F‑Secure Security Cloud is an online digital reputation and threat intelligence knowledge base as well as an analysis system. The Security Cloud is operated by F‑Secure and it powers F‑Secure’s protection services. Its primary function is to spot malicious and unwanted behavior and content in our customers’ environments.
With Security Cloud, F‑Secure can
Our primary interest is in building great services for our customers. Our business model is based on selling cyber security solutions using traditional licensing and subscription-based models. We do not monetize our customers by collecting data from them.
The logic is to protect the users against digital threats without sacrificing their privacy.
F‑Secure’s protection services may send security-related metadata of executables to Security Cloud. Based on the return value of the query, additional metadata about the executable may be sent to support further analysis. In this document, metadata refers to information such as file size, file name, file path, observed behaviors, or name of the detection. Executables in this document refers to applications and interpreted content such as Flash, Silverlight, document macros, and scripts.
Most of F‑Secure’s endpoint protection services (e.g. F‑Secure SAFE, F‑Secure Elements Endpoint Protection) rely on locally installed analysis engines. In some cases, these engines may encounter suspicious files that require deeper analysis within F‑Secure Security Cloud. This use case is limited to executables. Files uploaded in this fashion are processed by automation, which may perform structural and/or behavioral analysis. Files passing through our automated analysis systems are subject to strict controls. Based on the outcome of automated analysis, the following can happen:
If a malicious file is later proven to be a false alarm, it is treated as a clean file (i.e. deleted if non-public). Sample files that are submitted to F‑Secure Labs for further analysis are prioritized based on extracted metadata, after which they undergo automated analysis and are classified e.g. as clean, malware, false positives, or unknown.
F‑Secure’s protection services may query the reputation of a URL before letting the user visit the site. This functionality is called Browsing Protection, Parental Control, or Web Traffic Protection in F‑Secure services. These services may, upon request from Security Cloud, send additional metadata pertaining to the queried URL. This behavior usually occurs for unknown URLs that require further analysis.
When URL information is provided to Security Cloud, a client-side algorithm strips personal information from the URL before sending it. URLs inside local networks (as determined on the client side) are not sent to F‑Secure Security Cloud.
By design, F‑Secure’s protection services do not send any user-generated content, such as document files, to Security Cloud. Such files are already filtered out by the client software. Document files and other user-generated content file types may contain executable payloads (metadata). Cyberattacks often utilize scripts in document files and therefore it is important to extract the executable content from document files and perform cloud analysis for such metadata.
Documents are scanned in Security Cloud only by such F‑Secure corporate services which expressly provide the document scanning feature.
Metadata about clean (i.e. non-malicious) executable files may be collected from protected devices to build up the global file reputation database within Security Cloud. Understanding the uniqueness of all executable files allows F‑Secure services to provide better and faster protection against malicious and unwanted content.
The actual clean files are not collected from protected devices without the user’s consent.
The anti-spam feature in Security Cloud that is available in selected services performs queries for email features somewhat similarly to how user-generated documents are handled (see "Documents and cloud analysis"). Email-specific features such as email addresses, IP addresses, URLs, telephone numbers, etc. may be extracted as part of per-message metadata for the purpose of producing an accurate analysis of whether the message is unsolicited bulk email, phishing, part of a malware distribution mechanism, or legitimate. No message content or metadata is permitted outside of the anti-spam analysis system, nor is it retained within the system.
As outlined above, executable payloads in individual messages may be extracted and analyzed separately, without any connection to the containing message or the involved clients or user accounts.
Selected services may offer an option to permit additional information to be forwarded for detailed analysis.
Configuration information about the user’s device (e.g. OS version) and F‑Secure service (e.g. installed program and update versions) is sent to provide users with the correct product updates.
To combat emerging threats, the Security Cloud data collection evolves constantly, and may also collect other data similar to the above that has not been expressly listed above. Such data types are treated similarly to what has been described herein.
