New data security service Metallic ThreatWise is a cyber deception technology that provides businesses with a powerful one-two-punch; first slowing attacks down by diverting bad actors toward fake assets and, second, by providing visibility into attacks in progress – helping businesses proactively contain and remediate threats before they reach their targets.

A boxer needs to have sharp eyes to spot every move that an opponent makes, quick reflexes to dodge, parry or block every blow and stamina to take the odd blow that will inevitably be landed. Unfortunately when seeking to counter cyberattacks, a large number of organisations appear to be stumbling into the ring wearing a blind fold, and are in such bad shape that it is like fighting with slow reactions and very little stamina at all.

Commvault is well known for providing award-winning back-up and recovery services, including Metallic, that allow clients to bounce back after an attack. It now also offers Metallic ThreatWise, which adds the ability to spot an attacker as it makes its first move as well as the ability to respond quickly and appropriately – long before an attacker has time to inject malware or compromise control systems. 

Sharp eyes: threat detection

A worrying number of organisations are blind to threats – even long after an attack has begun. Recent research by IBM found that on average organisations take 207 days to detect a data breach and then 70 days to contain it. Even in the financial services sector, where the majority of attacks occur and where defences need to be strongest, it takes 183 days to detect a breach and a further 52 days to contain it, on average. This provides attackers with ample time to target command and control systems, to move laterally between systems, and then to escalate their access privileges and compromise critical data sets. In such situations you are always going to be on the back foot and in damage control mode. Indeed many of those reading this article may well already have been breached, but are just not aware of it yet. In effect they will have already lost the fight – even before having heard the opening bell.

While traditional data protection solutions play a critical role in recovering from attacks, they come into play when it’s too late – after data has already been compromised. By adding cyber deception to its award-winning Metallic DMaaS portfolio, Commvault is offering next-generation data protection that actively defends data and its recoverability from the moment an attack begins.

From the initial point of access, Commvault reckons that you typically have a two hour window in which to act before an attack begins to escalate. Immediate and accurate detection is essential. However, with the number of potential threats growing exponentially, many security teams find themselves swamped by the number of alerts that they get – a high proportion of which are often false positives.

When sensors are engaged or interacted with, ThreatWise issues real-time triggers that provide key stakeholders and complementary security tools (such as SIEM) with direct line of sight into malicious attempts. And since sensors are only visible to attackers, and not discoverable by legitimate users and systems, notifications are highly accurate, without false positives or alert fatigue.

Quick reflexes: deception and decoys

ThreatWise leverages patented threat sensor technology to mimic customer assets (VMs, databases, containers, and more) at scale. Hundreds, or thousands, of lightweight sensors can rapidly be deployed across entire environments in just seconds.

By covering the attack surface with indistinguishable decoys that look like and behave like real assets, Metallic ThreatWise baits bad actors into engaging fake resources. While such deception can prevent them from landing a blow, it requires instinctively accurate reflexes. This kind of deception is only as good as its accuracy. ThreatWise has the ability to cut through the noise to pinpoint recon, lateral movement, and unwanted privileged access that simply cannot be detected by conventional technology. 

Containing threats and data impact through early warning: 

• Mimic – Dilutes the attack surface by deploying indistinguishable fake decoys, at scale 
• Trip – Draws bad actors into compromising false customer resources 
• Alert – Exposes malicious activity with real-time, high-fidelity alerts 
• Respond – Works seamlessly with security technology to accelerate remediation and contain threats before leakage, encryption, or exfiltration

And while traditional deception solutions can be exceedingly resource intensive, throwing the performance of your systems off balance, ThreatWise’s light-footed approach is able to fool attackers without causing system restrictions or constraints.

Stamina: staying on your feet

Organisations everywhere are recognising the need to adopt a Zero Trust / Zero Loss approach where ransomware defence is built on end-to-end data visibility, broad workload protection, and rapid business response. End-to-end data visibility ensures that organisations are able to catch threats before they impact their data.

“If you’re not actively adopting a Zero Trust / Zero Loss approach then you’re letting your guard down – making you vulnerable to a knock-out blow at any moment”

Commvault offers a unique multi-layered approach to data protection combining advanced indicators to contain threats before leakage, encryption, or exfiltration, with fast, granular restoration for stronger business continuity. 

