Setting technical criteria for outbound content monitoring
'Exfiltration' reports must stand up to legal scrutiny.
By Rodney Thayer, Network World, 06/26/2006
Yet another term describing products that monitor the transmission of data out of your network is "Exfiltration Detection
System" (EDS). This term is predominantly used in the military, but it is the most explanatory in use today for this class
of products.
EDS wares are supposed to detect violations of regulatory, legal or corporate data-transmission rules. If they work properly, people will get reprimanded at best and prosecuted at
worst. Therefore, their reports must stand up under microscopic scrutiny, because they may have to persuade a jury if the situation warrants it.
Because the consequences of EDS monitoring can be grave, the technology must be carefully examined before deployment to make
sure the information it provides is completely accurate. Before you buy, be sure you drill the vendors hard on how the following issues would impact the validity of a claimed policy violation. If you don't, the witness chair
could well become your own hot seat.
1.) What is the scope of detection?
Find out what kinds of data the EDS detects. Ask for documentation on the types of protocols, data formats and data format
combinations the EDS supports. You need to have this as separate documentation, not just an online help screen, so you can
show an auditor or external authority in hard copy. If you don't have this information in hand, you can't make a verifiable
claim as to what sort of information is monitored over time.
2.) What is the measurable efficacy?
How effective is the EDS at detecting violations? Is the level of efficacy consistent with your requirements? If the product
claims to detect U.S. vehicle driver's license numbers, does it cover all 50 states? If it claims to detect Social Security
numbers, does it report a false positive when 000-00-0000 is transmitted? Make sure you have a clear description of what it
will detect, and make sure it can be tested during maintenance or an audit.
Be careful of tunable parameters. If an EDS can detect leakage of credit card numbers, make sure you know when it will report
the leakage. If it waits for 200 or more credit cards to leak and you thought it would report every individual violation,
you are not really protecting the information as you claimed.
Check the efficacy before you look at performance or blocking capabilities, because if a product can't detect things, it doesn't
matter how good it is at blocking. And if it can't detect properly at low speeds, then there is no point in attempting to
deploy it in a high-performance environment.
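The efficacy questions above are testable, and the following added example (not code from the article or from any EDS vendor) shows the kind of test harness a buyer can run against a candidate product's claims. It validates Social Security number and payment card candidates structurally instead of trusting a bare pattern match, keeps every rejected candidate with its reason so an auditor can see what was considered, and exposes the reporting threshold as an explicit parameter so the "200 cards before it reports" behaviour is visible rather than hidden. The sample text is constructed; 4111 1111 1111 1111 is the standard Visa test number and the other numbers are made up.

```python
import re
from dataclasses import dataclass
from typing import List

# Candidate patterns. Validation, not just pattern matching, decides what is reported.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-19 digits in groups of four (spaces or hyphens optional), not glued to
# neighbouring digits or hyphens so an adjacent SSN cannot bleed into a match.
CARD_RE = re.compile(r"(?<![\d-])(?:\d{4}[ -]?){3}\d{1,7}(?![\d-])")


@dataclass
class Candidate:
    kind: str      # "ssn" or "credit_card"
    value: str     # text as it appeared on the wire
    offset: int    # position in the scanned text, for the audit trail
    valid: bool    # passed structural validation
    reason: str    # why it was accepted or rejected


def ssn_reason(area: str, group: str, serial: str) -> str:
    """Structural rules for SSNs: area 000, 666 and 900-999 are never issued,
    nor are group 00 or serial 0000. Returns "" when the number is plausible."""
    if area == "000" or area == "666" or area >= "900":
        return f"area {area} never issued"
    if group == "00":
        return "group 00 never issued"
    if serial == "0000":
        return "serial 0000 never issued"
    return ""


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str) -> List[Candidate]:
    """Return every SSN and card candidate found, with its validation result,
    so an auditor can see what was rejected and why, not only what was reported."""
    out: List[Candidate] = []
    for m in SSN_RE.finditer(text):
        why = ssn_reason(*m.groups())
        out.append(Candidate("ssn", m.group(0), m.start(), why == "", why or "plausible SSN"))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        ok = luhn_ok(digits)
        out.append(Candidate("credit_card", m.group(0), m.start(), ok,
                             "Luhn ok" if ok else "Luhn checksum failed"))
    return out


def verdict(candidates: List[Candidate], card_threshold: int = 1) -> dict:
    """Apply the reporting policy. card_threshold models the tunable parameter the
    article warns about: raising it above 1 silently tolerates small leaks."""
    ssns = [c for c in candidates if c.kind == "ssn" and c.valid]
    cards = [c for c in candidates if c.kind == "credit_card" and c.valid]
    return {
        "report": bool(ssns) or len(cards) >= card_threshold,
        "ssn_count": len(ssns),
        "card_count": len(cards),
    }


# Constructed sample traffic (not a real capture).
SAMPLE = (
    "ticket 4471: customer SSN 123-45-6789, test SSN 000-00-0000, "
    "card 4111 1111 1111 1111, bogus card 1234 5678 9012 3456, "
    "order 2024-06-26 ref 000123456789"
)

if __name__ == "__main__":
    for c in scan(SAMPLE):
        print(f"{c.kind:12} {c.value!r:24} valid={c.valid} ({c.reason})")
    print("default policy :", verdict(scan(SAMPLE)))
    print("threshold 200  :", verdict(scan(SAMPLE), card_threshold=200))
```

Run against the sample, the scanner reports one SSN and one card, rejects 000-00-0000 and the non-Luhn number with a stated reason, and ignores the ticket number, date and 12-digit reference. The same single leaked card that triggers a report under the default policy is silently tolerated once `card_threshold` is raised to 200, which is exactly the gap between what a vendor's datasheet says and what the deployed configuration does.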
3.) How is the EDS managed?
An EDS, like any other critical infrastructure device, must be manageable in a sound and secure manner. Given the possible
implications of the EDS output, it is arguably even more important here. The management interface should be secured,
using SSL or Secure Shell or some sort of encryption mechanism that cannot be compromised by an impostor. Self-signed digital
certificates are not sufficient, because a man-in-the-middle attack can be used to compromise the administrator account, let
an attacker modify the EDS configuration so that illegitimate traffic gets through, and leave you unable to assure that
administrator access to the EDS is properly controlled.
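The practical difference between "encrypted" and "cannot be compromised by an impostor" comes down to whether the client verifies who it is talking to. The added example below (not code from the article or from any EDS product) builds two Python TLS client contexts for connecting to an EDS management interface: one that verifies the server certificate chain against a trusted CA bundle and checks the hostname, and one that shows what "just accept the self-signed certificate" amounts to in configuration terms. The CA bundle path is an assumption used for illustration.

```python
import ssl
from typing import Optional

# Assumed location of the internal CA bundle that issued the EDS management
# certificate; replace with your own. A self-signed server certificate that the
# client does not otherwise trust gives no protection against an impostor.
EDS_CA_BUNDLE = "/etc/ssl/certs/eds-management-ca.pem"   # assumption, not a real path


def management_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Client context for the EDS management interface: requires a certificate
    chaining to a trusted CA and checks that it names the host we dialled."""
    if ca_bundle is None:
        ctx = ssl.create_default_context()          # system trust store
    else:
        ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # refuse legacy protocol versions
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def permissive_context() -> ssl.SSLContext:
    """The insecure counterpart: traffic is encrypted, but any server holding any
    certificate is accepted, so a man-in-the-middle can impersonate the EDS."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def resists_impostor(ctx: ssl.SSLContext) -> bool:
    """Audit check: does this context actually authenticate the server?"""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    print("verifying context resists impostor:", resists_impostor(management_context()))
    print("permissive context resists impostor:", resists_impostor(permissive_context()))
```

The `resists_impostor` check is the kind of thing to put in a deployment audit: any management script or console that connects with `verify_mode` other than `CERT_REQUIRED`, or with hostname checking off, has the weakness the paragraph describes regardless of how strong the cipher is.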