TAG Blog Series 1 – How ADX Supports and Implements Policy

Dr. EDWARD AMOROSO, FOUNDER & CEO, TAG

This series of blogs developed by TAG Infosphere highlights a powerful new cybersecurity solution known as Anti Data Exfiltration (ADX) which provides on-device data security and threat protection. Commercial vendor BlackFog pioneered ADX which is shown to effectively stop cyberattacks such as ransomware, spyware, malware, and phishing.

It is now well-known by organizations of all sizes and across all sectors that ransomware prevention and data exfiltration prevention have emerged as primary objectives for leadership. The problem is that despite such recognition and attention from cybersecurity teams, breach incidents continue to occur. The City of Dallas, for example, recently reported paying millions after a ransomware attack in May 2023.

Furthermore, the loss of data in the enterprise continues to be a nagging cybersecurity problem, one that has been subjected to literally decades of attention, mostly with only modest improvement. In 2023, for example, IBM, Deloitte, PwC, and EY were all victims of a data extortion exploit, related to the MOVEit exploit that hit the industry, driven by a Russian-speaking group called Clop.

In this series of blogs (eBook), we focus on a preventative method known as Anti Data Exfiltration (ADX) that exhibits many important cybersecurity principles for organizations. Pioneered by commercial vendor BlackFog, ADX involves an on-device means for addressing data security, privacy, and ransomware prevention. We will show how ADX complements existing controls, while effectively mitigating threats that can lead to high response cost.

The blogs (sections below) will cover the salient aspects of ADX with the goal of helping security practitioners to understand how the method – and how the BlackFog solution, in particular – can be used to reduce cyber risk. The good news is that in addition to addressing ransomware risk, ADX is also highly effective in reducing the likelihood of successful spyware, malware, phishing, unauthorized data collection, and profiling attacks.

Our hope is that by introducing you to ADX, you will take steps to begin reviewing how this data security method complements or perhaps even replaces your existing endpoint protection. Most of the deployments we’ve seen utilize ADX to make existing solutions such as endpoint detection and response (EDR) better. As the solution evolves, however, it is possible that ADX will become the preferred security approach for devices that can accept agents.

It would be tough to find any business leader, IT practitioner, or cybersecurity expert today who would not identify ransomware as a particularly difficult challenge. Despite many years of industry attempts by vendors and practitioners to reduce the risks of data security and ransomware, organizations around the world continue to experience negative impact, and in particular, the unauthorized loss of data from targeted devices.

In this blog (first section), we address the challenge of data loss in the enterprise, and we explain how a paradigm shift toward the prevention of data exfiltration on the device is an excellent means for taking a positive shift-left step. The commercial solution from BlackFog serves as the practical backdrop to our discussion, illustrating how ADX can be deployed into a live production environment.

Enterprise security teams today generally collect data across their systems and infrastructure to detect whether policy violations or data leakage have occurred – a process typically done after the fact. Such an approach is the basis of most endpoint detection and response (EDR) programs, as well as extended detection and response (XDR) solutions. This reactive approach is often referred to as a shift- right solution.

Emphasis on detection and response implies that something bad has happened and that the security team must spring into action to contain any potential consequences. Much of this paradigm is driven by the view that adversaries (such as nation-states) are so capable that enterprise security teams are defenseless against these attacks. While breaches continue to occur, our view is that preventive steps can, and should be taken.

With the traditional detect-and-response approach, enterprise security teams must sift through large data lakes, often using tedious, manual processes, to identify whether something has occurred. The potential for false positives leading to unnecessary response activity is typically high, and most security teams try to address this challenge by adding more tools or technology to the response ecosystem. This has led to a situation where many organizations now have more than 20 products in place.

The motivation for Anti Data Exfiltration (ADX) is that a more proactive approach that focuses on stopping data leakage from occurring in the first place can be taken. Security practitioners would view this philosophy in the context of a so-called shift-left, and the security benefits of preventing security issues from occurring should be obvious. ADX takes this concept to the device level with focus on data security.

ADX seeks to complement existing detection and response methods by preventing unauthorized data from leaving devices such as PCs, laptops, and mobiles. The approach can co-exist with intrusion signature, behavioral analytic, and deep learning solutions that use models to reduce data risk. ADX uses AI-based behavioral and intent analysis to ensure that unauthorized data is not exfiltrated from the device.

Note that there is nothing about ADX that would lead an enterprise team to step away from its detection and response methods. In fact, it is both a complementary tool to existing methods and a preventive control fundamental to frameworks such as the NIST Cybersecurity Framework (CSF).

ADX is not just a theory but has been implemented into a commercial solution from BlackFog. With locations in the US and UK, BlackFog supports enterprise customers today, many of whom have EDR or related protections installed on their laptops, PCs, and other devices such as Chromebooks. The result is a combined solution that reduces the likelihood that data can be exfiltrated from the enterprise.

While BlackFog is particularly useful in preventing data loss, it also mitigates the risk of ransomware, including cases where ransoms are accompanied by data theft and extortion. The AI based technology in the BlackFog platform monitors, detects, and prevents any unwanted or unauthorized communications between endpoints and any suspicious third-party servers.

At TAG, we are supportive of efforts by vendors and practitioners to shift their defense-based protections toward a more preventive approach. The goal is for defenders to begin catching up on the massive advantage that attackers have had for years. We like the idea of preventing data leakage on the actual device. Readers are advised to spend the time to take a closer look at this approach.