Continuing to expand and enhance its Intelligent Data Services Portfolio as it seeks to change the game when it comes to addressing security threats, including ransomware, Commvault has not only introduced Metallic ThreatWise for early detection through cyber deception, but it has also expanded its file anomaly framework to detect malicious applications that may evade traditional detection methods by posing as safe file types (included in its Platform Release 2022E).

This ensures that organisations are able to survive round after round of combat without ever being knocked out. And Metallic’s per-user pricing model means that not only are large organisations able to take on all comers, but small and medium sized ones can punch way above their own weight to do so as well.

Try the Metallic ThreatWise guided demo here: https://bit.ly/threatwise-self-guided-demo

In my last two blogs I’ve looked at what privacy is all about in a digital sense, and how creeping surveillance affects us all. In 2022, we’re all just a product to the ad industry.

In this blog, I’m going to provide some tips on how you can protect your privacy by doing some basic stuff – and I’ll also keep the tech jargon to a minimum (that can’t be simply explained, anyway).

Check your phone and tablet’s privacy controls

It might be a surprise to many that in your device’s setting there are several ways to limit what’s collected by your handset or tablet manufacturer¹. Despite their reputation, Google does provide a lot of controls to limit tracking, though older Android handsets that can’t run newer versions of Android will miss out on recent changes. Don’t get smug Apple users, I’m talking to you too; the default iPhone settings send plenty of ad related info to Apple.

One thing a little less obvious are your device’s network options. Turning off WIFI and Bluetooth when you go out shopping will stop you connecting to shop beacons, which track you to target you with ads.

Snooping on you 24/7? There’s an app for that

More apps than not, in fact. I’m not kidding. Even if you flick every privacy switch you can on your devices, the second you install an app you might be turning your device back into a digital spy. And again, Apple users, this applies to you too, even if you choose ‘ask apps not to track’ in iOS.

Apps might ask for access to your location, contacts, your photos, microphone, camera… do you really know what they are doing with it all? Could your apps access these things without asking? Once you’ve given them permission, they can (largely) access them whenever they like. So, you should only install apps from companies that you trust, have good privacy controls or you’re happy for them collect data about you. In most cases, apps like Facebook, Twitter or LinkedIn can be managed in a browser much more privately than the app. Sure, they’ll bug you to install their apps, but that’s only because they want more data to monetize you!

Even apps that don’t come from the big tech giants like Facebook and Google might still use their services, especially where ‘app measurement’ is concerned. Technically, this should be data sent back to developers to tell them about the use of the app – performance, crashes etc. but a lot of metadata about you can also be sent, and aggregated with other data on you to build a more granular picture. It’s possible to limit this too – see the section below on Firewalls.

Many other types of apps, especially games, productivity, photo and messaging apps won’t have the browser option – so you either don’t install it or let them suck your data. Don’t like WhatsApp because it’s owned by Facebook? Try Signal instead, you might be surprised how many of your friends use it. By the way, there are genuine apps for lots of stuff that don’t play the surveillance game, so watch out for those.

Browsers and the web

There is good news about browsers – there are a good number of privacy friendly alternatives that can do a lot to shield you from data harvesting. Personally, I use DuckDuckGo, Firefox and Brave (a privacy focused version of Chrome). Each is different, but all do a good job of blocking attempts to track you. Just using multiple browsers is a good thing too, and don’t be afraid to clean out the cache regularly – it helps with privacy a lot (normally in settings>privacy or settings>data management).

One word of caution on ‘private browsing’ or ‘incognito mode’ – these offer little privacy beyond your device. Someone with your device can’t look at your history once the tabs are closed, and because cookies get wiped, computers at the other end can’t access 3^rd party tracking cookies. That aside, your network provider will know what you’re doing and computers at the other end can still do much of their stuff. For example, they’ll still know broadly where you are (your IP address gives this away) and they may recognise your device’s fingerprint² – so they’ll still know it’s you.

This is more of a desktop issue, but a word of caution on browser plugins. Brave is a version of Google Chrome (which is in fact Open Source) made to be more private, so you can install Chrome plugins. If you start with privacy focused browser and then add data vampire plugins, you’re no better off. Choose your plugins carefully. You should also weigh-up the privacy implications of ‘Sign in with’ tools from the big tech companies – each is different, and certainly don’t use any of them without two-factor authentication.

