Part 4: A guide to buying extrusion-prevention products

Danny Lieberman, Open Solutions Israel   Today’s Top Stories   or  Other Security Stories  

Web Threats Don't Discriminate The Secure Web Gateway. Mission Critical For Business Dynamic Data Center and Virtualization Drives Operational Excellence at Emory Healthcare Fast and Simple Recovery of Your Critical Microsoft® Applications with Symantec Backup Exec" Converging System and Data Protection for Complete Disaster Recovery Learn How to Think Ahead of Attacks and Protect your Data For the Future Compterworld Technology Briefing: Intelligent Users Use Business Intelligence Computerworld Report- Large Enterprises Pay More for IPAM An Apple for Your Enterprise? Sign up to receive Security Resource Alerts

October 28, 2004 (Computerworld) -- To be able to do something before it exists,
sense before it becomes active,
and see before it sprouts.
The Book of Balance and Harmony (Chung-ho chi).
A medieval Taoist book

In my previous articles (see story), I introduced the concept of extrusion, or the unauthorized network transfer of sensitive digital assets. Here are a few true examples:

• cc'ing a supplier by mistake on a classified RFP document
  
  
• Production servers with anonymous file transfer protocol (FTP) turned on
  
  
• Break-ins, bribes and double agents (workers who spy for other groups or companies)
  
  
• The actuary who went to work for the competition

As new technologies are developed to meet the extrusion challenge, more customers are evaluating and implementing solutions. This article examines the threats that drive business makers to buy extrusion technology, and the industry players that provide the products. The shopper's guide will help you choose the product that best fits your business and your threat profile.

Who are the buyers and what drives the decision?

A common question I hear is, "Who should 'own' extrusion-prevention technology?" Is it the vice president, internal auditor, chief financial officer, CIO or CSO, or is it IBM Global Services?

The business need drives directly to the CEO and his management team, and in firms with outsourced IT infrastructure, the need for extrusion prevention becomes more acute as more people are involved with less allegiance to the firm.

To help you qualify your organization's commitment to extrusion prevention, let's look at the decision drivers, or what compels companies to buy security products, and the decision-makers, or those who sign off on the products. We'll look at seven industries: banking, credit card issuing, insurance, pharmaceuticals, telecommunications, health care and technology.

INDUSTRY TYPICAL EXTRUSION DRIVERS DECISION - MAKERS BANKING A real event, such as theft of confidential customer account information by trusted insiders Privacy regulations such as the Gramm-Leach-Bliley Act, HIPAA The Sarbanes-Oxley Act, for transparency and timeliness in reporting of significant events Vice president of internal audit who mandates a technical evaluation to the CSO or the CIO that directs the information security group to act. CREDIT CARD ISSUERS Ongoing theft of customer transactional information by customer service reps Extrusion threat to credit card numbers that haven't yet been printed on plastic cards and issued to card holders Privacy regulations, Sarbanes-Oxley , nondisclosure agreements with business partners The security officer or information security officer (many issuers have separate functions for physical and information security) INSURANCE A real event, such as theft of customer lists by competitors Fear of losing actuarial data Exposure to extrusion of credit card numbers in online systems General counsel, VP of internal audit, CFO PHARMACEUTICALS Theft of chemistry, manufacturing and control information, product formulation and genome data by trusted insiders Difficulty in preserving secrecy of sensitive intellectual property prior to patent filings Sensitivity of company records during due diligence processes General counsel, CFO, chief compliance officer TELECOM/ONLINE BUSINESS (Telecom service providers and large online operations such as Yahoo collect and aggregate huge quantities of data, and the higher up the value chain you go with data aggregation, the more valuable and vulnerable the asset.) Prepaid code files Pricing data Strategic marketing plans Call detail records (analogous to credit card transaction records, these are extrusions by customer service representatives to private investigators and difficult to detect) Customer credit card records VP of internal audit, VP of technologies HEALTH CARE Privacy regulations/HIPAA Need to protect pricing data of drugs and supplies purchased by the health care organization CSO, VP of internal audit TECHNOLOGY COMPANIES Theft of: Source code Designs, pictures and plans of proprietary equipment Strategic marketing plans CEO, CTO

What kinds of technology are there?

Now that you see why companies need technology for preventing data theft, let's take a look at the options. There are three architectures for extrusion-detection and -prevention: agent, proxy and sniffer.

Agent: An agent-based solution is similar in concept to host-based intrusion detection. The agent, which needs to be distributed to all the PCs in an organization, provides a software solution for Windows with shims to network services, file systems, Windows clipboard, removable media and CD burners. Events are generated according to a set of predefined rules, for example, copying a Word file from a file share marked as "sensitive" and then pasting text into a browser.

Proxy: A proxy-based solution is typically used for monitoring e-mail traffic. It requires placing an application-layer proxy next to your Exchange servers or installing a server agent. Events are generated according to a set of predefined rules and content profiles.

Sniffer: A sniffer-based solution is a Windows or Linux-based appliance located next to the firewall that provides off-line content profiling and online packet sniffing and TCP session reassembly. Some solutions operate in real time, while others may log the sessions first for later batch analysis. After the session payload is decoded, the content is analyzed and events are generated according to a set of predefined rules and content profiles. A good sniffer solution will send events to a database for reporting and data mining.

Shop by threat

Our shopper's guide is organized around typical threat profiles. Your profile will contain one or more threats to your company's digital assets: human error, system holes, criminal and terrorist activity, and trusted insiders.

According to your evaluation of threats, assets, network vulnerabilities and potential economic loss, you're probably shopping for a solution in one of these categories: to prevent trusted insider theft in Microsoft networks; to prevent trusted insider theft by e-mail; to prevent all extrusion threats in a heterogeneous network; or to prevent extrusion threats with a real-time network audit.

