{"id":33584,"date":"2024-07-25T14:03:30","date_gmt":"2024-07-25T12:03:30","guid":{"rendered":"https:\/\/www.kaspersky.co.za\/blog\/?p=33584"},"modified":"2024-07-25T14:03:30","modified_gmt":"2024-07-25T12:03:30","slug":"managing-cybersecurity-risks","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.za\/blog\/managing-cybersecurity-risks\/33584\/","title":{"rendered":"A shield of trust"},"content":{"rendered":"<p>It\u2019s been a month already since the US Department of Commerce issued its Final Determination with regard to the sales and use of Kaspersky products by US persons. The agency\u2019s decision, if you happen not to be aware of it, in general terms was to ban Kaspersky products \u2013 with a few exceptions for informational and educational products and services \u2013 from the market. The outcome is the following: users in the US can no longer access the cybersecurity software they choose based on quality and expertise.<\/p>\n<p>Throughout its 27-year history, our company has always been recognized as supplying the best protection on the market from all kinds of cyberthreats \u2013 no matter where they come from. 
Here are a few examples: earlier this year our products once again received the <a href=\"https:\/\/www.youtube.com\/watch?v=VlfWkuOswC8\" target=\"_blank\" rel=\"nofollow noopener\">Product of the Year<\/a> award from a renowned independent testing lab; from year to year our solutions <a href=\"https:\/\/www.kaspersky.com\/about\/press-releases\/2023_kaspersky-products-proved-absolute-anti-ransomware-effectiveness-in-regular-av-test-examination\" target=\"_blank\" rel=\"noopener nofollow\">have been demonstrating<\/a> 100% protection against the most significant threat \u2013 ransomware; and it\u2019s Kaspersky\u2019s threat research team \u2013 respected both by the global InfoSec community and our users \u2013 that discovers, analyzes, and most importantly reveals to the world the biggest and most sophisticated state-sponsored espionage campaigns.<\/p>\n<p>So, what might be the reason for banning best-in-class cybersecurity solutions trusted by millions? Has the problem been defined clearly and objectively? Have you seen any evidence of those risks that the US government has been referring to for years? We haven\u2019t either.<\/p>\n<p>While having to deal with the outcomes of growing protectionism (and its hard-hitting effects) \u2013 like zero-evidence claims of misconduct, and accusations based purely on theoretical risks \u2013 we\u2019ve been continuously developing a universal methodology for cybersecurity product assessment, while remaining ever true to our key principle: being maximally transparent and open about how we do our work.<\/p>\n<p>We became the first and remain the only major cybersecurity company to provide third parties with access to our source code, and we also allow our stakeholders and trusted partners to check our threat-detection rules and software updates in an unparalleled goodwill gesture. 
For several years already we\u2019ve had our <a href=\"https:\/\/gti.kaspersky.com\/\" target=\"_blank\" rel=\"noopener\">Global Transparency Initiative<\/a> in place \u2013 unique in its scope and practical value \u2013 which once again reflects our cooperative attitude and determination to address any potential concerns regarding how our solutions work. Nevertheless, we still faced apprehensiveness regarding the reliability of our products \u2013 usually stemming from external factors like geopolitical conjecture \u2013 and so we went the extra mile by suggesting an even more thorough framework, which would assess the integrity of our security solutions throughout their lifecycle.<\/p>\n<p>What I\u2019ll be describing below is a framework we\u2019ve been proactively sharing with the parties expressing concerns about the credibility of Kaspersky solutions \u2013 including those in the United States government. We believe the framework is comprehensive enough to address the most commonly expressed concerns, and is capable of forming a dependable chain of trust.<\/p>\n<p>The key pillars of the cybersecurity assessment methodology we\u2019ve been presenting (which, incidentally, we believe has the potential to form the basis of an industry-wide methodology) include: (i) the localization of data processing, (ii) the review of data received, and (iii) the review of both the information and updates delivered to user machines (as part of software and threat-database updates). Just as within our Global Transparency Initiative, the strategy\u2019s core aim is the engagement of an external reviewer for checking the company\u2019s processes and solutions. What, however, is new about this methodology is both the extent and depth of such reviews. Let\u2019s look into the details\u2026<\/p>\n<h2>Data processing localization<\/h2>\n<p>The matter of data processing and storage has been one of the most sensitive, not only for Kaspersky, but for the entire cybersecurity industry. 
