Extrusion-detection, the plus and minus

By Ellen Messmer, NetworkWorld.com, 03/06/06

Reconnex, which makes products that detect unauthorized transmission of sensitive data, recently brought together three security managers using its iGuard and iController gear to perform that ancient ritual of bravery, talking to the press. The three managers--Mark Butler, chief information security officer at H&R Block; Chuck Shmayel, vice president of infrastructure and security at Sirva; and Mark Moroses, senior director technical services and security officer at Brooklyn, N.Y.-based Maimonides Medical Center--described where extrusion-detection using Reconnex works well, and where the main challenges still lie.

H&R Block has 13,000 full-time and about 120,000 seasonal workers during tax season, relocation-services firm Sirva has with 7,500 employees and Maimonides Medical Center has a few hundred doctors and other staff to support a 705-bed hospital with a speciality in heartcare. Ostensibly, they have little in common in terms of the business each is in.

But the three security managers were so concerned about the possibility employees might transfer sensitive customer data, inadvertently or not, across the Internet, they decided to install an extrusion-detection monitor--in this case, the Reconnex product--to watch for it. They described the experiences they had using the Reconnex product during a meet-the-press session at the recent RSA Conference.

In addition to just detecting and alerting about any possible unauthorized transmission, Reconnex iGuard has given Sirva greater visibility into network traffic, said Sirva's Schmayel.

He added the legal and human resources departments were involved in the decision to use Reconnex, and when the extrusion-detection product iGuard detects a possible policy violation, it is up to the legal and H.R. departments to get involved in any discussion with employees. "I don't want the IT department to be the executioner here," noted Shmayel.

H&R Block, Maimonides Medical Center and Sirva have all found monitoring for unauthorized transmission of content to be worthwhile as a security practice and in meeting regulatory-compliance obligtations.

However, there are still obstacles in using Reconnex. One of the main ones is that it can't look into encrypted data to discover unauthorized content.

At H&R Block, for instance, there are rules to encrypt data in some instances, says Mark Butler. "We use PGP for this," he added. The Catch-22-like problem is that data has to sometimes be encrypted but the extrusion-detection system can't see through it to determine if it's unauthorized data.

However, Reconnex does help in enforcing encryption policy by monitoring for data that should be encrypted, but isn't.

Interestingly, the three security managers appeared to have only slight interest in blocking unauthorized transmisssion of content at this point (something the Reconnex product doesn't do). Concern about false positives, even through the Reconnex product doesn't seem to generate a lot of them, makes blocking transmissions something they don't particularly want to undertake at this point.

Back to Security Notes

Comments

Post a comment

Name:


E-mail address:


URL:


Comments:


Remember info?