Enterprise security, analytics, and hardware management tools - the very tools used to keep data safe - are collecting and sharing far more information than customers might think.
So says the team from ExtraHop, an analytics firm that studied the networks of its customers and found that in many cases their security and analytic software was quietly uploading information to servers outside of the customer's network without their knowledge.
While not naming names, ExtraHop's report out today outlines four different use cases where it found enterprise security tools were sending out data without first alerting administrators. These included endpoint security software, device management software for a hospital, surveillance cameras, and security analytics software used by a financial institution.
In each case, ExtraHop said the software was transmitting data off-site. In some cases (such as the hospital's device management and the financial firm's analytics tool) there were also potential legal risks from exposing sensitive information to third parties.
"Enterprise organizations put massive volumes of data into the hands of third-party vendors. In some cases, like SaaS applications, it’s explicit that enterprise data will live within a third-party environment," the ExtraHop dossier explains.
"With other products, particularly those that live within the enterprise data center or cloud infrastructure, exactly how much data those vendors “phone home” to their own environment for things such as analysis can be a lot less clear."
The report notes that simply collecting and transmitting data is not in itself illegal or risky behavior, so long as it is done right and with the customer's knowledge. In these cases, however, the dangerous behavior was clear.
The security camera, for example, was found to be transmitting data to an IP address in China that was flagged for hosting malware, and the analytics software may have violated the US Gramm-Leach-Bliley Act by transmitting personally identifiable information overseas. In another case, staffers found that software whose trial period had supposedly ended without purchase was still collecting information for at least two months afterwards.
ExtraHop notes that while there may not be any malicious activity in these cases, they each underscore the need for administrators to keep an eye on what applications are moving data over the network and periodically take stock of the software running and what information it is accessing.
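The kind of periodic check the report recommends can be automated against an outbound connection log. The script below is an added illustration, not ExtraHop's tooling or anything from its report: it assumes a constructed five-field log (date, source host, process, destination IP, bytes out), uses constructed sample lines, a constructed blocklist and a constructed trial-end date, and flags three of the patterns the article describes: traffic to a known-bad destination, unusually large outbound volume to a single external host, and software still sending data after its licence or trial ended. Destination addresses come from RFC 5737 documentation ranges and belong to no real vendor.

```python
"""Flag outbound "phone home" traffic from internal hosts, per process and destination.

Added example: the log format, sample lines, blocklist and trial-end date are all
constructed for illustration; none of it is ExtraHop's data or code.
"""
import ipaddress
from collections import defaultdict
from datetime import date

# Constructed sample connection log: date src_host process dst_ip bytes_out
SAMPLE_LOG = """\
2019-07-15 ws-042 edr-agent.exe 10.0.5.20 1200
2019-07-15 ws-042 edr-agent.exe 203.0.113.10 52000000
2019-07-16 ws-042 edr-agent.exe 203.0.113.10 48000000
2019-07-16 cam-lobby fw-upload 198.51.100.77 300000
2019-07-20 db-01 analytics-trial 192.0.2.55 9100000
2019-08-03 db-01 analytics-trial 192.0.2.55 8700000
2019-07-20 ws-042 chrome.exe 203.0.113.200 150000
"""

# Constructed: destinations already flagged by threat intelligence (example only).
BLOCKLIST = {"198.51.100.77"}

# Constructed: software whose trial ended; any later outbound traffic is suspect.
TRIAL_END = {"analytics-trial": date(2019, 7, 31)}

# Flag more than 50 MB outbound to one external destination (site-specific tuning).
BYTES_THRESHOLD = 50_000_000

# RFC 1918 plus loopback; adjust to the site's own address plan. An explicit list is
# used rather than ipaddress.is_private, which also treats documentation ranges as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(ip):
    """True when the destination stays inside the customer's own network."""
    return any(ip in net for net in INTERNAL_NETS)


def parse_log(text):
    """Parse log lines into tuples, skipping blank or malformed lines rather than crashing."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        day, host, proc, dst, nbytes = parts
        try:
            records.append((date.fromisoformat(day), host, proc,
                            ipaddress.ip_address(dst), int(nbytes)))
        except ValueError:
            continue
    return records


def external_outbound(records):
    """Total bytes per (host, process, destination) for external destinations only."""
    totals = defaultdict(int)
    for _day, host, proc, dst, nbytes in records:
        if is_internal(dst):
            continue  # intra-network traffic is not "phoning home"
        totals[(host, proc, str(dst))] += nbytes
    return dict(totals)


def find_findings(records):
    """Return sorted (reason, host, process, destination) tuples worth an admin's attention."""
    findings = set()
    for (host, proc, dst), total in external_outbound(records).items():
        if dst in BLOCKLIST:
            findings.add(("blocklisted destination", host, proc, dst))
        if total > BYTES_THRESHOLD:
            findings.add(("high outbound volume", host, proc, dst))
    for day, host, proc, dst, _nbytes in records:
        end = TRIAL_END.get(proc)
        if end and day > end and not is_internal(dst):
            findings.add(("traffic after trial end", host, proc, str(dst)))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_findings(parse_log(SAMPLE_LOG)):
        print(*finding)
```

On the sample data this reports the camera's upload to the blocklisted address, 100 MB from the endpoint agent to one external host across two days, and the trial software still sending data in August. The volume threshold and the internal-network list are the two knobs a team would tune to its own environment; the useful habit is re-running the check on a schedule and comparing the per-process destination list against what each vendor has documented.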
"To be clear, we don’t know why these vendors are phoning home data. The companies are all respected security and IT vendors, and in all likelihood, their phoning home of data was either for a legitimate purpose given their architecture design or the result of a misconfiguration," the report notes.
"But the fact that large volumes of data are traveling outbound from a customer environment to a vendor without the customer’s knowledge or consent is problematic." ®