We frequently get reasonable questions about what data our products can process, how this data is stored and, most fundamentally, why we need this data. The key purpose of data processing for Kaspersky is providing our users and customers with the very best cybersecurity solutions: by gathering data on malicious and suspicious files that we detect on user machines, we can train our algorithms \u2013 teaching them how to detect new threats and contain their spread.<\/p>\n<p>The framework we\u2019ve been presenting also implies <strong>greater localization of data processing infrastructure<\/strong>, and implementation of technical and administrative controls restricting access to such processing infrastructure for employees outside a given country or region. We already implement such an approach in delivering our <a href=\"https:\/\/go.kaspersky.com\/mdr-in-ksa.html\" target=\"_blank\" rel=\"noopener nofollow\">Managed Detection and Response (MDR)<\/a> service in Saudi Arabia, and the same mechanisms have been suggested in our discussions with the US authorities to alleviate their concerns. These measures would ensure that local data is both stored and processed in a physical environment where ultimate control over the data rests with persons under the local jurisdiction, or that of a closely allied country as deemed appropriate by these persons. Just as with the above-mentioned steps, an independent third-party validator might be invited to review the effectiveness of the measures implemented.<\/p>\n<p>Local data processing requires local threat analysis and the development of local malware detection signatures, and our methodology provides for just that. Data processing localization requires expansion of human resources to support local infrastructure, and we\u2019re prepared to further build up our <strong>regional R&amp;D and IT teams<\/strong> in given countries. 
Such teams would be exclusively responsible for supporting the processing of domestic data, managing local data center software, and analyzing malware to identify new APTs specific to the given region. This measure would also ensure there are more international experts involved in the development of future Kaspersky product lines \u2013 making our R&amp;D even more decentralized.<\/p>\n<h2>Data retrieval process review<\/h2>\n<p>We protect the data we gather against potential risks using rigorous internal policies, practices, and controls; we never attribute data gathered to a specific individual or organization, we anonymize it wherever possible, and we also limit access to such data within the company and process 99% of it automatically.<\/p>\n<p>To further mitigate any potential risks to the data of our customers, we\u2019ve suggested engaging a third-party authorized reviewer to periodically <strong>review our data retrieval process<\/strong>. Such a real-time reviewer would periodically assess the data we receive using data analytics tools and data processing platforms, to make sure no personally identifiable information or other protected data is being transferred to Kaspersky, and to confirm that the data retrieved is used solely for the detection of and protection against threats, and is appropriately handled.<\/p>\n<h2>Review of updates and data delivered to user machines<\/h2>\n<p>As a next step on the product side, the mitigation framework would provide for <strong>regular third-party reviews of our threat-database updates and product-related software code development<\/strong> to mitigate supply-chain risks for our customers. Importantly, the third party would be an independent organization reporting directly to a local regulator. 
This would be on top of Kaspersky\u2019s existing rigorous and secure software development process, which focuses on mitigating risks \u2013 including a scenario where there\u2019s an intruder in the system \u2013 to ensure no one can add unauthorized code to our products or AV databases.<\/p>\n<p>But to further enhance security guarantees, the engagement of an external real-time reviewer is intended to assess the security of the code developed by Kaspersky engineers, suggest improvements, identify potential risks, and then determine appropriate solutions.<\/p>\n<p>One of the scenarios of how such a check of threat-database updates can be organized is depicted below:<\/p>\n<div id=\"attachment_51789\" style=\"width: 1930px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/103\/2024\/07\/25094754\/managing-cybersecurity-risks-01.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-51789\" class=\"wp-image-51789 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/103\/2024\/07\/25094754\/managing-cybersecurity-risks-01.png\" alt=\"One of the scenarios of real-time review of threat databases\" width=\"1920\" height=\"1080\"><\/a><p id=\"caption-attachment-51789\" class=\"wp-caption-text\">One of the scenarios of real-time review of threat databases<\/p><\/div>\n<p>It\u2019s important to emphasize that the third-party review can be either blocking or non-blocking, conducted either on a regular basis or once a critical mass of updates\/components for review is accumulated, as well as applied to all or just a selection of components. The most advanced review option proposed involves real-time blocking \u2013 enabling reviewers to fully control the code delivered to user machines. 
