For example, they’ll still know broadly where you are (your IP address gives this away) and they may recognise your device’s fingerprint² – so they’ll still know it’s you.

This is more of a desktop issue, but a word of caution on browser plugins. Brave is a version of Google Chrome (which is in fact Open Source) made to be more private, so you can install Chrome plugins. If you start with privacy focused browser and then add data vampire plugins, you’re no better off. Choose your plugins carefully. You should also weigh-up the privacy implications of ‘Sign in with’ tools from the big tech companies – each is different, and certainly don’t use any of them without two-factor authentication.

Next steps: VPNs and Firewalls

A VPN (Virtual Private Network) uses a technology that hides your IP address – the ID assigned to your device for network access. It does it by sending all your network traffic through an encrypted tunnel to a datacenter somewhere. This has several advantages. It means your telco can’t monetise your browsing or network habits, and it also means you can connect to services back home while you’re your travelling³. Someone can travel from Europe to the US for example, and still get the local to home experience because all of the network traffic will come from your home country. The ones to look for commit to no activity logging, but again, you need to choose carefully and look at reviews from independent experts in this area. Also remember you have to pay for VPNs – if they’re free, they are invariably just data vampires.

Firewalls are another useful tool in your armoury³. I use a firewall that blocks tracking using app measurement tools and lots of known malware, and while it’s free, they really want you to use their paid VPN service. Mine does break a couple of apps, but it’s something I can manage. If you do run one of these and app stops working, switch off the firewall and try again.

When I first installed my firewall and saw just how much traffic was blocked (much of at night) I was amazed. I’ve set my phone up to be ‘private’ and it’s still blocked 89K attempts.

Search engines

Just as with browsers, the search engine news is also good. While Google is by far the runaway leader in search, there are other options that will deliver great results. Startpage and DuckDuckGo both offer comparable search tools, though I would recommend letting DuckDuckGo manually know you location – before I did this, I was unhappy with the results. Now I use them all the time. Other privacy focused search engines are available.

Smart stuff

Cars. TVs. Speakers. TV dongles and streaming boxes. Smoke detectors and heating thermostats. Water and energy meters, plugs and lights – the list goes on. All now smarter than they were, all now capable of surveillance, so don’t ignore them. My own bugbear are smart TVs. One of mine has no privacy controls at all, the other won’t let me upgrade to the new OS without turning off the privacy controls. Neither are legal under GDPR or the UK’s Data Protection act, but they get away with it. Whatever you have, check what privacy controls you have, and use them. Popular devices like Amazon Alexa and Ring, Google Nest and other smart devices may have more controls than they used to, but you should still read their privacy policies – you might be surprised what you find.

The privacy arms race

Why bother with all this? I point you back to the first blog in this series. Surveillance is rife, and it’s hidden from you. The free stuff you get is hailed from the rooftops, but the sleezy snooping is quietly swept under the carpet… but it’s very well used, to productize you and your life. And not in a good way. I’ll warn Apple users again too. While many Android users are aware of what they’re dealing with, many iOS users are falling for the privacy ads from Apple, who have been ramping up their advertising revenue very nicely, thank you. Don’t be complacent with either platform.

Where will tracking go next – time-based pricing for energy or water use? Car and health insurance, perhaps? It’s already happening. Right now, it’s early adopters are taking these things up because it suits them or there’s a financial advantage. What about when it’s the norm and you’re on the wrong side of the system or in a marginalized group?

Also consider this. Should sensitive data about you be hacked, things could escalate quickly and you could end up feeling like you’re in an episode of Black Mirror.  Remember, if you don’t look after your privacy no one will do it for you. It’s time to tool-up⁴.

1: Wired has tips for Android here and iOS here. For iOS, ignore the advice about Protect Mail Activity – it’s actually bad advice. Instead, turn Protect Email Activity OFF and new switches appear, turn both switches ON for the best protection

2: Browser Fingerprinting: What Is It And What Should You Do About It?, PixelPrivacy, July 2021

https://pixelprivacy.com/resources/browser-fingerprinting/

3: A good firewall for iOS and Mac is https://lockdownprivacy.com/ and for Android (and iOS) I try https://blokada.org/

4: Privacy myths busted: Protecting your mobile privacy is even harder than you think, CNET, Jan 2022, https://www.cnet.com/tech/services-and-software/privacy-myths-busted-protecting-your-mobile-privacy-is-harder-than-you-think/