Click here for more information on the specifics and technical details regarding BlackFog’s implementation of ADX.

The implementation of any vendor-provided solution, including Anti Data Exfiltration (ADX) becomes a reality for enterprise teams in the context of establishing policy. When done properly, policy definition incorporates business objectives, perceived threats, and deployed systems and infrastructure into a set of assertions that guide any strategic or tactical security decision-making.

In this article, we address some of the policy decision options that are available to enterprise teams deploying ADX – and, in particular, the commercial solution from cybersecurity vendor BlackFog. Our objective here is to help practitioners move more closely to deployment of a shift-left preventive solution that addresses the risk of data exfiltration on the device in a proactive manner.

The types of policies that require attention in the context of any ADX deployment include various practical controls that should be selected based on an understanding of the threat being addressed. For example, organizations with particularly sensitive data such as national security teams will have more urgent need to deploy ADX to their deployed devices than an organization with a much less intense threat.

The first policy area in which teams must consider their deployed options involves the technique known as geofencing. This method involves managing data sharing, usage, and security based on the physical location of individuals and groups. Geopolitical concerns often have a direct impact on the policies established by organizations, so legal teams generally work with security teams on establishing appropriate geo-policies.

A second area where policy decisions must be made in the context of ADX involves controls to prevent unauthorized data collection. This is the essence of data security policy in that it demands clear definition of the goals of collecting data and how it is done in a manner that is respectful of data privacy concerns, as well as avoidance of unwanted aggregation for the purpose of data science.

A related area for policy decision-making in ADX involves avoidance of unauthorized profiling, which could occur in environments that might be particularly eager to identify threat patterns. The policies associated with profiling in the context of data security will also be driven by many different factors. ADX deployments should only occur with vendors (such as BlackFog) that are respectful of security and privacy in all algorithmic implementations.

A fourth policy decision that is required in the context of ADX involves the manner in which user behavior is anonymized. This is important because data security on the device can involve activity that could be commercially, or even personally sensitive. As such, employees and others being protected with ADX need to understand that their activity is properly anonymized to protect their identity.

Finally, a fifth policy decision that is required to support proper ADX security involves how a security team will address the risks of remote work. Everyone knows that the user’s endpoint device is now the most important aspect of modern work since it travels with the employee regardless of physical location. As such, ADX is well-suited to protecting remote work in the context of localized networking.

As suggested above, implementing ADX at the device level is especially attractive, because it moves the security controls closer to the asset being protected. This is an important design paradigm that originated in the early days of information security. Additional design heuristics that are important in the design of ADX and in the BlackFog implementation, in particular, include the areas discuss below.

Security engineers understand the value of designing systems that minimize the data that must be collected to make cyber prevention decisions. This is especially true for device-resident controls where the logistics of the local computing environment could be constrained and where large volumes of data could cause a problem. Privacy issues can also emerge if the security design is not optimized for the volume of data collected.

Ensuring that a given device control such as ADX covers all types of deployed endpoints is critically important to avoid architectural gaps in coverage. This is particularly important in cybersecurity where malicious actors often target devices or assets where the controls are weakest. This follows the familiar aphorism that a chain is only as strong as its weakest link – hence, the need to provide ADX support for every type of endpoint.

As one might expect, threat mitigation should always be the number one priority in the deployment of any security solution – and that is true for both ADX in general and the BlackFog solution in particular. That said, the practical obligation does emerge for enterprise security teams to provide compliance support for data security requirements. We have found ADX to provide especially useful assistance in meeting the compliance issues listed below.

The need to create evidentiary data to meet obligations for privacy frameworks such as the General Data Protection Regulation (GDPR) in the European Union (and elsewhere) and PCI DSS, has promoted many enterprise teams to fundamentally rethink their data security approach. We have found ADX to be an effective means for demonstrating a mandatory control that can protect user privacy and to meet stringent compliance requirements.

Just as with privacy regulations, the need to maintain on-going and continuous support for compliance in the area of data protection comes from a variety of different initiatives. These can include the need to show consistency with frameworks such as the NIST Cybersecurity Framework (CSF) or to meet data security requirements levied on suppliers as part of a buyer’s third party risk management (TPRM) program.

Click here for more information on the specifics and technical details of how BlackFog helps enterprise teams implement and enforce security policies using ADX.

BlackFog is the leader in on-device data privacy, data security and ransomware prevention. Its behavioral analysis and anti data exfiltration (ADX) technology stops hackers before they even get started. The company’s cyberthreat prevention software prevents ransomware, spyware, malware, phishing, unauthorized data collection and profiling and mitigates the risks associated with data breaches and insider threats. BlackFog blocks threats across mobile and desktop endpoints, protecting organizations data and privacy, and strengthening regulatory compliance.

TAG is a trusted next generation research and advisory company that utilizes an AI-powered SaaS platform to provide on demand insights, guidance, and recommendations to enterprise teams, government agencies, and commercial vendors in cybersecurity, artificial intelligence, and climate science.

Copyright © 2024 TAG Infosphere, Inc. This report may not be reproduced, distributed, or shared without TAG Infosphere’s written permission. The material in this report is comprised of the opinions of the TAG Infosphere analysts and is not to be interpreted as consisting of factual assertions. All warranties regarding the correctness, usefulness, accuracy, or completeness of this report are disclaimed herein.