Over the last few years, the general populous has encountered the proliferation of malicious software (sometimes referred to as “malware”) over the Internet. Malware has many forms including exploits, namely information that attempts to take advantage of a vulnerability in software that is loaded onto an electronic device in order to adversely influence or attack operations of that electronic device. Despite repeated efforts through advanced detection systems and software patches to address software vulnerabilities, malware continues to evade and infect electronic devices worldwide.
In combatting the spread of malware, it has become paramount that a vast amount of information associated with network traffic, which is propagating to/from/within an enterprise network over a prolonged period of time, is analyzed for malware. This stored information offers immeasurable value for incident response testing so that security personnel can better understand when and how a network breach (e.g., malware infection of one or more endpoint devices within an enterprise network) occurred within an enterprise (e.g., a company, governmental agency, or other entity) in order to address current security issues associated with the enterprise network.
Normally, incident response testing is handled by persons outside of the enterprise such as a contracted, cyber security service provider. In some cases, incident response testing may pose a security risk as well, especially when the stored information supplied for testing includes personally identifiable information (PII). “PII” is information that can be used to identify a specific user to which the information pertains. Examples of different types of PII include, but are not limited or restricted to user names, phone numbers, home addresses, machine names, and/or social media account names.
For instance, without being anonymized, the PII is now accessible to persons outside of the enterprise which, by itself, creates a security risk that such information may be used inappropriately. Another security risk is that there is no defined access hierarchy for PII that is part of the stored information. Rather, anyone with access to the stored information also has access to the PII. Lastly, as the stored information including the PII is subsequently stored for incident response testing, there is a risk that systems associated with the incident response testing may become compromised, thereby gaining unauthorized access to the PII.
Anonymization may be accomplished by obfuscating the sensitive information, such as PII for example. Such obfuscation may involve conducting cryptographic operations (e.g., encryption/decryption, one-way hashes, etc.) on the sensitive information. However, in response to various events, such as cryptographic keying material becoming compromised or customer preferences, such keying material would need to be changed. Currently, this change would require cryptographically secured information, perhaps millions or even billions of entries within stored network traffic, to be re-encrypted. Depending on the frequency in changing of the keying material, this could be a challenging task for cyber security service providers.