Skip Links

Security Manager's Journal: Did DLP tool prevent an assault?

A data loss prevention tool flags keywords that lead to the discovery of a possible conspiracy to commit a crime.

By Mathias Thurman, Computerworld
February 11, 2013 06:37 AM ET

Computerworld - The plain view doctrine allows law enforcement officials to seize, without a search warrant, evidence or contraband perceptible during a lawful observation. As an example, if a police officer who is exercising a warrant to search a house for illegal weapons sees drugs on the kitchen counter, in plain sight, then the officer can confiscate the illegal drugs and charges could be filed, even though the search was for weapons.

Trouble Ticket

DLP monitor instigates an investigation that uncovers what seems to be an employee's plan to attack his wife's lover.Action plan: Bring the evidence to HR and Legal and go from there.

I mention this doctrine because it intersects to a certain extent with a company policy that states that employees have no expectation of privacy when using company computers and networks. We are basically saying that we will judge anything on them as being in plain view.

This policy is what allows my analysts to monitor network activity for security breaches and other illegal activity. Naturally, we are mostly interested in detecting attempts to leak any sensitive company information. To that end, we have indexed a fairly small set of key documents for our data loss prevention (DLP) tool to look for. But we also look for certain number sequences and keywords suggesting credit card numbers, Social Security numbers or other personally identifiable information, and we look for keywords that might indicate illegal activity such as downloading child pornography. That's because we don't want to be surprised someday with a search warrant that could disrupt our business and result in some bad press for us. It's better to be on top of such things and alert law enforcement anytime we come across anything suspicious.

And sometimes we do find something. The other day, one of my analysts sent me data he was investigating that suggested someone in the company might be involved with child pornography. Our DLP monitor had flagged some traffic containing keywords that we had included in the rules we use to turn up anything that might be related to such activity. Soon enough, we found out that this wasn't a child pornography case, but something else that we needed to bring to the attention of law enforcement.

The analyst had uncovered an instant-messaging chat between one of our employees and someone from outside the company. The chat rather baldly outlined a conspiracy between the two men to assault a third man that our employee suspected was having an affair with his wife. In that conversation, our employee discussed a plan to use his wife's cellphone to text the man and persuade him to visit a park for what he thought would be a meeting with the employee's wife. At the appointed time and place, the two conspirators would attack him.

Incriminating Details

The discussion was incredibly detailed and incriminating: They talked about the type of weapon that would be best for the attack, their alibis and even the best way to wash blood off clothing and hands.

Originally published on www.computerworld.com. Click here to read the original story.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News