A\u00a0blocking review would stop any code still under review from getting into a product or its updates \u2013 and therefore from reaching Kaspersky\u2019s customers.<\/p>\n<p>This comprehensive review process could be further enhanced by requiring the reviewer\u2019s signature on all updates delivered to user machines after the underlying code has been confirmed and built. This would ensure that the code wasn\u2019t altered after being reviewed in real time.<\/p>\n<p>The proposed review not only enables real-time verification of the security of newly developed code, but also provides access to the entire source code \u2013 including its history. This allows the reviewer to fully assess the newly developed code, understand its changes over time, and see how it interacts with other product components.<\/p>\n<p>Such a complete code review would also be accompanied by access to a copy of the company\u2019s software build environment, which mirrors the one used in Kaspersky \u2013 including compilation instructions and scripts, detailed design documentation, and technical descriptions of the processes and infrastructure. Hence, the real-time reviewer could build\/compile code independently and compare binaries and\/or intermediate build objects to shipped versions. The reviewer would also be able to verify the build infrastructure and software for changes.<\/p>\n<p>In addition, a trusted independent third party could be provided with access to the company\u2019s software development practices. Such independent analysis would aim to provide further guarantees that Kaspersky\u2019s applied measures and processes match leading industry practices. 
The access would cover all relevant security documentation \u2013 including but not limited to: defining security requirements, threat modeling, code review, static and dynamic code verification, penetration testing, etc.<\/p>\n<p>The bottom line is that, in our judgement, the aforesaid strategy can address most ICT supply-chain risks relating to product development and distribution in an effective and verifiable manner. And as I mention above, these are in fact the mitigation measures we\u2019ve submitted in a proposal for discussion to the US Department of Commerce \u2013 once again confirming our openness to dialogue and determination to provide the ultimate level of security assurances. However, our proposal was simply ignored. This leads me to believe that the reason is based on the Department\u2019s preconceived ideas. It seems that instead of assessing our proposal for its effectiveness in addressing the risks, it was examined to find an excuse to reject it.<\/p>\n<p>While we have to admit that once again we\u2019re having to deal with an act of digital protectionism, I know for a fact that the world is in acute need of a global cybersecurity risk-management strategy. It\u2019s crucial to be able to address the evolving threat landscape effectively and ensure a unified approach to managing cybersecurity risks across diverse IT security domains. This approach could also help prevent short-sighted decisions depriving millions of users of their freedom of choice regarding credible cybersecurity protection and the creation of artificial restrictions on the exchange of data among cybersecurity professionals. 
Let\u2019s allow these experts to focus on their important work without the additional burden of geopolitics \u2013 whose influence only benefits cybercriminals.<\/p>\n<p>In an interconnected world where cyberthreats transcend borders, a global strategy is vital for bolstering cybersecurity defenses, enhancing trust, and promoting a more secure digital ecosystem. Our framework opens the door to a discussion within the industry about what a universal supply-chain cybersecurity assessment should look like \u2013 with the ultimate goal of building a reliable shield of trust and, consequently, a safer world.<\/p>\n<p>And finally, for those seeking answers regarding the drastic new limitations on their freedom of choice, don\u2019t forget that you can \u2013 and should \u2013 still have your say, by asking your questions directly, <a href=\"https:\/\/www.commerce.gov\/about\/contact-us\" target=\"_blank\" rel=\"nofollow noopener\">here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Managing cybersecurity risks through an evidence-based 
approach.<\/p>\n","protected":false},"author":13,"featured_media":33586,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3020,3021,1789,2670],"tags":[3006,28],"class_list":{"0":"post-33584","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"category-technology","11":"category-threats","12":"tag-global-transparency-initiative","13":"tag-kaspersky"},"hreflang":[{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/managing-cybersecurity-risks\/33584\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/managing-cybersecurity-risks\/27775\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/managing-cybersecurity-risks\/23106\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/managing-cybersecurity-risks\/11987\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/managing-cybersecurity-risks\/30458\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/managing-cybersecurity-risks\/27986\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/managing-cybersecurity-risks\/27573\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/managing-cybersecurity-risks\/30259\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/managing-cybersecurity-risks\/29135\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/managing-cybersecurity-risks\/51786\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/managing-cybersecurity-risks\/22090\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/managing-cybersecurity-risks\/22846\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/managing-cybersecurity-risks\/31517\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/managing-cybersecurity-risk
s\/36919\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/managing-cybersecurity-risks\/29273\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/managing-cybersecurity-risks\/33919\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.za\/blog\/tag\/kaspersky\/","name":"kaspersky"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/33584","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/users\/13"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/comments?post=33584"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/33584\/revisions"}],"predecessor-version":[{"id":33587,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/33584\/revisions\/33587"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/media\/33586"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/media?parent=33584"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/categories?post=33584"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/tags?post=33584"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}