Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:30 AM
Doug Clare
Doug Clare
Connect Directly
E-Mail vvv

Encryption Has Its Place But It Isn’t Foolproof

Most encrypted data is unencrypted at some point in its lifecycle -- and the bad guys are pretty good at finding the one window left open.

Last year, an uncovered Snowden document from the US National Intelligence Council warned that the slow deployment of encryption and other technologies is putting government and private computers at risk of cyber attacks. The annual cost of cybercrime to the global economy is estimated at over $400 billion. Encryption is viewed by many experts as the go-to security technology, but data breaches and other attacks continue to rise despite advances in encryption.

Arguing against encryption would be a bit like arguing against locks on doors. Strong encryption is a basic defense against the damage that might flow from a successful attack on information infrastructure. Encryption technology is improving, as are best practices in deploying it; and everyone should embrace these improvements. But encryption alone is not enough, and may induce a false sense of security among those who depend on it. 

Sticking with the locks-on-doors analogy, rational people may also install an alarm system on their doors and windows. At my house, I have deadbolt locks on my doors. I also have an alarm system that warns me if a door or window is opened -- regardless of the time. The locks on my doors and windows serve to protect me from intrusion but I know these systems fail for a variety of reasons. Perhaps I’ve forgotten to lock a window. Perhaps one of my kids decides to sneak out for a rendezvous with friends. Or perhaps someone has actually broken a lock in an attempt to enter. My alarm system alerts me and provides me an opportunity to respond.  

[COUNTERPOINT: As Good As They're Getting, Analytics Don't Inherently Protect Data, by Scott Petry, Co-Founder and CEO, Authentic8]

A similar analogy can be drawn from home security to national security. Regardless of your political leanings, the features of a strong defense are well understood – secure borders, big guns, and various “walls and moats” strategies. But governments have deployed layered defenses for millennia, which include both physical defenses and intelligence assets that warn them of threats. Spies, intelligence services, and counter-intelligence are all indispensable, integrated components of national security. Their mission is to detect and counteract threats that aren’t necessarily subject to the controls of strong basic defenses. 

Encryption, while not a physical defense, is much like other basic defense mechanisms that serve to block access to items of value. Like other basic defenses, encryption is not foolproof. It can be evaded and undermined, and it can be prone to errors in deployment; encryption keys can be lost, stolen, or inadvertently exposed. Perhaps even more likely is a situation where we believe we’ve encrypted everything, when in fact we’ve encrypted almost everything. Most encrypted data is unencrypted at some point in its usage lifecycle. The bad guys are pretty good at finding the one window left open.  

Analytics are to encryption what intelligence services are to military defenses. The increasing number, variety, speed, and severity of cyber attacks necessitate a dynamic cyber intelligence posture. In the past, cybersecurity analytics were focused on gathering data about compromises, developing threat “signatures,” and using those signatures to protect against future threats, all comprising another form of defense that served to block an attacker.  

Identifying threats in real time

Advanced detection analytics, by contrast, identify emerging threats by recognizing anomalous patterns in real time. Many of these techniques have commercial and technical roots in high-volume network assurance applications (e.g., telecommunications) as well as financial fraud detection (e.g., banks and insurance). While many firms label their signature-based detection methods as “analytics," the analytics are largely static and built to block known threats and therefore fall into the category of basic defenses.

What differentiates the emerging field of detection analytics from these basic defenses (including physical security, firewalls, encryption, and signature-based detection methods) is that advanced detection analytics are focused on finding anything unusual or threatening that gets by your basic defenses. And since we brought Snowden into this already, let’s include those threats that emerge from the inside.  

Big data stores and emerging forensic tools can be a critical aid in unwinding complex attacks and data exfiltration schemes. But at the forefront of cyber threat detection analytics are real-time streaming analytics applied to data flow within the network, and the profiling of entities (e.g., sensors, devices, servers, routers, and human actors) engaged in network communications. With the help of machine learning, organizations can harvest actionable behavioral analytic insights from huge streams of data traffic in two ways:

  • Self-calibrating models constantly recalibrate traffic behavior of monitored entities, and score anomalies for the extent of their deviation from the norm.
  • Self-learning analytics improve with each resolved alert, serving to systematically automate the insights of human security analysts as they work cases.

Building an ever-clearer picture of the typical behavior of individual entities, these two approaches enable streaming analytics to better identify threats. They also help minimize false positives – a huge problem as many large organizations are currently sorting through hundreds of thousands of alerts each day. And most importantly, these technologies work in real time – providing, for the first time, the ability to sense and respond to the most egregious threats as they happen, and before damage is done. 

