WithSecure™ Security Cloud Purpose, Function and Benefits

Traditional cyber security products rely mainly on malware analysis engines installed locally on the device. Our latest product offerings combine traditional approaches to local analysis coupled with real-time analysis in the Security Cloud. The Security Cloud utilizes advanced technology and data that is unavailable on products locally, due to the computing resources required to perform machine learning on big datasets and dynamic analysis. This technology provides up-to-date information about new threats before they have been incorporated into commonly used threat databases.

Since WithSecure™ partners with numerous Fortune 500 companies, our consultants have the unique advantage of gaining access to the very cutting edge of malware when it is used – unsuccessfully– against our customers. This data is also fed into the Security Cloud, further increasing its value to other companies and users.

We understand that users are very sensitive to any kind of negative effects protection has on their devices. This is why mobile protection needs to be battery-efficient without sacrificing the quality of protection. The Security Cloud can operate as the sole engine for lightweight products that only requires users to give their consent when uploading certain files for analysis. Only a fraction of the files from users are uploaded, as in most cases the safety of the file can be analyzed with existing data. This behavior is resource-saving and optimal for mobile devices.

IoT devices in the home network can be protected with security software embedded on the router, providing browsing protection, tracking protection, botnet protection, and smart home security – all provided by the Security Cloud. Smart home security blocks malicious or compromised connections to and from smart home or IoT devices based on the URL or host name reputation. Tracking protection prevents tracking sites from following surfing habits and collecting data about users.

Botnet protection blocks traffic from compromised devices to an attacker’s Command and Control center, adding another layer of detailed information about an infection. In addition, IoT devices can be protected with more advanced features such as advanced smart home security. This type of advanced feature blocks traffic from smart home or IoT devices based on the behavior analysis carried out on network activity in case anomalies are detected.

Products that provide cloud-based collaboration for corporate customers rely heavily on the Security Cloud to carry out multi-stage analysis of the content. The analysis is a layered process that is triggered by the suspiciousness of the content, such as an email or calendar invite in the Microsoft Office 365 environment. Suspicious or unknown files are subjected to a deeper analysis with our cloud sandboxing technology, designed to prevent zero-day malware attacks and other advanced threats. The cloud sandbox runs the file to analyze its behavior. By focusing analysis on malicious behavior rather than static identifiers, the cloud sandbox can identify and block even the most sophisticated zero-day malware and exploits. 

The Security Cloud includes a comprehensive archive of files and web addresses. This collection is updated by several independently sourced sample feeds. Malicious and suspicious files uploaded for analysis by users of Security Cloud-enabled products form a part of this collection. A limited collection of common clean files is also included in this collection. The Security Cloud makes its final assessment based on multiple independent data sources and methods for dynamic and static analysis. This method makes it robust and less vulnerable to false positives than an anti-malware solution from a single source. The Security Cloud also periodically reanalyzes frequently encountered samples by using the latest information available to ensure continued accuracy.

Real-time, global threat maps help us conduct timely and precise malware mitigation. With every client that communicates with the Security Cloud, we gain a granular, real-time view of how malware is distributed across the world, down to individual neighborhoods and devices. We can act quickly and perform targeted counter measures with our partners, without compromising the privacy of our users and the operations of business customers.

The Security Cloud provides various services that individual security components on the client side can connect to. These client-side components are developed by WithSecure™. Products using the Security Cloud are mainly developed by WithSecure™, but some third parties may have an agreement with WithSecure™ to utilize one or more of these services in their own products and services.

One of the core components of the Security  Cloud is WithSecure™ Karma™, the object reputation service, which assesses the safety of objects, thus avoiding a need for deeper analysis. Karma enables clients to query the reputation of computer networks, files, and web addresses. Files are checked by calculating their cryptographic hash and sending them to the reputation service. Web address es are anonymized before sending them to the reputation service. As site categorization is included for web addresses, the contents of the website can be identified. This allows for enhanced online banking security and parental controls, for example. The Security Cloud may request additional metadata or a sample of the previously unseen content for further analysis. Clients respond to such requests according to their user preferences and privacy policies.

Lightweight products rely mainly on WithSecure™ Mind™ for malware analysis. Mind, which is the Security Cloud’s sample  analysis service, works in conjunction with the reputation service Karma. If the reputation of a file is previously unknown, the client may be asked to upload the sample-related metadata to the Security Cloud for analysis. The results of the analysis may cause the sample to be flagged as suspicious and to be uploaded for further processing. Once the potentially heavy analysis, including the behavioral analysis, is done, every Security Cloud client subsequently benefits from the analysis and avoids waiting for the results.

WithSecure’s sample archive contains files that the Security Cloud has received from a variety of sources. Both malicious  and suspicious files may be present in this collection. Malicious files are generally archived permanently, whereas suspicious files are removed once they are not deemed malicious. A collection of highly common clean files is also maintained. Clean files from customer devices are not stored permanently. 

Today’s rapidly developing threat landscape requires a highly automated approach to malware analysis. Files and web addresses classified as suspicious are received from many sources and go through multi-layered analysis. This includes, but is not limited to, metadata analysis, structural analysis, statistical analysis, and behavioral monitoring. For example, software executables can be both statistically analyzed for malicious patterns, as well as executed in isolated sandboxes where their real behavior can be tracked for suspicious activity. The Security Cloud’s algorithms examine sample metadata and analysis results, and either perform further analysis, or classify the object as either clean or malicious. Rare unclear cases can be flagged for manual inspection and may be examined by human experts for research purposes.

Privacy is one of WithSecure’s core values for all development and operations of the Security Cloud. We only ever collect the minimal amount of data required for providing the service. Our principle is that every transferred bit must be justifiable from a threat-fighting perspective, and that data is also never collected for presumed future needs. The following table documents our privacy principles in full detail. 

WithSecure™, formerly F-Secure Business, is cyber security's reliable partner. IT service providers, MSSPs and businesses – along with the largest financial institutions, manufacturers, and thousands of the  world's most advanced communications and technology providers –trust us for outcome-based cyber security that protects and enables their operations. Our AI-driven protection secures endpoints and cloud collaboration, and our intelligent detection and response are powered by experts who identify business risks by proactively hunting for threats and confronting live attacks. Our consultants partner with enterprises and tech challengers to build resilience through evidencebased security advice. With more than 30 years of experience in building technology that meets business objectives, we've built our portfolio to grow with our partners through flexible commercial models. WithSecure™ Corporation was founded in 1988, and is listed on NASDAQ OMX Helsinki Ltd.