Risk-discovery engines mitigate threats

Most companies are not prepared for the CEO's worst nightmare: insiders disseminating sensitive data electronically. It only takes one insider to expose a company's most vital assets, destroying its brand, reputation and shareholder value.

Network content-monitoring hardware appliances equipped with risk-discovery engines can provide visibility into the data entering and leaving a network. They can help enterprises protect, for example, customer data and intellectual property, and help organizations comply with regulations.

Risk-discovery engines passively monitor inbound and outbound traffic at wire speed, flowing over a network regardless of protocol or port. TCP flows are captured, reassembled and analyzed in real time to identify threats and send alerts.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Most companies are not prepared for the CEO's worst nightmare: insiders disseminating sensitive data electronically. It only takes one insider to expose a company's most vital assets, destroying its brand, reputation and shareholder value.

Network content-monitoring hardware appliances equipped with risk-discovery engines can provide visibility into the data entering and leaving a network. They can help enterprises protect, for example, customer data and intellectual property, and help organizations comply with regulations.

Risk-discovery engines passively monitor inbound and outbound traffic at wire speed, flowing over a network regardless of protocol or port. TCP flows are captured, reassembled and analyzed in real time to identify threats and send alerts.

Pre-defined and custom policies that perform pattern matching can be applied to traffic to identify information. An engine also can be configured to store traffic that violates policies, as well as traffic that does not trigger them, and can make the latter available for querying over historical datastreams.

Content-traffic profiles and business and IT stakeholder dashboards are presented through a secure browser connection to provide an incident's context. An administrator or user with role-based permission can view original content, such as a PDF, and its associated transmission metadata, such as source and destination IP and user.

One example would be Social Security numbers leaked via an outbound e-mail. A risk-discovery engine would detect the Social Security numbers in the e-mail and alert security and compliance personnel. It could then reveal, for example, that the data was being e-mailed in error reports generated by a misconfigured application server.

IT personnel could reconfigure the application server and firewall to stop outbound e-mail from unauthorized mail gateways.

As TCP flows were reconstructed, the risk-discovery engine would identify the protocol and content type. Even if the protocol was unknown, the risk-discovery engine would continue to scan until it identified the content object. For example, "port-agnostic" support means no content transmission would be missed if SMTP e-mail was sent over ports other than Port 25, from which it is usually sent.

Content objects would be written and temporarily stored to an onboard file system. Matching metadata would be stored in a relational SQL database for subsequent data-mining operations. Alerts would be produced in real time as violations were identified.

In addition, conceptual analytics, which uses pattern-matching techniques to detect trends and anomalies in data sets, enables users to gain greater insight into streamed and historical data flows.

For example, say a defense contractor conducts an audit of electronic information transmitted to other countries to ensure compliance with international regulations. Investigators discover that FTP transmissions to China have been bypassing their perimeter security controls. A risk-discovery engine would detect and record transmissions to China, then reveal that the information was classified and the source was a rogue FTP server. IT personnel could then dismantle the FTP server and provide electronic evidence of remediation.