FAQs
Some answers to the most common questions we are asked.
If you have any questions that we have not covered below,
please contact the ZORB team at
info@zorbsecurity.com
or call +44 1223 603029
Even better than a trial… sign up for 5 FREE ZORB licenses to get you started.
This way you can test our outbound data-blocking functionality and data theft elimination software in your environment before rolling it out to all users.
If you need more than 5 licenses for a pilot, contact the team directly and we will be delighted to provide enough licenses.
Trusted data is a term used in outgoing data security to refer to the integrity of the data flow.
Trusted data packets:
1) come from an application that has been approved by the business
2) are intended for a destination that can be correlated with the source application
3) have a transmission channel associated with that application data (e.g. HTTPS or VPN, and not SSH or Tor).
A deny-until-proven-trusted security stance means data flows that do not pass all three crucial checks are blocked from transmission at the user’s device, before they can enter a network.
Your list of business-approved applications is defined in your ‘safe list’. The list can be configured to contain just the applications, with ZORB taking care of the destination and channel. Or your approved destinations and channels can be added. This list can also be set to any level of granularity to meet business requirements, such as by company, by department, or by individual user.
Defining this on a firewall would require a lot of rulesets and continual maintenance. ZORB’s safe list requires a minimum amount of setup and does not require technical knowledge. We do most of the setup work for you by providing a pre-built safe list that has a standard set of safe applications already configured. You just need to add your business-specific applications to the list.
ZORB’s guide to “Why Outgoing Data Matters to your Cybersecurity Defence Posture” provides more information.
Most Windows devices run Windows Defender Firewall. Typically, this is used to protect against incoming threats.
Firewall rules can be configured to prevent outgoing data being sent to malicious endpoints. But this assumes knowledge of every possible malicious endpoint, which could be hundreds of millions of IP addresses, any of which can change on an hourly basis.
ZORB tackles the same issue, albeit from the opposite angle, by only permitting transmission of data that is trusted. The permutations of trusted data are a fraction of the volume of possible malicious endpoints. Therefore, whitelisting trusted data is much simpler, quicker, less resource intensive, and less error-prone compared with blacklisting bad endpoints.
Whilst firewalls, and indeed Intrusion Prevention Systems, can be used for outgoing data security, there are several resource and complexity challenges to overcome:
- define and configure the blocking rulesets
- continuous maintenance of these rulesets, as business applications change or application endpoints change
- malware can easily bypass a firewall by masquerading as a safe application
- many data breaches start from a firewall misconfiguration – one slight miscalculation in a ruleset can leave a business wide open to attack
- by default, unless a rule is configured otherwise, a firewall blocks all incoming data and allows all outgoing traffic. When an application is installed, an incoming data rule is automatically applied to the firewall (although not automatically removed upon uninstall). Application-specific outbound rules must be manually applied
These, and other challenges, are covered in more detail in our CISO guide: “Why Outgoing Data Matters to your Cybersecurity Defence Posture”
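The following Python is an added example, not ZORB’s own code, illustrating the three trust checks described above (approved application, correlated destination, associated channel) and the contrast with a block-list firewall that allows outbound traffic by default. The safe list, application names, destinations, device IP and block-list entry are all constructed (IP addresses come from the RFC 5737 documentation ranges); the `Flow`, `evaluate`, `blocklist_firewall`, `block_report` and `summarize` names are this example’s own. It also shows an internal application whose data is only permitted over the VPN, and a block report that carries flow attributes but no application payload.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Metadata of one outbound data flow as seen at the device's network interface.
    Only flow attributes are held; no application payload is captured."""
    app: str      # originating application (executable name)
    dest: str     # destination host or IP address
    channel: str  # transmission channel, e.g. "HTTPS", "VPN", "SSH", "TOR"


@dataclass(frozen=True)
class SafeListEntry:
    """What a business-approved application is expected to talk to, and how."""
    destinations: frozenset[str]
    channels: frozenset[str]


# Constructed safe list (hypothetical applications and destinations, not a real policy).
SAFE_LIST = {
    "outlook.exe": SafeListEntry(frozenset({"outlook.office365.com"}), frozenset({"HTTPS", "VPN"})),
    "teams.exe": SafeListEntry(frozenset({"teams.microsoft.com"}), frozenset({"HTTPS", "VPN"})),
    # Internal ERP client: its data must go through the VPN, otherwise it is not sent.
    "erp-client.exe": SafeListEntry(frozenset({"erp.corp.internal"}), frozenset({"VPN"})),
}


def evaluate(flow: Flow, safe_list=SAFE_LIST) -> tuple[str, str]:
    """Deny-until-proven-trusted: a flow is permitted only if all three checks pass."""
    entry = safe_list.get(flow.app.lower())
    if entry is None:                                   # check 1: business-approved application
        return "BLOCK", f"application {flow.app} is not on the safe list"
    if flow.dest not in entry.destinations:             # check 2: destination correlates with the app
        return "BLOCK", f"destination {flow.dest} is not correlated with {flow.app}"
    if flow.channel not in entry.channels:              # check 3: channel associated with the app
        return "BLOCK", f"channel {flow.channel} is not associated with {flow.app}"
    return "PERMIT", "all three trust checks passed"


# Contrast: a block-list firewall that, like the default outbound posture described above,
# allows everything except destinations it has already been told are malicious.
KNOWN_BAD = frozenset({"203.0.113.10"})  # constructed entry, RFC 5737 documentation range


def blocklist_firewall(flow: Flow, known_bad=KNOWN_BAD) -> tuple[str, str]:
    if flow.dest in known_bad:
        return "BLOCK", f"destination {flow.dest} is on the block list"
    return "PERMIT", "default outbound allow"


def block_report(flow: Flow, reason: str, device_ip: str) -> dict[str, str]:
    """Alert attributes for a portal or SIEM: device, application, destination, channel, reason.
    Deliberately carries no payload, since the decision is made on the flow, not its content."""
    return {"device_ip": device_ip, "app": flow.app, "dest": flow.dest,
            "channel": flow.channel, "reason": reason}


# Constructed sample flows; IP addresses are from the RFC 5737 documentation ranges.
SAMPLE_FLOWS = [
    Flow("outlook.exe", "outlook.office365.com", "HTTPS"),  # trusted on all three checks
    Flow("outlook.exe", "198.51.100.7", "HTTPS"),           # approved app, unexpected destination
    Flow("erp-client.exe", "erp.corp.internal", "HTTPS"),   # right destination, but not via the VPN
    Flow("updater.exe", "203.0.113.10", "HTTPS"),           # unknown app, known-bad endpoint
    Flow("curl.exe", "192.0.2.44", "TOR"),                  # unknown app, unknown endpoint, Tor
]


def summarize(flows=SAMPLE_FLOWS) -> dict[str, int]:
    """Count how many of the same flows each approach blocks."""
    return {
        "flows": len(flows),
        "blocked_by_trust_checks": sum(evaluate(f)[0] == "BLOCK" for f in flows),
        "blocked_by_blocklist": sum(blocklist_firewall(f)[0] == "BLOCK" for f in flows),
    }


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        verdict, reason = evaluate(f)
        print(f"{verdict:6} {f.app:15} -> {f.dest:24} via {f.channel:5}  ({reason})")
        if verdict == "BLOCK":
            print("       report:", block_report(f, reason, "10.0.0.23"))  # constructed device IP
    print(summarize())
```

Over these five constructed flows the trust checks block four (only the Outlook flow to its expected destination over HTTPS passes), while the block-list firewall blocks one, because it can only act on endpoints it already knows about; the flow to an unknown address over Tor and the approved application talking to an unexpected destination both pass it unchallenged.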
Application traffic data is more exposed to threats than ever before. This is because more and more data is leaving the trusted business infrastructure to go over the public internet to cloud applications, data centres or mobile/hybrid workers.
ZORB protects sensitive data from theft on mobile workers’ devices in just the same way as on office-based devices – by only permitting trusted data to be transmitted.
Remote workers should connect to the HQ or cloud applications via VPN. But this does not guarantee all data goes through the VPN. For security and compliance reasons, ZORB can be configured so that all outbound data is forced through the VPN, otherwise it does not get sent.
ZORB does not collect or store application data from the user’s device. We interrogate the integrity of all data flows just before they exit the device’s network interface (LAN, Wi-Fi, etc.) to determine whether to block or permit the data to be transmitted. No user application data is captured during this process.
Some non-user data is collected during a blocking incident for reporting purposes, such as the IP address of the device on which the data compromise was blocked, the originating application, and destination information. This data is sent to our online portal for you to review, and is not used for anything other than your reporting purposes.
Alternatively, ZORB can report the alert attributes directly to your own SIEM or helpdesk.
ZORB works on data flow, not data content, which means that ZORB does not care if data is encrypted or not.
Regardless, it is basic security hygiene to ensure all outbound data is encrypted when passing over a public network such as Wi-Fi or the Internet. But take note, encryption does not stop data theft – encryption only makes data unreadable.
ZORB provides one administrator license to our online portal. (Additional licenses are available upon request.)
The online portal serves two functions: 1) it is the administration centre for all of your devices running ZORB, where you administer the safe lists, and 2) it is the reporting centre.
The reports provide a snapshot of data theft threat posture across your entire device estate, and each block attempt is geolocated and cross-referenced with VirusTotal to aid threat hunting and safe list optimisation.
Alternatively, reporting data can be sent to your business helpdesk or SIEM. The online portal is still required for safe list administration.
Yes.
Network traffic is an invaluable threat hunting tool, and ZORB can send a copy of all incoming and outgoing data from a device to your SIEM.
However, this volume of duplicate traffic could put additional pressure on your internal network. Whilst we can send a copy of the entire packet, it might be better to only send certain fields from each packet to your SIEM. We can work with you to determine the most effective and efficient way to do this.
Contact us to find out more on info@zorbsecurity.com or call +44 1223 603029.
Unfortunately, today ZORB runs on Windows only. Our roadmap does include rollout to other platforms if there is sufficient demand.
Why not let us know your other use case requirements, or sign up as a tester?
ZORB protects against data theft – the deliberate, intentional theft of sensitive business data, whether by hackers, malware, insider attacks, misconfiguration or vulnerabilities.
ZORB does not prevent data leakage – the accidental disclosure of sensitive information through human error, such as a user accidentally emailing Personally Identifiable Information (PII) to the wrong address, to a web forum, or posting it on social media.
It is important to recognise that data theft and data leakage each require a different protection strategy.
- Leakage can be mitigated by user awareness, and tools that inspect the content of emails, web forums, social posts for sensitive data.
- Theft can be prevented through outgoing data security techniques, such as those that ZORB utilises.
Physical data theft includes such things as
- printing classified data and removing it from the building
- copying sensitive data to external drives, such as a USB stick
This is not on our roadmap because there are many good tools that already prevent this type of data theft.