F-secure Security Cloud Purpose, Function And Benefits


F-SECURE SECURITY CLOUD: PURPOSE, FUNCTION AND BENEFITS
F-Secure Labs Whitepaper, 10/2021

CONTENTS
F-Secure Security Cloud in brief
The benefits of the Security Cloud
How does the Security Cloud work?
Security and privacy
About F-Secure

F-SECURE SECURITY CLOUD IN BRIEF

The F-Secure Security Cloud (later: Security Cloud) is a cloud-based system for cyber threat analysis, designed, developed, and operated by F-Secure Corporation. At its core, the Security Cloud is a constantly evolving repository of malware and other cyber threat-related data. Millions of endpoint clients, cloud-based systems, and internet-connected smart devices provide us with data to be analyzed. We then refine the data further with threat intelligence algorithms, artificial intelligence, and the latest developments in machine learning. This deep analysis is carried out with the greatest respect for privacy and anonymity.

Every device that utilizes the Security Cloud benefits reciprocally from this data. The Security Cloud is comprised of multiple components, each offering different benefits. These components are used in a multitude of products, from endpoint clients to products protecting cloud-based systems. For example, threats that mobile devices encounter might produce data and insights that contribute to protecting the corporate networks of Fortune 500 companies, and vice versa. As the Security Cloud relies on data gathered from user devices to provide the service, F-Secure ensures that data protection and privacy policies are strictly upheld. Data collected from users is anonymized and no personally identifiable or other sensitive information is gathered. You can find more information about our data protection and privacy policies in the Security Cloud Privacy Policy.

[Sidebar: Annual Best Protection Awards, independent testing by AV-TEST: "7 out of the last 10 years"]

The Security Cloud is a constantly evolving system. For this reason, the information in this document, including features and metrics, is subject to change. We update this document whenever major changes are made to the system. You can find the latest version of this document on the F-Secure website.

F-Secure Security Cloud Whitepaper, p. 3

THE BENEFITS OF THE SECURITY CLOUD

Threat data from swarm attacks forms a real-time protective network globally

New online threats are emerging all the time, and any user or company may encounter a new threat at any time. With a Security Cloud-enabled product, threat data goes directly to the Security Cloud; this includes the results of local analysis, behavioral and other metadata, as well as samples of files and web addresses. This data is further improved when other users encounter the same or similar threats, which makes it possible to create more effective, generic detections that protect against previously unseen but similar threats. All users of Security Cloud-enabled products subsequently benefit from this data and receive protection faster and more accurately. The Security Cloud forms an extensive protective network that grows more intelligent over time as more and more data feeds into the network and gets analyzed.

A winning combination of cloud analysis, human intelligence, and offline malware engines

Traditional cyber security products rely mainly on malware analysis engines installed locally on the device. Our latest product offerings combine traditional approaches to local analysis with real-time analysis in the Security Cloud. The Security Cloud utilizes advanced technology and data that is unavailable to products locally, because of the computing resources required to perform machine learning on big datasets and dynamic analysis. This technology provides up-to-date information about new threats before they have been incorporated into commonly used threat databases.

Since F-Secure partners with numerous Fortune 500 companies, our consultants have the unique advantage of gaining access to the very cutting edge of malware when it is used, unsuccessfully, against our customers. This data is also fed into the Security Cloud, further increasing its value to other companies and users.

Strong protection with a light footprint for mobile devices

We understand that users are very sensitive to any negative effects that protection has on their devices. This is why mobile protection needs to be battery-efficient without sacrificing the quality of protection. The Security Cloud can operate as the sole engine for lightweight products, which only require users to give their consent when uploading certain files for analysis. Only a fraction of the files from users are uploaded, as in most cases the safety of a file can be determined from existing data. This behavior is resource-saving and optimal for mobile devices.

Strong protection for IoT devices

IoT devices in the home network can be protected with security software embedded on the router, providing browsing protection, tracking protection, botnet protection, and smart home security, all provided by the Security Cloud. Smart home security blocks malicious or compromised connections to and from smart home or IoT devices based on URL or host name reputation. Tracking protection prevents tracking sites from following surfing habits and collecting data about users. Botnet protection blocks traffic from compromised devices to an attacker's command and control server, adding another layer of detailed information about an infection. In addition, IoT devices can be protected with more advanced features such as advanced smart home security, which blocks traffic from smart home or IoT devices when behavioral analysis of their network activity detects anomalies.

The Security Cloud saves on resources

Less computing power required

Security Cloud-enabled products can offload computationally heavy analysis tasks to the Security Cloud. This saves resources, and thus battery life, which is crucial on mobile devices and in other restricted environments, such as integrated cloud services, where heavy local malware analysis is not possible.

Less device storage needed

The Security Cloud allows users to protect themselves without analysis engines taking up space on their local devices. This type of solution is ideal for devices where storage space is scarce, such as mobile devices, appliances, and tablets.

Bandwidth saved

The Security Cloud saves significant amounts of bandwidth by reducing or eliminating the need to update definition databases on the local device. Products with local engines need to update their definition databases frequently to have the latest information available.

Faster detection speed

Products with local engines receive periodic updates to their definition databases. However, the frequency at which these updates arrive cannot be compared to the reaction speed of cloud-based systems. Because the Security Cloud relies on a cloud-based reputation database, new detections are instantly available to all clients using the Security Cloud services.

Tracking malware behavior globally allows timely and precise mitigation of the impacts of malware

Real-time, global threat maps help us conduct timely and precise malware mitigation. With every client that communicates with the Security Cloud, we gain a granular, real-time view of how malware is distributed across the world, down to individual neighborhoods and devices. We can act quickly and perform targeted countermeasures with our partners, without compromising the privacy of our users or the operations of business customers.

Multiple independent analysis methods ensure reliable analysis and reduce false positives

The Security Cloud includes a comprehensive archive of files and web addresses. This collection is updated by several independently sourced sample feeds. Malicious and suspicious files uploaded for analysis by users of Security Cloud-enabled products form a part of this collection. A limited collection of common clean files is also included. The Security Cloud makes its final assessment based on multiple independent data sources and methods for dynamic and static analysis. This makes it robust and less vulnerable to false positives than an anti-malware solution from a single source. The Security Cloud also periodically reanalyzes frequently encountered samples using the latest information available, to ensure continued accuracy.

Advanced analysis for collaboration protection

Products that provide cloud-based collaboration protection for corporate customers rely heavily on the Security Cloud to carry out multi-stage analysis of content. The analysis is a layered process that is triggered by the suspiciousness of the content, such as an email or calendar invite in the Microsoft Office 365 environment. Suspicious or unknown files are subjected to deeper analysis with our cloud sandboxing technology, designed to prevent zero-day malware attacks and other advanced threats. The cloud sandbox runs the file to analyze its behavior. By focusing analysis on malicious behavior rather than static identifiers, the cloud sandbox can identify and block even sophisticated zero-day malware and exploits.

Added flexibility

The Security Cloud provides a range of independent services, and different products employ different sets of these services. This allows F-Secure to maintain a comprehensive portfolio of varying products on different operating systems that all benefit from cloud threat intelligence. Furthermore, the Security Cloud is continuously enhanced by technologies that include the latest malware analysis. The improved protection capabilities of the Security Cloud become available immediately to all Security Cloud-enabled products without the need for client upgrades or user actions.

HOW DOES THE SECURITY CLOUD WORK?

Overview

The Security Cloud is an online service that protects customer devices; that is, computers, mobile devices, routers, and other internet-connected devices that are present in people's homes and offices today. The figure below provides an overview of the Security Cloud's key functions.

[Figure: overview of the Security Cloud. Labels in the figure: Protected devices; Security Cloud clients; Frontend servers (Access control, Security, Load management, Caching); Reputation services (Reputation database, Network protection services); File analysis services (Sample reception, Sample archive, Sandboxing); Automated analysis (Machine learning, Sandboxing, Static analysis, Sample archive).]

The Security Cloud on the client side

The Security Cloud provides various services that individual security components on the client side can connect to. These client-side components are developed by F-Secure. Products using the Security Cloud are mainly developed by F-Secure, but some third parties may have an agreement with F-Secure to utilize one or more of these services in their own products and services.

Reputation services

One of the core components of the Security Cloud is F-Secure Karma, the object reputation service, which assesses the safety of objects, thus avoiding the need for deeper analysis. Karma enables clients to query the reputation of computer networks, files, and web addresses. Files are checked by calculating their cryptographic hash and sending it to the reputation service. Web addresses are anonymized before they are sent to the reputation service.

As site categorization is included for web addresses, the content of a website can be identified. This allows for enhanced online banking security and parental controls, for example. The Security Cloud may request additional metadata or a sample of previously unseen content for further analysis. Clients respond to such requests according to their user preferences and privacy policies.

Sample analysis services

Lightweight products rely mainly on F-Secure Mind for malware analysis. Mind, the Security Cloud's sample analysis service, works in conjunction with the reputation service Karma. If the reputation of a file is previously unknown, the client may be asked to upload sample-related metadata to the Security Cloud for analysis. The results of that analysis may cause the sample to be flagged as suspicious and to be uploaded for further processing. Once the potentially heavy analysis, including behavioral analysis, is done, every Security Cloud client subsequently benefits from the result without having to wait for it.

Systems for malware analysis

Today's rapidly developing threat landscape requires a highly automated approach to malware analysis. Files and web addresses classified as suspicious are received from many sources and go through multi-layered analysis. This includes, but is not limited to, metadata analysis, structural analysis, statistical analysis, and behavioral monitoring. For example, software executables can be both statically analyzed for malicious patterns and executed in isolated sandboxes where their real behavior can be tracked for suspicious activity. The Security Cloud's algorithms examine sample metadata and analysis results, and either perform further analysis or classify the object as clean or malicious. Rare unclear cases can be flagged for manual inspection and may be examined by human experts for research purposes.

Sample archive

F-Secure's sample archive contains files that the Security Cloud has received from a variety of sources. Both malicious and suspicious files may be present in this collection. Malicious files are generally archived permanently, whereas suspicious files are removed once they are not deemed malicious. A collection of highly common clean files is also maintained. Clean files from customer devices are not stored permanently.

SOME METRICS FROM THE SECURITY CLOUD (figures for the year 2020)

The Security Cloud is a critical component that most devices protected by F-Secure technology use. The figures below depict the volumes that the Security Cloud processes.

Approximate number of queries per day received by the Security Cloud services: 2 billion
Approximate number of unique samples received per day by the Security Cloud: 400 000
Files and web addresses blocked: 2%
Analysis results given within 100 ms: 99%
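The reputation query and staged escalation described under "Reputation services" and "Sample analysis services" (hash lookup first, metadata on an unknown file, a sample upload only when the metadata looks suspicious, and a published verdict that spares every later client the wait) can be modelled end to end. The following is an added example written for this page, not F-Secure's code: the names Karma and Mind come from the whitepaper, but the message shapes, verdict labels, the string-matching stand-ins for real analysis, and the constructed sample files are all assumptions.

```python
"""Hash-based reputation lookup with staged escalation to sample analysis.

Added example, not F-Secure code. The service names Karma (reputation) and
Mind (sample analysis) follow the whitepaper; the message shapes, the verdict
labels, the string-based "analysis" heuristics and the sample files are all
assumptions made for illustration (a real backend would run machine learning,
static analysis and sandboxing instead of substring checks).
"""
import hashlib
from dataclasses import dataclass, field

CLEAN, MALICIOUS, SUSPICIOUS, UNKNOWN = "clean", "malicious", "suspicious", "unknown"

# Assumption: API names whose presence in an executable's strings is treated as
# suspicious enough to warrant requesting the whole sample.
SUSPICIOUS_APIS = ("CreateRemoteThread", "WriteProcessMemory")


def file_hash(data: bytes) -> str:
    """Clients only send a cryptographic hash of a file on the first query."""
    return hashlib.sha256(data).hexdigest()


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Printable ASCII runs: the kind of lightweight metadata a client can compute."""
    out, run = [], bytearray()
    for b in data + b"\x00":          # trailing NUL flushes the last run
        if 32 <= b < 127:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out


@dataclass
class SecurityCloud:
    """Simulated backend: Karma reputation database plus Mind sample analysis."""
    reputation: dict[str, str] = field(default_factory=dict)  # hash -> verdict
    archive: dict[str, bytes] = field(default_factory=dict)   # hash -> file (malicious only)
    sample_requests: list[str] = field(default_factory=list)   # hashes escalated to upload

    def karma_query(self, h: str) -> str:
        return self.reputation.get(h, UNKNOWN)

    def mind_metadata(self, h: str, metadata: dict) -> str:
        """Stage 1: decide from metadata alone whether the sample is worth uploading."""
        if any(api in s for s in metadata["strings"] for api in SUSPICIOUS_APIS):
            self.sample_requests.append(h)
            return SUSPICIOUS
        self.reputation[h] = CLEAN      # verdict is shared; the clean file itself is never stored
        return CLEAN

    def mind_sample(self, h: str, data: bytes) -> str:
        """Stage 2: heavy analysis on the uploaded sample; result published to all clients."""
        verdict = MALICIOUS if any(api.encode() in data for api in SUSPICIOUS_APIS) else CLEAN
        self.reputation[h] = verdict
        if verdict == MALICIOUS:
            self.archive[h] = data      # malicious samples are archived; suspicious-but-clean ones are not
        return verdict


@dataclass
class Client:
    """Security Cloud-enabled client with a local verdict cache and a consent flag."""
    cloud: SecurityCloud
    upload_consent: bool = True
    cache: dict[str, str] = field(default_factory=dict)
    uploads: list[str] = field(default_factory=list)

    def scan(self, data: bytes) -> str:
        h = file_hash(data)
        if h in self.cache:
            return self.cache[h]
        verdict = self.cloud.karma_query(h)
        if verdict == UNKNOWN:
            metadata = {"size": len(data), "strings": extract_strings(data)}
            verdict = self.cloud.mind_metadata(h, metadata)
            if verdict == SUSPICIOUS and self.upload_consent:
                self.uploads.append(h)
                verdict = self.cloud.mind_sample(h, data)
            # without consent the file stays "suspicious" locally and no sample leaves the device
        if verdict in (CLEAN, MALICIOUS):
            self.cache[h] = verdict
        return verdict


def fake_exe(marker: bytes) -> bytes:
    """Constructed sample 'executable' (not real malware): MZ header, padding, one marker string."""
    return b"MZ" + b"\x00" * 60 + marker


def demo() -> dict:
    cloud = SecurityCloud(reputation={file_hash(fake_exe(b"known good")): CLEAN})
    first, second, no_consent = Client(cloud), Client(cloud), Client(cloud, upload_consent=False)
    new_bad, new_good = fake_exe(b"calls CreateRemoteThread"), fake_exe(b"just a calculator")
    return {
        "known_clean": first.scan(fake_exe(b"known good")),   # hash hit, nothing uploaded
        "new_bad_first": first.scan(new_bad),                 # unknown -> metadata -> sample -> malicious
        "new_bad_second": second.scan(new_bad),               # verdict already published, no upload
        "new_good": first.scan(new_good),                     # unknown -> metadata -> clean, no upload
        "no_consent": no_consent.scan(fake_exe(b"WriteProcessMemory here")),
        "uploads_first": list(first.uploads),
        "uploads_second": list(second.uploads),
        "archived": list(cloud.archive),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to notice is where data leaves the device: the first client sends a hash, then strings, then the file, while the second client sees the same file and sends only the hash, and the client without upload consent never sends more than metadata. The "size" field in the metadata is carried along only to show the shape of such a record; the stand-in heuristic does not use it.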

SECURITY AND PRIVACY

Privacy principles

Our services house a massive collection of malicious software that could be harmful if exposed. We therefore apply strict security practices when dealing with any data collected from client devices. All data is anonymized on the client before transmission to the Security Cloud. Data that could be used to determine the identity of a device or the user of a device is never collected. All network traffic between clients and the Security Cloud is always encrypted.

Privacy is one of F-Secure's core values for all development and operations of the Security Cloud. We only ever collect the minimal amount of data required for providing the service. Our principle is that every transferred bit must be justifiable from a threat-fighting perspective, and data is never collected for presumed future needs. The following table documents our privacy principles in full detail.

PRIVACY PRINCIPLES

We minimize the upstream of technical data
Data about customer devices is not collected and transferred unless the data is essential for providing the protection service.

We do not upstream personal data
The system is designed not to send any information that can identify a person using a device that communicates with the Security Cloud. Such data is not needed for the operation of the Security Cloud. Security Cloud-enabled clients use several algorithms to prevent private data from being transmitted and to filter such data out of web addresses and file paths, for example.

We use anonymous identifiers
Clients generate unique anonymous identifiers that cannot be tied to the identity of the user, license owner, or device owner. These identifiers are used when repeated connections from the same device need to be tracked.

We prevent the consolidation of backend data
Clients use several different unique anonymous identifiers for different connections to the Security Cloud. This makes it impossible for F-Secure to profile users by comparing user identifiers from different systems.

We never store IP addresses
Customers' IP addresses are never stored.

We do not trust the network
All network transfers are encrypted using strong encryption methods.
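Three of the principles above (filtering private data out of web addresses and file paths, anonymous identifiers that cannot be tied to a user or license, and separate identifiers per connection so that backend records cannot be joined) are concrete enough to show in code. The following is an added example written for this page, not F-Secure's implementation: the whitepaper does not describe its real algorithms, so the fields removed, the HMAC-based identifier construction, and the sample inputs are all assumptions.

```python
"""Client-side privacy filtering before anything is sent to the Security Cloud.

Added example, not F-Secure code. It illustrates three of the whitepaper's
privacy principles: stripping private data out of web addresses and file paths,
generating anonymous identifiers that cannot be tied to a user or license, and
using a different identifier per backend service so backend records cannot be
joined. The exact fields removed, the HMAC construction and the sample inputs
are assumptions; the whitepaper does not describe the real algorithms.
"""
import hashlib
import hmac
import os
import re
from urllib.parse import urlsplit, urlunsplit


def anonymize_url(url: str) -> str:
    """Keep scheme, host and path (enough for reputation and site categorization);
    drop userinfo, port, query string and fragment, which commonly carry
    credentials, session tokens or search terms. Long digit runs in the path are
    masked because they are often account or order identifiers (assumption)."""
    p = urlsplit(url)
    path = re.sub(r"\d{6,}", "<num>", p.path)
    return urlunsplit((p.scheme, p.hostname or "", path, "", ""))


def anonymize_path(path: str) -> str:
    """Replace the user-specific part of a Windows or POSIX file path with a placeholder."""
    path = re.sub(r"^([A-Za-z]:\\Users\\)[^\\]+", r"\1<user>", path, flags=re.IGNORECASE)
    path = re.sub(r"^(/(?:home|Users)/)[^/]+", r"\1<user>", path)
    return path


def new_device_secret() -> bytes:
    """Random secret created at install time and kept only on the device.
    It is not derived from the license, hardware serial or user account,
    so nothing the backend holds can be used to recompute it."""
    return os.urandom(32)


def service_identifier(device_secret: bytes, service: str) -> str:
    """Stable per-service identifier: the same device always presents the same
    value to one service (so repeated connections can be tracked), but the
    values presented to different services are unrelated unless one holds the
    device secret, which never leaves the device."""
    return hmac.new(device_secret, service.encode(), hashlib.sha256).hexdigest()


def build_event(device_secret: bytes, service: str, url: str, path: str) -> dict:
    """Assemble the outbound record with every field already filtered."""
    return {
        "client_id": service_identifier(device_secret, service),
        "url": anonymize_url(url),
        "path": anonymize_path(path),
    }


if __name__ == "__main__":
    secret = new_device_secret()
    # Constructed inputs containing the kinds of private data that must not be sent.
    print(build_event(secret, "karma",
                      "https://alice:hunter2@shop.example.com:8443/orders/1234567?session=abc#top",
                      r"C:\Users\Alice Smith\Downloads\invoice.exe"))
    print(build_event(secret, "mind", "https://example.org/", "/home/bob/.cache/tool.bin"))
```

Run stand-alone, the two printed records carry no username, password, session token or account number, and their `client_id` values differ even though they come from the same device. The design choice worth copying is that unlinkability rests on the device secret staying on the device: a backend that only ever sees HMAC outputs for different service labels cannot join them without that key.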

SECURITY PRINCIPLES

Secure by design
A system is never secure unless it has been designed to be secure, and we believe making a system secure as an afterthought is next to impossible. Having security as a core driver in the design process means we never have to sacrifice security for functionality.

Data encryption
Data is always encrypted at rest and in transit using strong encryption methods.

Separated malware environments
Storing and analyzing malicious software is a challenging task in which we have over 30 years of experience. All malware handling is performed in networks separated from the internet and other F-Secure networks. Storage and analysis networks are isolated from each other, and files are transferred between them using strictly controlled methods.

Professional monitoring
All critical systems in the Security Cloud are monitored by F-Secure personnel. All systems storing or analyzing malware are operated by F-Secure and trusted partners.

Limited access
Only a limited number of F-Secure employees have access to the Security Cloud's critical systems. Such access is granted, revoked, and audited according to a documented and controlled process.

An open attitude
The most fundamental principle in all security work is an open and humble attitude. We have put considerable effort into making the Security Cloud as secure as possible, and this work is a continuous process. A secure system can only be maintained by promoting an open attitude where problems in the system are reported, analyzed, and fixed promptly. This attitude includes transparency if we encounter incidents jeopardizing customer security. F-Secure encourages anyone who encounters security issues to get in touch, and we run a bug bounty program to reward such activity.

ABOUT F-SECURE

Nobody has better visibility into real-life cyber attacks than F-Secure. We're closing the gap between detection and response, utilizing the unmatched threat intelligence of hundreds of our industry's best technical consultants, millions of devices running our award-winning software, and ceaseless innovations in artificial intelligence. Top banks, airlines, and enterprises trust our commitment to beating the world's most potent threats.

Together with our network of the top channel partners and over 200 service providers, we're on a mission to make sure everyone has the enterprise-grade cyber security we all need. Founded in 1988, F-Secure is listed on the NASDAQ OMX Helsinki Ltd.

f-secure.com/business | twitter.com/fsecure | linkedin.com/f-secure
