New ways to protect data from insider attacks

The toughest security problem is the insider attack. These emerging tools promise to eliminate the threat

A disgruntled employee here, a careless one there, and just about any enterprise can find itself facing a mountain of trouble from confidential information made public. Help is at hand. Armed with increasingly sophisticated outbound-content monitors, information security officers finally have the weapons they need to conquer the threat of data leakage.



Outbound-content monitoring - also known as data- or information-leakage prevention - came of age in the past year. The devices "have reached a state where they can be a fundamental part of everyone's network," says Josh Levine, managing director at Kita Capital Management, former CTO at E*Trade Financial and board member for device start-up Securify.

Scott Mackelprang, vice president of security and compliance for Digital Insight, an online banking services company in Calabasas, Calif. (now part of Intuit), agrees. And he's no pushover. "When I first saw technologies that were filtering at the perimeter to catch things on the wire, I was pretty skeptical, and I left them alone," he says. "For the longest time, I just watched the technology."

Then he discovered Tablus' Content Sentinel, which can find sensitive data even when the data is not moving but resting in odd and unexpected places, such as crummy old laptops and beat-up computers. He uses Content Sentinel plus Tablus Alert to look for sensitive data on desktops and as it moves across the network. Securing the network from the data's origination point - rather than from the firewall - is evolutionary, he says.

Maturing technology

Early outbound-content monitors typically focused on finding sensitive data from a single data source - for example, e-mail - as it was trying to cross the perimeter. But today's versions can scan just about any type of datastream, including Web traffic, e-mail, FTP, electronic faxes and instant messages. Some monitors also detect stored sensitive data squirreled away in Word documents, spreadsheets, PowerPoints - just about anywhere. In addition, they're much more linguistically sophisticated than earlier products, says Trent Henry, a senior Burton Group analyst.

"Rather than just being able to search for simple keywords - like the name 'Trent' - or a particular Social Security number, they can do conceptual analysis," Henry says. For example, they can understand when a mergers-and-acquisition memo needs to be flagged because it still contains sensitive information even though it has been paraphrased or rewritten. "Using language analytics, they're able to detect things that in the past would have slipped by," he says.

Outbound-content monitoring generally comes in the form of an intelligent network appliance that enforces policy-driven controls and in some cases uses behavioral analysis to determine whether an employee might be putting confidential data at risk. These appliances issue alerts, put suspect outbound content in a holding tank or block actions outright that could place sensitive data at risk.

When enterprises aren't really sure what type of content poses a threat, there are products that can help figure that out, too. Reconnex's iGuard Appliance, for example, captures all traffic, indexes it and makes recommendations about what content to protect, says Faizel Lakhani, a vice president at the company. iGuard also runs the kinds of searches that competing appliances use. These typically rely on prebuilt rules that look for policy violations across all content types. They seek out specific data or use keyword searches to make sure sensitive files with those keywords are not in the possession of any employee who should not have access to them.

Besides Reconnex, Securify and Tablus, vendors of outbound-content monitors include Dolphin SecureWare, PortAuthority Technologies, Vericept and Vontu (see "Buyer's guide to data-leakage protection").

Where to find data-leakage protection
An online buyer's guide covers outbound-content monitors that block sensitive data from leaving the corporate network, with detailed information on 14 network-based products for monitoring data in motion and at rest.

Users find outbound-content monitors increasingly important to their layered security architectures. That's true for Tom Bowers, managing director of Security Constructs, a small, independent security think tank, and previously senior manager of information security operations for a $25 billion global pharmaceutical company. Before he left in October 2006, Bowers developed a layered, integrated architecture for protecting content, including the intellectual property the company routinely shares with outsourcers running its clinical trials. He describes the first content-protection challenge for the information security team, which manages data at 120 offices globally: "Even as smart as we were about the research cycle, we had no way of knowing where information was, which information was valuable, what research data was old, what research data was new. We had no way of tracking all that."

Solving that problem meant trolling the network for sensitive data with a content-monitoring appliance, in this case Reconnex's iGuard. Bowers' team selected iGuard from among four content-monitoring products because it best met four criteria: It could find information using key terms and phrases, provide forensic analysis, store data in a secure manner from a forensics perspective, and support regulatory and compliance initiatives, he says. The pharmaceutical company ended up being a beta tester for the product, which it deployed on the production network in June 2006.

Bowers says he was sold on iGuard instantly. Within the first five minutes of its installation, the iGuard appliance captured a spreadsheet listing sales of all the company's consumer products that had been e-mailed to a Yahoo account. Even worse, he says, the spreadsheet was auto-updating by pulling data from a host of external - that is, unprotected - Web sites.

If this example wasn't frightening enough, Bowers says the appliance also immediately discovered that a document containing the clinical research for a brand-new product was being e-mailed to an MSN Hotmail account. The destination Hotmail account wasn't even that of an employee but of an employee's friend, he says, and adding insult to injury, stamped on the cover page in big, bold type was this mandate: NOT TO BE DISTRIBUTED OUTSIDE THE COMPANY.

Next up: rights management

Outbound-content monitoring is proving its worth at the pharmaceutical company, but it's only one piece of a content-protection architecture. "What you're really doing with content monitoring is providing passive protection," Bowers says. "Next, you need to be able to give business units a way to actively protect the information." This is why the insider-threat arsenal must include enterprise rights-management software, which is made by such vendors as Authentica (acquired by EMC), SealedMedia and Liquid Machines, he says. He terms these vendors worthy of enterprise deployment because they can protect just about any file type - AutoCAD, JPEG, MPEG, PDFs and so on - and work with any version of Office. Among other companies providing enterprise rights-management products are Adobe, Microsoft and Stellent (acquired by Oracle).

When applied to a confidential Word document, enterprise rights-management software strips off its metadata wrapper and encrypts the content. Then it puts the wrapper - with new controls - back around the file. The new controls, managed from a central policy server, dynamically allow or disallow such functions as cut, copy, paste, edit and print. Anyone trying to get at protected content must have the correct user name and password, as well as access rights. If users' access rights are revoked after they download content, that content is still safe, because it's encrypted. "So now you've got an active content-protection scheme," Bowers says.

Content-monitoring appliances and enterprise rights-management software could pack a knockout punch if combined, Bowers says. He describes how the combination would work:

A company uses the secret code word "nellsworth" for a product under development, and directs the content monitor that any data type containing that word must be protected. The content monitor uses its linguistic engine to detect instances of that word or contextual references that signal a document might be about that word, retains any suspect document, and notifies the enterprise rights-management system that the document needs protection. Before sending the document to its destination, the enterprise rights-management software encrypts the data and puts the control wrapper around the file.
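The monitor-to-rights-management handoff Bowers describes above, together with the wrapper mechanics from the previous section, as an added example that is not code from any product named on the page. It assumes a SHA-256 counter keystream plus HMAC as a stand-in for a product's cipher, a dict as the central policy server, and constructed users, policy terms and messages; it also models the alert-only mode Mackelprang describes below.

```python
import hashlib, hmac, os, re

# Policy terms the monitor watches for: the article's code word plus an
# SSN-shaped pattern. Terms, users and messages below are constructed.
POLICY_TERMS = {"nellsworth": re.compile(r"\bnellsworth\b", re.I),
                "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b")}

# Stand-in for the central policy server: policy id -> user -> allowed actions.
POLICY_SERVER = {"nellsworth": {"alice": {"view", "print"}, "bob": {"view"}}}

def classify(message):
    """Return the policy labels a message triggers (empty if it is clean)."""
    return [name for name, rx in POLICY_TERMS.items() if rx.search(message)]

def _keystream(key, nonce, n):
    """SHA-256 counter keystream; a stand-in for the real ERM cipher."""
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def wrap(content, key, policy_id):
    """Encrypt the content and put the control wrapper around it."""
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(content, _keystream(key, nonce, len(content))))
    tag = hmac.new(key, nonce + body, "sha256").digest()  # detects tampering
    return {"policy_id": policy_id, "nonce": nonce, "body": body, "tag": tag}

def open_doc(wrapped, key, user, action):
    """Release plaintext only if the policy server still grants user the action."""
    rights = POLICY_SERVER.get(wrapped["policy_id"], {}).get(user, set())
    if action not in rights:
        return None  # revoked or never granted: ciphertext stays sealed
    expect = hmac.new(key, wrapped["nonce"] + wrapped["body"], "sha256").digest()
    if not hmac.compare_digest(expect, wrapped["tag"]):
        return None
    ks = _keystream(key, wrapped["nonce"], len(wrapped["body"]))
    return bytes(a ^ b for a, b in zip(wrapped["body"], ks))

def monitor_outbound(message, key, enforce):
    """Content-monitor decision: pass, alert only, or hand off to ERM."""
    labels = classify(message)
    if not labels:
        return {"action": "pass", "labels": labels}
    if not enforce:  # alert-only mode: report but do not quarantine
        return {"action": "alert", "labels": labels}
    doc = wrap(message.encode(), key, labels[0])
    return {"action": "protect", "labels": labels, "doc": doc}
```

Revoking a user on the policy server after the wrapped document has been delivered is enough to keep it sealed, which is the property the previous section attributes to the encrypted wrapper.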

Burton Group's Henry agrees that the idea has merit. "If we have a multiprotocol network-monitoring solution that's linguistically aware and can understand when data is sensitive, and we tie that to a rights-management system and automatically protect data as it moves outside the perimeter, that could be interesting," he says.

Such integration would resemble the approach outbound-content-monitor vendors such as Vontu and Vericept are working on with encryption vendors to protect e-mail streams, Henry says. When they detect data that would trigger a policy violation if it left the network, they forward the message to an encryption engine to secure it or block delivery altogether, he explains. However, these devices aren't coupled well enough yet. And this doesn't bode well for integration between content monitors and enterprise rights-management products, which use more sophisticated and complex policies, he says.

Still, vendors are working to solve such problems. The opportunity is to apply uniform enterprise rights-management policies based on rules used by the content monitor, Reconnex's Lakhani says. For example, Reconnex integrates with EMC's Documentum content manager, has plug-ins to rights management technology from Authentica, also now an EMC company, and is working with other enterprise rights-management vendors on integration.

Eventually, integrated products could help assuage IT concerns about blocking data to the detriment of doing business. Such hesitation is common to content monitoring, much like the early experience with intrusion-prevention systems, Henry says. Information security officers are looking for "that warm, fuzzy feeling" that the data their content monitors call out is truly sensitive, so most don't allow the products to take defensive action automatically.

At Digital Insight, for example, Mackelprang receives alerts but doesn't let the content monitor quarantine the data. Sometimes, stopping a transaction can be more harmful than letting sensitive data pass over the wire, he says. "I need to have my processes better formulated before I can quarantine business communications."

Layering in enterprise rights management and content monitoring could provide the answer, says Bowers, adding that the pharmaceutical company that formerly employed him has begun testing enterprise rights-management software with an eye to such integrated content protection: "You'd get a much more dynamic process, and . . . you'd be enabling the business to work securely."

And that is the real gating factor. As Mackelprang says, content monitoring has changed the business. "It makes your policies around information protection real. Before, they were just words that people could ignore," he says. "Now you can effect a cultural change - and that's the whole story."
