

10:30 AM
Doug Clare
Doug Clare
Connect Directly
E-Mail vvv

Encryption Has Its Place But It Isn't Foolproof

Most encrypted data is unencrypted at some point in its lifecycle -- and the bad guys are pretty good at finding the one window left open.

Last year, an uncovered Snowden document from the US National Intelligence Council warned that the slow deployment of encryption and other technologies is putting government and private computers at risk of cyber attacks. The annual cost of cybercrime to the global economy is estimated at over $400 billion. Encryption is viewed by many experts as the go-to security technology, but data breaches and other attacks continue to rise despite advances in encryption.

Arguing against encryption would be a bit like arguing against locks on doors. Strong encryption is a basic defense against the damage that might flow from a successful attack on information infrastructure. Encryption technology is improving, as are best practices in deploying it; and everyone should embrace these improvements. But encryption alone is not enough, and may induce a false sense of security among those who depend on it. 

Sticking with the locks-on-doors analogy, rational people may also install an alarm system on their doors and windows. At my house, I have deadbolt locks on my doors. I also have an alarm system that warns me if a door or window is opened -- regardless of the time. The locks on my doors and windows serve to protect me from intrusion but I know these systems fail for a variety of reasons. Perhaps I’ve forgotten to lock a window. Perhaps one of my kids decides to sneak out for a rendezvous with friends. Or perhaps someone has actually broken a lock in an attempt to enter. My alarm system alerts me and provides me an opportunity to respond.  

[COUNTERPOINT: As Good As They're Getting, Analytics Don't Inherently Protect Data, by Scott Petry, Co-Founder and CEO, Authentic8]

A similar analogy can be drawn from home security to national security. Regardless of your political leanings, the features of a strong defense are well understood – secure borders, big guns, and various “walls and moats” strategies. But governments have deployed layered defenses for millennia, which include both physical defenses and intelligence assets that warn them of threats. Spies, intelligence services, and counter-intelligence are all indispensable, integrated components of national security. Their mission is to detect and counteract threats that aren’t necessarily subject to the controls of strong basic defenses. 

Encryption, while not a physical defense, is much like other basic defense mechanisms that serve to block access to items of value. Like other basic defenses, encryption is not foolproof. It can be evaded and undermined, and it can be prone to errors in deployment; encryption keys can be lost, stolen, or inadvertently exposed. Perhaps even more likely is a situation where we believe we’ve encrypted everything, when in fact we’ve encrypted almost everything. Most encrypted data is unencrypted at some point in its usage lifecycle. The bad guys are pretty good at finding the one window left open.  

Analytics are to encryption what intelligence services are to military defenses. The increasing number, variety, speed, and severity of cyber attacks necessitate a dynamic cyber intelligence posture. In the past, cybersecurity analytics were focused on gathering data about compromises, developing threat “signatures,” and using those signatures to protect against future threats, all comprising another form of defense that served to block an attacker.  

Identifying threats in real time

Advanced detection analytics, by contrast, identify emerging threats by recognizing anomalous patterns in real time. Many of these techniques have commercial and technical roots in high-volume network assurance applications (e.g., telecommunications) as well as financial fraud detection (e.g., banks and insurance). While many firms label their signature-based detection methods as “analytics,” the analytics are largely static and built to block known threats and therefore fall into the category of basic defenses.

What differentiates the emerging field of detection analytics from these basic defenses (including physical security, firewalls, encryption, and signature-based detection methods) is that advanced detection analytics are focused on finding anything unusual or threatening that gets by your basic defenses. And since we brought Snowden into this already, let’s include those threats that emerge from the inside.  

Big data stores and emerging forensic tools can be a critical aid in unwinding complex attacks and data exfiltration schemes. But at the forefront of cyber threat detection analytics are real-time streaming analytics applied to data flow within the network, and the profiling of entities (e.g., sensors, devices, servers, routers, and human actors) engaged in network communications. With the help of machine learning, organizations can harvest actionable behavioral analytic insights from huge streams of data traffic in two ways:

  • Self-calibrating models constantly recalibrate traffic behavior of monitored entities, and score anomalies for the extent of their deviation from the norm.
  • Self-learning analytics improve with each resolved alert, serving to systematically automate the insights of human security analysts as they work cases.

Building an ever-clearer picture of the typical behavior of individual entities, these two approaches enable streaming analytics to better identify threats. They also help minimize false positives – a huge problem as many large organizations are currently sorting through hundreds of thousands of alerts each day. And most importantly, these technologies work in real time – providing, for the first time, the ability to sense and respond to the most egregious threats as they happen, and before damage is done. 
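The two bullets above describe per-entity baselines that recalibrate on every event and analyst feedback that tunes the model, and the earlier paragraphs contrast that with static, signature-style rules. As an added example (not code from the article, its author, or FICO), here is a minimal streaming version in Python: an exponentially weighted mean and variance per host, scored as a z-score against that host's own history; a feedback hook that nudges that host's alert threshold as analysts resolve alerts; and, for contrast, a fixed byte-count rule run over the same log lines. The log format, host names, smoothing factor, warm-up length and thresholds are all assumptions, and the sample log is constructed.

```python
"""Streaming per-entity anomaly scoring versus a static threshold rule.

Added example, not code from the article or FICO. The log format below is
constructed; real telemetry would come from flow records, proxy logs, etc.
"""
import math
from collections import defaultdict

# Constructed sample telemetry: minute bucket, host, bytes sent out of the network.
# db01 normally sends ~1.2 KB/min and then spikes; web01 always sends ~50 KB/min.
SAMPLE_LOG = """\
t=1 host=db01 bytes_out=1200
t=1 host=web01 bytes_out=50000
t=2 host=db01 bytes_out=1150
t=2 host=web01 bytes_out=52000
t=3 host=db01 bytes_out=1300
t=3 host=web01 bytes_out=49000
t=4 host=db01 bytes_out=1250
t=4 host=web01 bytes_out=51500
t=5 host=db01 bytes_out=1180
t=5 host=web01 bytes_out=50500
t=6 host=db01 bytes_out=98000
t=6 host=web01 bytes_out=52500
"""


def parse_line(line):
    """Parse one 'key=value key=value' log line into (t, host, bytes_out)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return int(fields["t"]), fields["host"], int(fields["bytes_out"])


class EntityProfile:
    """Self-calibrating baseline for one entity: EWMA mean and variance.

    alpha  - smoothing factor (assumed value; higher adapts faster)
    warmup - events to observe before any score is produced
    """

    def __init__(self, alpha=0.3, warmup=3, threshold=3.0):
        self.alpha = alpha
        self.warmup = warmup
        self.threshold = threshold  # z-score at which an alert fires; tuned by feedback
        self.n = 0
        self.mean = 0.0
        self.var = 0.0

    def score(self, x):
        """Anomaly score for x: how many standard deviations it sits from the norm."""
        if self.n < self.warmup:
            return 0.0
        std = math.sqrt(self.var) or 1.0  # constant stream: avoid division by zero
        return abs(x - self.mean) / std

    def update(self, x):
        """Fold x into the baseline (standard EWMA mean/variance recursion)."""
        self.n += 1
        if self.n == 1:
            self.mean = float(x)
            return
        delta = x - self.mean
        self.mean += self.alpha * delta
        self.var = (1 - self.alpha) * (self.var + self.alpha * delta * delta)


def resolve_alert(profile, confirmed):
    """Analyst feedback loop (a simplified stand-in for the self-learning step).

    A confirmed alert lowers this entity's threshold a little; a dismissed one
    raises it, so repeat false positives from a naturally noisy entity fade out.
    """
    if confirmed:
        profile.threshold = max(2.0, profile.threshold * 0.9)
    else:
        profile.threshold = min(10.0, profile.threshold * 1.25)
    return profile.threshold


def run_streaming(lines):
    """Score each event against its own entity's baseline; return (alerts, profiles)."""
    profiles = defaultdict(EntityProfile)
    alerts = []
    for line in lines:
        t, host, x = parse_line(line)
        p = profiles[host]
        z = p.score(x)
        if z > p.threshold:
            alerts.append((host, t, z))
        else:
            # Only unflagged events recalibrate the baseline, so an attacker's
            # traffic does not quietly become the new normal.
            p.update(x)
    return alerts, profiles


def run_static_rule(lines, limit=20000):
    """The 'signature' counterpart: one fixed byte limit for every host."""
    return [(host, t) for t, host, x in map(parse_line, lines) if x > limit]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    alerts, _ = run_streaming(lines)
    print("per-entity alerts:", [(h, t, round(z, 1)) for h, t, z in alerts])
    print("static-rule hits: ", run_static_rule(lines))
```

On the constructed log the per-entity model flags only db01 at t=6, while the static 20 KB rule fires on every web01 event and would have to be loosened until it missed db01's spike. The threshold feedback is deliberately crude; a production system would learn from resolved cases across many features, but the shape of the loop is the same.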

It’s worth noting that these analytic approaches are tried and tested. Many of the underlying technologies, including the AI/machine learning analytics, have been protecting most of the world’s credit cards for years. The fraud teams at card issuers use these systems not only to detect fraud, but to set the level of risk that triggers investigation or card blocking, in order to balance loss prevention with a positive customer experience. Moreover, these fraud systems do not require issuers to hire armies of analytic techies. By crunching data to prioritize the biggest threats, they simplify the lives of fraud professionals, and the same would hold true in information security.

While encryption and other basic defense approaches will always have their place in security strategies, encryption alone does not prevent hackers from stealing data. Adding advanced analytic techniques to cybersecurity portfolios complements encryption (and signature-based security) and can close the gaps they leave by detecting emerging and evolving attack patterns in real time. As a best practice, companies must advance beyond basic defenses, and enhance their security posture with the analytic equivalent of an effective intelligence service. It’s time to bolster our walls and moats with spies and intelligence.


Doug Clare is vice president of product management, leading the FICO® Analytic Cloud initiative and FICO's cyber security product team. He has been with FICO for more than 25 years, and has deep expertise in helping banks and other businesses manage fraud, risk, compliance ...

2/3/2016 | 7:55:57 AM
Schneier notes on NSA presentation
system attack process summary:

intrusion phases
  • reconnaissance
  • initial exploitation
  • establish persistence
  • install tools
  • move laterally
  • collect, exfil and exploit

the event was the usenix enigma conference.

reference (schneier)

attackers don't care about passwords, authentication, or encryption: they work by attacking the endpoints with rootkits and other unauthorized programming. until the industry addresses this issue there will be no meaningful progress against computer fraud and abuse.

2/2/2016 | 7:17:50 PM
Data That Stays Encrypted, Is Read While Encrypted
The window of opportunity is a very valid point, and the only one that matters in arguing for more advanced protection of data.  One imagines technology down the road that can accomplish the (seemingly) impossible.  That is, one only ever deals with encrypted data, and that data as a whole is never decrypted.  However, via a variety of reading methods, the reader can 1) read the data (if a document) line by line where a reader decrypts a certain number of lines using a different key for each paragraph, encrypting the data again using a new cipher as it moves along the document, or 2) the data is printed out using a printer that similarly decrypts chunks using different keys, dropping a bit of decrypted data into a secure print queue, then moving on to another print queue, all the while the user must authenticate over time to keep the processes available, whether reading at a terminal, or receiving printed items.  An option could be to have to destroy data already read before the rest will print; or that it must be locked into a safe box before one could move on to the rest of the material.

These are examples of overkill – perhaps even comedic, but with the right processing power and the right infrastructure, there is no reason extremely sensitive documents can't remain secure and those windows never open, since the windows are actually removed, or mostly removed.  Yes, people are the remaining "window" and always will be, but there are ways to keep that to a dull minimum, too, depending on the information.  As a rule, data should never travel (whether on media or over the Internet) in a decrypted state.  Layering the encryption as described requires time with today's tech, but can be done as computing power increases.  Layering the human factor could work, too, where you require a minimum number of people to be able to translate and use decrypted data, depending on the nature of the information.

I suspect that time and money are a huge reason why so much data that might otherwise be secured is out there, and if we took twice as much effort to lock it down with today's tech and resources, we'd be in much better shape.  But in the end, we need to get rid of the windows and doors, over-complicate our security measures and tech so that once we know we are having a hard time already just getting to the data we are supposed to have access to, we'll know we are doing a better job of securing the information other eyes are never supposed to see.  If we can get to the ultimate state where data is even read while encrypted (I'm imagining this will be when biotech has reached a certain maturity), we'll be in great shape, indeed!