Getting started with content monitoring

When I think about content monitoring, it seems like a daunting task, because there is so much information going in and out of my network. What's the best way to get started?

Here are some of the challenges - and answers - for deploying this technology.

Technology versus Business Process

Content monitoring is not a technology problem but a business-process problem. The technology may consist of network-based appliances, desktop clients, or a combination of both. Network appliances simply plug into your network, while desktop clients are agents that communicate to a central server. In a broad sense, the basic deployment begins by simply choosing to monitor every protocol available, in both directions. Then maximize your storage options and select your most essential reports for corporate or regulatory usage for monitoring. The real challenge begins with selecting the key terms, key phrases, policies, and filters.

Policies and Filters

Choosing policies and filters to monitor is an easier problem to solve, as the content monitoring vendors usually provide a framework of canned policies and filters. These templates begin with regulation and compliance. Privacy and corporate governance are typically added as well. Finally, some basic Intellectual Property (IP) filter sets are offered. You will find that these default templates are easy to modify for your particular enterprise. The degree of ease varies from vendor to vendor, however.

Developing Key Terms and Phrases

You will spend your first six months of deployment (perhaps less, if you have professional services assistance) developing key terms and phrases because there is a high false-positive rate during initial deployment. Initially the template policies and filters will "see" all content, and your team will be overwhelmed with the sheer amount of data being presented. The first step therefore is to decide what information is most valuable to your enterprise. Your corporate information-classification policy will provide the framework for this decision process.

Let's say, for example, that your company manufactures and sells a new aspirin named HeadacheBeeGone. If I create a filter to trip every time the key term HeadacheBeeGone passes by, I will be quickly inundated with alarms. I expect that many people in the organization will send this term to suppliers, distributors, off-shore manufacturing, and remote sales offices. Therefore most of the alarms created by this term will be false positives. Some legitimate problems may be spotted, but how much effort is required to sift through all of the false positives to find that one in 1,000 that is a true problem? The better method is to find another, more specific key term or phrase related to HeadacheBeeGone, perhaps a component of your manufacturing process that is proprietary to your company. Let's call this component the ZStamp process. Very few people outside of your manufacturing teams know of this process. When your content monitoring solution sees this key term, the probability of a true positive occurring is much higher.

Now scale this example out to 100 products, in six variations each for local markets, created across the globe by 30,000 employees, and you begin to grasp the magnitude of the problem that filtering for key words and phrases can cause. For filtering to work well, the deployment team must either understand the business intimately or must engage the company's business-unit heads. In a large enterprise, I view the business-unit heads as my champions. They understand their particular portion of the business far better than I and could easily suggest key terms and phrases as a starting point. This becomes a win-win for them when the key term they suggest trips a filter and an information leak is detected within their organization. They can quickly provide remediation for a leak that they did not know existed before.


Content monitoring is not a technology problem but an issue of filters and key terms. Using canned policies and filters will provide a fast start to your deployment. However, developing the appropriate key terms and phrases is the point of greatest benefit to your organization. Minimizing false positives to allow the organization to view true information leaks is the ultimate goal of this deployment and technology. Once the leaks are found, you can use your policies on information security more effectively.

Tom Bowers is managing director, Security Constructs, LLC. Got an insider-threat question? Mail us.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Must read: 10 new UI features coming to Windows 10