The information security officer for a network of healthcare centers in New York found an employee sending confidential payroll information to a recruiter. A California-based semiconductor manufacturing technology provider caught a worker e-mailing PowerPoint slides detailing product plans to a former colleague at a competitor to show off the “cool things” he was working on. A network administrator for a school district in Indiana nabbed a student trying to finagle school lunch account information stored on an off-limits server.
These are just some of the things you can learn when you take a good look at what goes on inside your network.
“Oh, you’d be surprised,” says Mark Moroses, senior director of technical services and information security officer with Maimonides Medical Center in Brooklyn, who found an employee instant-messaging payroll information – including social security numbers – to a recruiter.
That discovery came about three years ago when Maimonides was looking for a way to better control who was accessing what on its network, per HIPAA specifications and also because the company has to give network access to users who aren’t employees, such as referring doctors. Maimonides brought in security vendor Reconnex, which set up a risk assessment test that monitored the network for 48 hours.
“It’s an eye-opening experience,” Moroses says of the test. Having found numerous instances of questionable employee productivity (extended visits to Myspace.com, for example) as well as some policy breaches, the company installed Reconnex’s electronic risk protection offering to monitor employee interaction with the outside world, and is now leveraging the product to ensure that employees are only accessing the internal information that they are authorized to view.
“We’ve gone through an awakening in stages, we put [Reconnex] at all our egress points because we wanted to know what’s going out, what’s coming in…it leads you to ask questions about what’s going on internally, people accessing internal data,” Moroses says. “We’ve looked at the edge, now we’re looking internally.”
Reconnex is one of a handful of vendors that make up a relatively new area in the security market that also includes vendors such as Oakley Networks, Vontu, Vericept, PortAuthority Technologies, Securify, Tablus, and others.
Called a variety of terms including network content filtering/control, network leak prevention, extrusion prevention, and risk protection, this category is largely defined by products that monitor multiple network protocols with sophisticated word analysis and automated data discovery techniques to alert administrators when sensitive information is being accessed by unauthorized employees and/or sent outside of the network. As these products mature, the facility to block sensitive information from being viewed or sent out of the network is being added.
While having such a view into your network sounds as good as a superpower, there are trade offs.
First, there are the upfront costs; typical configurations for these tools – most of which are appliances loaded with specialized software – generally start between $25,000 and $50,000. In the defense-in-depth model that’s become a popular way to describe the need for multiple layers of information security required in and around an organization, these tools are secondary to the perimeter products such as firewalls and intrusion-detection systems required to keep unauthorized users off a network.
Then there’s the time and energy required to customize these tools so that they understand what an organization deems sensitive.
“In advance of using this kind of tool, you really have to decide what to use it for, what nuggets [of information] are you looking for, because these tools really will give you everything,” says Tom Scocca, investigator and global security consultant for a large provider of microprocessor manufacturing technology, which has about 17,000 users on its network. The company uses Oakley Networks’ CoreView appliance, and Scocca says the vendor was very helpful in tuning the product to meet its needs.
But still the company needed to decide what its crown jewels were before the tool could be effective, Scocca says.
“If you don’t have any idea about what’s important to your company’s bottom line, then this is just a fancy tool to let you know what’s traveling across the wire,” he says.
There’s also a question of need surrounding these products. While the benefits of being able to closely track network events may be clear to IT professionals, articulating the cost justification to others in an organization can be challenging, especially since no one can guarantee 100 % security. And the feature sets of these tools bleed into other product categories, which can cause management to scratch their heads wondering if all these layers of security are truly necessary.
“It’s a risk management question,” says Trent Henry, senior analyst with the Burton Group, of whether every company needs such intense network monitoring. “I’ve seen a number of organizations that didn’t even have [these tools] on their radar. But these vendors have emerged to streamline the process of gathering what’s sensitive, create policies and automate the process of where sensitive information lies, so it’s increasingly becoming a more standard part of the infrastructure.”
Others say these tools are indispensable in this day and age where protecting information means protecting assets.
“Information has a dollar value [today], whereas 10 years ago no one knew how to equate it,” says Sharon Finney, information security administrator at Dekalb Medical Center in Decatur, Ga., which uses Vericept to monitor is 3,500-user network. “Now, because you can tie all this [personal] information together into a meaningful picture of a person, then that information does have a dollar value, and it’s important that it be protected.”
Then there’s the privacy issue. While in the United States there are no laws against a company claiming rights to everything an employee does when using the corporate network, the same isn’t true in some European and Asian countries, where the notion of an individual’s privacy trumps corporate policy.
Of the handful of organizations interviewed for this article, only one had informed its employees that it was using a network content monitoring tool; the remainder rely on their corporate policies that they believe give them the latitude to monitor network use.
But for credit agency Equifax, just telling employees about its plans to use Vontu’s content monitoring tool had an effect on behavior.
The company was testing Vontu’s product and debated whether to inform employees. When the company saw how many policy violations were made just during the test period, it decided to apprise its staff, says Tony Spinelli, senior vice president of information security at Equifax.
“When we said `we have a product we’re using to monitor you’ we saw events drop by 90%,” Spinelli says. “If you communicate it in the right way and are a little more honest and open by saying `here’s what we’re doing and here’s why’ I think it helps to change user behavior.”