Completing the Enterprise Security Puzzle with Content Monitoring

August 9, 2006
By Vasu Murthy, Senior Product Manager, Reconnex Corporation

There has never been a time in history when information was more important to businesses than now. At the same time, the workplace is more connected with the outside world via the Internet and communication tools such as email, Instant Messaging (IM), and file sharing. So what is the probability that employees with access to critical information such as sensitive customer data or intellectual property will leak it? Reconnex electronic 48-Hour e-Risk Rapid Assessments conducted at a number of Fortune 1000 corporations have yielded surprising results. Over 89 percent of enterprises were leaking Social Security numbers of either employees or customers, and an equal number had high usage of Webmail such as Gmail or Yahoo Mail. About 78 percent of enterprises had rogue P2P applications and unauthorized IM running over their networks. Even worse, 67 percent of enterprises assessed were leaking credit card numbers!

Insider leaks are usually due to ignorance and naiveté rather than malice. At a Fortune 1000 corporation, for example, a caller convinced a call center associate to send the entire corporate address book to an off-company Yahoo email account. The caller skillfully posed as a company executive who had forgotten to take his laptop home.

The Insider Threat

In the past decade, enterprises have invested heavily in building an impregnable fortress around their perimeter. Firewalls, IDS, IPS, anti-virus, patch management, and other security mechanisms are designed primarily to safeguard corporate assets from external attack, yet many enterprises still leave an unguarded door open for outbound traffic. Inadvertent or malicious actions by insiders can cause as much damage as an army of outsiders attacking an organization. Independent research has confirmed that insiders such as employees or contractors cause more than 80 percent of corporate security breaches.
Why Content Monitoring?

Today, enterprises can protect against the insider threat with content monitoring solutions: electronic safeguards that guard the enterprise's electronic doors to the outside world by identifying the sensitive information and business-critical digital assets that could potentially flow out of an organization. In essence, content monitoring gives security teams x-ray vision for identifying valuable content through layers of protocols and data formats. These products enable organizations to set policies for finding critical information in the gigabytes of data entering and leaving the enterprise. Because risk might come from email, IM, or other traffic, the ideal content-monitoring tools are protocol, port, file name, and file format agnostic, focusing instead on the data exiting the network.

Organizational Risk Areas

Content monitoring products can protect against a variety of risks. Reconnex has identified the following common risks, which led to the development of pre-defined policies in its own iGuard appliance to guard against them.
Moving Beyond Policies

Many content monitoring technologies are narrowly focused on known threats only, such as the exposure of credit card numbers. True policy definition and risk protection is an evolutionary process. Successful policy definition requires that all data on past information transactions be available; it also requires advanced mining tools so the enterprise can identify and address new and emerging threats in real time. This allows the enterprise to use historical information to identify and protect against insider risks it could not anticipate. Unanticipated events might include a key employee resigning and an investigation of his or her actions in the last weeks before departure. Worse yet, a public company may need to analyze an unexpected drop in stock price possibly related to an insider leak prior to an earnings announcement.

Multiple Classification Technologies

The ideal solution provides multiple ways of identifying sensitive information. These typically include statistical and linguistic processing, as well as registration of known sensitive content that can be fingerprinted and checked against traffic flow. More sophisticated tools also provide advanced features such as anti-plagiarism support, which enables the enterprise to identify sensitive content even when it has been modified slightly before dissemination.

Content Monitoring and Network Topology

Content monitoring devices typically reside on a network tap alongside IDS/IPS and firewall systems. They monitor enterprise traffic to generate incident dashboards that security personnel can view from management consoles. They can also provide integration points for incident propagation to event loggers or Security Information Management (SIM) platforms. Advanced content monitoring features include integration with data repositories such as file servers and Content Management Systems (CMS).
Some CMS can look for sensitive information that resides in non-secure locations, e.g., file shares in an enterprise. The right solution should provide a single view into all sensitive information in the enterprise network as well as into all content transiting the electronic egress points. Content monitoring can also work in tandem with other network elements to actively prevent dissemination of sensitive information. For example, Mail Transfer Agents (MTAs) and web proxies can be configured to work with content monitoring via standard interfaces such as the Internet Content Adaptation Protocol (ICAP). This extends monitoring into preventive actions, which might include bouncing an email or blocking a blog posting. Routers can also be used to reset FTP and other TCP connections once they are triggered by a content monitoring event. Content monitoring products can also be deployed inside the enterprise to monitor transactions between or related to specific departments or groups, such as contract or outsourced employees that might reside offshore. Some may even offer additional capabilities, including monitoring print jobs or remote desktop hosts.

Future Outlook

The next several years will see an interesting intersection between Digital Rights Management (DRM) and content monitoring. DRM locks individual pieces of data, whereas content monitoring attempts to see through these locks. Much like post-9/11 airport security screenings, DRM systems may have to provide ways for content monitors to unlock and more closely inspect content before allowing it to be sent out. Content monitoring clearly has a critical and growing role in enterprise networks, from basic outbound content control to stop data leakage and enforce policies, to products that integrate more closely with a broad range of IT elements for more comprehensive security, and eventually to solutions that will connect with DRM technologies in the future.
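The classification section above names two of the techniques a content monitor combines: pattern detection for known data types (Social Security and credit card numbers, the two leak types the assessments found most often) and registration of known sensitive content that is fingerprinted and still recognised after light editing. The following is an added illustration, not Reconnex or iGuard code: a toy classifier that validates candidate card numbers with the Luhn checksum to suppress random digit runs, fingerprints a registered document as hashed four-word shingles, scores an outbound message by how much of the registered fingerprint it contains, and records incidents with the matched value redacted so the incident log does not itself re-leak the data. All sample texts, the threshold and the shingle size are constructed assumptions.

```python
"""Toy outbound content classifier combining pattern detection with validity
checks and fingerprinting of registered documents via hashed word shingles.
Constructed illustration, not Reconnex/iGuard code; all samples are made up."""
import hashlib
import re

# Constructed sample texts (not real data).
REGISTERED_DOC = ("project falcon internal pricing: unit cost is 42 dollars; "
                  "margin target is 35 percent; launch planned for the third quarter")
MODIFIED_LEAK = ("project falcon internal pricing: unit cost is 42 dollars; "
                 "margin target is 35 percent; launch moved to the fourth quarter")
UNRELATED = "lunch is at noon in the third floor cafeteria"
OUTBOUND_MAIL = ("ssn 123-45-6789 card 4111 1111 1111 1111 "
                 "bogus 1234 5678 9012 3456")

# SSN shape: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")
# 13 to 16 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")


def luhn_ok(digits: str) -> bool:
    """Mod-10 checksum used by payment cards; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_patterns(text: str) -> list[tuple[str, str]]:
    """Pattern classifier: SSNs by shape, card numbers by shape plus checksum."""
    hits = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits.append(("card", m.group()))
    return hits


def redact(value: str) -> str:
    """Keep only the last four characters so incident records do not re-leak data."""
    return "*" * (len(value) - 4) + value[-4:]


def shingles(text: str, k: int) -> set[str]:
    """Hashed k-word shingles; case and punctuation are normalised away."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
            for i in range(len(words) - k + 1)}


class ContentMonitor:
    def __init__(self, k: int = 4, threshold: float = 0.5):
        self.k = k                  # shingle size (assumed)
        self.threshold = threshold  # containment needed to raise an incident (assumed)
        self.registry: dict[str, set[str]] = {}

    def register(self, name: str, text: str) -> None:
        """Fingerprint a known-sensitive document; only the hashes are retained."""
        self.registry[name] = shingles(text, self.k)

    def match_registered(self, text: str) -> list[tuple[str, float]]:
        """Containment: fraction of a registered document's shingles present in text."""
        probe = shingles(text, self.k)
        matches = []
        for name, fp in self.registry.items():
            score = len(probe & fp) / len(fp) if fp else 0.0
            if score >= self.threshold:
                matches.append((name, round(score, 2)))
        return matches

    def inspect(self, text: str) -> list[dict[str, str]]:
        """Run every classifier and emit one incident record per policy hit."""
        incidents = [{"policy": f"pattern:{kind}", "evidence": redact(value)}
                     for kind, value in find_patterns(text)]
        incidents += [{"policy": f"registered:{name}", "evidence": f"containment={score}"}
                      for name, score in self.match_registered(text)]
        return incidents


if __name__ == "__main__":
    monitor = ContentMonitor()
    monitor.register("falcon-pricing", REGISTERED_DOC)
    for message in (OUTBOUND_MAIL, MODIFIED_LEAK, UNRELATED):
        print(monitor.inspect(message))
```

The edited copy of the registered document still shares 12 of its 17 shingles with the original, so it is flagged at a containment of about 0.71 even though its last clause was rewritten, while the unrelated cafeteria notice shares none. The Luhn check lets the classifier discard the sixteen-digit "bogus" run while keeping the valid card number, which is the kind of false-positive control a pattern-only policy lacks.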
Vasu Murthy is the Senior Product Manager at Reconnex Corporation, makers of the Reconnex iGuard appliance, which provides enterprises with content monitoring capabilities that include built-in multi-vector classification technology and a streaming search engine.