Trusted insider threat in Microsoft networks

If your organization is agreeable to installing agent software on Windows PCs, and you're mostly worried about trusted insider theft, then take a look at a vendor such as Verdasys Inc. This company's product doesn't analyze content but monitors flow of information from trusted sources (such as a Windows file share) to untrusted destinations (such as a Webmail browser session) and infers a policy violation.

Pros of agent software

Continued...
1 | 2 | 3 | 4 | NEXT  

Print this Story

Send Us Feedback

E-mail this Story

Digg this Story

Slashdot this Story

"The recent attacks in Mumbai were carried out by assailants using high tech methods. It’s just another way in which..." Read more... Read more Security posts or See all Blogs

Microsoft spells out Vista SP2 contents Clues point to Jan. 13 release of Windows 7 beta Transmitting data from the middle of nowhere More top stories...

Virtually every Windows PC at risk, says Secunia License server glitch exposes SonicWall users to e-mail security threats In high-tech schools of the future, Facebook in class is boosted -- not banned

Review: The new MacBook Air, now with extra SSD goodness Thin as ever, the latest Air offers up to twice the storage and snappy performance. Cool Stuff: Your 2008 Holiday Gift Guide We've got an array of economical, expensive, and just plain weird tech gifts for your friends and family. Massive botnet returns from the dead, starts spamming The spam-spewing 'Srizbi' botnet that was shut down two weeks ago has been resurrected and is again under criminal control, say security researchers. Elgan: Why you can't trust 'friends' on Facebook Facebook is popular and growing -- especially with criminals. Here's why they love it. Windows 7 Get the latest news, reviews and more about Microsoft's newest desktop operating system More Continuing Coverage Windows 7 Voting Technology Google's Chrome browser Economy in turmoil: Latest news and tips iPhone 3G Bill Gates moves on Windows Vista A to Z Mac A to Z 2008 Salary Survey Find wage data for 50 IT job titles. More Special Reports 2008 Premier 100 IT Leaders 2007 Premier 100 IT Leaders 2008 Best Places to Work in IT 2007 Best Places to Work in IT 2008 Salary Survey 2007 Salary Survey 2006 Salary Survey 2008 IT Forecast 2007 IT Forecast 40 Years of Computerworld Top 12 Green-IT Users The FAQs About Going Green IT Schools to Watch iPhone: One Year Later Global Mobile Your Next Data Center Management: Reinventing IT Stop Data Leaks Web 2.0 Security Surviving Disasters Managing Storage Virtualization The Lean Storage Machine Storage on Trial Can Web 2.0 Save BI? Bypass These BI Potholes All Zones Business Continuity Zone The File Data Management Zone Security Management Zone The SAS Zone Business Intelligence and Analytics Zone The Enterprise Search Zone Software as a Service Zone The Security Zone See your link here

Moving to Windows Vista: The Promise, The Reality Moving to Windows Vista: The Promise, The Reality View this exclusive webcast today! Go to the webcast  Computerworld Executive Bulletin: Building a Robust Antivirus Defense Download this Executive Bulletin (a $49.95 value) for free, compliments of MessageLabs. (Source: MessageLabs) Antivirus software alone isn't enough to prevent today's speedy, sophisticated virus attacks. Security managers should consider multitiered approaches that include behavior scanning, appliances that check e-mail for worms, and restricting user access to dangerous Web sites. Download this Executive Bulletin (a $49.95 value) for free, compliments of MessageLabs, to learn more. Download this executive briefing  Record Capacity for Microsoft? Exchange 2007 With VMware and IBM System x3850 M2 Download this white paper today! (Source: VMware) The more that e-mail becomes an entrenched IT infrastructure application, the more that messaging administrators face numerous--sometimes conflicting--demands in the categories of availability, flexibility and cost. Employing a virtual solution can help avoid expensive over-provisioning of server computing resources, while improving management and disaster recovery. And ultimately, it can more than double the number of supportable Exchange 2007 users, as compared to a non-virtualized environment. This whitepaper explains how to break down the scalability barrier and respond faster to your mail system needs. Download this white paper  White Papers Read up on the latest ideas and technologies from companies that sell hardware, software and services. The Importance of Application Management Dell Client Migration and Deployment Services Windows? Enterprise Data Protection with Symantec Backup Exec" View more whitepapers

• Microsoft spells out Vista SP2 contents
• Virtually every Windows PC at risk, says Secunia
• Clues point to Jan. 13 release of Windows 7 beta
• More top stories 

The Security Zone With the mobility of employees and the ease with which external devices can be brought in and out of a network, continuing to build your security plan for network servers and clients is a must. Fortunately, there is much that organizations can do to protect themselves from attacks - internal and external. Having the right policies, procedures and server configurations is critical... Learn more in The Security Zone See All Zones

Fired up about IT? Join Sharkbait and share your true tales of IT. SharkBait is the place for you to sound off about everything IT – the good, the bad, and the rest of the weird stuff you deal with every day. New baits

"Turning information into a Competitive Advantage" Companies today are realizing that competitive advantage is harder to sustain when based solely on gains in productivity and cost efficiency. The focus is shifting to invest more in business optimization initiatives which rely on trusted information to develop new insights that deliver better business results. But how can this be done efficiently in a business environment across multiple applications and processes. The answer is an Information Agenda - an innovative approach to transforming business information into a strategic asset for competitive advantage. View this webcast now!  See more Webcasts

Dan Tynan Today's Internet has been brought to you by porn YouTube and Ning are trying to shed adult-oriented content to appeal to mainstream advertisers. Will it work? ... [more]