Senior Editor, Network World

Security tools target inside jobs

Apr 05, 2004 | 5 mins
Identity Management Solutions, Intellectual Property, Networking

For a decade, corporations have erected perimeter defenses to keep Internet attackers at bay. Now IT managers are under pressure to deal with an even bigger challenge: keeping insiders from using the Internet to leak valuable business data.

The problem has given rise to a new generation of start-ups – including Verdasys, Vericept, Vidius and Vontu – focused on securing digital content and watching where it goes.

The latest company to enter the market is Tablus, which debuted last month and quickly picked up $7 million in venture capital from Menlo Ventures. Tablus and the other content-monitoring vendors have gateway-style products that let managers identify critical business data, including whole documents if need be, and track how this data is transmitted via e-mail, FTP or other means.

“This is a growing trend in terms of monitoring employees,” says Richard Mogull, research director in information security and risk at Gartner, which this June plans to issue its first report on the topic and advise clients they should be using content-tracking technology. “We finally have the tools to look at these insider security issues.”

This new generation of content and audit tools represents a clear change from the past. “We’ve always had network forensics tools, like those from Niksun, [Network Associates’] Infinistream or [Computer Associates’] SilentRunner, that sniff everything,” Mogull says. While great for a rear-view mirror analysis, they lack the real-time alert capabilities going into these newer content monitoring and audit products, he says.

Pressure to watch for so-called information leakage is coming from a host of laws requiring companies to safeguard financial and customer information, including the Gramm-Leach-Bliley Act, Sarbanes-Oxley Act, Health Insurance Portability and Accountability Act (HIPAA) and California’s Database Protection Act of 2003. What’s more, outsourcing is putting more business data in the hands of insiders outside the company.

Burton Group analyst Trent Henry says the content-tracking vendors “tackle a different problem than intrusion-detection systems [IDS]. They look at information flow and actual content.”

But the technology is still new, faces the same questions of false positives that dog IDS, and doesn’t yet allow the transmission of unauthorized content to be blocked. Regarding the latter, vendors such as Vontu say their road maps call for content blocking in the future.

As with any nascent market, customers can expect the usual rise and fall of the start-ups, with some being bought by larger network vendors and others simply dying out. “There will be shakeouts,” Henry says.

Henry and Mogull say outbound content-tracking might end up as part of multi-function gateways involved in other types of content inspection, such as anti-spam and Web monitoring.

Meeting a need

While there might not be many companies using content-tracking technologies today, such offerings clearly are answering a need.

Storage network vendor McData uses Vericept’s server-based software to look for pre-determined types of confidential information that should be restricted, which helps McData comply with the California data-protection laws and other regulations.

“It accurately monitors all communications across our network,” says Paul Brothe, director of internal audit at McData.

Many corporations are in kicking-the-tires mode. William Boni, Motorola’s chief information security officer, says his company is looking to see if any of the products would fit his global network, which supports 100,000 users and numerous business partners. “The concern is premature leakage of key forms of digital intellectual property,” he says.

Start-up Intrusic focuses on the insider threat by assuming there are compromised computers on the network, so none of them should be trusted.

“A typical hacker is masquerading as an insider,” says Bruce Linton, CEO of Intrusic. The company’s server-based Zephon software ferrets out intruders – and questionable network use by employees – by copying and analyzing business traffic at the application level to spot unusual patterns.

“I found a lot of people had created outbound reverse tunnels going to their home PCs, totally bypassing the network security architecture,” says John Burke, CIO at Boston’s Caritas Christi Healthcare, which operates a chain of six hospitals. “With Intrusic, you can tell when someone is sending a lot of data out to the Internet. It identified the anomalies that need to be investigated.”

Burke says Intrusic’s technology contributes to the effort at Caritas Christi to comply with the HIPAA rules to protect patient data and keep a good audit trail, adding, “HIPAA wouldn’t exist if healthcare had taken a more stringent approach to security previously.”

TNT debuts

The need to tighten access to the most important corporate data and produce an audit trail related to content is also the concern of another start-up, Trusted Network Technologies (TNT). The company, fueled by $18 million in venture capital from Charles River Ventures, Flagship and JK&B, last week announced its first product, called Identity.

President and CEO Steve Gant says the “identity-based firewall” sits in front of LAN segments holding high-value servers, letting clients running I-Host software access the resources only after their credentials have been checked.

“This was developed for the inside because there’s a shift to asset-centric security where the data resides,” Gant says.

Payment services provider Certegy has been testing Identity for use in guarding critical financial data. “It’s like a regular firewall, but it’s tied to identity in a different way,” says Wayne Proctor, chief information security officer at Certegy. “Hackers pride themselves on getting to the box, but with TNT they can’t see the box.”