Security Manager's Journal: Did DLP tool prevent an assault?
A data loss prevention tool flags keywords that lead to the discovery of a possible conspiracy to commit a crime.
Computerworld - The plain view doctrine allows law enforcement officials to seize, without a search warrant, evidence or contraband perceptible during a lawful observation. As an example, if a police officer who is exercising a warrant to search a house for illegal weapons sees drugs on the kitchen counter, in plain sight, then the officer can confiscate the illegal drugs and charges could be filed, even though the search was for weapons.
I mention this doctrine because it intersects to a certain extent with a company policy that states that employees have no expectation of privacy when using company computers and networks. We are basically saying that we will judge anything on them as being in plain view.
This policy is what allows my analysts to monitor network activity for security breaches and other illegal activity. Naturally, we are mostly interested in detecting attempts to leak any sensitive company information. To that end, we have indexed a fairly small set of key documents for our data loss prevention (DLP) tool to look for. But we also look for certain number sequences and keywords suggesting credit card numbers, Social Security numbers or other personally identifiable information, and we look for keywords that might indicate illegal activity such as downloading child pornography. That's because we don't want to be surprised someday with a search warrant that could disrupt our business and result in some bad press for us. It's better to be on top of such things and alert law enforcement anytime we come across anything suspicious.
And sometimes we do find something. The other day, one of my analysts sent me data he was investigating that suggested someone in the company might be involved with child pornography. Our DLP monitor had flagged some traffic containing keywords that we had included in the rules we use to turn up anything that might be related to such activity. Soon enough, we found out that this wasn't a child pornography case, but something else that we needed to bring to the attention of law enforcement.
The analyst had uncovered an instant-messaging chat between one of our employees and someone from outside the company. The chat rather baldly outlined a conspiracy between the two men to assault a third man that our employee suspected was having an affair with his wife. In that conversation, our employee discussed a plan to use his wife's cellphone to text the man and persuade him to visit a park for what he thought would be a meeting with the employee's wife. At the appointed time and place, the two conspirators would attack him.
The discussion was incredibly detailed and incriminating: They talked about the type of weapon that would be best for the attack, their alibis and even the best way to wash blood off clothing and hands.
I printed out a transcript, along with information about the employee, and met with our legal department and human resources. HR's impulse was to give the employee the benefit of doubt, but our general counsel, concerned that we could be charged with negligence if an assault occurred, disagreed and said we needed to contact law enforcement immediately. I then told the employee's manager to confiscate his laptop until the matter is resolved.
I checked in the other day to find out what is happening and learned that the police investigation is ongoing and that HR has put the employee on administrative leave. There is still a chance that the entire thing was a hoax, but the incident nonetheless provides further justification for our investment in DLP.
All in all, though, I'd be happier with other sorts of justification for such a valuable initiative.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at email@example.com.
Join in the discussions about security! Computerworld.com/blogs/security
More by Mathias Thurman
- Security Manager's Journal: Virtual machines, real mess
- Security Manager's Journal: Stopping vendors from making us a Target
- Security Manager's Journal: Thousands of dollars in phone calls? Management hates that.
- Security Manager's Journal: Another step toward eliminating data loss
- Security Manager's Journal: Siccing MDM on personal mobile devices
- Security Manager's Journal: An admin surfing on a server? That's a big no-no
- Security Manager's Journal: Time to tweak the security policies
- Security Manager's Journal: Found: 30 unmanaged servers that shouldn't be
- Security Manager's Journal: The ins and outs of extending DLP
- Security Manager's Journal: Move to hosted email opens new vulnerabilities
Read more about Security in Computerworld's Security Topic Center.
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts