IT 'Big Brothers' trying to keep internal users under control

Activity-monitoring tools may be able to help stop rogue insiders from compromising data. But they aren't being widely adopted yet.

When it comes to protecting his company's data, Tom Scocca doesn't mind that he might be seen as something of a Big Brother by internal end users.

Scocca, who is a global security consultant at a large company that supplies products to the semiconductor industry, thinks that threats from within businesses require as much attention from security managers as external threats do.

So in addition to the usual network perimeter defenses, Scocca has put monitoring tools on end-user PCs and internal networks to help guard against inadvertent or malicious data breaches.

"There is a bit of a Big Brother syndrome attached to it," he acknowledged. But IT managers need to get over their trepidation about being called snoops, added Scocca, who asked that his employer not be named.

"These tools are not there to spy on people," he said. Rather, they're designed to "make sure the things that keep the revenues rolling in aren't compromised."

The issue of rogue insiders surfaced in a high-profile way last month, when the U.S. Department of State disclosed that three contract workers with access to its systems had improperly viewed the passport records of presidential candidates Hillary Clinton, John McCain and Barack Obama. The activities of the contractors were detected by a security-monitoring system designed to alert administrators whenever flagged passport files are accessed.

But technologies that can keep a close eye on the activities of internal users have yet to be widely adopted. For example, Gartner Inc. analyst John Pescatore estimates that less than 30% of Fortune 5,000 companies have installed such tools.

The lack of active monitoring of end users is a big reason why some insiders have been able to pull off spectacular data heists without getting caught -- at least not right away.

A prime example is the case of Gary Min, a former research scientist at DuPont who in 2005 downloaded about 22,000 document abstracts containing confidential information about most of the company's major products. Min was caught only after he gave his notice; at that point, an internal investigation showed that he had accessed about 15 times more data than the next-highest user of DuPont's electronic document library.
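The two detections described in the State Department and DuPont cases, as an added example that is not code from the article or from any vendor it names: a real-time alert on any access to a flagged record, and a retrospective per-user volume check that flags whoever has touched at least 15 times as many distinct documents as the next-highest user. The log format, the record identifiers, the user names and the log lines themselves are constructed for the example.

```python
"""Two insider-threat detections over a constructed document-access log.

Added illustration; not the article's, DuPont's, the State Department's or
any vendor's code. The log layout ('timestamp user doc_id') is an assumption.
"""
from collections import defaultdict

# Hypothetical identifiers of records whose every access should alert.
FLAGGED_RECORDS = {"PASSPORT-0001", "PASSPORT-0002", "PASSPORT-0003"}

# Ratio from the DuPont case in the article: 15x the next-highest user.
OUTLIER_RATIO = 15.0


def make_sample_log():
    """Constructed log: four ordinary users each read a dozen documents,
    one researcher reads 200, and one contractor opens a flagged record."""
    lines = []
    t = 0
    for user in ("alice", "bob", "carol", "dave"):
        for i in range(12):
            lines.append(f"2005-11-{1 + i % 3:02d}T09:{t % 60:02d}:00Z {user} DOC-{1000 + i}")
            t += 1
    for i in range(200):
        lines.append(f"2005-11-{1 + i % 30:02d}T23:{i % 60:02d}:00Z researcher9 DOC-{2000 + i}")
    lines.append("2008-03-14T14:12:09Z contractor1 PASSPORT-0002")
    return lines


def parse_line(line):
    """Split one constructed log line into (timestamp, user, doc_id)."""
    ts, user, doc = line.split()
    return ts, user, doc


def flagged_access_alerts(lines, flagged=FLAGGED_RECORDS):
    """Real-time rule: any touch of a flagged record is an alert, no baseline needed."""
    return [(ts, user, doc) for ts, user, doc in map(parse_line, lines) if doc in flagged]


def volume_outliers(lines, ratio=OUTLIER_RATIO):
    """Retrospective rule: count distinct documents per user and flag the top
    user if that count is at least `ratio` times the runner-up's.
    Returns [(user, top_count, runner_up_count)] or []."""
    docs_by_user = defaultdict(set)
    for _, user, doc in map(parse_line, lines):
        docs_by_user[user].add(doc)
    ranked = sorted(docs_by_user.items(), key=lambda kv: len(kv[1]), reverse=True)
    if len(ranked) < 2:
        return []  # nothing to compare against
    top_user, top_docs = ranked[0]
    runner_up = len(ranked[1][1])
    if len(top_docs) >= ratio * runner_up:
        return [(top_user, len(top_docs), runner_up)]
    return []


if __name__ == "__main__":
    log = make_sample_log()
    for alert in flagged_access_alerts(log):
        print("FLAGGED RECORD ACCESS:", alert)
    for user, n, runner_up in volume_outliers(log):
        print(f"VOLUME OUTLIER: {user} read {n} documents, next-highest user read {runner_up}")
```

The flagged-record rule fires on the first event, which is why the passport lookups were caught at once. The volume rule only works once counts have accumulated, which is why DuPont saw the disparity only after Min had given notice. Running it over a rolling window (per week, say) instead of the whole history is what turns it from a post-mortem into a warning.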

In another prominent insider case, Certegy Check Services Inc. disclosed last summer that a database administrator had sold the personal and financial information of 8.5 million consumers to data brokers over a five-year period. The check-processing firm didn't nab the DBA until a retailer reported a link between check transactions and marketing solicitations that some of its customers had received.

To try to avoid becoming the next DuPont or Certegy, Scocca's company is using a pair of tools from Raytheon Oakley Systems Inc. One is a desktop agent called SureView that monitors all activity on an end user's system to make sure that no data or computer usage policies are violated. If a violation does occur, the agent issues an alert to the company's security team and begins collecting data for further review.

The tool features a video-like playback feature that lets security administrators view precisely what a user was doing before, during and after a policy violation was flagged, Scocca said. That can help the admins determine almost instantly whether the violation was an accident or the result of deliberate action, he added.

Complementing the desktop agent is a monitoring tool called CoreView that keeps an eye on all internal network traffic for sensitive or inappropriate material.

Other vendors that sell products designed to help companies stop insider threats include Symantec Corp., Vericept Corp., Websense Inc., Tizor Systems Inc., Fidelis Security Systems Inc., Tripwire Inc. and Reconnex Inc. Other vendors, such as Guardium Inc. and Imperva Inc., offer tools that monitor database activity and check for improper access and other abuses.

Tampa International Airport is using system-log monitoring and analysis software from LogRhythm Inc. as part of its effort to comply with Florida's data retention laws and the Payment Card Industry Data Security Standard. And because the software can quickly correlate log events from practically every IT system, it also serves as both a real-time alerting system and an after-the-fact forensic tool, said Katherine Mullin, the airport's IT systems security manager.

Pasadena Federal Credit Union has set up a log management product from TriGeo Network Security Inc. to take actions such as quarantining a computer when it detects a policy violation. Mike McDannel, the Pasadena, Calif.-based credit union's IT security manager, said his team is also using a companion tool that can send alerts when users insert unapproved USB devices into their computers.
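The unapproved-USB-device alert and quarantine decision described above, as an added example rather than TriGeo's or the credit union's code. The event format, the hostnames, the user names, the device serials and the approved-device list are all constructed for the example; the point it adds is that the allowlist is keyed on the device serial, because a vendor:product pair is shared by every unit of a model and says nothing about whether this particular stick was issued by the company.

```python
"""Alert on insertion of USB mass-storage devices that are not on the allowlist.

Added illustration; not the article's or any vendor's code. The event layout
('timestamp key=value ...') and the allowlist are assumptions.
"""

# Hypothetical allowlist: serial -> description. Serial, not vid:pid, because
# vid:pid identifies the model, not the individual, company-issued unit.
APPROVED_DEVICES = {
    "4C530001230224113202": "corporate-issued encrypted drive",
}

# Constructed device-insertion events: one approved drive, one unknown drive
# of the same model, one mouse (which is not a data path and must not alert).
SAMPLE_EVENTS = [
    "2008-04-01T08:15:02Z host=ws12 user=jdoe vid=0781 pid=5583 serial=4C530001230224113202 class=mass-storage",
    "2008-04-01T08:41:37Z host=ws07 user=asmith vid=0781 pid=5583 serial=4C530009876543210001 class=mass-storage",
    "2008-04-01T09:03:10Z host=ws07 user=asmith vid=046d pid=c52b serial=- class=hid",
]


def parse_event(line):
    """Turn one constructed event line into a dict of its fields."""
    ts, *pairs = line.split()
    fields = dict(item.split("=", 1) for item in pairs)
    fields["ts"] = ts
    return fields


def unapproved_storage_events(events, approved=APPROVED_DEVICES):
    """Return one alert per mass-storage insertion whose serial is not approved.
    A device that reports no serial ('-') is treated as unapproved."""
    alerts = []
    for ev in map(parse_event, events):
        if ev.get("class") != "mass-storage":
            continue  # keyboards, mice and the like are not an exfiltration path
        if ev.get("serial", "-") in approved:
            continue
        alerts.append({
            "ts": ev["ts"],
            "host": ev["host"],
            "user": ev["user"],
            "device": f'{ev["vid"]}:{ev["pid"]}',
            "serial": ev["serial"],
            "action": "quarantine_host",  # the response the credit union describes
        })
    return alerts


if __name__ == "__main__":
    for alert in unapproved_storage_events(SAMPLE_EVENTS):
        print("UNAPPROVED USB STORAGE:", alert)
```

In practice the allowlist comes from the asset register of issued drives, and the `quarantine_host` action is whatever the NAC or endpoint tool exposes; the rule itself stays this small, which is the advantage of a positive allowlist over trying to enumerate bad devices.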

Gartner's Pescatore said he expects the adoption of user-monitoring tools to pick up, largely because of regulatory compliance needs. But such technologies have their limits. For one thing, tools designed to restrict user actions, such as copying data onto USB drives, may need an unmanageable number of rules to distinguish legitimate from illegitimate activity. "It's hard to describe authorized to a computer," Pescatore said.

And if tools are set up to generate real-time alerts about data leaks, there's a danger of being overwhelmed by false positives if the rules aren't set properly. That's particularly true, Pescatore said, when monitoring software is used to track data that may not be well defined, such as intellectual property.

Prat Moghe, chief technology officer at Tizor, which sells data-auditing software, acknowledged that many of the tools available for protecting data from inside threats remain unfamiliar to most IT managers. "These are still early days for this industry," Moghe said. "There's a lot of confusion."

Copyright © 2008 IDG Communications, Inc.