F‑Secure Security Cloud is built on the principle of only collecting data that is necessary and proportionate to its purpose of providing protection to our customers. We seek to avoid processing information which could identify our users and we seek to limit the processing of information that could be considered sensitive by our users. F‑Secure automation is built to break F‑Secure’s capability to link uploaded security data back to the user. Hence, we consider data in the Security Cloud as anonymized.
We do this by applying the following principles:
Threat intelligence data derived from Security Cloud is occasionally shared with a limited number of reputable and vetted providers in the cyber security domain to improve global cyber attack resilience. This results in faster and more accurate protection for our customers.
In agreements with our providers, we require that they only use such disclosed or transferred data for the limited purposes of providing cyber security services and act in a manner consistent with this policy. Furthermore, when sharing information with our vendors, we focus on sharing information about the malicious object or behavior but withhold information which could identify our users. Whenever feasible, we anonymize the origin of the data sent.
Some of our services may include settings to allow or deny the advanced investigation of samples by our providers.
The data processing described herein is carried out to safeguard F‑Secure’s customers’ networks, devices, and internal services, as well as data residing therein. This helps us to detect emerging threats and security trends among all of our customers so that our protection services can keep on par with evolving threats. The results are utilized for the benefit of all of our customers in the form of a more effective security threat detection framework.
The data processing undertaken by the services is mandatory for the efficient protection of the device/network and a prerequisite for F‑Secure’s capability to provide its contracted services. While the individual service’s settings may enable the customer to limit the processing of security data by F‑Secure, such adjustments are not recommended as they weaken the security protection level provided by the services.
Behavior of any object analyzed by the Security Cloud is evaluated by structural and/or behavioral analysis as explained herein. Based on this, the Security Cloud enables F‑Secure’s services to block, restrict and delete the malicious content and behavior. Such activities, while limiting individuals’ access to content that the automation regards as malicious or otherwise unwanted, are necessary to protect our users’ networks and devices.
The systems that make up F‑Secure Security Cloud are designed to process and store malicious computer code. As such, these systems, and the data flow processes between them, utilize strict security measures and data access policies to avoid contamination and malware leaks. These measures include network segmentation, access controls, and encryption of data both in transit and at rest.
All collected data is stored within networks administered by F‑Secure, and it is only accessible from inside the company. Access permissions are separated between different types of collected data and are only granted to employees who need to work with it. All access to stored data occurs over end-to-end encrypted channels. Data collections are stored on separate network segments from the main corporate network.
Great care is taken to ensure that F‑Secure’s software does not contain exploitable vulnerabilities. In addition to our own in-house testing, F‑Secure Corporation runs a bug bounty program that encourages the community to test our software and report bugs to us.
In order to work with stored data, employees are required to attend training courses relevant to the data they are handling.
The objects uploaded to F‑Secure Security Cloud for analysis are retained for 2 to 14 days depending on the uniqueness of the sample, with the exception of objects that are determined to be malicious or proven to be available from a public source, in which case the object retention does not have an upper limit.
If the uploaded object is determined to be malicious, the retention times do not apply, provided that the object retains its malicious status. If the object is later reclassified to be clean or unknown, the data retention policy applies again, and the object is deleted as soon as possible.
Object metadata that does not contain any personally identifiable information is stored as long as it is useful for the purposes described above without set time limits.
Our nine privacy principles set out the cornerstone of our promise to our customers. The processing of personally identifiable data by F‑Secure services is explained in the F‑Secure privacy statement and in service and case-specific privacy policies. They are available from the service interface and/or from our public web pages. Should we also collect personally identifiable data on our users, via our services or in the context of our business processes, these policies will explain the treatment of such data and respective data subject rights.
Security Cloud’s capabilities are constantly extended to match the evolving global threat landscape. This policy is periodically updated to reflect those changes. The latest version of this policy is always available on our website.
If you have any further questions about F‑Secure Security Cloud, please contact:
If you are a customer of our consumer line of services, please contact us via f-secure.com/support.
If you are a customer of our corporate line of services, please contact us via f-secure.com/contact-support.