New ways to protect data from insider attacks

The toughest security problem is the insider attack. These emerging tools promise to eliminate the threat

By , Network World
March 19, 2007 12:09 AM ET

Network World - A disgruntled employee here, a careless one there, and just about any enterprise can find itself facing a mountain of trouble from confidential information made public. Help is at hand. Armed with increasingly sophisticated outbound-content monitors, information security officers finally have the weapons they need to conquer the threat of data leakage.

Outbound-content monitoring - also known as data- or information-leakage prevention - came of age in the past year. The devices "have reached a state where they can be a fundamental part of everyone's network," says Josh Levine, managing director at Kita Capital Management, former CTO at E*Trade Financial and board member for device start-up Securify.

Scott Mackelprang, vice president of security and compliance for Digital Insight, an online banking services company in Calabasas, Calif. (now part of Intuit), agrees. And he's no pushover. "When I first saw technologies that were filtering at the perimeter to catch things on the wire, I was pretty skeptical, and I left them alone," he says. "For the longest time, I just watched the technology."

Then he discovered Tablus' Content Sentinel, which can find sensitive data even when the data is not moving but resting in odd and unexpected places, such as crummy old laptops and beat-up computers. He uses Content Sentinel plus Tablus Alert to look for sensitive data on desktops and as it moves across the network. Securing the network from the data's origination point - rather than from the firewall - is evolutionary, he says.

Maturing technology

Early outbound-content monitors typically focused on finding sensitive data from a single data source - for example, e-mail - as it was trying to cross the perimeter. But today's versions can scan just about any type of datastream, including Web traffic, e-mail, FTP, electronic faxes and instant messages. Some monitors also detect stored sensitive data squirreled away in Word documents, spreadsheets, PowerPoints - just about anywhere. In addition, they're much more linguistically sophisticated than earlier products, says Trent Henry, a senior Burton Group analyst.

"Rather than just being able to search for simple keywords - like the name 'Trent' - or a particular Social Security number, they can do conceptual analysis," Henry says. For example, they can understand when a mergers-and-acquisition memo needs to be flagged because it still contains sensitive information even though it has been paraphrased or rewritten. "Using language analytics, they're able to detect things that in the past would have slipped by," he says.

Outbound-content monitoring generally comes in the form of an intelligent network appliance that enforces policy-driven controls and in some cases uses behavioral analysis to determine whether an employee might be putting confidential data at risk. These appliances issue alerts, put suspect outbound content in a holding tank or block actions outright that could place sensitive data at risk.
