Knowledge Center

Law Firm Leaks Celebrity Data
June 19, 2020

The New York law firm Grubman Shire Meiselas and Sacks, which represents well-known celebrities such as Lady Gaga, Madonna, Mariah Carey, and U2, appears to have fallen victim to a REvil ransomware attack. The REvil operators are threatening to publish documents stolen from Grubman's clients in nine staggered releases unless the firm pays a $42 million ransom.

The attack has been linked to a domain the law firm used that was served by an unpatched Pulse Secure VPN server. Vulnerability data confirmed that the law firm ran the vulnerable server for almost two months, a period during which many threat actors were actively scanning for unpatched VPN servers.

An internet scan for exposed ports on vulnerable VPN servers cannot by itself confirm that REvil used this server to plant the ransomware and encrypt files. REvil is, however, known for targeting unpatched VPN servers, which may be how the group reached Grubman. REvil also uses such servers to gain a foothold in networks, steal credentials, plant malware, and launch attacks.

Ransomware has two main approaches. The first is to encrypt all the data in place at the victim's site and demand a ransom for the decryption key. The second is to copy all the data to a location the attacker controls and demand a ransom in exchange for not releasing it to the public.

SecureCircle Data Access Security Broker (DASB) customers who face similar attacks or malicious insiders only need to worry about the first approach. Releasing sensitive information to the public is not possible with SecureCircle: the attackers would have stolen protected data encrypted with AES-256. Even with a 100 petaFLOPS supercomputer, they would need 3.67x10^52 years to break a single key, and with SecureCircle each file uses a unique key.
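How the figure above is obtained, as a worked derivation added here (not part of the original article); it assumes one key trial per floating-point operation, which is generous to the attacker, and a 365.25-day year:

$$
\text{keyspace} = 2^{256} \approx 1.16 \times 10^{77}, \qquad
\text{rate} = 100\ \text{PFLOPS} = 10^{17}\ \text{trials/s}
$$

$$
T = \frac{2^{256}}{10^{17}\ \text{trials/s} \times 3.156 \times 10^{7}\ \text{s/yr}} \approx \frac{1.16 \times 10^{77}}{3.156 \times 10^{24}\ \text{trials/yr}} \approx 3.67 \times 10^{52}\ \text{years}
$$

This is the time to exhaust every key; on average the key is found after half the keyspace, $2^{255}$ trials, which halves $T$ to about $1.8 \times 10^{52}$ years and leaves the conclusion unchanged.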

The first type of attack, which encrypts data in place, is still possible with SecureCircle: the attacker would simply encrypt an already encrypted file. Recovery from an encrypt-in-place attack requires a proper backup solution that isolates the backup data from production systems and keeps multiple revisions of each file.

With SecureCircle, ransomware attacks are reduced to annoyances similar to spam email: annoying and unproductive, but not the stuff of CNN and TMZ headlines.

Audits Don't Solve Security Problems
March 9, 2020
June 19, 2020

Audits, by nature, are rear-view facing. In many cases that may be fine (e.g., income tax audits and process audits), but in the world of cybersecurity and data security, reliance on an external audit poses a significant business risk.

Data security and data governance, risk and compliance (GRC) goals never aligned until GDPR. Data GRC focuses on demonstrating (reporting) the controls over who accessed in-scope data, what was accessed and when; it is not primarily about securing the data. Organizations needed to demonstrate compliance and focused on passing an audit, not on preventing data breaches. Before GDPR, monetary fines for breaches were minor; it was more important to find ways to pass the audit and keep the business operating than to reduce the risk of a data breach.

GDPR has shifted this paradigm by imposing substantial monetary fines in the case of a breach. As a result, organizations now focus on minimizing data loss risks rather than passing an audit. After all, there is no GDPR compliance audit like with International Organization for Standardization (ISO). The only mention of an audit within the GDPR regulation is for data processing. Compliance is self-imposed by the threat of a stiff fine that compels organizations to start thinking about compliance and security with a unified goal: to protect data.

Previous compliance standards and regulations such as ISO, Payment Card Industry (PCI), Sarbanes-Oxley (SOX), and Service Organization Control (SOC 2), to list a few, have focused on the audit.

For these regulations, organizations put in place the minimum processes and controls necessary to pass the audit. The controls may have little to no impact on data protection and privacy. The organization is solely attempting to gain compliance via a passing audit. The certificate acts as a get-out-of-jail card. If anything goes wrong, the organization says, "But we passed our audit. It's not our fault."

Securing Source Code & Intellectual Property While Working From Home
June 19, 2020

The Customer

One of the largest Original Design Manufacturer ("ODM") companies in the world, with design and manufacturing sites worldwide.

The Challenge

In response to the changing work environment, ODM needs to enable hundreds of hardware and software engineers to work from home while continuing to protect valuable intellectual property such as electrical and mechanical design files and software source code. 

The Solution

ODM is an existing SecureCircle customer that deployed SecureCircle to protect and segregate its client data. ODM supports many of the largest electronics brands in the world, and those clients want to ensure that confidential information is never leaked to a competitor that is also a client of ODM. When the coronavirus outbreak started impacting employees' ability to physically go to work and be productive, ODM enabled employees to work from home.

The ODM had two key concerns for enabling employees to work from home. (1) Security. Client data as well as internal intellectual property must be protected. Losing sensitive client data would negatively impact their relationship with current and future clients. (2) Productivity. Employees must be able to perform their tasks with similar efficiency working from home compared to working in the office. SecureCircle believes security needs to be transparent to users and workflows. Security solutions that require user action or a change in workflow will not be effective.  

SecureCircle supports all applications, file types, and file sizes, so employees can keep using all of their existing design applications. Furthermore, file names and extensions are never changed. Employees can use any mechanical computer-aided design (CAD) application, and file size is limited only by what the operating system supports. SecureCircle doesn't block employees from transferring large multi-gigabyte files via file sync and share applications like Dropbox, OneDrive, or Google Drive. Since files are always protected at rest, in transit, and in use, files transferred to or stored in cloud locations remain protected.

Employees develop design files and source code on many types of devices. SecureCircle supports development on Windows, Mac, and Linux. As employees work with design and source code, SecureCircle automatically protects data. Save-As and copy-paste actions will automatically protect the derivative works. Even if employees copy protected data into an unprotected file, the unprotected file will automatically be protected with the same permissions as the original protected data.

New designs are also protected automatically via the MagicFolder™ and MagicProcess™ features. MagicFolder automatically protects any file placed into the folder, which can exist on the employee's computer or on a central file share. MagicProcess automatically protects any file written by a designated process, such as all output from git.exe.

All of SecureCircle's security features work regardless of the employee's location:

  • Works with existing design tools such as CAD and integrated development environments (IDEs) for source code
  • Automated protection. MagicDerivative™, MagicFolder, and MagicProcess enable the automated protection of newly created and derivative works
  • Transparent data protection which doesn’t impact end users or business workflows
  • Automatically tracks protected data and protects derivative works
  • Data is always protected. Files are never decrypted
  • Revoke and change permissions in real time. Freelancers can be quickly on-boarded or removed from a project
  • Works with Windows, Mac, Linux, iOS, and Android

The Outcome

SecureCircle enables ODM to protect intellectual property such as electrical and mechanical designs and source code regardless of whether the employee is working from home or in the office. Employees use the same applications and workflows as in the office, while ODM ensures confidential data remains safe.

DASB Vs. DLP: Operational Overhead
June 19, 2020

There is a very distinct and clear difference between traditional DLP and SecureCircle Data Access Security Broker (DASB). Below is a list of additional resources:

Today, I will focus on operational overhead. Maintaining traditional DLP rules and understanding a 2,500+ page Symantec DLP administration manual is an impossible task. Setting up rules for every application, workflow, and use case is hopeless. Misconfigure a set of rules, or forget to update existing rules when classifications change, and data is lost. Fines, penalties, and news headlines ensue. IT and security teams will fruitlessly try to keep rules updated with traditional DLP.

Since SecureCircle architected DASB to be transparent to end-users and not require any changes to workflow or applications, the ongoing operational overhead is minimal.

DASB implements an opt-out posture in which all data is protected by default. IT teams can create policies that allow the egress of protected data to align with business needs. A couple of examples:

  • Using FileZilla to FTP sensitive documents to the data owner can be set up as an application and network policy.
  • Authorized users can be given permission to release files from protection, for example a sales account manager who needs to send proposals, project plans, and design files to customers.

SecureCircle logs all actions for audit and compliance. Standard daily business workflow can manage itself without the need for IT to micromanage every step.

By deploying an opt-out, protect-by-default solution, organizations can reduce the time spent maintaining DLP solutions and reduce data breaches caused by incomplete, insufficient, outdated, or conflicting policy rules. SecureCircle's DASB prevents data breaches and insider threats.

Avoid The High Cost Of Data Loss Prevention (DLP)
June 19, 2020

Security budgets are always smaller than needed, and there is even more pressure on IT and security teams to stretch their budgets in today’s new work environment. SecureCircle helps companies get the maximum return for the budget.

Time to value:

SecureCircle measures successful implementation in days and weeks. Our customers have complained that DLP and Information Rights Management (IRM) solutions have taken quarters to years to implement, if at all.

SecureCircle's opt-out approach protects data by default. Unlike a DLP deployment, there are no discover-and-classify steps, tools, or stages to prepare beforehand. SecureCircle integrates with classification tools, but they are not a requirement. SecureCircle reduces implementation and training time compared to alternative solutions.

Actual license cost:

SecureCircle has a simple subscription model and options for different support levels. License and support costs are low because the solution is transparent to other applications. There is no application-level integration required even for custom in-house applications.

Manage SecureCircle policies by exception when users want to remove protection. Exception management is effortless to operate and aligns with the business process. For example, a customer account manager removes protection from the data before sending it to a customer. In this case, the authorized account manager needs to remove data from protection to perform their job. The exception aligns with the business need to share the information with external parties and creates an auditable event reported for compliance and security.

Traditional DLP manages by rule. Admins create rules for every decision point. As companies add or change applications within the IT environment, IT or security must create new rules on how the new application handles the various document classifications. These rules must be maintained, and organizations end up with hundreds or thousands of rules to manage.

Replace and consolidate multiple tools:

In many cases, SecureCircle replaces various products such as disk encryption, file encryption, IRM, DLP, and even Virtual Desktop Infrastructure (VDI). VDI is often used to isolate sensitive data such as design files or software source code. With SecureCircle's protect-by-default and persistent protection, companies can remove VDI and allow employees to work in native OS environments. SecureCircle not only saves IT costs but also improves productivity. Read our use case regarding source code protection.

Learn more about SecureCircle to protect your data without the costs and operational overhead of DLP.

Additional related topics:

Forbes: Discover, Classify, and Protect is wrong

Forbes: Breadth vs. Depth the Cybersecurity Industry has been Focusing on the Wrong Thing

Modern Encryption from the Beginning : The Split-Key
June 19, 2020

Today we can experience a whole new world of encryption due to a man who led the way in cryptography. Thanks to Whitfield Diffie and his invention of public-key cryptography, we started down a path to provide privacy over digital communications and commerce.

Before public keys, cryptographic systems relied on symmetric keys. Symmetric keys were unreliable and challenging to manage because the same key had to be passed from person to person, which increased the chances of compromise. Because of this, Diffie forged a new path. He wanted to combine his one-way authentication scheme with a way of delivering encryption and decryption as separate capabilities. These two ideas merged into the invention of splitting up the key.

Diffie created two different keys, one public and one private, to ensure privacy and to decrypt the messages that were encrypted. The public key performs the job of scrambling a plaintext message, with a secret trapdoor built into it so that outsiders cannot read the result. The private key, on the other hand, unlocks the trapdoor so the holder can read the message. This public-key system lets everyone generate a unique key pair where no outsider can obtain the private component.

These public-private keys started up modern-day encryption. It was able to solve many problems such as untrustworthy administrators, the privacy of communication, the authenticity of senders and documents, and electronic commerce. Whitfield Diffie’s invention of the split key was able to unlock the door to a new way of encryption and has forever transformed the way we think of encryption.

While some technologies such as Pretty Good Privacy (PGP) still rely on a public- and private-key methodology, breakthroughs such as the split key have led to innovations in encryption, including the Portable Encrypting File System (PEFS). A PEFS takes the benefits of split-key encryption even further. With the split key, the sender can safely transmit a message to the intended recipient, but the sender has no control over the recipient forwarding the decrypted message. The sender was able to protect the data in transit but loses control of the data once the recipient decrypts it.

A PEFS integrates with any modern file system, so any data which is protected is portable to other devices allowing the data to remain encrypted at all times. In SecureCircle’s patented implementation of a PEFS, the file is never decrypted, so control over the data always remains even if recipients try to forward the file to third parties.

The SecureCircle agent monitors each request for data within the PEFS and ensures the device, user, and application are allowed to access the content. SecureCircle has a feature called Application Allowed List, which allows only specific applications to access protected files. Applications not on the Allowed List are only allowed to copy, move, and rename files.

The original file and the protected file have the same MD5 checksum because to the host operating system and applications, the original file and PEFS protected file are identical.

Building upon the early innovation of split key encryption, our PEFS enables users to transparently access protected data without having to know any encryption key. Users with authorization will see no change in their workflow. Unauthorized users will see access denied errors when attempting to access protected data. The PEFS handles the operation of encryption and decryption while our Data Access Security Broker (DASB) manages access control policies that allow users to interact with the data.

What Do Zoom, Dog Walkers, And Encryption Have In Common?
June 19, 2020

Zoom has made headlines for both providing a great way to communicate and also for their lack of security.

By using a tool like Zoom, or by relying on the built-in encryption of almost any solution such as WhatsApp or Signal, users have handed control of who can access their data to the solution provider.

We give a version of this example in sales discussions all the time.

My dog walker comes to my house every day at 2 pm to let my dog out and take the dog for a walk. I give the dog walker a key to the house so they can come in at 2 pm every weekday. But what I have done is not just given the dog walker access to my house at 2 pm every weekday. I have given the dog walker full control to decide whenever to enter my home.

The secure solution to grant access to the house without giving up control requires a broker to decide when the door should be unlocked. With today’s modern physical security tools, biometrics grants access. When the dog walker approaches the door, the broker can validate the dog walker via facial recognition, for example. Then the broker can check if the dog walker has permission to access the house at this specific time. Now that identity is confirmed, and the policy is validated, the broker unlocks the door.

SecureCircle's Data Access Security Broker (DASB) is the broker for all your data protection requirements. DASB sits within the operating system kernel and brokers access control to encrypted/protected data. Users don't know DASB exists: if the user's identity is verified and all policy rules are met, the user accesses protected data in the same way as unprotected data. Users whose identity or policy rules are not validated will get an error and will not be able to access protected data.

SecureCircle's DASB controls data even after the authorized user opens the file. DASB can control which applications use the data and where the data is sent, and it automatically protects derivative works.

With SecureCircle, companies retain control over data at all times, and permissions can be changed or revoked at any time regardless of where the data resides, which is much better than passing out a key to dog walkers or relying on a solution provider's end-to-end encryption.
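The broker decision described in this article and in the Application Allowed List paragraph of the split-key article, written out as an added example; this is a constructed model, not SecureCircle's code, and the policy, request and application names are assumptions. It performs no encryption: it only returns which view of the file a request gets (plaintext for an allow-listed application with verified identity inside the policy window, ciphertext for copy/move/rename by any process, an error otherwise) and shows that revoking a user takes effect on the next request.

```python
from dataclasses import dataclass
from datetime import datetime

# Hypothetical Application Allowed List: only these processes ever see plaintext.
ALLOWED_APPS = frozenset({"winword.exe", "code.exe"})
# Operations that never need decryption, so any process may perform them on ciphertext.
PASSTHROUGH_OPS = frozenset({"copy", "move", "rename"})


@dataclass(frozen=True)
class Request:
    user: str
    device: str
    app: str          # process asking for the file
    op: str           # "read", "write", "copy", "move" or "rename"
    when: datetime


@dataclass(frozen=True)
class Policy:
    users: frozenset      # identities permitted to see plaintext
    devices: frozenset    # enrolled devices
    start_hour: int       # weekday access window, e.g. 14..15 for "2 pm"
    end_hour: int


def in_window(policy: Policy, when: datetime) -> bool:
    """True on weekdays between start_hour (inclusive) and end_hour (exclusive)."""
    return when.weekday() < 5 and policy.start_hour <= when.hour < policy.end_hour


def broker_decide(req: Request, policy: Policy) -> str:
    """Default-deny broker: returns 'plaintext', 'ciphertext' or 'denied'."""
    # Copy/move/rename operate on the still-encrypted bytes, so no identity check is needed.
    if req.op in PASSTHROUGH_OPS:
        return "ciphertext"
    # Identity first: who is asking, and from which device?
    if req.user not in policy.users or req.device not in policy.devices:
        return "denied"
    # Then policy: is this inside the permitted time window?
    if not in_window(policy, req.when):
        return "denied"
    # Then the application allow list: only trusted processes get decrypted bytes.
    if req.app not in ALLOWED_APPS:
        return "denied"
    return "plaintext"


def revoke(policy: Policy, user: str) -> Policy:
    """Permissions change at any time; the new policy applies to the next request."""
    return Policy(policy.users - {user}, policy.devices, policy.start_hour, policy.end_hour)


# Constructed sample policy mirroring the dog-walker analogy: weekdays, 2 pm to 3 pm.
WALKER_POLICY = Policy(frozenset({"walker"}), frozenset({"laptop-1"}), 14, 15)
MONDAY_2PM = datetime(2020, 6, 15, 14, 5)     # Monday
MONDAY_9AM = datetime(2020, 6, 15, 9, 0)
SATURDAY_2PM = datetime(2020, 6, 20, 14, 5)   # Saturday


def demo() -> dict:
    """Run the representative requests and return each decision."""
    p = WALKER_POLICY
    return {
        "authorized_read": broker_decide(Request("walker", "laptop-1", "winword.exe", "read", MONDAY_2PM), p),
        "wrong_hour": broker_decide(Request("walker", "laptop-1", "winword.exe", "read", MONDAY_9AM), p),
        "weekend": broker_decide(Request("walker", "laptop-1", "winword.exe", "read", SATURDAY_2PM), p),
        "unlisted_app_copy": broker_decide(Request("walker", "laptop-1", "explorer.exe", "copy", MONDAY_2PM), p),
        "unlisted_app_read": broker_decide(Request("walker", "laptop-1", "explorer.exe", "read", MONDAY_2PM), p),
        "unknown_user": broker_decide(Request("stranger", "laptop-1", "winword.exe", "read", MONDAY_2PM), p),
        "after_revoke": broker_decide(Request("walker", "laptop-1", "winword.exe", "read", MONDAY_2PM),
                                      revoke(p, "walker")),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:18s} -> {decision}")
```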

DASB Replaces DLP
June 19, 2020

The Customer
A privately-held financial services company (“FSC”) with financial and personal data protection requirements driven by compliance with Financial Industry Regulatory Authority (FINRA) and U.S. Securities and Exchange Commission (SEC).

The Challenge
FSC is mandated to protect sensitive financial and personal information to meet its compliance requirements. In particular, FSC wants to protect and track sensitive data as soon as it is accessed from its SQL databases and transformed into flat files stored on its file servers.

FSC already had Symantec DLP, but the tool’s approach of scanning file shares to identify sensitive data did not meet FSC’s needs. Scanning file shares is a painfully slow task, and error-prone as it does not protect data on creation but instead relies on blocking data using static classification tags. DLP also comes with a litany of other problems that did not meet FSC’s requirements. DLP was not able to provide visibility into all usage of the data. DLP requires a manual classification program which is error-prone and places a significant burden on all company staff. DLP is a further drain on the security team who needs to continuously tune rule sets to reduce false positives and false negatives. And DLP licenses are notoriously expensive, not to mention the laborious operational overhead. The result was a needlessly expensive and complex tool that did not meet the requirements.

The Solution
Upon purchasing SecureCircle, FSC met its initial set of FINRA and SEC data protection requirements within the first week of implementation. Although FSC had intended to renew its Symantec DLP license, it no longer needed to, since its data protection and audit requirements were fully met by SecureCircle.

FSC replaced Symantec DLP with SecureCircle and is protecting their data by default, enforcing a Zero-Trust framework. Employees work with protected data with no need to manually classify data, and no changes to approved applications and workflows. In fact, SecureCircle has enabled reduced workflow complexity in some areas, which has increased productivity.

Data is automatically protected and tracked as it moves out of the database. Files exported from the database are protected by SecureCircle's MagicFolder™ feature, which automatically and transparently protects data with defined access policies.

When employees modify reports or create new files (derivatives) similar to already protected data, the new files are automatically protected by MagicDerivative™, which compares digital DNA (dDNA) within the data for binary similarities. Derivative files, regardless of the applications that created them, that contain similar dDNA to protected data automatically inherit the protection and access policies of the original data.


● FSC began protecting data during the first week of implementation

● Automated continuous discovery and classification of data

● Completely transparent user experience

● Data is always protected: at rest, in-transit, and in-use. Files are never decrypted.

● Derivatives of flat files, regardless of file type or the applications that created them, are automatically protected as employees modify or create new reports.

● Protect by default, removing the drain on company staff for ongoing manual discovery and classification, and the burden on the security team of doing constant DLP rule management.

● Detailed reporting beyond compliance requirements to monitor workflows and provide visibility to data, including who is sharing data, and from what locations. Other solutions require admins to identify where the data is first.

● Automate workflows such as automatically protecting all data leaving the database or SaaS applications

The Outcome
FSC’s data protection and compliance requirements were fully met by SecureCircle. All data, including financial and personal information at FSC, is protected at all times, even in-use. Protection is enabled as soon as a flat file is created from the source database, which can be stored and consumed on file servers or employee endpoints. Protected data is tracked, and every action is auditable.

SecureCircle is implemented without impacting the existing workflows or user experience. In fact, SecureCircle has enabled reduced workflow complexity in some areas, resulting in increased productivity.

Finally, FSC realized considerable cost savings by switching from Symantec DLP to SecureCircle, in terms of license cost, fast implementation time, and by removing the burden on its staff and on its security team. On many levels, the FSC CISO agrees: "SecureCircle allowed us to increase protection and decrease cost."

Why Isn’t DLP Preventing Data Breaches?
January 17, 2020
June 19, 2020

Data loss prevention (DLP), the antiquated data protection model, takes a ‘manage by rule’ approach where all data flows freely unless the security team has written a rule to specifically protect the data. Rules come in many forms – discovery and classification rules that determine what data is sensitive, rules that dictate what applications, versions and file types can be used based on DLP limitations, and rules that determine what end-users can do with the data (copy, share, etc.). Unfortunately, security teams must expend tremendous effort to devise all the rules that apply, now and in the future, and to align them with business units before, during and after implementation. Managing by rules is also a tremendous burden on employee productivity as more and more restrictions are imposed on daily workflows. And despite all this effort, DLP is still highly error prone. Enterprises, even after investing considerable dollars, time and effort trying to implement and operationalize DLP, still fall victim to data breaches.

SecureCircle’s data access security broker (DASB) flips the ‘manage by rule’ approach on its head and ‘manages by exception’. Instead of investing effort building a dubious set of rules that identify data and attempt to protect every potential threat vector, DASB takes an expansive approach. This is possible because DASB is completely transparent to the end-user, there is no need to modify any application and DASB does not impose any workflow restrictions. As a result, any data can be protected, without having to manually discover, classify or ask end-users to label the data. With this approach, DASB bypasses the limits of DLP.

In this article, we examine the differences between the traditional data protection technology stack centered on DLP, and contrast it with SecureCircle’s DASB, highlighting use cases derived from recent real-world breaches.

The Unfortunate Case of DLP

By default, DLP allows a file to flow freely, unless it has been specifically identified as sensitive and a rule exists to block what the user is doing to/with that file.

Some types of sensitive information can be programmatically detected, such as credit card and social security numbers that follow a predictable structure; however, this is highly error prone. First, the security team must invest a lot of time in developing static pattern-matching rules. Information like credit card numbers can take many different forms in practice, so even writing dozens of detection rules still may not catch them all, and will block lots of legitimate information in the process. For example, DLP might encounter this telephone number (819661820893) and identify it as a credit card number, a false positive. An outgoing email attachment with this telephone number might be blocked, causing a slowdown in the business where none is warranted. This interference with normal business operations is one of many major downsides of DLP. The more aggressively the security team adds and updates rules to regulate sensitive data, applications and user actions, the more often false positives occur, resulting in employee backlash. Employees complain and attempt to circumvent the DLP tools altogether.

DLP also fails to detect sensitive information that has been slightly altered, allowing it to pass freely, a false negative. For credit cards, a classic exfiltration bypass is to spell out the credit card number (“eight one nine six…”), change the credit card number to the Wingdings font, or rewrite it as Roman numerals. It is easy to think up ways to get past DLP’s pattern matching.
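The two failure modes above, shown as an added example that is not part of the original article: a naive digit-run rule (assumed to mirror a broad DLP pattern) flags the telephone number from the text, a Luhn-validated rule does not, and the spelled-out form evades both. The sample texts are constructed; 4111111111111111 is a widely published issuer test number that passes the Luhn check.

```python
import re
from typing import Dict, List

# Broad pattern of the kind a crude DLP rule might use: any bare run of 12 to 19 digits.
DIGIT_RUN_RE = re.compile(r"\b\d{12,19}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def naive_detect(text: str) -> List[str]:
    """Flag every long digit run, the way a pattern-only rule would."""
    return DIGIT_RUN_RE.findall(text)


def luhn_detect(text: str) -> List[str]:
    """Flag only runs of card length (13-19 digits) that also pass Luhn."""
    return [m for m in DIGIT_RUN_RE.findall(text) if 13 <= len(m) <= 19 and luhn_ok(m)]


# Constructed samples illustrating the article's cases.
PHONE_TEXT = "Please call the client back on 819661820893 before noon."     # false positive bait
CARD_TEXT = "Card on file: 4111111111111111 (issuer test number)."           # genuine card-shaped value
SPELLED_OUT = "card is four one one one one one one one one one one one one one one one"  # bypass


def compare(text: str) -> Dict[str, List[str]]:
    """Return what each rule would flag, so the two can be compared side by side."""
    return {"naive": naive_detect(text), "luhn": luhn_detect(text)}


if __name__ == "__main__":
    for label, sample in (("phone", PHONE_TEXT), ("card", CARD_TEXT), ("spelled", SPELLED_OUT)):
        print(f"{label:8s} {compare(sample)}")
```

The Luhn filter removes this particular false positive but does nothing for the false negative, which is the article's point: pattern matching has to be extended rule by rule for every transformation.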

Credit card numbers and SSNs aside, the vast majority of valuable IP and personal data do not have obvious markers that a machine can automatically detect (source code, trade secrets, internal designs, M&A activity, health information, the list goes on). The result is that DLP ends up focusing on the smallest, most obvious subset of sensitive information like credit card numbers, while reams of truly sensitive data is left entirely unprotected.

To make matters worse, the implementation of DLP is laborious, lengthy, and highly restrictive. DLP forces the business to require specific applications, versions and specific file types based on DLP limitations, for example, a specific version of Microsoft Office, Adobe, or a specific engineering application. However, if the supported version of the application is discovered to have a security vulnerability, it can’t be upgraded or downgraded to a secure version until the DLP environment is updated to work with that new version. Well-intentioned employees and partners are thus penalized having to work with DLP, meanwhile malicious actors still easily bypass DLP’s attempts at protection. Depending on the DLP vendor and what rules have been set, a user who has read access to a file might simply breach the data by converting it to a different file type, saving as a different file name, copy/pasting the data, or taking a screenshot of the data. With DLP, security teams need to think through every exfiltration pathway and explicitly build a rule for each one – this requires a tremendous amount of manual time and effort and is extremely error prone.

As a result, security teams are simultaneously criticized by the executive suite and the business for not protecting data effectively and under pressure from the same people to get out of the way of usability and productivity. Fed-up organizations resort to setting DLP to “monitoring mode”, silently logging accesses and shares of data while making no attempt to stop breaches. At this point, all sensitive and personal data is unprotected and flows freely inside and outside of the organization. There is no application control or process restriction. Data is fully vulnerable to malware, breaches, and bypasses that are merely logged.

In recent years, companies have explored alternative ways of detecting sensitive information, such as asking employees to manually classify their data. This can take the form of every employee in the company filling out a small form every time they send an e-mail or save a file, a major investment in time. However, your colleagues are not security professionals, and their incentive is to get their work done, so the accuracy of their classification is in doubt. Since insiders are known to be the largest threat vector, giving employees the power to classify whether data is sensitive or not is handing insiders the keys to the kingdom. In practice, classification ends up being a crutch to enable the most obvious DLP scenarios, and usually only on newly created data, while years of valuable data already housed in the enterprise remain unclassified and therefore unprotected and unaudited. A more recent trend attempts to apply machine learning to detect sensitive data, requiring a huge investment in training the algorithms, with a lot of hype, however little measurable gain has been reported to date.

Given the effort required of the security team to devise rules that detect sensitive data, and the overhead incurred by employees classifying their own data and using only prescribed applications and file types, the DLP approach ends up opting in as little data as possible for protection. This is the old paradigm; this is DLP.

DASB – A New Data Protection Paradigm

DLP’s protect-by-rule approach imposes limits at every turn: limits on what data can be protected, limits on file types, unwanted limits on application types and versions, limits on workflows. DASB’s ‘manage by exception’ allows for a limitless approach where any data can be protected transparently, with no obstacles to protection or productivity. A truly Zero-Trust data protection program.

Limitless data protection – contrary to DLP’s reductive approach of opting in to only the smallest subset of data to protect, DASB takes an expansive approach to data protection. We recognize that most, if not all, enterprise data contains sensitive or valuable information and this data should not be allowed to leak. DASB achieves persistent protection, delivering it completely transparently to end users. DASB protects any and all data without impact to the end-user experience.

DASB is based on a patented portable, virtual, encrypting file system that inserts a transparent layer between the read and write operations of applications and their storage systems. Access to the storage systems through DASB is identical to how the data is accessed today. If data protected by DASB is accessed by an authorized user, device or process, the access control policy allows that process, device or user to read decrypted bytes. If protected data is accessed by an unauthorized user, device or process, the access control policy does not serve decrypted bytes to that process, device or user; only encrypted bytes can be read. As a result, users are not even aware of DASB’s existence, unless they attempt to access data they should not be accessing.
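To make the access decision above concrete, here is an added example in Go; it is not SecureCircle’s code or API. It models a broker that encrypts each file under its own AES-256-GCM key and serves plaintext only to principals its policy lists, returning the stored ciphertext to everyone else. The Principal, Broker, Write, Read and Revoke names, the policy-as-allowlist shape, the in-memory key storage and the sample file and principals are all assumptions made for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Principal is the (user, device, process) triple a read request carries.
// Names are illustrative assumptions, not SecureCircle's API.
type Principal struct {
	User, Device, Process string
}

// protectedFile is one stored object: ciphertext, its own 256-bit key and the
// policy naming who may read it in the clear. A real broker keeps keys in a
// separate key service; this in-memory model only shows the control flow.
type protectedFile struct {
	key, nonce, ciphertext []byte
	policy                 map[Principal]bool
}

// Broker stands in for the transparent encrypting layer between applications
// and storage: authorized principals get plaintext, everyone else gets the
// stored ciphertext bytes, and neither side changes how it performs I/O.
type Broker struct{ files map[string]*protectedFile }

func NewBroker() *Broker { return &Broker{files: map[string]*protectedFile{}} }

// gcmFor builds an AES-256-GCM instance for a per-file key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Write encrypts plaintext under a fresh random key (one key per file) and
// records the principals allowed to read it back decrypted. The file name is
// bound in as associated data so a ciphertext cannot be moved between paths.
func (b *Broker) Write(name string, plaintext []byte, allowed []Principal) error {
	key, nonce := make([]byte, 32), make([]byte, 12)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return err
	}
	pf := &protectedFile{key: key, nonce: nonce, policy: map[Principal]bool{}}
	pf.ciphertext = gcm.Seal(nil, nonce, plaintext, []byte(name))
	for _, p := range allowed {
		pf.policy[p] = true
	}
	b.files[name] = pf
	return nil
}

// Revoke drops a principal from the policy; the stored bytes are untouched,
// the next read from that principal simply returns ciphertext.
func (b *Broker) Revoke(name string, who Principal) {
	if pf, ok := b.files[name]; ok {
		delete(pf.policy, who)
	}
}

// Read serves decrypted bytes to an authorized principal and the raw encrypted
// bytes to anyone else; the bool reports which one the caller received.
func (b *Broker) Read(name string, who Principal) ([]byte, bool, error) {
	pf, ok := b.files[name]
	if !ok {
		return nil, false, errors.New("no such file")
	}
	if !pf.policy[who] {
		return append([]byte(nil), pf.ciphertext...), false, nil
	}
	gcm, err := gcmFor(pf.key)
	if err != nil {
		return nil, false, err
	}
	pt, err := gcm.Open(nil, pf.nonce, pf.ciphertext, []byte(name))
	if err != nil {
		return nil, false, err
	}
	return pt, true, nil
}

func main() {
	b := NewBroker()
	alice := Principal{"alice", "laptop-01", "winword.exe"}
	mallory := Principal{"mallory", "unknown-host", "curl"}
	_ = b.Write("/share/pipeline.xlsx", []byte("constructed sample content"), []Principal{alice})
	for _, who := range []Principal{alice, mallory} {
		data, clear, _ := b.Read("/share/pipeline.xlsx", who)
		fmt.Printf("%-8s clear=%-5v data=%q\n", who.User, clear, data)
	}
}
```

Two design choices carry the point of the paragraph: the policy is evaluated on every read, so revoking a principal takes effect immediately without touching the stored data, and an unauthorized reader still receives bytes (the ciphertext), so the application’s I/O path does not have to change to accommodate the broker.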

Limitless productivity – DASB’s transparency allows it to expansively protect all data. DASB imposes no limits on applications, versions, file types, file sizes, repositories, developer tools, workflows, or anything else in the environment, no matter how complex or enterprise-specific.

DASB can be implemented enterprise-wide, or with a phased approach, selecting the most important use cases first (source code, CRM, trade secrets, finance, PCI/PHI, etc.) and protecting all data related to those use cases. For data that is permitted to be shared externally, such as marketing material or sales quotes, role-based permissions allow users to securely collaborate with external stakeholders without giving up any control, protection, visibility or accountability.

Limitless control – with DLP, control is only persistent if the DLP rules have been configured for exactly the specific application, version, file type and migration path (copy/paste, file copy, cloud-to-cloud, etc.). These scenarios are almost impossible to configure in the required depth and nuance, resulting in more workflow interruptions than actual data protection. DASB moves access control policies from the storage system of the data to the data itself – from device-centric to data-centric. No matter where data is created, consumed, modified and stored, it is persistently protected by DASB. Data can be migrated from on-premises to cloud or from cloud to cloud and remains protected in all states: at rest, in transit, during migration, at the new storage location and even in use. This is because the protection and access control follow the data and every action that touches the data.

Let’s look at four core data protection capabilities of DASB that make this limitless protection possible. These can be used individually, or in combination, to protect against data exfiltration, whether inadvertent or intentional.

MagicFolder
With DASB, users or administrators can target a location to protect with MagicFolder. Any data within a magic folder is automatically and immediately protected. This includes all subfolders and directories. Any filesystem can be a magic folder – a user’s desktop, documents folder, even C:\. File servers and everything within them can be magic folders. Even an Amazon S3 bucket, commonly involved in data breaches, is simply a cloud file system that can be protected automatically, as is any Azure Blob storage, Google Cloud Storage bucket, etc.

From there, any data that already exists in the folder, or is downloaded, dragged, copied, created, etc. in the folder is protected instantly and automatically.

Following the DASB paradigm with the ability to protect everything, most enterprises protect entire filesystems and storage repositories, opting out of protection only for the very small subset of specific data that needs to be managed as an exception.

In the real world: The issue of S3 bucket security has come to a head in recent years with prominent data breaches affecting companies like Capital One, Uber, Accenture and the United States Department of Defense. These breaches keep happening for the same reasons, again and again. S3 buckets are convenient for collaboration but are often misconfigured, leaving their contents open to the public. Victims of these high-profile breaches had DLP, yet no DLP rule successfully blocked the exfiltration pathway. Even worse, in several instances the data had never been discovered, and the enterprise only became aware of it when the breach was disclosed. In contrast, DASB would protect sensitive data automatically before it even reached S3, preventing the breach altogether.

Another real-world use case is protecting data generated by legacy client/server web applications. Legacy client/server web applications are notorious for having outdated data protection capabilities, yet enterprises often have entire lines of business built around them. Imagine a legacy CAD editor that produces an enterprise’s key industrial designs, but the editor is no longer supported by the vendor. Or a home-grown content authoring tool that no longer has an in-house development team. These legacy applications are so entrenched in business workflows that changing to another application for security reasons is unrealistic. With DASB, MagicFolder protects the legacy web application’s data folder, with the web application as the only process allowed to access that folder. This encrypts the data output by the legacy application with zero change to the application, and no impact on any existing integrations or workflows.

Magic Process
With DASB, administrators can also specify a “magic process” from which any data that comes out of the process is protected or unprotected. This could be a web browser, Microsoft Word, Outlook, Adobe Acrobat – any process at all. Following the DASB paradigm with the ability to protect everything, enterprises set all processes to be protected by default. DASB also allows for protecting only certain processes to support specific protection use cases, for example making only the HR or accounting application a magic process.

In the real world: Source code has become one of the most valuable forms of intellectual property. However, we’ve seen numerous technology giants, including AWS, Tesla and Waymo, breached by a single employee exfiltrating hundreds of thousands of lines of source code. Historically, source code protection was limited to the time it was stored in a repository, but as soon as a developer takes code out of the repository, DLP and other traditional tools are not configured to protect the source code, or may fail to identify it altogether. Now with DASB, this breach is not possible: the tools used to access the repository are made a ‘magic process’, and upon checkout of any source code, through any approved process, the source code is automatically and transparently protected.

Source code is a poignant example, but the use cases for magic process are far-reaching, including the malicious employee who logs in to the company CRM and downloads all of the company’s contacts or pipeline to a CSV file, or the external threat who compromises an internal account and attempts to download personal and financial data from the ERP. In all of these cases, DASB prevents the data breach.

Magic Clipboard
With DASB, enterprises control how data in the clipboard can be pasted. Depending on the policy that is set, users might be allowed to copy and paste from protected processes to other protected processes, or certain data can be copied from an unprotected source into a protected destination under certain conditions.

In the real world: a too-often overlooked source of leaks is copy/paste of sensitive data into collaboration applications like Slack, Skype, or simply e-mail. This has led to headlines such as “Beware! Slack leaks are the new email leaks”, documenting the impact of email leaks that happened to The New York Times, Breitbart and Reddit through the “laughably simple means of copying and pasting internal conversations”. Magic Clipboard protects against these leaks, whereas traditional technologies typically cannot address this increasingly common threat vector.

MagicDerivative
No matter how carefully a company plans and targets its data protection policies, some data is sure to be missed, either now or in the future. This is where DASB’s MagicDerivative has your back. Whenever unprotected data is accessed, DASB’s patented similarity detection engine understands the DNA of the data (dDNA) and looks for a match to dDNA that is already protected. If there is a match, MagicDerivative applies protection to this data automatically, with the same access policies as the originally protected data. This means that even if you did not ‘discover’ the sensitive data, or your colleagues create or import new sensitive data down the road, DASB will automatically recognize that data as sensitive and protect it.

In the real world: Large enterprises can have tens of thousands of servers or more, too many of which are unknown or contain unknown data. And we have all seen the infographics that show how fast ‘new’ data is being created. What of this data is sensitive and needs to be protected? What is relevant? And what is legacy and can be discarded? The market for data discovery tools is very active, yet the only thing those tools can do is minimally provide clues as to what data exists within a company’s walls. However, MagicDerivative works with all data, even “unknown” data that has not been discovered or classified. MagicDerivative encounters company data as it’s being accessed (when it’s most vulnerable), and protects it automatically, whether the security team is aware of that data or not. Over time it spreads like a “benevolent virus”, protecting all data with the correct policies, according to its dDNA.

MagicDerivative even works with non-text data such as images. If a user copy/pastes your protected photo into a PowerPoint file, the PowerPoint is recognized as having the same dDNA as the image and is automatically protected with the same access controls.

Putting It All Together

Breaches are happening at extraordinary rates, making it a matter of when, not if, your data will be exploited. ‘Managing by rule’ has proven to be ineffective, and modern businesses demand a paradigm-shifting approach to data protection.

With SecureCircle’s Data Access Security Broker, data breaches are eliminated. End-users are none the wiser and business does not need to contort to the limitations of DLP.

Contact a DASB expert to learn more about how we can help your organization eliminate breaches and mitigate insider threats.

Cyber Hygiene
March 26, 2020
May 1, 2020

Washing your hands for 20 seconds is excellent for preventing a cold or flu, but what are some cyber hygiene practices businesses can put in place to protect their IT systems and, more importantly, their data?

While many SecureCircle customers tend to be larger Fortune ### organizations with existing security practices in place, today, I'm going to focus on the smaller organizations that won't have the National Institute of Standards and Technology (NIST) or International Organization for Standardization (ISO) 27001 certifications.

Human error was responsible for 90% of the data breaches in 2019.  Here are some cyber hygiene habits that can help.

  1. Passwords - When everyone has a key to the front door, it is easy to understand why someone stole the TV. Ensure users are forced to use unique passwords. Hackers reuse user IDs and passwords stolen from compromised sites to see what information they can gather on other websites. Require complex passwords. If you are a high-value target such as an executive or government official, a complex password prevents a brute-force password attack. Enable multi-factor authentication (MFA) whenever possible. MFA requires hackers to gain access both to your initial credentials and to a secondary device, such as the text messages on your phone. Users can also use a password manager, which creates very long, complex, and unique passwords. The downside of a password manager is that you need to trust the password manager company, since it holds all your passwords.
  2. Phishing - Phishing is a specific type of attack meant to trick users into providing their login details. An example attack is below. The victim receives an email that looks real. Due to all the data breaches, hackers may know which companies you transact with, so the emails look legitimate. To prevent this, users can install anti-malware/anti-phishing software. Your email provider may already scan inbound emails for phishing attempts. You can also buy additional third-party solutions. Users can also educate themselves on phishing attacks. Phishing is just the modern-day version of a physical letter from Nigeria asking you to wire money.
  3. Protect data at all times - Data shouldn't be susceptible to errors such as uploading a file to the wrong folder that doesn't have any access control, emailing a sensitive document to the wrong person, or, in the case of a malicious employee, theft of internal documents. Many solutions protect data at rest, but organizations should be looking for a solution that protects data at rest, in transit, and in use.

SecureCircle is a data loss prevention (DLP) replacement that persistently protects data at rest, in transit, and in use.  Legacy DLP solutions never worked because the solutions focused on depth and not the breadth of coverage.

Read the Forbes article: Breadth vs. Depth: The Cybersecurity industry has been focusing on the wrong thing.

SecureCircle also removes the operations burdens of legacy DLP by not requiring a traditional 'Discover, Classify, Protect' model.

Read the Forbes article: 'Discover, Classify, Protect' is wrong

By focusing on these three cyber hygiene habits, organizations can reduce their risk of ransomware, IT downtime, and data loss.

Security Risks From Employees Working From Home
March 16, 2020
June 19, 2020

More employees are working from home and causing additional security challenges. 

In a recent Wall Street Journal article citing information concerning Apple, "In recent days, software developers sent home by Apple Chief Executive Tim Cook have complained of slow download speeds and mounting confusion over still-evolving new internal rules about what work they are allowed to perform, staffers say. Some workers can't access crucial internal systems from home due to strict security policies meant to fend off outsiders—which now includes off-site employees."

Additionally, "Though Apple has encouraged staff to stay away from the office for health reasons, many engineers say they continue to come into headquarters, heeding company policy that forbids unreleased products from being removed from campus. The company has loosened some security restrictions but maintains them on any software that might reveal the nature of off-limits projects, staffers say."

Organizations such as Apple built security processes and tools around a secure network, i.e., the corporate network. The good guys are allowed inside the network, and the bad guys are blocked from entering it.

This approach works when the organization controls every aspect of a project. However, many organizations rely on cloud services like Jira, GitHub, etc. For cloud-centric organizations, the line between the internal network and the external network blurs.

As organizations adopt a cloud-centric approach, they need to apply security principles such as Zero-Trust and data-centric protection. Read the Forbes article End Insider Threats Without Impacting Users or Business Workflow for four things to consider when adopting a data-centric approach and three tips to kick-start your data-centric journey.

COVID-19 highlights that security needs to be data-centric.  A data-centric security posture is not dependent on location, user, or device.

Is 'Discover, Classify, Protect' Wrong In Cybersecurity Today?
March 9, 2020
June 19, 2020

Data protection has followed the same paradigm for years: discover, classify and protect. That paradigm exists because years ago, protection solutions were extremely painful to implement. Administrative overhead was high. The end-user impact was high.

The only way organizations would consider implementing protection tools without a riot was to execute protection on a small amount of data. Historically, organizations wanted to discover all the locations of data first. Then they decided which data was essential to protect by classifying the data. This paradigm creates a small, manageable amount of data to protect.

Again, the legacy paradigm exists because protection solutions such as file encryption, information rights management (IRM) and data loss prevention (DLP) were too complicated to deploy, administer and operate. Many data loss guides span into the thousands of pages.

Protection solutions like DLP are too fragile. They rely on classification, which always changes over time. What is critical to protect today is not sensitive tomorrow, and more troubling is that what organizations don't consider important today becomes vital in the future. Classification is also very user-dependent. Users make mistakes, and malicious users are hard to identify.

A new category of data-centric data protection is now available that works in the background, where users only see notifications when they access files they don't have permission to access. It's a similar approach to antivirus and anti-malware tools: users are only interrupted when something needs attention.

Read Full Article at

Breadth Vs. Depth: Cybersecurity Industry Has Been Focusing On The Wrong Thing
February 21, 2020
June 19, 2020

The cybersecurity industry's approach to data protection has only ever resolved the depth of security problems. There are data loss prevention (DLP), information rights management (IRM), encryption and many solutions available that can only protect a few pieces of data well.

What companies, organizations and governments need is a security approach that enables a massive breadth of protection. It's critical to protect as much data as possible at all times. A breadth-of-security model has not been possible with legacy solutions because all depth-of-security features interfere with end-user workflows.

A depth-of-security approach doesn't prevent any of the massive data breach examples mentioned previously.

As a result, companies and users protect as little data as possible — which is why many security professionals implement a “discover, classify and then protect” model. This paradigm doesn’t protect massive amounts of data against large breaches. It protects as little data as possible.

Read Full Article at

Third Party Vendors
February 17, 2020
June 19, 2020

The Achilles Heel of Data Protection

Health Share of Oregon, the state's largest Medicaid coordinated care organization, exposed personally identifiable information (PII) of 654,362 of its members, including names, addresses, phone numbers, dates of birth, Social Security numbers, and Medicaid ID numbers. The breach did not occur at Health Share of Oregon itself, however. The office of one of its suppliers, GridWorks IC, a medical transportation company, was burglarized and a laptop holding this data was stolen.

When it comes to data protection, a company’s third party vendors are too often its Achilles heel. A company can reinforce its own security posture with the latest and greatest technology, but it still has to provide access and share information with its suppliers, and its suppliers’ suppliers, and so on up the chain. With each degree of separation, the company has less control over its suppliers’ security – especially small suppliers with modest security programs. But when there is a data breach, no matter how far along in the supply chain, the company (Health Share of Oregon, in this case) is still accountable.

“No one’s personally identifiable information (PII) is safe. Companies can’t count on the integrity of their suppliers’ and partners’ security capabilities,” CSO Online says. “Expect more companies to demand security audits of their partners, suppliers, and service providers. Third-party breaches are becoming more common, and it shows that any organization’s security is only as good as its extended network.”

Third Party Vendor Breaches on the Rise
In one of the biggest data breaches in history, hackers stole 40 million credit cards from Target. The hackers were able to access this data by going through its third-party HVAC supplier. Nobody remembers the HVAC company’s name, but everyone remembers Target. The breach cost Target over $200 million, plus ongoing reputational damage to this day.

Today, high-profile data breaches are an almost daily occurrence, and if you read the details, often the root cause is a third party vendor breach. A recent survey found that nearly 60% of companies in 2018 were the victim of third-party data breaches, a notable increase over the previous year. Greatest hits include: 

  • Quest Diagnostics
  • LabCorp
  • DoorDash
  • Walmart
  • Verizon
  • Scottrade Bank
  • Italian bank UniCredit
  • The Republican National Committee
  • Deloitte
  • Accenture

The last two examples, Deloitte and Accenture, highlight that while the weak link can be your mom-and-pop HVAC supplier, large suppliers are also a risk. Deloitte and Accenture are widely regarded as experts in data protection and are both paid handsomely to advise on security. The egregious breaches that they suffered were the pinnacle of embarrassment in third-party security.

No Good Solution? 
CIOs agree that supplier security breaches are one of the biggest problems in data protection today; however, to date, this appears to be a problem without a good solution.

Contractual Terms, Auditing, and Compliance
As a first line of defense, enterprises are demanding stronger contractual terms with suppliers, both in the security they require of their vendors and in the legal and financial consequences of a breach. This transition is occurring at a glacial pace. Large enterprises already have thousands of vendors and are not in a position to easily renegotiate contractual terms with all of them. At best, enhanced contractual terms might provide some financial and legal compensation, although even this is highly dependent on the size of the vendor and the jurisdiction in which it would be held accountable. Ultimately, the responsibility for a breach is still borne by the enterprise itself, particularly the lasting reputational harm (the public remembers your brand; no one remembers the vendor).

Contracts and good-will aren’t enough. Moreover, just because a supplier is agreeable and willing, that doesn’t mean their data protection measures are up to par. Enterprises are spending more than ever to audit their partners, suppliers, and service providers, but this is extremely costly, and the great irony is that audits today assume antiquated security measures are in place such as disk encryption and DLP, which are far from a guarantee that a data breach would not occur. 

To streamline the certification and auditing of vendors, third party registries have emerged that audit and certify vendors for you. One example is Vendorpedia that certifies third party vendors comply with standards such as GDPR, NIST, and ITAR. The idea is that as an enterprise, you would not have to audit all of your suppliers yourself, but simply require any supplier to show proof of certification and audit from one of these registries. But there are many problems here. A third party registry is only useful if it reaches a critical mass of vendors, which will take a long time and may never happen. And even then, at best vendors are attesting to a certain level of compliance, however as any junior security analyst can tell you, compliant does not mean secure. 

Technology Options
In terms of technology, some enterprises ship secured laptops to their third parties and require the third parties to only work on those laptops. Others require that their suppliers work in a virtual space using VDI. These solutions are burdensome, slowing down productivity, and simply don’t scale across thousands of suppliers. 

Digital rights management (DRM) has had a resurgence of late because it offers an attractive thesis: protect your sensitive e-mails and files wherever they go. Even if they fall into the wrong hands, they are still protected. The notion is not wrong. Rather than implementing endless levels of audit, compliance and perimeter security, it is reasonable to assume that data will flow into your partners’ hands, and eventually into the wrong hands, and that the solution is protection that follows the data wherever it travels. Unfortunately, DRM remains a theoretical idea at best, just as it was 20 years ago. In practice, DRM suffers from significant user experience problems, as users are required to classify their data, and access is limited to certain file types, special applications, plug-ins, authentication mechanisms, access controls, etc. Managing this at scale is unwieldy, and nearly impossible once the data starts flowing into the hands of suppliers who have different operating systems, applications, versions, and plug-ins. After 20 years of DRM, there are very few success stories.

If only there was a way to protect your data wherever it goes, but with an invisible user experience that does not slow down productivity?

DASB: Protection That Follows Your Data, With A Transparent User Experience
Data Access Security Broker (DASB) is a limitless data protection solution, delivering transparent and persistent data protection. DASB moves access control policies from the storage system of the data to the data itself – from device-centric to data-centric. Data is automatically protected by default, and this protection follows the data and every action that touches the data, even when it moves into a vendor’s hands.

Whether inside your company or at partner, vendor, or customer site, a user can only access the data if they have appropriate privileges per the security policy. An administrator can revoke access to the data and change permissions at any time. Malicious or accidentally shared data cannot be accessed by unapproved parties.

In the case of Health Share of Oregon, its vendor GridWorks IC would not have had access to its members’ PII unless Health Share of Oregon had authorized this in its policy. As soon as it was known that the laptop with this information was stolen, an administrator would have remotely cut access to all protected data, and the malicious actor would have had access only to encrypted blobs, nothing more. Health Share of Oregon would also have had an audit trail of every access attempt on the data, even the stolen, protected data now in the malicious actor’s hands, giving it further insight into the incident.

But unlike DRM technology, DASB is completely invisible to the end user, making it fast to implement and easy to scale. DASB imposes no limits on applications, versions, file types, file sizes, repositories, developer tools, workflows, or anything else in the environment, no matter how complex or enterprise specific. Users don’t even realize it is there.

DASB Secures Your Enterprise and Your Supply Chain 
Companies who rely on third party vendors and suppliers are exposed to a greater level of data breach risk. Unfortunately, all modern companies today fit this description, and the trend is only increasing. The modern enterprise is highly interconnected with a myriad of suppliers, and no matter how strongly you fortify your own security posture, your Achilles heel will always be those third parties with whom you share information. 

DASB eliminates this risk. Whether you’re a media enterprise like HBO that collaborates with hundreds of suppliers big and small during the production of a series, a financial services enterprise that leverages third-party services from the Deloittes and Accentures of the world, a commerce giant like Target that needs HVAC, or a health provider like Health Share of Oregon, DASB persistently protects data by default so that you remain in control, even when information flows into your vendors’ hands. Even when it inevitably flows into the wrong hands. DASB covers you and your entire supply chain, all while providing a completely transparent experience.

The Rise Of DASB, Sunset Your DLP
February 17, 2020
June 19, 2020

5 Reasons Why Organizations Are Switching

1. Manage by exception

DASB manages by exception

DASB persistently and transparently protects data, with no impact to end-user experience, applications, and business workflows. DASB flips the traditional data protection model from one of opting into the least amount of data to protect, to an expansive, opt-out model. This opt-out model enables organizations to protect any and all data and manage exceptions around collaboration. 

DLP manages by rule

DLP requires rules to be written for every scenario. Whether the scenarios are trying to identify every possible exfiltration pathway or map to acceptable business use, these rules need to be continuously tuned to decrease alerts, false positives and false negatives.

2. Identify data by DNA

DASB expands its protection through dDNA matching 

DASB’s patented similarity detection engine understands the DNA of the data (dDNA) and looks for a match to dDNA that is already protected. If there is a match, Magic Derivative applies protection to this data automatically, with the same access controls as the originally protected data. This means that even if you have not discovered or classified all your sensitive data, or if your colleagues create or import new sensitive data down the road, DASB will automatically recognize this “unknown” data as sensitive and protect it.
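The dDNA matching described here, and in the MagicDerivative section earlier on this page, is patented and its algorithm is not shown on the page. As an added illustration, not SecureCircle’s engine, the following Go example uses a generic content-similarity technique (word-shingle Jaccard overlap) to decide whether newly seen content is a derivative of an already-protected document and should inherit that document’s policy. The DerivativeMatcher, Protect and Classify names, the Policy fields, the shingle size, the threshold and the sample texts are all constructed assumptions for this example.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// tokens lowercases text and splits on anything that is not a letter or digit,
// so punctuation and case changes do not disturb the comparison.
func tokens(text string) []string {
	mapped := strings.Map(func(r rune) rune {
		if unicode.IsLetter(r) || unicode.IsDigit(r) {
			return unicode.ToLower(r)
		}
		return ' '
	}, text)
	return strings.Fields(mapped)
}

// shingles returns the set of k-word shingles of text: a generic content
// signature standing in for the page's "dDNA" (the real engine is not shown).
func shingles(text string, k int) map[string]struct{} {
	words := tokens(text)
	out := make(map[string]struct{})
	for i := 0; i+k <= len(words); i++ {
		out[strings.Join(words[i:i+k], " ")] = struct{}{}
	}
	return out
}

// jaccard is set overlap in [0,1]. An empty signature scores 0 against
// everything, so empty or very short files never inherit a policy by accident.
func jaccard(a, b map[string]struct{}) float64 {
	if len(a) == 0 || len(b) == 0 {
		return 0
	}
	inter := 0
	for s := range a {
		if _, ok := b[s]; ok {
			inter++
		}
	}
	return float64(inter) / float64(len(a)+len(b)-inter)
}

// Policy is the access rule attached to protected data (field names assumed).
type Policy struct {
	Circle  string
	Readers []string
}

type protectedDoc struct {
	name   string
	policy Policy
	sig    map[string]struct{}
}

// DerivativeMatcher holds signatures of already-protected documents and
// decides whether newly seen content is a derivative of one of them.
type DerivativeMatcher struct {
	k         int
	threshold float64
	docs      []protectedDoc
}

func NewDerivativeMatcher(k int, threshold float64) *DerivativeMatcher {
	return &DerivativeMatcher{k: k, threshold: threshold}
}

// Protect registers a document's signature together with its policy.
func (m *DerivativeMatcher) Protect(name, content string, p Policy) {
	m.docs = append(m.docs, protectedDoc{name, p, shingles(content, m.k)})
}

// Classify returns the policy unknown content should inherit, the best-matching
// protected document and the score; ok is false when nothing is similar enough.
func (m *DerivativeMatcher) Classify(content string) (p Policy, match string, score float64, ok bool) {
	sig := shingles(content, m.k)
	for _, d := range m.docs {
		if s := jaccard(sig, d.sig); s > score {
			score, match, p = s, d.name, d.policy
		}
	}
	return p, match, score, match != "" && score >= m.threshold
}

func main() {
	// Constructed sample: a protected design note and an email excerpt of it.
	m := NewDerivativeMatcher(3, 0.3)
	design := "Project Falcon anode uses a silicon graphite composite at twelve percent loading with vinylene carbonate additive at two percent by weight."
	m.Protect("falcon-cell-spec.docx", design, Policy{"engineering", []string{"alice", "bob"}})
	email := "Hi team, as discussed the anode uses a silicon graphite composite at twelve percent loading with vinylene carbonate additive, thanks"
	_, src, score, ok := m.Classify(email)
	fmt.Printf("email: derivative=%v of %s (score %.2f)\n", ok, src, score)
}
```

The threshold is the tuning knob a practitioner would care about: too high and a paraphrased excerpt escapes, too low and common boilerplate (signatures, headers) pulls unrelated files under the wrong policy, so it is worth measuring both error rates on a sample of real documents before relying on automatic propagation.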

DLP’s data identification is like using a fingerprint

DLP might encounter this telephone number (819661820893) and identify it as a credit card number, a false positive. An outgoing email attachment with this telephone number might be blocked causing a slowdown in the business where none is warranted. This interference with normal business operations is one of many major downsides of DLP. The more aggressively the security team adds and updates rules, the more often false positives occur. Employees are measured on their productivity. When security tools slow them down they complain and try anything they can to circumvent the blocker, DLP. DLP also fails to detect sensitive information that has been slightly altered, allowing it to pass freely as a false negative. For credit cards, a classic exfiltration bypass method is to spell out the credit card number ("eight one nine six..."), change the credit card number to an unreadable font like Wingdings, or re-write it as Roman numerals. It is easy to think up ways to get past DLP's pattern matching.
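The false positive above, and the brittleness of pattern matching in general, can be reproduced in a few lines. The following added Go example (not any DLP vendor’s rule set) runs a pattern-only rule and a checksum-aware rule over constructed samples containing the page’s telephone number and the well-known 4111… test card number, which is not a live account. The function names, the regular expressions and the samples are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// naiveCard is what a pattern-only DLP rule looks like: any bare run of 12 to
// 19 digits is treated as a card number.
var naiveCard = regexp.MustCompile(`\b\d{12,19}\b`)

// groupedCard also accepts single spaces or dashes between digits, the
// formatting a card number is usually typed or pasted with.
var groupedCard = regexp.MustCompile(`\b(?:\d[ -]?){11,18}\d\b`)

// digitWords lets the detector see "four one one one ..." as digits, one of
// the rewrites the page mentions. It catches only that variant, which is the
// point: every new rewrite needs a new rule.
var digitWords = map[string]string{
	"zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
	"five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9",
}

// luhnValid reports whether a digit string passes the Luhn mod-10 checksum
// that all real payment card numbers satisfy.
func luhnValid(s string) bool {
	if s == "" {
		return false
	}
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		d := int(s[i] - '0')
		if d > 9 { // not a digit
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// digitsOnly strips everything except ASCII digits.
func digitsOnly(s string) string {
	return strings.Map(func(r rune) rune {
		if r >= '0' && r <= '9' {
			return r
		}
		return -1
	}, s)
}

// NaiveFindCards returns every digit run the pattern-only rule would block.
func NaiveFindCards(text string) []string { return naiveCard.FindAllString(text, -1) }

// LuhnFindCards returns, as bare digits, only candidates that look like a card
// number and pass the checksum, which removes the telephone-number false positive.
func LuhnFindCards(text string) []string {
	var out []string
	for _, m := range groupedCard.FindAllString(text, -1) {
		if d := digitsOnly(m); luhnValid(d) {
			out = append(out, d)
		}
	}
	return out
}

// DigitWordsToDigits rewrites spelled-out digits so LuhnFindCards can see them.
func DigitWordsToDigits(text string) string {
	words := strings.Fields(text)
	for i, w := range words {
		if d, ok := digitWords[strings.ToLower(w)]; ok {
			words[i] = d
		}
	}
	return strings.Join(words, " ")
}

func main() {
	// Constructed samples: the page's telephone number, the 4111... test number
	// in its usual grouped form, and the same number spelled out.
	samples := []string{
		"call me at 819661820893 tomorrow",
		"card 4111 1111 1111 1111 exp 12/24",
		"four" + strings.Repeat(" one", 15),
	}
	for _, s := range samples {
		fmt.Printf("%q\n  naive=%v  luhn=%v\n", s, NaiveFindCards(s), LuhnFindCards(DigitWordsToDigits(s)))
	}
}
```

Running it shows the three cases the paragraph describes: the pattern-only rule flags the telephone number and misses the grouped card number, while the checksum-aware rule does the reverse; the spelled-out number is caught only because a dedicated normalization was added for it, and the same would be needed for every further rewrite.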

3. Protect First

DASB protects any and all data

DASB protects any data transparently. This allows organizations to protect data first and then work on discovery and classification. DASB’s methodology for discovery and classification enables organizations to identify and administer the appropriate access controls for unknown data. This includes all the information your employees are creating every day and all the unknown data stored in any location (on-prem, cloud, on endpoints, etc.) across your enterprise.

DLP requires tedious discovery and classification

DLP’s obtrusive nature requires discovery and classification as a necessary crutch to achieve even the most basic protection scenarios. Manual classification can depend on every employee in the company filling out a small form every time they are about to send an email or save a file, a major drain on employee time. Worse, your colleagues are not security professionals, and their incentive is to get their work done, so the accuracy of their classification is in doubt. Insiders are known to be the largest threat vector, so giving employees the power to classify whether data is sensitive or not is a critical flaw. 

Discovery is known to be highly ineffective, as discovery tools are not equipped for the volume of data and the varied locations (public or private cloud, on-prem) in which this data is stored. Automated discovery is also highly error-prone, leading to the wrong policies being applied to the wrong data.

4. Expansive Protection

DASB data protection is expansive

DASB takes an expansive approach to data protection. We recognize that most, if not all, enterprise data contains sensitive or valuable information and this data should not be allowed to leak. DASB continuously discovers, classifies and protects previously unknown data. DASB achieves zero-trust, persistent protection that is completely transparent to end users. DASB protects any and all data without impact to the end-user experience. 

DLP data protection is reductive

Contrary to DASB, DLP's approach to data protection is reductive. DLP depends on discovering and classifying data, with the goal of opting into only the smallest subset of data to protect. By default, DLP allows a file to flow freely unless it has been specifically identified as sensitive and a rule exists that dictates how users can interact with that file. This is an ongoing, tremendously time-consuming, never-ending effort for security teams. It is nearly impossible to devise every possible rule to block exfiltration pathways while aligning with the business and acceptable business use cases. Managing by rules is also a huge burden on employees, as more and more restrictions are imposed on their daily workflows. Given the amount of effort required of the security team to devise rules that detect sensitive data, and the overhead incurred by employees classifying their own data, using only prescribed applications and file types with workflow pop-ups, errors and overhead along the way, the DLP approach ends up opting in to the least amount of data possible.

5. Time to Value in Hours

DASB is implemented in hours

With DASB, deploy the agent, target a location, and you are transparently protecting data. DASB is implemented enterprise-wide, or in a phased approach, selecting the most important use cases first (source code, CRM, trade secrets, finance, PCI/PHI, etc.) and protecting all data related to those use cases.  DASB imposes no limits on applications, versions, file types, file sizes, repositories, developer tools, workflows, or anything else in the environment, no matter how complex or enterprise specific. 

DLP takes months, if not years to implement

DLP requires a comprehensive discovery and classification program, with buy-in and assistance from the business, before even starting to write rules. Because the discovery and classification program is continuous and manually conducted, rules must keep being written, and false positives and false negatives must be constantly tuned. Once the discovery and classification programs are underway and tuning progress has been made, the program can move to monitor or test mode to see how DLP will impact the end-user experience. Once the business and security sign off on acceptable impact to the business, and staff have been trained on the manual classification and data usage policies, DLP might be ready to start protecting data.

DLP is the old paradigm. DASB is the New New. Based on the Zero Trust philosophy, DASB allows all data to be protected transparently, without impacting workflows or applications. 

Download our whitepaper, The Rise of DASB, to learn how to protect your organization's data against breaches and insider threats.

AWS Source Code Leak
February 4, 2020
June 19, 2020

On January 13, an AWS employee stole nearly a gigabyte’s worth of data, checking it into a personal GitHub repository. This included data that had already been discovered and classified as “Amazon confidential”. Even worse, the criminal was also able to steal RSA key pairs marked “admin” and “root key” (suggesting it provides privileged access control), passwords, authentication tokens and API keys. Luckily for AWS, they were alerted to the theft by a third party and took corrective action. 

Source code breaches are occurring daily with damaging consequences. Uber and Google made headlines when a former Google engineer easily exfiltrated 9 GB of source code and hundreds of Waymo trade secrets. Tesla source code was breached by an employee, exfiltrating over 300,000 files for personal gain. Apple and Samsung suffered similar high-profile source code breaches.

Source code used to be something only tech geeks had to worry about; today, with the rise of the digital enterprise, source code is among the most valuable corporate assets. Unfortunately, protecting source code in a way that doesn’t impede development is one of the harder efforts in cyber security.

Source Code Protection requires Defense-in-Depth & Breadth

Protecting source code requires a defense-in-depth & breadth approach. The cybersecurity industry's traditional approach to data protection has focused on resolving the risks in depth. There are data loss prevention (DLP), information rights management (IRM), encryption and many other solutions available that can only protect a few pieces of data well. What organizations need is a security approach that enables a massive breadth of protection in addition to depth. It's critical to protect as much data as possible at all times. A breadth-of-security model has not been possible with legacy solutions because depth-of-security features interfere with developer tools and workflows.

Protecting the minimum amount of data, for the minimum amount of time, with the most restrictive workflows has hurt productivity and morale. Developers often find themselves fighting against security controls which slow down their ability to accomplish the tasks they were hired to do. This leaves organizations particularly vulnerable to:

  • Human error. This is the most common. Quite simply, data protection needs to make sure that developers can’t accidentally check their source code into the wrong repository (a shockingly common problem given how most repositories work), or into an open source project. The AWS source code breach may also have been a form of human error, as a public statement by the company stated that the majority of the files leaked by the employee were personal in nature. Regardless of intent, a breach is still a breach.
  • Insider threat. As in the Waymo and Tesla examples, a common threat vector can simply be a malicious employee or ex-employee who is motivated to breach the source code for personal gain. This can take several forms, including checking out the source code from the repository, and emailing it to a personal account, or moving it to a USB device.
  • Nation state attacker. This happened recently to McAfee, Symantec and Trend Micro. Their source code was stolen by the Russian cyber criminal group Fxmsp.

Secure the Repository

For a solution to work at breadth, it needs to work at scale without limits. A complete defense-in-depth & breadth strategy ensures:

  • All file types can be protected
  • No file size limits
  • Any application is supported
  • Transparency to end users and no change to user workflows
  • Portability across all devices and cloud
  • Automatic tracking and protection of data as it moves
  • Data is always protected, at-rest, in-transit and in-use
  • Every derivative of the data is automatically protected

Developers Have Free Rein

Your source code is constantly being accessed by automated tool chains, internal developers, QA, 3rd party developers, and anyone or anything that has access to those associated systems. Even if all source code is stored in a repository with the appropriate data protection settings, your source code and copies of it are always in other locations. Even with properly configured repositories, the AWS, Waymo, and Tesla breaches occurred because source code must exist outside the repository.  Without persistent data protection, once the data has been accessed, it’s vulnerable to breach.

One of the reasons that source code protection is typically limited to data at rest in the repository is that development requires specialized tools to create, build, and test code. Modern organizations have no tolerance for additional workflow steps that slow down productivity, or for being forced to use anything but the specialized tools required to get the job done. Business needs are fundamentally at odds with the approach taken by antiquated technologies, including DLP, DRM, and VDI. These approaches paralyze productivity with manual discovery and classification, limits on what tools can be used, and false positives that stall productivity.

Data Loss Prevention (DLP) requires a tremendous effort to build up and maintain rules which explicitly list what data to protect, when, how, etc. As a result, DLP is notorious for protecting only the bare minimum set of obvious data, such as predictably formatted credit card numbers, and even then, it is error-prone. The result is that DLP ends up focused on very basic and specific protection scenarios and is rarely able to protect source code. Which is just as well, as DLP imposes a heavy burden on employee productivity that engineers struggle to accept. We document the shortcomings of DLP at length in our white paper.

Digital rights management (DRM), such as Microsoft AIP, is not capable of protecting the majority of business data or something as complex as source code. DRM is too restrictive. DRM supports limited applications found in a normal business and is extremely limited in support for engineering environments. 

Virtual Desktop Infrastructure (VDI) is quite secure. So secure that it’s a burdensome solution for developers. VDI imposes too many restrictions and is very costly. 

The result is that most companies simply do not implement data protection solutions for their source code. Those that do introduce significant friction with developers: productivity is lost, and the protection is highly error-prone.

DASB: Transparently Protect Source Code at All Times

The Data Access Security Broker (DASB) platform provides extensive defense-in-depth and breadth for any data, even source code. When data leaves the repository, it is immediately and automatically encrypted. Data protected by DASB is transparently accessible to any IDE and development tools used. Protection is persistent no matter where the data goes or how it is accessed. The AWS, Waymo, and Tesla breaches would not have been possible with DASB. Moreover, once DASB is aware of some of your source code, it automatically protects any other similar data it comes in contact with, expansively extending DASB’s protection automatically. 

DASB operates transparently behind the scenes. Developers are not even aware that DASB is protecting the source code, unless they attempt to violate business policy. The organization has persistent access control over this valuable intellectual property and any derivatives which have been made. DASB tracks every action taken on protected data and reports it to your SIEM, turning every action into an auditable event. 

Source code breaches are on the rise, and even the biggest players, like AWS, are not safe. AWS got lucky, but others like Waymo and Tesla suffered damaging losses. DASB would have prevented every one of these breaches, while providing a completely transparent experience to everyone involved. Don't get breached. Don't rely on luck. Rely on DASB.

End Source Code Theft
January 28, 2020
June 19, 2020

Case Study

The Customer
A publicly traded Cyber Security Company (CSC) located in Silicon Valley, with 50+ in-house software developers and 100+ contract developers from several 3rd party consulting firms. CSC is also a Gartner Magic Quadrant leader, with over 3,000 customers in more than 80 countries.

The Challenge
CSC needed to ensure that their source code was not stolen or lost. A costly virtual desktop infrastructure (VDI) solution was implemented to prevent misuse and add accountability for developers working with source code. This was met with resistance from their developers, who were extremely limited by VDI. Developers struggled with simple tasks like copying/pasting, taking screenshots, and collaborating. Despite employing VDI and other defense-in-depth strategies, source code was still lost. The scale of misuse is still unknown.

See how SecureCircle's DASB was able to solve this customer's issue.

Download Case Study

SecureCircle Data Access Security Broker (DASB) Selected By Quanta Storage To Eliminate Insider Threats
January 14, 2020
May 4, 2020

SANTA CLARA, Calif. January 14, 2020 – SecureCircle, the world's first Data Access Security Broker (DASB), today announced an agreement with Quanta Storage Inc. (QSI) to eliminate insider threats such as accidental sharing and malicious users. QSI, a worldwide leader in OEM and ODM services to the world's leading consumer electronics brands and based in Taoyuan City, Taiwan, is adopting SecureCircle's DASB to eliminate insider threats. SecureCircle's data-centric access control persistently protects customer data without impacting applications, workflow, or end-user experience.

"SecureCircle was selected because their technology applies to data regardless of where the data is stored or what applications are used," said Luis Chuang, Associate Manager. "Two critical requirements for QSI are support for all platforms including Windows, Mac, and Linux and support for any application and file type, including native design files."

"SecureCircle allows QSI to protect confidential information coming from QSI's customers," said Eric Hsu, NetBridge Technologies general manager. "The customer data is protected from insider threats such as malicious users or accidental sharing." NetBridge Technologies is the exclusive value-add distributor for SecureCircle in Taiwan.

"Quanta Storage Inc. is a great showcase customer because they have many different security use cases including protecting data through a chain of custody, protecting the manufacturing process, and securing software source code," said Jeff Capone, SecureCircle CEO. “Per recent reports, insider threats account for 34% of data breaches.”

Quanta Storage Inc. is using SecureCircle to:

  • Ensure sensitive customer intellectual property (IP) is protected when customers share data with QSI
  • Transparently secure data from internal and external threats including accidental sharing, lost/stolen devices, shadow IT, and rogue employees
  • Segregate customer data from other customers so data cannot leak from one customer to another
  • Secure software source code throughout the development process
  • Protect QSI internal confidential information including business, design, and manufacturing data

Due to the sensitive and competitive nature of the OEM and ODM industry, QSI strives to achieve the highest level of data protection to ensure internal IP, as well as customer and partner IP, is always protected.

To learn more, visit or contact NetBridge Technologies.

About Quanta Storage Inc.

Quanta Storage Inc., founded in 1999, is devoted to the development and manufacture of consumer electronic products for global leading companies through OEM and ODM business models. For more information, please visit

About SecureCircle

SecureCircle eliminates insider threats by delivering data-centric access control without the need to modify applications running on endpoints or in the cloud. It works with any application and persistently protects data at rest, in transit, and in use. No matter how data is stored, consumed, transformed, or shared, it remains protected without impacting existing workflows or end-user experience. Access is granted leveraging existing identity management tools and easy-to-administer policies. SecureCircle is the first Cloud-Delivered Data Access Security Broker. For more information, visit or follow us on Twitter and LinkedIn.

Organizations Should Bulk Up Cybersecurity In Case Of Iranian Cyber Attack
January 7, 2020
June 17, 2020

Immediately after the United States assassinated Iranian Maj. Gen. Qassim Suleimani, the leader of Iran, Ayatollah Ali Khamenei, warned the world of an impending Iranian retaliation. Experts suspect that the country will likely respond with a cyber warfare campaign rather than traditional warfare efforts. SecureCircle recommends that all organizations assess and strengthen their cyber defenses to protect sensitive data and secure intellectual property in preparation for an Iranian cyber-attack.

What U.S. organizations can expect from an Iranian cyber attack

Iran has spent years developing its cyber warfare capabilities. In late 2011, Iran invested at least $1 billion in cyber technology, infrastructure and expertise. In March 2012, the Islamic Revolutionary Guard Corps (IRGC), a branch of the country’s military, claimed it had recruited around 120,000 personnel over a three-year period to combat "a soft cyber war against Iran."

In 2013, a general in the IRGC stated that Iran had "the fourth biggest cyber power among the world's cyber armies.” The Institute for National Security Studies confirmed Iran’s cyber security strength in 2014, identifying the country as "one of the most active players in the international cyber arena."

The impacts of Iran’s investment in cyber warfare soon became apparent worldwide. In 2017, The Conversation reported the United States had indicted seven Iranian hackers for working on behalf of the IRGC to conduct attacks against major American banks. These attacks, which may have been retaliation for “economic sanctions that had been imposed on Iran or the Stuxnet cyber attack on Iran’s centrifuges,” purportedly resulted in the loss of tens of millions of dollars.

The U.S. financial sector isn’t the only victim. Vice reported that “Tehran's state-backed hackers have targeted banks, casinos, the city of Atlanta, and a dam just outside New York as part of its campaign of cyber attacks against U.S. targets."

How to defend against cyber warfare

Experts expect that Iran will lash out at any mark with the intent to disrupt the world economy and steal intellectual property. In the past, Iran has been identified as being involved in attacks against Las Vegas Sands Corp., Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, PNC, Capital One, Fifth Third Bank, BB&T and HSBC. The upcoming cyber attack may target U.S. companies in key sectors (not just the financial sector), the U.S. government and American allies.

Businesses from the United States and around the world should evaluate their current cyber defenses and shore up any gaps before they become a target of retaliation. Future attacks most likely will aim to cripple systems and steal data. Most organizations have policies, processes, and technologies to detect and remediate when systems are running sub-optimally, but many have historically lagged in protecting data from everyday cyber attacks, let alone advanced attacks.

Organizations need to focus on new strategies to thwart Iran and similar combatants. Detecting and preventing intrusion, or traditional data protection, is not enough; preventing next-generation attacks requires next-generation technologies that provide persistent protection in addition to visibility. To ensure that organizations remain productive, this persistent protection must not impede business.

In our opinion, a robust protection strategy that can defend against modern Iranian attacks, malicious insiders or any data breach includes protection that is:

  • Transparent
  • Follows the data, not just the file
  • Supports any file type and size
  • Always protects the data: in use, in transit and at rest
  • Automatically identifies and protects derivative works

Review your organization’s policies, programs and people for preparedness against potential data breaches arising from Iran or other malicious parties. Then, contact us for a customized technology audit of your organization.  

The Evolution of Data Protection
December 29, 2019
May 22, 2020

Data protection solutions are finally evolving to the current state of data: distributed, cloud-centric and always-on. Data used to only exist within the corporate network on devices that never left the physical protection of the company.

Data loss prevention (DLP) has been the default solution for protecting data. It's literally in the name. What countless organizations have determined is that DLP doesn't stop breaches, but it does generate extremely high operational overhead. The same is true for other legacy solutions such as pretty good privacy (PGP) and information rights management (IRM).

DLP is only as good as the classification rigidity enforced by the organization. Classification is always too rigid and can't keep up with fluid data movement. For DLP to prevent data from egress, data must be classified correctly. Classification is complicated and fragile. What is sensitive today is not sensitive tomorrow and vice versa. Classification turns into an endless battle of users trying to manage the classification of data. Ultimately, classification and DLP deteriorate over time. DLP adds an extremely high operational overhead, as it requires users to be classification superstars, and even then, mistakes will happen. Desjardins Group, a Canadian bank, recently made news for a malicious insider who obtained information on 2.7 million customers and over 170,000 businesses.  The exact details of the breach haven't been made public yet, but DLP solutions are standard in all financial institutions.

A New Approach to Data Protection

A new wave of solutions has appeared in the market to significantly shift the focus of data protection. Here are four criteria to measure data protection in the solutions you're currently considering:

Read Full Article at
