What is F‑Secure Security Cloud?
F‑Secure Security Cloud is an online digital reputation and threat intelligence knowledge base as well as an analysis system. The Security Cloud is operated by F‑Secure and it powers F‑Secure's protection services. Its primary function is to spot malicious and unwanted behavior and content in our customers' environments.
With Security Cloud, F‑Secure can
- maintain an up-to-date overview of the global threat landscape and
- protect our customers against new threats the moment they are first spotted.
Our primary interest is in building great services for our customers. Our business model is based on selling cybersecurity solutions using traditional licensing and subscription-based models. We do not monetize our customers by collecting data from them.
- Security Cloud is an essential part of delivering security to our customers. Security Cloud provides object reputation and threat analysis services for F‑Secure services, with its data processing focusing solely on data relevant to detecting malicious and unwanted activities. Security Cloud analyzes files, processes, and other objects and their behavior in users' networks and devices in order to determine whether malicious or unwanted actions can or could have taken place.
- We do not know the user or owner of the protected device. The purpose of F‑Secure's cloud-based services is to detect potentially malicious computer activity originating from hostile third parties. Any identities or personal data related to them within the data file used as a malware carrier are not relevant for this purpose.
The logic is to protect the users against digital threats without sacrificing their privacy.
What data does Security Cloud collect and what do we do with it?
Executable files and cloud analysis
F‑Secure's protection services may send security-related metadata of executables to Security Cloud. Based on the return value of the query, additional metadata about the executable may be sent to support further analysis. In this document, metadata refers to information such as file size, file name, file path, observed behaviors, or name of the detection. Executables in this document means applications and interpreted content such as Flash, Silverlight, document macros, and scripts.
Most of F‑Secure's endpoint protection services (e.g. F‑Secure SAFE, F‑Secure Protection Service for Business) rely on locally installed analysis engines. In some cases, these engines may encounter suspicious files that require deeper analysis within F‑Secure Security Cloud. This use case is limited to executables. Files uploaded in this fashion are processed by automation, which may perform structural and/or behavioral analysis. Files passing through our automated analysis systems are subject to strict controls. Based on the outcome of automated analysis, the following can happen:
- Files proven to be clean are discarded, unless it can be proven that they are readily available from a public source. In particular; files deemed to be non-public, clean software are deleted.
- Suspicious files are kept for a short additional period of time to perform a deeper analysis.
- All files classified as hostile are stored for a longer period of time (possibly indefinitely).
If a malicious file is later proven to be a false alarm, it is treated as a clean file (i.e. deleted if non-public). Sample files that are submitted to F‑Secure Labs for further analysis are prioritized based on extracted metadata, after which they undergo automated analysis and are classified e.g. as clean, malware, false positives, or unknown.
URL queries and cloud analysis
F‑Secure's protection services may query the reputation of a URL before letting the user visit the site. This functionality is called Browsing Protection, Parental Control, or Web Traffic Protection in F‑Secure services. These services may, upon request from Security Cloud, send additional metadata pertaining to the queried URL. This behavior usually occurs for unknown URLs that require further analysis.
When URL information is provided to Security Cloud, a client-side algorithm strips personal information from the URL before sending it. URLs inside local networks (as determined on the client side) are not sent to F‑Secure Security Cloud.
Documents and cloud analysis
By design, F‑Secure's protection services do not send any user-generated content, such as document files, to Security Cloud. Such files are already filtered out by the client software. Document files and other user-generated content file types may contain executable payloads (metadata). Cyberattacks often utilize scripts in document files and therefore it is important to extract the executable content from document files and perform cloud analysis for such metadata.
Documents are scanned in Security Cloud only by such F‑Secure corporate services which expressly provide the document scanning feature.
Metadata on clean executable files
Metadata about clean (i.e. non-malicious) executable files may be collected from protected devices to build up the global file reputation database within Security Cloud. Understanding the uniqueness of all executable files allows F‑Secure services to provide better and faster protection against malicious and unwanted content.
The actual clean files are not collected from protected devices without the user's consent.
Data collection for anti-spam feature
The anti-spam feature in Security Cloud that is available in selected services performs queries for email features somewhat similarly to how user-generated documents are handled (see "Documents and cloud analysis"). Email-specific features such as email addresses, IP addresses, URLs, telephone numbers, etc. may be extracted as part of per-message metadata for the purpose of producing an accurate analysis of whether the message is unsolicited bulk email, phishing, part of a malware distribution mechanism, or legitimate. No message content or metadata is permitted outside of the anti-spam analysis system, nor is it retained within the system.
As outlined above, executable payloads in individual messages may be extracted and analyzed separately, without any connection to the containing message or the involved clients or user accounts.
Selected services may offer an option to permit additional information to be forwarded for detailed analysis.
Device technical data
Configuration information about the user's device (e.g. OS version) and F‑Secure service (e.g. installed program and update versions) is sent to provide users with the correct product updates.
To combat emerging threats, the Security Cloud data collection evolves constantly, and may also collect other data similar to the above that has not been expressly listed above. Such data types are treated similarly to what has been described herein.
