Protecting trade secrets: technology solutions you can use

Apr 16, 2018 | 9 min read
Cybercrime | Data and Information Security | Technology Industry

The fourth and final part of a series on stopping trade secret theft in your organization.


With the recent Waymo-Uber trade secret trial making headlines, you may find that your executives are bringing up the issue of trade secret protection. If not, it may be a good time for you to do so. In this last part of my four-part series on this subject, I will highlight technology controls that you should consider to help mitigate the risk of trade secret theft. In "Stopping trade secret theft in your organization," I explained what a trade secret is. In "Stopping trade secret theft in your organization, part 2," I provided an overview of trade secret law for non-lawyers. "Understanding root causes of trade secret breaches" contained my analysis of the root causes of recent trade secret thefts.

By focusing on technology, I am not minimizing the need for process controls, training and good policies. These all have to work together to provide a holistic security system. I also assume that basic technology-based security controls have already been implemented. Often these are focused on protecting networks and systems. They include next-generation firewalls (NGFW), SIEM, endpoint protection platforms (EPP), endpoint detection and response (EDR), intrusion detection and prevention systems (IDPS), and managed security service (MSSP) and managed detection and response (MDR) vendors. A broad, structured overview of technology vendors is provided here. I am going to focus on additional technologies that you may want to consider to mitigate the risk of trade secret theft. These technologies are focused on protecting data rather than infrastructure. To secure your organization you need to tailor the mitigations to the risks. The business upside of better trade secret protection is that your organization will be better equipped to collaborate securely and effectively with business partners.

For this post, I will use the NIST CSF to organize the analysis. While the CSF is titled "Framework for Improving Critical Infrastructure Cybersecurity," it can be used for risk management of any component or subcomponent of your infrastructure. My goal is to highlight security technologies that could support each of the five basic CSF functions. The products I mention are only illustrative; I have no connection with any of these vendors.

The CSF is best thought of as a gradient, because technology products do not fit neatly into one function. Instead, vendor solutions cover more than one capability, either natively or through partnerships with other vendors. I assigned each vendor to a principal function. In your selection of vendors, you still need to make sure all five functions are covered by at least one vendor.

1. Identify

In this step you need to identify and document risks. This will require a data asset inventory, data flow diagrams and a business valuation of the data. The data inventory and maps should be available from your enterprise architecture teams and business owners. The business data valuation will need to be worked out in your conversations with legal and finance. Next you need to describe your use case. Will you have a few insiders accessing your trade secret data? Will you have a broad range of partners sharing the data? Once this use case is defined, you will also need to identify misuse cases. Each misuse case has an attack path, and these paths can differ considerably from the commonly cited "kill chain." The attack paths can be made explicit using attack tree methodology: the root is the attacker's goal (obtain the trade secret), OR nodes list alternative ways to reach it, and AND nodes list steps that must all succeed. Each path through the tree is a set of leaf actions, and for every path you should be able to name the CSF function and supporting technology that blocks or detects at least one action on it. A path with no such control is a gap.
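The following is an added worked example (not from the original article) of the attack tree step above: it enumerates the minimal attack paths of a small AND/OR tree and reports which paths have neither a Protect nor a Detect control anywhere along them. The tree, the leaf actions and the control map are constructed illustrations, not a real organization's data.

```python
"""Enumerate attack paths from an AND/OR attack tree and check CSF coverage.

Added example, not part of the original article.  TREE and CONTROLS are
constructed for illustration; substitute your own misuse cases and controls.
"""
from itertools import product

# Node forms: a leaf action (str), ("OR", [children]) or ("AND", [children]).
# Root goal: exfiltrate the design repository that holds the trade secret.
TREE = ("OR", [
    ("AND", ["obtain valid credentials", "bulk-download design repo"]),
    ("AND", ["recruit insider with access", "copy files to personal cloud storage"]),
    ("AND", ["compromise partner account", "export shared documents"]),
])

# Which CSF functions have a control against each leaf action (constructed).
CONTROLS = {
    "obtain valid credentials": {"Protect": "MFA on repository access"},
    "bulk-download design repo": {"Detect": "download-volume baseline alert"},
    "recruit insider with access": {},
    "copy files to personal cloud storage": {"Protect": "DLP blocks unsanctioned cloud",
                                             "Detect": "DLP alert"},
    "compromise partner account": {"Identify": "partner access inventory"},
    "export shared documents": {"Protect": "rights management on shared docs"},
}


def attack_paths(node):
    """All attack paths for `node`; each path is a frozenset of leaf actions.
    OR = union of the children's paths; AND = every combination of one path
    from each child, merged."""
    if isinstance(node, str):
        return [frozenset([node])]
    kind, children = node
    child_paths = [attack_paths(c) for c in children]
    if kind == "OR":
        return [p for paths in child_paths for p in paths]
    if kind == "AND":
        return [frozenset().union(*combo) for combo in product(*child_paths)]
    raise ValueError(f"unknown node type {kind!r}")


def minimal_paths(node):
    """Drop any path that is a strict superset of another (minimal cut sets)."""
    paths = set(attack_paths(node))
    return sorted((p for p in paths if not any(q < p for q in paths)), key=sorted)


def coverage(path, controls=CONTROLS):
    """CSF functions that have at least one control somewhere on the path."""
    funcs = set()
    for action in path:
        funcs.update(controls.get(action, {}))
    return funcs


def gaps(tree=TREE, controls=CONTROLS, required=("Protect", "Detect")):
    """Minimal attack paths lacking one of the required functions entirely."""
    return [p for p in minimal_paths(tree)
            if not set(required) <= coverage(p, controls)]


if __name__ == "__main__":
    for path in minimal_paths(TREE):
        print(sorted(path), "->", sorted(coverage(path)))
    print("uncovered paths:", [sorted(p) for p in gaps()])
```

The partner-account path comes out as the gap: the inventory is an Identify control and rights management is Protect, but nothing on that path would tell you it is being walked, which is exactly the kind of blind spot the Detect section below is meant to close.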

After you identify trade secret information, you need to classify it within your corporate classification schema.  Boldon James and Titus are two technology vendors that enable data classification and labelling.  Boldon James’ strategy is to enable user classification of data at the time of creation.  This can be fully automated, user assisted or manual.  Effective classification of trade secrets may be more difficult than tagging documents containing PHI or credit card information.  This is where automated assistance can be helpful.  Once the data is classified it is labelled and suitable metadata attached.  This metadata can be read by downstream solutions that will protect the data.  These downstream solutions include:  DLP, email gateways, and collaboration tools such as SharePoint and Box.

2. Protect

Once data has been classified and labelled, there are a wide range of possible protection choices, depending on your use cases.  These could include ERMS (Enterprise Rights Management System) persistent encryption, file encryption, document passwords, etc.

If your company's "crown jewels" are created and kept within Office 365, Microsoft has an extensive data protection solution known as AIP (Azure Information Protection). At least part of this capability stems from its purchase of Secure Islands in 2015. Secure Islands was an innovator in the data protection space. Its technology uses data classification, user ID, destination ID and other parameters to define an information protection profile that then governs the automated handling of sensitive information. Classification is applied manually, automatically or using a combination of these. These concepts are being delivered and implemented in AIP now.

3. Detect

Detection tools employing behavior analytics and deception have gotten more visibility recently. UEBA (User and Entity Behavior Analytics) has gained visibility since Gartner coined the category around 2015. UEBA capability can be stand-alone or part of a SIEM or other tool. UEBA will not be a broadly applicable detection process. The challenges are that networks change too fast, users move and get new assignments, mergers and acquisitions happen, etc. Under these circumstances it is hard to define a stable baseline. In addition, security analysts will need careful training on what to do with findings from these tools. However, where the data asset is well defined and the population of users is carefully described and not constantly changing, UEBA can be a valuable tool. This can be the case for protecting trade secrets.

Securonix has been an innovation leader in incorporating UEBA into its next generation SIEM product.  Advanced statistical behavioral baseline profiles are generated, based on context and time series events.  Context information includes which group the user is in, what assets are being accessed, etc.  Event data includes information from systems, applications, cloud sources, databases, etc.  The baseline profile is also aged out over time.  This process comprises a “machine learning” step.  Then, statistical deviations from the baseline are tagged when they occur and categorized as to likelihood of threat.
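As an added example (not from the article and not Securonix's code), here is the baseline-and-deviation idea above reduced to its simplest form: one exponentially weighted mean and variance per user, so the profile ages out on its own, a z-score against that profile for each new day, and a bucketed likelihood of threat. The log lines, the decay factor, the warm-up length and the thresholds are all constructed assumptions. It also handles the "users get new assignments" problem from the previous paragraph by resetting a user's baseline when their group changes.

```python
"""UEBA-style per-user download baseline with aging, scored over sample logs.

Added example, not part of the original article.  SAMPLE_LOG is constructed
(daily MB downloaded from the design repository per user); alpha, warmup,
floor and the severity thresholds are assumed tuning values.
"""
import csv
import io
import math

SAMPLE_LOG = """day,user,group,mb
2018-01-02,alice,lidar-eng,100
2018-01-02,bob,lidar-eng,50
2018-01-02,carol,lidar-eng,80
2018-01-03,alice,lidar-eng,130
2018-01-03,bob,lidar-eng,55
2018-01-03,carol,lidar-eng,90
2018-01-04,alice,lidar-eng,110
2018-01-04,bob,lidar-eng,45
2018-01-04,carol,lidar-eng,85
2018-01-05,alice,lidar-eng,120
2018-01-05,bob,lidar-eng,60
2018-01-05,carol,lidar-eng,88
2018-01-06,alice,lidar-eng,100
2018-01-06,bob,lidar-eng,50
2018-01-06,carol,lidar-eng,82
2018-01-07,alice,lidar-eng,125
2018-01-07,bob,lidar-eng,55
2018-01-07,carol,mapping,400
2018-01-08,alice,lidar-eng,115
2018-01-08,bob,lidar-eng,48
2018-01-08,carol,mapping,420
2018-01-09,alice,lidar-eng,105
2018-01-09,bob,lidar-eng,52
2018-01-09,carol,mapping,380
2018-01-10,alice,lidar-eng,120
2018-01-10,bob,lidar-eng,58
2018-01-10,carol,mapping,410
2018-01-11,alice,lidar-eng,110
2018-01-11,bob,lidar-eng,50
2018-01-11,carol,mapping,390
2018-01-12,alice,lidar-eng,9800
2018-01-12,bob,lidar-eng,53
2018-01-12,carol,mapping,405
"""


class Baseline:
    """Exponentially weighted mean and variance for one user.  Recent days
    weigh more than old ones, so the profile ages out by itself (alpha)."""

    def __init__(self, alpha):
        self.alpha, self.n, self.mean, self.var = alpha, 0, 0.0, 0.0

    def zscore(self, x, floor):
        std = max(math.sqrt(self.var), floor)   # floor avoids division by ~0
        return (x - self.mean) / std

    def update(self, x):
        if self.n == 0:
            self.mean = x
        else:
            diff = x - self.mean
            self.mean += self.alpha * diff
            self.var = (1 - self.alpha) * (self.var + self.alpha * diff * diff)
        self.n += 1


def severity(z):
    """Bucket a deviation into a likelihood-of-threat label (thresholds assumed)."""
    if z >= 8:
        return "high"
    if z >= 3:
        return "medium"
    return None


def score_log(text, alpha=0.2, warmup=5, floor=1.0):
    """Alerts for user-days whose download volume deviates from that user's
    own aged baseline.  A group change (new assignment) resets the baseline,
    at the cost of `warmup` unscored days for that user."""
    profiles, groups, alerts = {}, {}, []
    for row in csv.DictReader(io.StringIO(text)):
        user, mb = row["user"], float(row["mb"])
        if groups.get(user) != row["group"]:          # new or reassigned user
            profiles[user], groups[user] = Baseline(alpha), row["group"]
        prof = profiles[user]
        if prof.n >= warmup:                          # no scoring until warmed up
            z = prof.zscore(mb, floor)
            sev = severity(z)
            if sev:
                alerts.append({"day": row["day"], "user": user, "group": row["group"],
                               "mb": mb, "z": round(z, 1), "severity": sev})
        prof.update(mb)                               # score first, then learn
    return alerts


if __name__ == "__main__":
    for alert in score_log(SAMPLE_LOG):
        print(alert)
```

Only alice's 9,800 MB day fires, as "high". Carol's jump from roughly 85 MB to 400 MB on her move to the mapping group does not, because the reset treats her as a new user; that is a deliberate trade-off, since the same reset gives you a blind spot for the warm-up period after every reassignment, and an analyst needs to know that before trusting a quiet console. Note also that the event is scored against the profile as it stood before that day, so a slow ramp-up over many days would raise the baseline with it; the peer-group comparison that real products add is the usual answer to that.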

On the deception side, Thinkst has popularized and simplified the application of honeypots and honeytokens. The Canary tools can enable you to detect intruders going after trade secret data. Canary is a honeypot technology packaged in an easily configurable form factor that can pose as, for example, a router or an endpoint. The free honeytokens are embedded into Word documents, spreadsheets, etc. and send you a notification whenever the object is opened. The Canary can be used to proactively detect reconnaissance activity, while the token can be used to detect a possible intrusion that has already reached the data. Both would be especially applicable in a distributed environment, where you have trade secret data located at multiple locations on multiple platforms. Keep in mind that a token only fires when the decoy is opened in a way that triggers its callback; it is a tripwire, not an inventory of what was taken.

4. Respond

Security automation and orchestration (SAO) is critical for mitigating trade secret breaches. The leak must be contained immediately. You do not have a 45-day breach notification option. If there is a trade secret breach you will have hours to days to block the leak. Once the data is out, it is lost forever, and the information ceases to be a trade secret. Newer tools from firms like Phantom, Demisto and Swimlane can help speed up the process in several ways. They can reduce routine work by analysts; automatically orchestrate response, such as deactivating user access; and provide playbooks for detailed incident handling, such as responding to a malicious insider attack. Another interesting feature is a secure communications channel, such as ChatOps from Demisto. In addition to helping remediate the technical aspects of incident response, your GC and even CEO may need to be part of the breach response conversation, sooner rather than later. In responding to a trade secret theft, you will not have time for conventional hierarchical communications. This and other aspects of the incident response plan must be regularly exercised in a tabletop simulation.

If you are not large enough to implement SAO tools, you can automate processes yourself. Several process automation tools are out there, including Nintex, KissFlow (for Google apps) and others. Nintex is an enterprise-class drag-and-drop workflow tool, with interfaces to Office 365, Dropbox, Dynamics CRM and many other software environments. Its only possible disadvantage is that it does not sell directly to users, choosing to work through partners instead. KissFlow, on the other hand, can be installed from the G Suite Marketplace and be up and running in a few hours. Its primary focus is automation within G Suite.

5. Recover

Legal action, forensics: if you are a victim of trade secret theft, you will likely need to take some type of legal action. To prove anything in court, reliable logs must be kept, which means logs that are complete, retained long enough, and demonstrably unaltered since the time of the events. The recent Waymo-Uber trial has pertinent information on this topic. Reading through the incident timeline, it appears that Waymo was alerted to large file downloads from its systems some six months after the fact. These files had been downloaded by employees allegedly misusing their network access. Had this been detected immediately, the matter might have been resolved at that time, without loss of trade secrets and costly trial preparation. We will never know exactly what happened or didn't happen, since the case settled out of court.
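One concrete way to make the "demonstrably unaltered" part hold up is a keyed hash chain over the log: every record carries an HMAC of its own content plus the previous record's HMAC, so an insider who later edits, deletes or reorders an entry breaks the chain from that point on. The block below is an added example, not from the article or any vendor; the key, the record layout and the sample events are assumptions.

```python
"""Hash-chained, keyed audit log that makes later tampering detectable.

Added example, not part of the original article.  DEMO_KEY and the sample
events are constructed; in practice the key must live where the people
being logged cannot reach it (an HSM, a separate logging host, or the SIEM).
"""
import hashlib
import hmac
import json

DEMO_KEY = b"demo-only-key-keep-real-keys-in-an-hsm"  # constructed
GENESIS = "0" * 64


class AuditLog:
    def __init__(self, key: bytes):
        self.key = key
        self.records = []   # each: {"seq", "event", "prev", "mac"}

    def _mac(self, rec):
        # Canonical JSON so the MAC does not depend on key order or whitespace.
        body = json.dumps({"seq": rec["seq"], "event": rec["event"], "prev": rec["prev"]},
                          sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self.key, body, hashlib.sha256).hexdigest()

    def append(self, event: dict):
        prev = self.records[-1]["mac"] if self.records else GENESIS
        rec = {"seq": len(self.records), "event": event, "prev": prev}
        rec["mac"] = self._mac(rec)
        self.records.append(rec)
        return rec

    def head(self):
        """Latest MAC.  Export it off-box regularly; a chain can only prove
        integrity up to the last head somebody else holds."""
        return self.records[-1]["mac"] if self.records else GENESIS

    def verify(self, expected_head=None):
        """(ok, first_bad_seq).  Catches edited, deleted, reordered and inserted
        records; with expected_head also catches truncation of the tail."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if (rec["seq"] != i or rec["prev"] != prev
                    or not hmac.compare_digest(rec["mac"], self._mac(rec))):
                return False, i
            prev = rec["mac"]
        if expected_head is not None and not hmac.compare_digest(prev, expected_head):
            return False, len(self.records)
        return True, None


def build_sample_log(key=DEMO_KEY):
    """Constructed events in the style of the file-download scenario above."""
    log = AuditLog(key)
    log.append({"ts": "2018-01-12T09:14:00Z", "user": "alice", "action": "download",
                "path": "/repo/lidar/design.zip", "bytes": 9_800_000_000})
    log.append({"ts": "2018-01-12T09:20:00Z", "user": "alice", "action": "usb_mount",
                "device": "sdb1"})
    log.append({"ts": "2018-01-12T09:31:00Z", "user": "alice", "action": "logout"})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    saved_head = log.head()                 # imagine this was shipped to the SIEM
    print("intact:", log.verify(saved_head))
    log.records[0]["event"]["bytes"] = 9_800   # insider shrinks the download
    print("after edit:", log.verify(saved_head))
```

Two caveats that matter for evidence: the verifier must hold the key, so the chain proves integrity to whoever you trust with that key, not to the world (signatures or a third-party timestamping service close that gap), and the export of the head is what turns "nobody edited the middle" into "nobody deleted the end."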

That’s it for this four-part series.  If you are looking for more detailed information on protecting trade secrets I can recommend three books. “Positively Confidential” (2011), by Naomi Fine, is one.  Fine’s book is a good overview of business, legal and process issues associated with protecting trade secrets.  The same can be said for “Secrets” (2015), by James Pooley.  The classic book on insider threats is “The CERT Guide to Insider Threats” (2011), by Dawn Cappelli, et al.

Although this is the final post in this series, the business and economic problems associated with trade secret theft continue.  It was recently addressed in the State of the Union speech on January 30, 2018.


Dr. Frederick Scholl is a thought leader in information security. His professional experience includes semiconductor researcher and engineer, start-up cofounder, and academic professor and leader.

He has both security practitioner experience and credentials as an educator. He consults on security governance, risk management and compliance issues.

Dr. Scholl started and leads Quinnipiac’s MS Cybersecurity program. This online degree program is focused on career changers who have a strong business and IT background, but little or no cybersecurity experience. The program emphasizes software security, cloud security, risk management and resilient systems.

The opinions expressed in this blog are those of Frederick Scholl and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.