Computerworld - To be able to do something before it exists,
sense before it becomes active,
and see before it sprouts.
The Book of Balance and Harmony (Chung-ho chi).
A medieval Taoist book
In my previous articles (see story), I introduced the concept of extrusion, or the unauthorized network transfer of sensitive digital assets. Here are a few true examples:
As new technologies are developed to meet the extrusion challenge, more customers are evaluating and implementing solutions. This article examines the threats that drive business makers to buy extrusion technology, and the industry players that provide the products. The shopper's guide will help you choose the product that best fits your business and your threat profile.
Who are the buyers and what drives the decision?
A common question I hear is, "Who should 'own' extrusion-prevention technology?" Is it the vice president, internal auditor, chief financial officer, CIO or CSO, or is it IBM Global Services?
The business need drives directly to the CEO and his management team, and in firms with outsourced IT infrastructure, the need for extrusion prevention becomes more acute as more people are involved with less allegiance to the firm.
To help you qualify your organization's commitment to extrusion prevention, let's look at the decision drivers, or what compels companies to buy security products, and the decision-makers, or those who sign off on the products. We'll look at seven industries: banking, credit card issuing, insurance, pharmaceuticals, telecommunications, health care and technology.
INDUSTRY
TYPICAL EXTRUSION DRIVERS
DECISION - MAKERS
BANKING
A real event, such as theft of confidential customer account information by trusted insiders
Privacy regulations such as the Gramm-Leach-Bliley Act, HIPAA
The Sarbanes-Oxley Act, for transparency and timeliness in reporting of significant events
Vice president of internal audit who mandates a technical evaluation to the CSO or the CIO that directs the information security group to act.
CREDIT CARD ISSUERS
Ongoing theft of customer transactional information by customer service reps
Extrusion threat to credit card numbers that haven't yet been printed on plastic cards and issued to card holders
Privacy regulations, Sarbanes-Oxley , nondisclosure agreements with business partners
The security officer or information security officer (many issuers have separate functions for physical and information security)
INSURANCE
A real event, such as theft of customer lists by competitors
Fear of losing actuarial data
Exposure to extrusion of credit card numbers in online systems
General counsel, VP of internal audit, CFO
PHARMACEUTICALS
Theft of chemistry, manufacturing and control information, product formulation and genome data by trusted insiders
Difficulty in preserving secrecy of sensitive intellectual property prior to patent filings
Sensitivity of company records during due diligence processes
General counsel, CFO, chief compliance officer
TELECOM/ONLINE BUSINESS
(Telecom service providers and large online operations such as Yahoo collect and aggregate huge quantities of data, and the higher up the value chain you go with data aggregation, the more valuable and vulnerable the asset.)
Prepaid code files
Pricing data
Strategic marketing plans
Call detail records (analogous to credit card transaction records, these are extrusions by customer service representatives to private investigators and difficult to detect)
Customer credit card records
VP of internal audit, VP of technologies
HEALTH CARE
Privacy regulations/HIPAA
Need to protect pricing data of drugs and supplies purchased by the health care organization
CSO, VP of internal audit
TECHNOLOGY COMPANIES
Theft of:
Source code
Designs, pictures and plans of proprietary equipment
Strategic marketing plans
CEO, CTO
What kinds of technology are there?
Now that you see why companies need technology for preventing data theft, let's take a look at the options. There are three architectures for extrusion-detection and -prevention: agent, proxy and sniffer.
Agent: An agent-based solution is similar in concept to host-based intrusion detection. The agent, which needs to be distributed to all the PCs in an organization, provides a software solution for Windows with shims to network services, file systems, Windows clipboard, removable media and CD burners. Events are generated according to a set of predefined rules, for example, copying a Word file from a file share marked as "sensitive" and then pasting text into a browser.
Proxy: A proxy-based solution is typically used for monitoring e-mail traffic. It requires placing an application-layer proxy next to your Exchange servers or installing a server agent. Events are generated according to a set of predefined rules and content profiles.
Sniffer: A sniffer-based solution is a Windows or Linux-based appliance located next to the firewall that provides off-line content profiling and online packet sniffing and TCP session reassembly. Some solutions operate in real time, while others may log the sessions first for later batch analysis. After the session payload is decoded, the content is analyzed and events are generated according to a set of predefined rules and content profiles. A good sniffer solution will send events to a database for reporting and data mining.
Shop by threat
Our shopper's guide is organized around typical threat profiles. Your profile will contain one or more threats to your company's digital assets: human error, system holes, criminal and terrorist activity, and trusted insiders.
According to your evaluation of threats, assets, network vulnerabilities and potential economic loss, you're probably shopping for a solution in one of these categories: to prevent trusted insider theft in Microsoft networks; to prevent trusted insider theft by e-mail; to prevent all extrusion threats in a heterogeneous network; or to prevent extrusion threats with a real-time network audit.
Trusted insider threat in Microsoft networks
If your organization is agreeable to installing agent software on Windows PCs, and you're mostly worried about trusted insider theft, then take a look at a vendor such as Verdasys Inc. This company's product doesn't analyze content but monitors flow of information from trusted sources (such as a Windows file share) to untrusted destinations (such as a Webmail browser session) and infers a policy violation.
Pros of agent software
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
