Has your sensitive data leaked into the wild?

Data leak detection picks up where DLP leaves off

Most organizations have data security policies designed to keep sensitive information from becoming publicly available. Still, you’d be surprised at the kind of information that makes its way out into the open, either accidentally or intentionally. Financial records, customer account information, product plans and roadmaps. Do you know what information your company is exposing? New “data leak detection” (not prevention) technology from Exobox Technologies can tell you what is in the public eye, and where it is.

Every organization has sensitive information that it does not want the public to see. Nevertheless, this information often makes its way to the public Internet, either by accidental or intentional exposure.

For example, in 2007 payment records for more than 30,000 patients of Sky Lakes Medical Center in Oregon were viewable on the Internet for nearly a month when a contractor copied the records from one server to another to perform maintenance. When the unintentional leak was discovered by a patient of another hospital, the Sky Lakes online payment system was shut down until the problem was resolved.

Unfortunately, this kind of thing happens every day, and the organizations whose information is exposed have no idea. Could this happen to your company? The truth is, you’re probably exposing much more than you know, according to executives at Exobox Technologies.

Exobox is a relatively new data security company whose leaders bring deep security expertise to the table. They have chosen to focus on an untapped area of data security they call “data leak detection.” Instead of trying to prevent your sensitive data from leaving the network confines, the Exobox SaaS solution called ExoDetect tells you what has already escaped. If this sounds a bit like closing the barn door after the horses have run off, let me assure you, there’s still plenty of value in knowing where the horses have gone.

ExoDetect runs a scan on the public areas of the Internet and finds documents and emails containing the sensitive data elements you ask it to search for. The live demo I saw turned up confidential product roadmaps, competitive information and sensitive financial information for an actual company. This information was in PowerPoint files, emails and Word documents, as well as posted to blogs and other places that are all publicly accessible. ExoDetect identifies where the leaked data is located and presents the list of places and documents in an easy to read format.

I imagine it would be a shock to most CISOs to see such a report. Even companies that think they have a pretty good defense against data leaks have seen their ExoDetect scans turn up previously unknown postings of sensitive data.

The thing about data leak prevention is that you don’t really know if it’s working 100%. With ExoDetect’s data leak detection, you can see just how effective your prevention policies and technologies are. If (when) you see your company’s leaked data on the Internet, you can take action to minimize the damage and plug the holes that allowed the data to get into the wild. What’s more, used in conjunction with system logs, the ExoDetect reports help with data leak forensic investigations.

The Exobox executives emphasize that all the data that is found is publicly available. ExoDetect does not search behind firewalls. You could use a search engine such as Google or Bing to find the data, but the search would take you much longer and the results would not be well organized. In fact, this type of manual process would probably take weeks, during which time even more eyes can be perusing your confidential financial data or M&A plans. ExoDetect returns its results in minutes.

ExoDetect has been available since June 2009. There are numerous users of the product but few want to talk about their experiences since the subject matter is sensitive. I did, however, talk to Tim Proffitt, supervisor of technical security at Administaff. His company has used ExoDetect for about a month.

The first time Administaff ran a report, “I was surprised at the sheer number of documents that were found,” Proffit says. “There were the typical documents you would expect, where analysts were talking about the company and how the stock is doing. What surprised me was seeing information that some of our network administrators and support staff put on blogs and tech support forums. While I wouldn’t consider that information very confidential, it does raise awareness that these are potential avenues for data leaks.” Proffitt is using this knowledge to make upper management aware of the threats. “This is an area of great risk that management needs to be able to handle.”

Administaff hasn’t had to change any security policies as a result of viewing their data via ExoDetect. “We have pretty good data protection policies in place today,” says Proffitt. “The value of ExoDetect is in validating that our policies are being followed.” He says ExoDetect would make a good complement to data leak prevention tools, to validate that the DLP tools are working and to see how to better tune the parameters of the applications.

ExoDetect is available as a service, so there’s nothing to install. Scans are reasonably priced, making it affordable for even the smallest companies. It’s worth it to run a scan just to see how good (or bad) your data security practices are.

Exobox just announced another service called ExoWatch that is focused on scanning a company’s own corporate website. The idea is companies have thousands or tens of thousands of pages on their sites and can’t possibly know what information is posted on all those pages. ExoWatch scans the pages of that domain, looking for inappropriate postings of sensitive data.

We all know information is hard to keep contained. Exobox is one tool that might help reduce your security risks by automating the discovery of sensitive data that is available in places where it shouldn’t be.

Linda Musthaler is a Principal Analyst with Essential Solutions Corporation. You can write to her at mailto:LMusthaler@essential-iws.com.

Learn more about this topic

Data Leak Prevention On The Cheap

CA to buy data-leak prevention vendor

Podcast: RSA upgrades data leak prevention; Entrust to be acquired
Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Related:
Now read: Getting grounded in IoT