Next steps: VPNs and Firewalls

A VPN (Virtual Private Network) uses a technology that hides your IP address – the ID assigned to your device for network access. It does it by sending all your network traffic through an encrypted tunnel to a datacenter somewhere. This has several advantages. It means your telco can’t monetise your browsing or network habits, and it also means you can connect to services back home while you’re your travelling³. Someone can travel from Europe to the US for example, and still get the local to home experience because all of the network traffic will come from your home country. The ones to look for commit to no activity logging, but again, you need to choose carefully and look at reviews from independent experts in this area. Also remember you have to pay for VPNs – if they’re free, they are invariably just data vampires.

Firewalls are another useful tool in your armoury³. I use a firewall that blocks tracking using app measurement tools and lots of known malware, and while it’s free, they really want you to use their paid VPN service. Mine does break a couple of apps, but it’s something I can manage. If you do run one of these and app stops working, switch off the firewall and try again.

When I first installed my firewall and saw just how much traffic was blocked (much of at night) I was amazed. I’ve set my phone up to be ‘private’ and it’s still blocked 89K attempts.

Search engines

Just as with browsers, the search engine news is also good. While Google is by far the runaway leader in search, there are other options that will deliver great results. Startpage and DuckDuckGo both offer comparable search tools, though I would recommend letting DuckDuckGo manually know you location – before I did this, I was unhappy with the results. Now I use them all the time. Other privacy focused search engines are available.

Smart stuff

Cars. TVs. Speakers. TV dongles and streaming boxes. Smoke detectors and heating thermostats. Water and energy meters, plugs and lights – the list goes on. All now smarter than they were, all now capable of surveillance, so don’t ignore them. My own bugbear are smart TVs. One of mine has no privacy controls at all, the other won’t let me upgrade to the new OS without turning off the privacy controls. Neither are legal under GDPR or the UK’s Data Protection act, but they get away with it. Whatever you have, check what privacy controls you have, and use them. Popular devices like Amazon Alexa and Ring, Google Nest and other smart devices may have more controls than they used to, but you should still read their privacy policies – you might be surprised what you find.

The privacy arms race

Why bother with all this? I point you back to the first blog in this series. Surveillance is rife, and it’s hidden from you. The free stuff you get is hailed from the rooftops, but the sleezy snooping is quietly swept under the carpet… but it’s very well used, to productize you and your life. And not in a good way. I’ll warn Apple users again too. While many Android users are aware of what they’re dealing with, many iOS users are falling for the privacy ads from Apple, who have been ramping up their advertising revenue very nicely, thank you. Don’t be complacent with either platform.

Where will tracking go next – time-based pricing for energy or water use? Car and health insurance, perhaps? It’s already happening. Right now, it’s early adopters are taking these things up because it suits them or there’s a financial advantage. What about when it’s the norm and you’re on the wrong side of the system or in a marginalized group?

Also consider this. Should sensitive data about you be hacked, things could escalate quickly and you could end up feeling like you’re in an episode of Black Mirror.  Remember, if you don’t look after your privacy no one will do it for you. It’s time to tool-up⁴.

1: Wired has tips for Android here and iOS here. For iOS, ignore the advice about Protect Mail Activity – it’s actually bad advice. Instead, turn Protect Email Activity OFF and new switches appear, turn both switches ON for the best protection

2: Browser Fingerprinting: What Is It And What Should You Do About It?, PixelPrivacy, July 2021

https://pixelprivacy.com/resources/browser-fingerprinting/

3: A good firewall for iOS and Mac is https://lockdownprivacy.com/ and for Android (and iOS) I try https://blokada.org/

4: Privacy myths busted: Protecting your mobile privacy is even harder than you think, CNET, Jan 2022, https://www.cnet.com/tech/services-and-software/privacy-myths-busted-protecting-your-mobile-privacy-is-harder-than-you-think/

Not long ago if you went to McDonalds for a coffee, it came with a sticker on the cup. If you saved up six on a little piece of card (also on the cup), your 7^th coffee was free. A simple system, and very private.

That sticker system was scrapped in 2020, for an app¹. Suddenly, McDonalds have gone from knowing nothing about you, to collecting your financial info, your location and even looking at your search and browsing history. And for your <cough> convenience, you can sign-in with Facebook, Google or Apple.

OK, so I work in business too, and it’s imperative that you use data to understand customer behaviour and market to them. But do you really need this level of information? This is just one example of what I refer to as ‘creeping surveillance’.