Minimizing the collected data
F‑Secure Security Cloud is built on the principle of only collecting data that is necessary and proportionate to its purpose of providing protection to our customers. We seek to avoid processing information which could identify our users and we seek to limit the processing of information that could be considered sensitive by our users. F‑Secure automation is built to break F‑Secure's capability to link uploaded security data back to the user. Hence, we consider data in the Security Cloud as anonymized.
We do this by applying the following principles:
- Minimize data sent upstream. We filter out potentially sensitive and identifying data in each step of processing: in the software client, when uploading to Security Cloud, or when submitted to a subcontractor (see "Sharing data samples with other cyber security providers").
- Send data incrementally. Security Cloud only collects more detailed data when it cannot deduce the nature of the suspicious behavior. At the first stage, Security Cloud only does a reputation query for an object. If this is insufficient, Security Cloud submits metadata about the object. If that is still insufficient, the object itself may be uploaded to Security Cloud for in-depth analysis.
- Store only high-level IP information. The customer's full IP address is never stored. Some of our cloud analysis mechanisms collect metadata derivable from IP addresses connecting with that service, such as country and city-level geo-mapping information.
- Separate security data from user-identifying data. We keep security and user-identifying information in the system backend (e.g. license management systems) separated at all times and do not cross-reference this data.
- Threat intelligence may not include any personally identifying data. Any data collected from customer systems that will be used to provide or improve protection capabilities or will be shared within the cybersecurity industry does not include data identifying the owner of the device that it came from.
Sharing data samples with other cybersecurity providers
Threat intelligence data derived from Security Cloud is occasionally shared with a limited number of reputable and vetted providers in the cybersecurity domain to improve global cyberattack resilience. This results in faster and more accurate protection for our customers.
In agreements with our providers, we require that they only use such disclosed or transferred data for the limited purposes of providing cybersecurity services and act in a manner consistent with this policy. Furthermore, when sharing information with our vendors, we focus on sharing information about the malicious object or behavior but withhold information which could identify our users. Whenever feasible, we anonymize the origin of the data sent.
Some of our services may include settings to allow or deny the advanced investigation of samples by our providers.
Rationale and proportionality for data collection
The data processing described herein is processed to safeguard F‑Secure's customers' networks, devices, and internal services, as well as data residing therein. This helps us to detect emerging threats and security trends among all of our customers so that our protection services can keep on par with evolving threats. The results are utilized for the benefit of all of our customers in the form of a more effective security threat detection framework.
The data processing undertaken by the services is mandatory for the efficient protection of the device/network and a prerequisite for F‑Secure's capability to provide its contracted services. While the individual service's settings may enable the customer to limit the processing of security data by F‑Secure, such adjustments are not recommended as they weaken the security protection level provided by the services.
Behavior of any object analyzed by the Security Cloud is evaluated by structural and/or behavioral analysis as explained herein. Based on this, the Security Cloud enables F‑Secure's services to block, restrict and delete the malicious content and behavior. Such activities, while limiting individuals' access to content that the automation regards as malicious or otherwise unwanted, are necessary to protect our users' networks and devices.
Secure data handling
The systems that make up F‑Secure Security Cloud are designed to process and store malicious computer code. As such, these systems, and the data flow processes between them, utilize strict security measures and data access policies to avoid contamination and malware leaks. These measures include network segmentation, access controls, and encryption of data both in transit and at rest.
All collected data is stored within networks administered by F‑Secure, and it is only accessible from inside the company. Access permissions are separated between different types of collected data and are only granted to employees who need to work with it. All access to stored data occurs over end-to-end encrypted channels. Data collections are stored on separate network segments from the main corporate network.
Great care is taken to ensure that F‑Secure's software does not contain exploitable vulnerabilities. In addition to our own in-house testing, F‑Secure Corporation runs a bug bounty program that encourages the community to test our software and report bugs to us.
In order to work with stored data, employees are required to attend training courses relevant to the data they are handling.
Retention of uploaded data
The objects uploaded to F‑Secure Security Cloud for analysis are retained for 2 to 14 days depending on the uniqueness of the sample, with the exception of objects that are determined to be malicious or proven to be available from a public source, in which case the object retention does not have an upper limit.
If the uploaded object is determined to be malicious, the retention times do not apply, provided that the object retains its malicious status. If the object is later reclassified to be clean or unknown, the data retention policy applies again, and the object is deleted as soon as possible.
Object metadata that does not contain any personal identifiable information is stored as long as it is useful for the purposes described above without set time limits.
Personal data processing by F‑Secure
Our nine Privacy Principles set out the cornerstone of our promise to our customers. The processing of personally identifiable data by F‑Secure services is explained in the F‑Secure Privacy Statement and in service and case-specific privacy policies. They are available from the service interface and/or from our public web pages. Should we also collect personally identifiable data on our users, via our services or in the context of our business processes, these policies will explain the treatment of such data and respective data subject rights.
Changes to this policy
Security Cloud's capabilities are constantly extended to match the evolving global threat landscape. This policy is periodically updated to reflect those changes. The latest version of this policy is always available on our website.
If you have any further questions about F‑Secure Security Cloud, please contact:
If you are a customer of our consumer line of services, please contact us via f-secure.com/support.
If you are a customer of our corporate line of services, please contact us via f-secure.com/contact-support.
© F‑Secure Corporation - January 2019