It’s worth noting that these analytic approaches are tried and tested. Many of the underlying technologies, including the AI/machine learning analytics, have been protecting most of the world’s credit cards for years. The fraud teams at card issuers use these systems not only to detect fraud, but to set the level of risk that triggers investigation or card blocking, in order to balance loss prevention with a positive customer experience. Moreover, these fraud systems do not require issuers to hire armies of analytic techies. By crunching data to prioritize the biggest threats, they simplify the lives of fraud professionals, and the same would hold true in information security.

While encryption and other basic defense approaches will always have their place in security strategies, encryption alone does not prevent hackers from stealing data. Adding advanced analytic techniques to cybersecurity portfolios complements and can close the gaps left by encryption (and signature-based security) by detecting emerging and evolving attack patterns in real time. As a best practice, companies must advance beyond basic defenses, and enhance their security posture with the analytic equivalent of an effective intelligence service. It’s time to bolster our walls and moats with spies and intelligence.

More On This Topic:

Doug Clare is Vice President of fraud, Compliance, and Security Solutions at FICO. In this role, Doug heads FICO's fraud, financial crime, and cyber-risk businesses. With more than 25 years at FICO, he has deep expertise in helping banks and other businesses manage fraud, ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
2/3/2016 | 7:55:57 AM
Schneier notes on NSA presentation
system attack process summary:

intrusion phases
  • reconnaissance
  • initial exploitation
  • establish persistence
  • install tools
  • move laterally
  • collect exfi land exploit

the event was the usenix enigma conference.


reference (schneier)



attackers don't care about passwords, authentication, or encrypotion: they work by attacking the endpoints with root kits and other un-authorized programming  .until the industry addresses this issue there will be no meaningful progress against computer fraud and abuse.
User Rank: Ninja
2/2/2016 | 7:17:50 PM
Data That Stays Encrypted, Is Read While Encrypted
The window of opportunity is a very valid point, and the only one that matters in arguing for more advanced protection of data.  One imagines technology down the road that can accomplish the (seemingly) impossible.  That is, one only ever deals with encrypted data, and that data as a whole is never decrypted.  However, via a variety of reading methods, the reader can 1) read the data (if a document) line by line where a reader decrypts a certain number of lines using a different key for each paragraph, encrypting the data again using a new cipher as if moves along the document, or 2) the data is printed out using a printer that similarly decrypts chunks using different keys, dropping a bit of decrypted data into a secure print queue, then moving on to another print queue, all the while the user must authenticate over time to keep the processes available, whether reading at a terminal, or receiving printed items.  An option could be to have to destroy data already read before the rest will print; or that it must be locked into a safe box before one could move on to the rest of the material.

These are examples of overkill – perhaps even comedic, but with the right processing power and the right infrastructure, there is no reason extremely sensitive documents can't remain secure and those windows never open, since the windows are actually removed, or mostly removed.  Yes, people are the remaining "window" and always will be, but there are ways to keep that to a dull minimum, too, depending on the information.  As a rule, data should never travel (whether on media or over the Internet) in a decrypted state.  Layering the encryption as described requires time with today's tech, but can be done as computing power increases.  Layering the human factor could work, too, where you require a minimum number of people to be able to translate and use decrypted data, depending on the nature of the information.

I suspect that time and money are a huge reason why so much data that might otherwise be secured is out there, and if we took twice as much effort to lock it down with today's tech and resources, we'd be in much better shape.  But in the end, we need to get rid of the windows and doors, over-complicate our security measures and tech so that once we know we are having a hard time already just getting to the data we are supposed to have access to, we'll know we are doing a better job of securing the information other eyes are never supposed to see.  If we can get to the ultimate state where data is even read while encrypted (I'm imagining this will be when biotech has reached a certain maturity), we'll in great shape, indeed!
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-11
FusionSphere OpenStack 8.0.0 have a protection mechanism failure vulnerability. The product incorrectly uses a protection mechanism. An attacker has to find a way to exploit the vulnerability to conduct directed attacks against the affected product.
PUBLISHED: 2020-08-10
A cross-site scripting (XSS) vulnerability in the Credential Manager component in SAINT Security Suite 8.0 through 9.8.20 could allow arbitrary script to run in the context of a logged-in user when the user clicks on a specially crafted link.
PUBLISHED: 2020-08-10
An SQL injection vulnerability in the Assets component of SAINT Security Suite 8.0 through 9.8.20 allows a remote, authenticated attacker to gain unauthorized access to the database.
PUBLISHED: 2020-08-10
An SQL injection vulnerability in the Analytics component of SAINT Security Suite 8.0 through 9.8.20 allows a remote, authenticated attacker to gain unauthorized access to the database.
PUBLISHED: 2020-08-10
A cross-site scripting (XSS) vulnerability in the Permissions component in SAINT Security Suite 8.0 through 9.8.20 could allow arbitrary script to run in the context of a logged-in user when the user clicks on a specially crafted link.