Multiparty Encryption Allows Companies to Solve Security-Data Conundrum

An interdisciplinary research team constructs a way for companies to share breach data without revealing specific details that could expose businesses to legal risk.

A system that allows companies to submit breach data anonymously and then benefit from the aggregate statistics for their industries could give executives and policymakers a more accurate understanding of how breaches impact businesses and give companies the timely threat intelligence they need to prepare for attacks.

The Secure Cyber Risk Aggregation and Measurement (SCRAM) system — created by an interdisciplinary team of policy, financial, and computer-science researchers at the Massachusetts Institute of Technology (MIT) — uses a special type of encryption to allow various calculations to be performed on protected data in the context of a multiparty computation (MPC) system. An initial proof-of-concept trial not only delivered aggregate breach data for a group of six companies, but it also collected information about the adoption rate of security controls and the controls blamed for the greatest loss.

The researchers plan to next conduct a larger trial of the technology with 60 to 70 companies in several industries to gather sector-specific data, says Taylor Reynolds, technology policy director of MIT's Internet Policy Research Initiative.

"We have shown that firms are willing to share this really sensitive data as long as they know it is going to be protected," he says. "And what that does is it opens up a whole new set of data and statistics for us that will allow us to better defend our networks."

The research could solve one of the most enduring problems of cybersecurity: the lack of good data on breaches and information on what controls are working. While several industries — most notably healthcare — are required to disclose information on cybersecurity incidents, the practice remains relatively uncommon, and minor cybersecurity events have always been underreported.

A privacy-preserving system could solve the major hurdle preventing such sharing of data, says Darren Van Booven, lead principal consultant at security-services firm Trustwave.

"One of the things that I've always noticed over the course of my career is the difficulty in being able to get quality information on what works and what doesn't, what have other organizations found to be more effective in the way of controls, and what exactly are the losses that have occurred," he says. "This impacts the job of every CISO because they are trying to report to their executive leadership on what exactly the real risk to their company is right now."

The idea for the system came out of interviews with executives in critical-infrastructure industries, such as the financial, oil and gas, and electric industries. Each industry wanted data, but no executive wanted to put their business at risk by acknowledging breaches, says MIT's Reynolds.

"One of the messages that kept coming out was they needed a better way to share data and share information because the current methods are not working," he says. "We put our minds together and knew we had the pieces ... let's get together and devise a way that firms can share data securely without having to reveal it or disclose it to anyone else."

The group of researchers created an MPC system that preserves privacy. The system is enabled by a special type of encryption that allows some types of math to be performed on the encrypted values. Known as threshold homomorphic encryption, the technique protects data by letting each party encrypt its own information while only the result of an aggregate calculation over all parties' inputs can be decrypted.

The technique solves two problems with other methods of aggregation. Take, for example, a gathering of people who want to share information on salaries. They could give all the information to a trusted third party, which could then do the calculations and provide an average income for the group. The third party, however, could be compromised or, in the end, found untrustworthy, resulting in a leak of information on a specific person's salary — a violation of privacy. Alternatively, the group could put all the information into a hat and then aggregate the data, but participants could potentially be identified from just knowing the details of any single incident.

However, if each participant added a large random number to their salary, then passed along the total to the next person, no individual salary would be compromised. In a second round of calculation, each person could subtract the large random amount they had previously added, resulting in the exact sum of their incomes.

"Nowhere along that path did anyone have to reveal their own salary in order for us to run that computation," Reynolds says. "It is that type of mathematical modeling that allows us to run those computations on the platform."

The SCRAM system uses a similar approach with homomorphic encryption, a type of privacy-preserving cryptography that allows calculations on encrypted data.
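The masked-sum exchange described above, written out as an added example (not SCRAM's code or MIT's): it generalizes the single salary to a vector of values, so that several aggregates (here, constructed per-control loss figures for three firms) are summed in one pass. Firm names, control names and amounts are all constructed for illustration.

```python
import secrets

# Constructed parameter: every value and mask lives in Z_MODULUS, so a running
# total that has a fresh uniform mask added to it is itself uniform and reveals nothing.
MODULUS = 2**64

# Constructed slots: one aggregate per control blamed for a loss.
CONTROLS = ["centralized log management", "patching", "multifactor auth"]


class Participant:
    """One firm in the ring. Its private vector is never sent; only masked totals are."""

    def __init__(self, name, values):
        self.name = name
        self.values = [v % MODULUS for v in values]
        self.masks = None

    def add_masked(self, running):
        # Round 1: draw a large random mask per slot, add value + mask to the running total.
        self.masks = [secrets.randbelow(MODULUS) for _ in self.values]
        return [(r + v + m) % MODULUS for r, v, m in zip(running, self.values, self.masks)]

    def remove_mask(self, running):
        # Round 2: subtract only the mask that this firm added; the value stays in the total.
        return [(r - m) % MODULUS for r, m in zip(running, self.masks)]


def secure_sum(participants, width):
    """Run both rounds around the ring; return the exact sums and every message sent."""
    running = [0] * width
    transcript = []  # what an observer on the wire would see, message by message
    for p in participants:
        running = p.add_masked(running)
        transcript.append(list(running))
    for p in participants:
        running = p.remove_mask(running)
        transcript.append(list(running))
    return running, transcript


def demo():
    # Constructed sample input: losses in dollars attributed to each control, per firm.
    firms = [
        Participant("Firm A", [2_000_000, 500_000, 0]),
        Participant("Firm B", [3_200_000, 0, 150_000]),
        Participant("Firm C", [700_000, 250_000, 50_000]),
    ]
    totals, transcript = secure_sum(firms, len(CONTROLS))
    return dict(zip(CONTROLS, totals)), len(transcript)
```

The final totals match a plain sum while no single message on the wire equals any firm's input; as with any such ring, a participant's two neighbours colluding could still recover its values, which is the gap a threshold scheme is meant to close.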

The pilot project collected data on more than 49 security incidents from the six large private-sector firms and the specific security-control failures that the companies blamed for each incident. Centralized log management was the top control failure linked to breaches, associated with almost $6 million in aggregate losses over the 49 security incidents.

Future trials will attempt to structure the questions and answers to reveal stronger links between controls and breach damages, says Reynolds.

"The Holy Grail here is trying to understand return on investment of security controls," he says. "If I spend the money on X, what will be the return on investment that I get on that when I do risk modeling?"

With the privacy-preserving system, such data may no longer be out of reach.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...