A typical UK business has a 40% – 46% chance of suffering a data breach this year. There are many different sorts of data breaches – physical data breaches (via USB drive, printed material, theft of unencrypted data in storage), data sent as email content/attachment, or data breaches via covert channels (e.g. malware).

ZORB prevents unauthorised disclosure of data via the network. We check every piece of data as it is about to be sent from a PC (to a server, another PC or an external destination) against three criteria:

  • is the application sending this data authorised, known and trusted?
  • is the destination of the data to a known, trusted endpoint?
  • is the data being sent via a known, trusted channel?

If the answer to any of these is “NO” or “DON'T KNOW”, then the data does not get sent.

For example, Outlook wants to synchronise with Microsoft Cloud. If it tries to sync with anything other than a Microsoft-owned endpoint, ZORB can block it.

Now suppose a malicious application on your device has renamed itself to Outlook. Other solutions will see that the application is called Outlook and trust it. ZORB will block it: even though the application is called Outlook, it is attempting to send to an unknown third-party server which is not a Microsoft endpoint.

NOTE: ZORB does not prevent physical breaches or breaches via email content. There are other tools on the market that are better positioned to do this than ZORB. Please contact us if you want advice on these.

ZORB Data Shield will block certain types of malware.

Many malware families, such as botnets or ransomware, connect to a Command & Control (CC) server, typically hosted in the cloud. If Data Shield sees an untrusted application attempting to send data to an unknown endpoint, we block it.

Furthermore, Data Shield downloads a daily feed of “known malicious endpoints”. We check outgoing data (especially internet-destined traffic) against this known unsafe list and block accordingly.

NOTE: Data Shield prevents data breaches. It is NOT a replacement for your device’s antivirus. We do not monitor incoming data, so we don't detect malware being downloaded. However, should malware get past your AV and install on your device, we will stop it from sending data.

In theory, Data Shield will block ransomware. However, this is not its primary role and should not be relied upon.

Some, not all, ransomware calls home to register before it starts encrypting files. This Command & Control (CC) server is typically hosted in the cloud. If Data Shield sees an untrusted application attempting to send data to an unknown endpoint, we block it.

Additionally, Data Shield takes a daily feed of “known malicious endpoints”, which does include some ransomware servers. We check outgoing data (especially internet-destined traffic) against this known unsafe list and block accordingly.

NOTE: Data Shield prevents data breaches. It is NOT a replacement for ransomware detection tools. We may detect ransomware communication and block it, but we provide no guarantee that ransomware will not encrypt your data. ZORB should not be your primary defence against ransomware, but we MAY provide a second line of defence.

“I’ve just discovered a malicious application called ‘bad.exe’ on my device. It is scanning the network for other devices and sending this data back to a compromised cloud-based identity provider.”

Provided the malicious application is NOT in your trusted list of applications, Data Shield will block any attempts the application makes to send data. We do not prevent the application from downloading, installing and running (that's the job of your antivirus).

If the malicious application renames itself to Outlook, for example, then you have two options.

You can configure trusted destination endpoints for each application on your Trust List. By permitting Outlook to send data only to Microsoft, the ‘legit’ Outlook will continue to run. Whilst the ‘bad’ Outlook will still run, any data exfiltration attempts will be blocked because the destination address is not trusted. Furthermore, you will be alerted of the blocked attempt, the application and the device, so that you can remove the malware from the infected PC.

Or, simply remove Outlook from the Trust List. The Trust List then updates on each device running Data Shield. This will not uninstall Outlook, but all PCs running Data Shield will block outgoing Outlook data whilst you resolve the malware issue.

ZORB Data Shield decides whether data is permitted to be transmitted via a Trust List on the ZORB cloud portal. The Trust List includes i) application names, ii) destination endpoints, iii) IP addresses and iv) communication ports. The list can be configured to any granularity desired.

If an application is NOT on the Trust List, even if the user manages to install the app, Data Shield will block the app from sending data. (In theory, you no longer need to configure admin-only installation permissions on a device, but we recommend you still do this as good practice.)

Should you then decide to roll out a business-approved cloud-storage application for your users, simply add it to the Trust List and Data Shield will no longer block data from it.

Also see “A select few users need to access a certain application” below.

As per “Stop users using unauthorised cloud storage” above, ZORB Data Shield decides if data is trusted via a Trust List of known applications. If an application is not on this list, any data it attempts to send will be blocked.

Multiple Trust Lists can be set up, one per user profile. So if Finance have an application that Sales should not be allowed to send data from, simply include the application in the Finance profile but not the Sales profile.

This is not intended to replace access privileges defined in other systems such as Active Directory. Instead, Data Shield provides a second line of defence: even if a Sales user manages to access the Finance app, they won't be able to send data from it.

“We’ve migrated all our applications to the cloud. We have no standalone applications on user devices. Users should connect to the cloud via the corporate VPN.”

Even though you have migrated everything to the cloud, can you be 100% sure that application data is going ONLY to legitimate cloud endpoints?

Data Shield allows several options. In the case where each cloud app has its own desktop application, Data Shield’s Trust List can be configured to include destination address ranges by application.

For example, only send Google Drive data that is destined for a Google-owned IP; otherwise block it. This prevents Google Drive data from leaking to other third-party cloud servers.

Alternatively, if you wish to retain destination control within the corporate infrastructure, remove all applications from the Trust List and add only the VPN and its known IP address range. This means that only application data sent over the VPN will be transmitted to the corporate HQ, whilst any data that attempts to leave outside the VPN is blocked.

“We host our own Outlook servers. We don't want Outlook data going to Microsoft.”

When you configure your company Trust List on ZORB’s cloud portal, you can allow certain endpoints per application. This is not dissimilar to configuring a firewall. Data Shield works on a DENY ALL basis: data is blocked unless it matches an entry on the allowed list:

1) Outlook, Microsoft – only transmits Outlook data destined for Microsoft-owned endpoints

2) Outlook, [Microsoft, Google, Amazon] – only sends Outlook data destined for Microsoft, Google or Amazon endpoints

3) Outlook, 192.168.1.6 – only sends Outlook data destined for an Outlook server on IP address 192.168.1.6

4) Outlook, Microsoft, 192.168.1.6 – only sends Outlook data destined for either an Outlook server on IP address 192.168.1.6 or a Microsoft endpoint

You can configure what you deem to be trusted data to a high level of granularity. If you have two Outlook servers, one running encrypted POP3 and one plaintext POP3, each entry names the server, the channel and its TCP port:

Outlook, 192.168.1.6, pop3, T995

Outlook, 192.168.1.7, pop3, T110

“Our hybrid workers should only send data over the corporate VPN, even for cloud-based applications.”

If your security policy insists that hybrid workers can only transmit data over the VPN, then remove all applications from the Trust List. Then add only the VPN and its known IP address range to the Trust List. This means that any application data attempting to bypass the VPN will be blocked.

Alternatively, if certain applications are allowed to connect directly to the cloud but all other data must go via VPN, then also add these applications and their known cloud domains to the Trust List.

Also, see “Outsourced all applications to the cloud” above.

Q. Can you be sure that all of your data is transmitted via the VPN? (Potentially not, due to a poor quality VPN, VPN misconfiguration, or malware adding a new route to the PC's routing table to bypass the VPN completely.)

Q. Can you be sure that your users are actually using the corporate VPN every time they connect?

Whilst we encourage VPN usage to enhance security, VPNs are not a silver bullet:

  • many data breaches are due to misconfigured VPN, such as VPN tunnelling
  • it is very simple to bypass a VPN
  • your user might choose not to start the VPN because MS Office apps run slowly over the VPN (despite all their security awareness training)
  • some data is harder to transmit over a VPN, such as email
  • some networks encourage users not to use the VPN, such as when trying to get an internet connection over train Wi-Fi

ZORB Data Shield provides notifications on VPN (mis)usage:

  • alerts if a user terminates their VPN after it has started
  • alerts on all and any traffic sent outside of the VPN

Data Shield does not block data from being sent outside of the VPN, but we do alert. The reason is that we deem this to be a VPN configuration issue, and we don't want to block data that you have decided can legitimately be sent outside of the VPN.

How can you be certain that updates are coming from a trusted source? ZORB Data Shield will only allow data to be sent from trusted applications to trusted destinations. Anything else is blocked.

Typically an update starts with the application requesting (pulling) the update from its vendor. This means we can ensure an update comes from a trusted source, e.g. configure Office updates to come only from Microsoft, Adobe updates to come only from Adobe, etc.

If malware requested a malicious Office update hosted on a non-Microsoft owned IP, the update request will be blocked.

ZORB Data Shield only permits outgoing data based on THREE criteria:

  • is the application sending this data authorised, known and trusted?
  • is the destination of the data to a known, trusted endpoint?
  • is the data being sent via a known, trusted channel?

It’s not unusual for some users to require access to a certain application that other users should not be allowed to access (see “A select few users need to access a certain application” above).

By default, Data Shield blocks data sent via covert channels such as FTP, SSH, RDP, Torrent, TOR, etc.

However, it is possible to configure different Trust Lists for different profiles of users.

Say your developers need to use SSH but other users must not. A Trust List can be created for the dev users that permits SSH at whichever granularity of trusted data you choose:

SSH, T22 – allows SSH traffic over TCP port 22

SSH, T22, U22222 – if your SSH is set up to use either TCP port 22 or UDP port 22222

SSH, T22, 8.8.8.8 – only sends SSH traffic on TCP port 22 to IP address 8.8.8.8
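As an added illustration (not ZORB's own code), the following Python models the DENY ALL Trust List semantics behind the Outlook entries above and the per-profile SSH entries just listed: an outgoing send is allowed only when an entry for that application also covers the destination, the port token (T995, U22222) and the channel label (pop3). The owner-to-address table, the channel label set and the documentation IP ranges are constructed assumptions standing in for the product's own endpoint resolution.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed owner-to-prefix table standing in for the product's own endpoint
# resolution; these are documentation ranges, not real Microsoft/Google allocations.
OWNER_PREFIXES = {"microsoft": ["203.0.113.0/24"], "google": ["198.51.100.0/24"]}
CHANNELS = {"pop3", "ssh"}  # assumed channel labels that may appear in an entry

@dataclass
class Rule:
    app: str
    endpoints: list = field(default_factory=list)  # owner names or literal IPs
    ports: list = field(default_factory=list)      # "T995", "U22222", ...
    channel: str = None                            # e.g. "pop3"

def parse_rule(entry):
    """Parse one Trust List entry such as 'Outlook, [Microsoft, Google], T995'."""
    tokens = [t.strip().lower() for t in re.sub(r"[\[\]]", "", entry).split(",")]
    rule = Rule(app=tokens[0])
    for tok in tokens[1:]:
        if re.fullmatch(r"[tu]\d+", tok):
            rule.ports.append(tok.upper())
        elif tok in CHANNELS:
            rule.channel = tok
        elif tok:
            rule.endpoints.append(tok)
    return rule

def endpoint_trusted(rule, dest_ip):
    if not rule.endpoints:
        return True  # the entry names no destination, so any endpoint is accepted
    addr = ipaddress.ip_address(dest_ip)
    for ep in rule.endpoints:
        try:
            nets = [ipaddress.ip_network(n) for n in OWNER_PREFIXES.get(ep, [ep])]
        except ValueError:
            continue  # neither a known owner nor an IP: DON'T KNOW, so not trusted
        if any(addr in n for n in nets):
            return True
    return False

def decide(trust_list, app, dest_ip, proto, port, channel=None):
    """DENY ALL unless one entry for this app trusts destination, port and channel."""
    port_tok = f"{proto.upper()}{port}"
    for r in trust_list:
        if (r.app == app.lower() and endpoint_trusted(r, dest_ip)
                and (not r.ports or port_tok in r.ports) and r.channel in (None, channel)):
            return True, f"allowed by Trust List entry for {r.app}"
    return False, "blocked: no Trust List entry covers this app, endpoint, port and channel"
```

The renamed-malware case from earlier on the page falls out naturally: an application calling itself Outlook that sends to an address outside the Microsoft ranges matches no entry and is blocked, while a Sales profile with no SSH entry blocks SSH entirely.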

“We allow hybrid working, but are concerned about the lack of visibility and risk on remote/home networks.”

ZORB Data Shield has the option to transmit a copy of user traffic to a SIEM. However, this could result in a huge volume of traffic if each remote worker were to transmit a copy of all their incoming and outgoing traffic.

Data Shield will filter this traffic and only transmit the sections of a data packet that are useful for security analysis, thereby reducing traffic uploaded to a SIEM by 95%.

Sending traffic to a SIEM is an optional configuration, and priced separately. If network traffic would provide you with useful telemetry for threat hunting, contact us at info@zorbsecurity.com.