- At issue: The company's intellectual property has to be secured.
- Action plan: Endpoint technology is attractive in theory but hard to implement. For now, port blocking might be all that can be done.
Security Manager's Journal: Just watching the network isn't enough
It may be time to supplement monitoring the network with endpoint security.
Computerworld - When I visit my company's overseas offices, I'm often asked what we can do to control USB ports and other external connectors in order to prevent the loss of intellectual property. That's a goal I'm always interested in pursuing.
I would say that at this point we have a fairly mature network data leak prevention (DLP) infrastructure. Not that it's near where I would like it to be. We don't have 100% coverage of every egress point in the organization. We're not monitoring our internal LAN traffic, and we don't have all the product divisions signed up to use our DLP tools. But I still consider the infrastructure mature, since we have processes in place for monitoring the network and conducting investigations once we do implement endpoint security technology.
A strong case can be made for doing that, but implementation can be a nightmare. I have the battle scars to prove it.
A couple of years ago, we were swept away by the sales pitch from a fairly new vendor whose offering, it turned out, was rather immature. We decided to try it, and the only good news about what happened next is that the deployment was limited.
Deploying endpoint technology is never easy, and that may be especially true in my company. With so many engineers, we can't maintain a standard operating system profile across the enterprise. And because users have administrative access to their PCs, they are free to install programs; that makes it difficult to keep up with what applications need to be tested with the endpoint DLP technology. Finally, our engineers are often engaged in computer-aided design and source code development, which are intensive applications.
In any event, thinking we had a stable release to try out, we decided to remotely deploy the start-up's technology to our development office in Moscow, where we have 50 software engineers. Many of those engineers' PCs froze or blue-screened. We lost several development cycles as a result and missed the launch date for one of our products.
Naturally, we abandoned that project, but to this day many people here get a bad taste in their mouths if endpoint DLP is brought up, and the mere mention of that vendor's name makes some of us cringe.
No Disruptions
The problem is that endpoint software is a disruptive technology, since it works by intercepting system calls and replacing other system files. It has to do this if it's going to identify, track and secure data at rest, in use and in motion, no matter what application is used. And it needs to be aware of every application in use in the enterprise, including Exchange and webmail, instant messaging, Skype and Windows File Sharing, as well as the movement of data to CD, DVD or USB devices. And the technology needs to be sophisticated enough to allow the use of benign USB devices such as keyboards and mice.
Yet another roadblock to endpoint DLP adoption is that the technology isn't one-size-fits-all; it needs to be tuned to each set of employees. Managing that sort of thing would take additional staff and new training for the help desk. So, although we're currently evaluating some DLP vendors, I'm inclined to look elsewhere for the protection we need right now.
One option I'm considering is port blocking. I'm going to start looking at vendors in that market, including Trend Micro, which is our antivirus and antispyware provider. It could be convenient if we can do it all from one Trend Micro Control Management console. But I would be remiss if I didn't check out other vendors as well.
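The port-blocking requirement described above, which blocks removable media while still letting keyboards and mice work, can be expressed as a default-deny policy on the USB class codes each device reports. This is an added example, not the author's or any vendor's code; the device inventory, field names and function names are constructed for illustration.

```python
# Added example (not from the article): default-deny USB port policy keyed on
# the class codes a device reports. Inventory and field names are constructed.
ALLOWED = {0x01: "Audio", 0x03: "HID", 0x09: "Hub", 0x0E: "Video"}
DATA_CAPABLE = {0x02: "CDC Communications", 0x06: "Still Image",
                0x08: "Mass Storage", 0x0A: "CDC Data"}
# Device-level 0x00 and 0xEF (Miscellaneous, used by composite devices) mean
# the real functions are declared per interface.
DEFER_TO_INTERFACES = {0x00, 0xEF}

def effective_classes(device):
    """Collect every class code that applies to the device."""
    classes = list(device["interfaces"])
    if device["device_class"] not in DEFER_TO_INTERFACES:
        classes.append(device["device_class"])
    return classes

def evaluate(device):
    """Return (decision, reason); anything not explicitly allowed is blocked."""
    classes = effective_classes(device)
    if not classes:
        return "block", "no class information reported"
    # One data-capable interface is enough to block a composite device,
    # even when its other interfaces are on the allowlist.
    for code in classes:
        if code in DATA_CAPABLE:
            return "block", f"data-capable function: {DATA_CAPABLE[code]}"
    for code in classes:
        if code not in ALLOWED:
            return "block", f"class 0x{code:02X} is not on the allowlist"
    names = sorted({ALLOWED[c] for c in classes})
    return "allow", "allowlisted functions only: " + ", ".join(names)

# Constructed inventory: one entry per attached device.
DEVICES = [
    {"name": "keyboard", "device_class": 0x00, "interfaces": [0x03]},
    {"name": "mouse", "device_class": 0x00, "interfaces": [0x03]},
    {"name": "flash drive", "device_class": 0x00, "interfaces": [0x08]},
    {"name": "keyboard+storage", "device_class": 0x00, "interfaces": [0x03, 0x08]},
    {"name": "webcam", "device_class": 0xEF, "interfaces": [0x0E, 0x0E, 0x01, 0x01]},
    {"name": "vendor dongle", "device_class": 0x00, "interfaces": [0xFF]},
]

def report(devices):
    """Map each device name to its allow/block decision."""
    return {d["name"]: evaluate(d)[0] for d in devices}

if __name__ == "__main__":
    for d in DEVICES:
        print(f"{d['name']:<18} {evaluate(d)[0]:<6} {evaluate(d)[1]}")
```

Class codes are self-reported by the device, so a policy like this controls which port functions are usable but does not by itself establish that a device is trustworthy.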
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com.