Part 4: A guide to buying extrusion-prevention products

Computerworld - To be able to do something before it exists,
sense before it becomes active,
and see before it sprouts.
The Book of Balance and Harmony (Chung-ho chi).
A medieval Taoist book

In my previous articles (see story), I introduced the concept of extrusion, or the unauthorized network transfer of sensitive digital assets. Here are a few true examples:

• cc'ing a supplier by mistake on a classified RFP document
  
  
• Production servers with anonymous file transfer protocol (FTP) turned on
  
  
• Break-ins, bribes and double agents (workers who spy for other groups or companies)
  
  
• The actuary who went to work for the competition

As new technologies are developed to meet the extrusion challenge, more customers are evaluating and implementing solutions. This article examines the threats that drive business makers to buy extrusion technology, and the industry players that provide the products. The shopper's guide will help you choose the product that best fits your business and your threat profile.

Who are the buyers and what drives the decision?

A common question I hear is, "Who should 'own' extrusion-prevention technology?" Is it the vice president, internal auditor, chief financial officer, CIO or CSO, or is it IBM Global Services?

The business need drives directly to the CEO and his management team, and in firms with outsourced IT infrastructure, the need for extrusion prevention becomes more acute as more people are involved with less allegiance to the firm.

To help you qualify your organization's commitment to extrusion prevention, let's look at the decision drivers, or what compels companies to buy security products, and the decision-makers, or those who sign off on the products. We'll look at seven industries: banking, credit card issuing, insurance, pharmaceuticals, telecommunications, health care and technology.

INDUSTRY TYPICAL EXTRUSION DRIVERS DECISION - MAKERS BANKING A real event, such as theft of confidential customer account information by trusted insiders Privacy regulations such as the Gramm-Leach-Bliley Act, HIPAA The Sarbanes-Oxley Act, for transparency and timeliness in reporting of significant events Vice president of internal audit who mandates a technical evaluation to the CSO or the CIO that directs the information security group to act. CREDIT CARD ISSUERS Ongoing theft of customer transactional information by customer service reps Extrusion threat to credit card numbers that haven't yet been printed on plastic cards and issued to card holders Privacy regulations, Sarbanes-Oxley , nondisclosure agreements with business partners The security officer or information security officer (many issuers have separate functions for physical and information security) INSURANCE A real event, such as theft of customer lists by competitors Fear of losing actuarial data Exposure to extrusion of credit card numbers in online systems General counsel, VP of internal audit, CFO PHARMACEUTICALS Theft of chemistry, manufacturing and control information, product formulation and genome data by trusted insiders Difficulty in preserving secrecy of sensitive intellectual property prior to patent filings Sensitivity of company records during due diligence processes General counsel, CFO, chief compliance officer TELECOM/ONLINE BUSINESS (Telecom service providers and large online operations such as Yahoo collect and aggregate huge quantities of data, and the higher up the value chain you go with data aggregation, the more valuable and vulnerable the asset.) Prepaid code files Pricing data Strategic marketing plans Call detail records (analogous to credit card transaction records, these are extrusions by customer service representatives to private investigators and difficult to detect) Customer credit card records VP of internal audit, VP of technologies HEALTH CARE Privacy regulations/HIPAA Need to protect pricing data of drugs and supplies purchased by the health care organization CSO, VP of internal audit TECHNOLOGY COMPANIES Theft of: Source code Designs, pictures and plans of proprietary equipment Strategic marketing plans CEO, CTO

What kinds of technology are there?

Now that you see why companies need technology for preventing data theft, let's take a look at the options. There are three architectures for extrusion-detection and -prevention: agent, proxy and sniffer.

Agent: An agent-based solution is similar in concept to host-based intrusion detection. The agent, which needs to be distributed to all the PCs in an organization, provides a software solution for Windows with shims to network services, file systems, Windows clipboard, removable media and CD burners. Events are generated according to a set of predefined rules, for example, copying a Word file from a file share marked as "sensitive" and then pasting text into a browser.

Proxy: A proxy-based solution is typically used for monitoring e-mail traffic. It requires placing an application-layer proxy next to your Exchange servers or installing a server agent. Events are generated according to a set of predefined rules and content profiles.

Sniffer: A sniffer-based solution is a Windows or Linux-based appliance located next to the firewall that provides off-line content profiling and online packet sniffing and TCP session reassembly. Some solutions operate in real time, while others may log the sessions first for later batch analysis. After the session payload is decoded, the content is analyzed and events are generated according to a set of predefined rules and content profiles. A good sniffer solution will send events to a database for reporting and data mining.

Shop by threat

Our shopper's guide is organized around typical threat profiles. Your profile will contain one or more threats to your company's digital assets: human error, system holes, criminal and terrorist activity, and trusted insiders.

According to your evaluation of threats, assets, network vulnerabilities and potential economic loss, you're probably shopping for a solution in one of these categories: to prevent trusted insider theft in Microsoft networks; to prevent trusted insider theft by e-mail; to prevent all extrusion threats in a heterogeneous network; or to prevent extrusion threats with a real-time network audit.

Trusted insider threat in Microsoft networks

If your organization is agreeable to installing agent software on Windows PCs, and you're mostly worried about trusted insider theft, then take a look at a vendor such as Verdasys Inc. This company's product doesn't analyze content but monitors flow of information from trusted sources (such as a Windows file share) to untrusted destinations (such as a Webmail browser session) and infers a policy violation.

Pros of agent software