How data about you is monetized

I can only guess at what all that data is used for in the example above², but it’s typical of many apps that give you free stuff in exchange for data. I also don’t want to beat-up on McDonalds – as a reputable business they do provide opt-outs and are doing a lot to transform their business into a more sustainable one, which is great news.

Much more problematic are where the developer’s ONLY purpose for the app is to siphon your data – the user functions are merely a ruse designed to get you to install it. From games to widgets, productivity apps, and even ones that claim to protect your privacy. Whatever function you need, you can be pretty sure there’s a ‘data vampire’ app for that.

But why? Well, data about you is a lucrative business.

We value your privacy

It may be the biggest lie ever told. They sure do value it though. They value it because your privacy is up for sale all over the place – and mostly, WITH your consent³. Cookie walls – you hate them, so you click OK. Privacy policies – you hate them too, so you don’t read them. Data collection opt-outs are hidden or long winded. It’s all by design. It’s called obfuscation, and they want you to give in. Even user ‘privacy control panels’ are mostly designed to mislead you – all of which, incidentally, is not technically allowed under GDPR.

Data about you⁴ makes $billions for big tech, but smaller companies can still make huge profits from personal data collected from websites and apps. Depending on the level of detail, the data from just a few thousand individuals could net thousands of dollars for a small company, or even a lone developer. It all goes into a pot that profiles you to a scary level of detail – believe me when I say they can predict your actions better than you can. That’s why real time bidding ad-clicks can go for anything from a few cents to $2 and up. Remember, that’s just for a single user click on an ad.

It’s time for business to believe in choice

Creeping surveillance has become normalized when it really should not be – it’s dysfunctional. Many people believe privacy to be a human right. Even Mark Zuckerberg purchased the properties surrounding his own⁵ to create a privacy buffer for his family (which you contributed to, I’m sure he’s grateful). It’s not the only example – Larry Page, the co-founder of Google is a famously private person. The fact is that the people that want to trade on your privacy, crave it for themselves.

This is why data collection should be a choice. Just because you can, doesn’t mean you should. Let’s not forget that many people are happy with data collection – they want the most integrated and tailored experience possible.  And they want it even though they know the ramifications; I’ve met ‘privacy professionals’ that think this way. Personally, I do my best to avoid tracking, apart from with the companies I trust, then I play the game. Surely looking for engaged people like that means you’ve found your hot prospect?

Talking from the business side for a moment, there are plenty of ways to combine tactics – tokenisation, anonymization, differential marketing (and more), in addition to what I’m sad to say has become ‘traditional’ data collection. Let people choose, it fosters trust. Make it simple to select what level of tracking people are comfortable with, including ‘none’. This layered approach will make your prospects and customers happy – if they trust you. It shouldn’t really trouble you unless you are Meta, Google, or swathe of other big names, of course.

The problem is that marketing teams are under so much pressure to get lead numbers up, lead quality suffers. This is often driven by sales management demanding more leads, only to complain about lead quality afterwards, at which point they blame marketing. So, whether you’re in sales and marketing or just reading this with a casual interest in privacy, consider this. When the starting gun was fired on GDPR in May 2018, many US websites worried about the legal consequences blocked European visitors, but the New York Times took a different approach. They dropped real-time bidding and behavioural ads and focused on contextual and regional ads instead. The NYT ad business continued to grow ‘nicely’ as they put it⁶, even without all that creepy targeting.

In my next blog I’ll be looking at what you can do to preserve your privacy. When you lose ground to this sort of creeping erosion of your rights, it can be really very hard to reclaim them, so it’s important that we all keep fighting.

1: This blog refers to the UK App; screen shot shows the privacy information from Apple’s UK app store. Data collection may vary by country or region

2: I have asked McDonalds why they need my browsing history on several occasions, but so far, they have not responded

3: Don’t get hung-up on consent folks, it’s not needed if a business has what’s called a ‘legitimate interest’ – which can be a rather stretchy, elastic term when in the hands of less reputable businesses

4: Note that I don’t refer to it as ‘your data’ – that’s because it isn’t

5: Why Mark Zuckerberg buys up properties that surround his 10 homes:
https://www.scmp.com/magazines/style/news-trends/article/3009010/why-mark-zuckerberg-buys-properties-surround-his-10

6: After GDPR, The New York Times cut off ad exchanges in Europe — and kept growing ad revenue, Digiday, Jan 2019:
https://digiday.com/media/gumgumtest-new-york-times-gdpr-cut-off-ad-exchanges-europe-ad-revenue/