

Doug Clare

Encryption Has Its Place But It Isn't Foolproof

Most encrypted data is unencrypted at some point in its lifecycle -- and the bad guys are pretty good at finding the one window left open.

Last year, a newly surfaced Snowden document from the US National Intelligence Council warned that the slow deployment of encryption and other technologies is putting government and private computers at risk of cyber attacks. The annual cost of cybercrime to the global economy is estimated at over $400 billion. Encryption is viewed by many experts as the go-to security technology, yet data breaches and other attacks continue to rise despite advances in encryption.

Arguing against encryption would be a bit like arguing against locks on doors. Strong encryption is a basic defense against the damage that might flow from a successful attack on information infrastructure. Encryption technology is improving, as are best practices in deploying it; and everyone should embrace these improvements. But encryption alone is not enough, and may induce a false sense of security among those who depend on it. 

Sticking with the locks-on-doors analogy, rational people may also install an alarm system on their doors and windows. At my house, I have deadbolt locks on my doors. I also have an alarm system that warns me if a door or window is opened -- regardless of the time. The locks on my doors and windows serve to protect me from intrusion but I know these systems fail for a variety of reasons. Perhaps I’ve forgotten to lock a window. Perhaps one of my kids decides to sneak out for a rendezvous with friends. Or perhaps someone has actually broken a lock in an attempt to enter. My alarm system alerts me and provides me an opportunity to respond.  

[COUNTERPOINT: As Good As They're Getting, Analytics Don't Inherently Protect Data, by Scott Petry, Co-Founder and CEO, Authentic8]

A similar analogy can be drawn from home security to national security. Regardless of your political leanings, the features of a strong defense are well understood – secure borders, big guns, and various “walls and moats” strategies. But governments have deployed layered defenses for millennia, which include both physical defenses and intelligence assets that warn them of threats. Spies, intelligence services, and counter-intelligence are all indispensable, integrated components of national security. Their mission is to detect and counteract threats that aren’t necessarily subject to the controls of strong basic defenses. 

Encryption, while not a physical defense, is much like other basic defense mechanisms that serve to block access to items of value. Like other basic defenses, encryption is not foolproof. It can be evaded and undermined, and it is prone to errors in deployment: encryption keys can be lost, stolen, or inadvertently exposed, and data that is encrypted at rest and in transit still has to be decrypted wherever it is processed, so an attacker who compromises that endpoint or application reads plaintext. Perhaps even more likely is a situation where we believe we've encrypted everything, when in fact we've encrypted almost everything. Most encrypted data is unencrypted at some point in its usage lifecycle. The bad guys are pretty good at finding the one window left open.

Analytics are to encryption what intelligence services are to military defenses. The increasing number, variety, speed, and severity of cyber attacks necessitate a dynamic cyber intelligence posture. In the past, cybersecurity analytics were focused on gathering data about compromises, developing threat “signatures,” and using those signatures to protect against future threats, all comprising another form of defense that served to block an attacker.  

Identifying threats in real time

Advanced detection analytics, by contrast, identify emerging threats by recognizing anomalous patterns in real time. Many of these techniques have commercial and technical roots in high-volume network assurance applications (e.g., telecommunications) as well as financial fraud detection (e.g., banks and insurance). While many firms label their signature-based detection methods as “analytics,” the analytics are largely static and built to block known threats and therefore fall into the category of basic defenses.

What differentiates the emerging field of detection analytics from these basic defenses (including physical security, firewalls, encryption, and signature-based detection methods) is that advanced detection analytics are focused on finding anything unusual or threatening that gets by your basic defenses. And since we brought Snowden into this already, let’s include those threats that emerge from the inside.  

Big data stores and emerging forensic tools can be a critical aid in unwinding complex attacks and data exfiltration schemes. But at the forefront of cyber threat detection analytics are real-time streaming analytics applied to data flow within the network, and the profiling of entities (e.g., sensors, devices, servers, routers, and human actors) engaged in network communications. With the help of machine learning, organizations can harvest actionable behavioral analytic insights from huge streams of data traffic in two ways:

  • Self-calibrating models constantly recalibrate traffic behavior of monitored entities, and score anomalies for the extent of their deviation from the norm.
  • Self-learning analytics improve with each resolved alert, serving to systematically automate the insights of human security analysts as they work cases.

Building an ever-clearer picture of the typical behavior of individual entities, these two approaches enable streaming analytics to better identify threats. They also help minimize false positives – a huge problem as many large organizations are currently sorting through hundreds of thousands of alerts each day. And most importantly, these technologies work in real time – providing, for the first time, the ability to sense and respond to the most egregious threats as they happen, and before damage is done. 

It’s worth noting that these analytic approaches are tried and tested. Many of the underlying technologies, including the AI/machine learning analytics, have been protecting most of the world’s credit cards for years. The fraud teams at card issuers use these systems not only to detect fraud, but to set the level of risk that triggers investigation or card blocking, in order to balance loss prevention with a positive customer experience. Moreover, these fraud systems do not require issuers to hire armies of analytic techies. By crunching data to prioritize the biggest threats, they simplify the lives of fraud professionals, and the same would hold true in information security.
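The two mechanisms described above (a self-calibrating per-entity baseline that scores deviation from the norm, and a self-learning step that takes analyst-resolved alerts as input) and the card-issuer practice of setting the risk threshold to trade loss prevention against customer friction, in one added example. This is illustrative code, not code from the article or from any FICO product: the entity names, traffic volumes and feedback labels are constructed, and the 5% spread floor and the cost weights are tuning choices made here, not figures from the article.

```python
"""
Per-entity streaming anomaly scoring with analyst feedback.

Added example, not code from the article or from any FICO product.
Entity names, traffic volumes and resolved-alert labels are constructed
for illustration; each record is (entity, bytes_out) for one time window.
"""
from dataclasses import dataclass
import math


@dataclass
class Baseline:
    """Self-calibrating norm for one entity: exponentially weighted mean/variance."""
    alpha: float = 0.1      # smoothing factor; larger adapts faster, forgets sooner
    n: int = 0
    mean: float = 0.0
    var: float = 0.0

    def score(self, x: float) -> float:
        """How far x sits from this entity's own norm, in standard deviations."""
        if self.n < 5:      # too little history to call anything anomalous
            return 0.0
        std = math.sqrt(self.var)
        # Floor the spread at 5% of the mean (tuning choice) so a very steady
        # entity does not page on noise, and at 1.0 to avoid dividing by ~0.
        std = max(std, 0.05 * abs(self.mean), 1.0)
        return abs(x - self.mean) / std

    def update(self, x: float) -> None:
        """Recalibrate toward recent behaviour (Welford-style EW update)."""
        if self.n == 0:
            self.mean = x
        else:
            diff = x - self.mean
            incr = self.alpha * diff
            self.mean += incr
            self.var = (1.0 - self.alpha) * (self.var + diff * incr)
        self.n += 1


def score_stream(records, threshold):
    """Score each record against its entity's baseline; return alerts over threshold."""
    baselines = {}
    alerts = []
    for entity, x in records:
        b = baselines.setdefault(entity, Baseline())
        s = b.score(x)          # score first, so an outlier cannot hide itself
        if s > threshold:
            alerts.append((entity, x, round(s, 2)))
        b.update(x)             # then let the baseline drift toward new behaviour
    return alerts


def tune_threshold(resolved, fp_cost=1.0, miss_cost=20.0):
    """Self-learning step: choose the threshold that minimises cost over worked cases.

    resolved: (score, confirmed) pairs from alerts an analyst has closed.
    fp_cost weights analyst time / customer friction; miss_cost weights a
    real incident left unalerted. Candidates are the observed scores plus 0.
    """
    candidates = sorted({0.0, *(s for s, _ in resolved)})
    best_t, best_cost = None, math.inf
    for t in candidates:                       # ascending: ties keep the lower threshold
        fps = sum(1 for s, ok in resolved if not ok and s > t)
        misses = sum(1 for s, ok in resolved if ok and s <= t)
        cost = fp_cost * fps + miss_cost * misses
        if cost < best_cost:
            best_t, best_cost = t, cost
    return best_t, best_cost


# Constructed traffic: bytes out per window, one list per entity.
NORMAL = {
    "db-server":   [1000, 1020, 980, 1010, 990, 1005, 995, 1015, 985, 1000, 1010, 990],
    "backup-host": [100000, 101000, 99000, 100500, 99500, 100200, 99800, 100300],
    "laptop-ann":  [500, 520, 480, 510, 490, 505],
}
# Final window per entity: two genuine deviations, and one value that is large
# in absolute terms but ordinary for the entity that produced it.
FINAL = {"db-server": 50000, "backup-host": 110000, "laptop-ann": 30000}

# Constructed analyst feedback: (score, was it a confirmed incident?)
RESOLVED_ALERTS = [(1.5, False), (2.2, False), (2.8, False), (3.0, False),
                   (3.1, True), (3.4, False), (4.0, True), (6.5, True), (12.0, True)]


def build_stream():
    """Interleave the per-entity series the way a collector would deliver them."""
    stream = []
    for i in range(max(len(v) for v in NORMAL.values())):
        stream.extend((e, v[i]) for e, v in NORMAL.items() if i < len(v))
    stream.extend(FINAL.items())
    return stream


if __name__ == "__main__":
    for alert in score_stream(build_stream(), threshold=3.0):
        print("ALERT", alert)
    print("threshold favouring loss prevention:", tune_threshold(RESOLVED_ALERTS))
    print("threshold favouring customer experience:",
          tune_threshold(RESOLVED_ALERTS, fp_cost=30.0))
```

Run stand-alone, the scorer alerts on db-server and laptop-ann but not on backup-host, even though backup-host's 110000-byte window is larger than either of the others in absolute terms: what counts is deviation from that entity's own baseline. Raising fp_cost moves the chosen threshold from 3.0 to 3.4, which is the analytic form of the card-issuer trade-off the paragraph describes.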

While encryption and other basic defense approaches will always have their place in security strategies, encryption alone does not prevent hackers from stealing data. Adding advanced analytic techniques to cybersecurity portfolios complements encryption and can close the gaps it (and signature-based security) leaves, by detecting emerging and evolving attack patterns in real time. As a best practice, companies must advance beyond basic defenses and enhance their security posture with the analytic equivalent of an effective intelligence service. It's time to bolster our walls and moats with spies and intelligence.


Doug Clare is Vice President of Fraud, Compliance, and Security Solutions at FICO. In this role, Doug heads FICO's fraud, financial crime, and cyber-risk businesses. With more than 25 years at FICO, he has deep expertise in helping banks and other businesses manage fraud, ...

2/3/2016 | 7:55:57 AM
Schneier notes on NSA presentation

System attack process summary:

Intrusion phases
  • reconnaissance
  • initial exploitation
  • establish persistence
  • install tools
  • move laterally
  • collect, exfil, and exploit

The event was the USENIX Enigma conference.

Reference (Schneier)

Attackers don't care about passwords, authentication, or encryption: they work by attacking the endpoints with rootkits and other unauthorized programming. Until the industry addresses this issue there will be no meaningful progress against computer fraud and abuse.
2/2/2016 | 7:17:50 PM
Data That Stays Encrypted, Is Read While Encrypted
The window of opportunity is a very valid point, and the only one that matters in arguing for more advanced protection of data.  One imagines technology down the road that can accomplish the (seemingly) impossible.  That is, one only ever deals with encrypted data, and that data as a whole is never decrypted.  However, via a variety of reading methods, the reader can 1) read the data (if a document) line by line where a reader decrypts a certain number of lines using a different key for each paragraph, encrypting the data again using a new cipher as it moves along the document, or 2) the data is printed out using a printer that similarly decrypts chunks using different keys, dropping a bit of decrypted data into a secure print queue, then moving on to another print queue, all the while the user must authenticate over time to keep the processes available, whether reading at a terminal, or receiving printed items.  An option could be to have to destroy data already read before the rest will print; or that it must be locked into a safe box before one could move on to the rest of the material.

These are examples of overkill – perhaps even comedic, but with the right processing power and the right infrastructure, there is no reason extremely sensitive documents can't remain secure and those windows never open, since the windows are actually removed, or mostly removed.  Yes, people are the remaining "window" and always will be, but there are ways to keep that to a dull minimum, too, depending on the information.  As a rule, data should never travel (whether on media or over the Internet) in a decrypted state.  Layering the encryption as described requires time with today's tech, but can be done as computing power increases.  Layering the human factor could work, too, where you require a minimum number of people to be able to translate and use decrypted data, depending on the nature of the information.

I suspect that time and money are a huge reason why so much data that might otherwise be secured is out there, and if we took twice as much effort to lock it down with today's tech and resources, we'd be in much better shape.  But in the end, we need to get rid of the windows and doors, over-complicate our security measures and tech so that once we know we are having a hard time already just getting to the data we are supposed to have access to, we'll know we are doing a better job of securing the information other eyes are never supposed to see.  If we can get to the ultimate state where data is even read while encrypted (I'm imagining this will be when biotech has reached a certain maturity), we'll be in great shape, indeed!