Border Patrol

Network-based monitoring systems detect and block outbound traffic containing sensitive data.

It's not what's coming into the corporate network that concerns Gene Fredriksen. It's what's going out. For the chief security officer at securities brokerage Raymond James Financial Inc. in St. Petersburg, Fla., leakage of sensitive customer data or proprietary information is the new priority.

The problem isn't just content within e-mail messages, but the explosion of alternative communication mechanisms that employees are using, including instant messaging, blogs, FTP transfers, Web mail and message boards. It's not enough to simply monitor e-mail, Fredriksen says.

"We have to evolve and change at the same pace as the business," he explains. "Things are coming much faster."

So Fredriksen is rolling out a network-based outbound content monitoring and control system. The software, from San Francisco-based Vontu Inc., sits on the network and monitors traffic in much the same way that a network-based intrusion-detection system would. But rather than focusing on inbound traffic, Vontu monitors the network activity originating from Raymond James' 16,000 users. It examines the contents of each network packet in real time and issues alerts when policy violations are found. Fredriksen could also configure it to block that traffic, but he doesn't plan to use that feature right away.

Unlike security tools that protect specific applications such as e-mail or instant messaging, network-based content monitoring and control tools take a broad-brush approach, examining all traffic that crosses the network. Tools such as e-mail filters address part of the content security puzzle but only recently have begun to focus on outbound content. In contrast, network-based products offer more sophisticated linguistic analysis techniques to identify and block the transmission of protected content.

Network-based systems do more than just rule-based scanning for Social Security numbers and other easily identifiable content. They typically analyze sensitive documents and content types and generate a unique "fingerprint" for each. Administrators then establish policies relating to that content, and the system uses linguistic analysis to identify sensitive data and enforce those policies as information moves across the corporate LAN. The systems can detect both complete documents and "derivative documents," such as an IM exchange in which a user has pasted a document fragment.

Most tools offer preset compliance modules that can detect specific types of sensitive data out of the box. These cover areas ranging from sexual harassment and privacy concerns to compliance with federal regulations. The tools are designed to be used by nontechnical staff, such as the legal, governance or human resources departments. But there is one hitch: They can't identify encrypted content. Organizations need to review business processes where encryption is used and develop policies that permit the movement of encrypted files within specific contexts.

Broader Trend

These network-based compliance products, which IDC analyst Brian Burke calls multiprotocol content- filtering tools, are part of a broader category of outbound content compliance products that includes e-mail filters, secure e-mail, instant messaging security and enterprise rights management tools. While IDC expects the overall market to grow to $1.9 billion by 2009, the fastest-growing segment will be multiprotocol content filtering, with a compound annual growth rate of 70% over the next four years, Burke says.

That growth is being driven by privacy concerns and the need to comply with regulations such as the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act. Enforcement by regulatory agencies is on the rise, says Trent Henry, an analyst at Burton Group in Midvale, Utah.

While network-based content monitoring tools have been around for several years, until recently most vendors offered only monitoring and alerting functions. Now most have added real-time blocking capabilities, a feature that some companies are experimenting with but most aren't yet using. Some vendors, including Tablus San Mateo, Calif., have added products that can also monitor "at rest" content on individual workstations.

Fidelity Bancshares Inc. in West Palm Beach, Fla., is using the message-blocking feature in PortAuthority from PortAuthority Technologies Inc. in Palo Alto, Calif. Outbound e-mail messages that contain Social Security numbers, account numbers, loan numbers or other personal financial data are intercepted and returned to the user, along with instructions on how to send the e-mail securely.

Joe Cormier, vice president of network services, says he also uses PortAuthority to catch careless replies. Customers often send in questions and include their account information. "The customer service rep would reply back without modifying the e-mail," he says.

Fear of false positives is one reason why Fredriksen started out using only Vontu's monitoring functionality. Minimizing false positives requires tuning the system, investigating the causes of false positives and developing policies to work around or avoid them. Fredriksen warns that technology alone won't succeed unless the company using them has a strong policy for handling sensitive data, as well as a response plan.

"The challenge with any system like this is they're only as valuable as the mitigation procedures you have on the back end," he says. Another key to success, says Fredriksen, is educating users about monitoring to avoid "Big Brother" implications. "[We are] making sure that the users understand why we implement systems like this and what they're being used for," he says.

Henry says real-time blocking could cause network slowdowns because all traffic must be routed through the appliance before being forwarded to its destination. For now, he says, most organizations that enable blocking avoid performance problems by using it only at the network perimeter, where bandwidth is significantly lower, rather than inside the core network.

Cormier focuses on e-mail -- all FTP, Web mail and instant messaging traffic is blocked -- so he can turn on blocking without worrying about performance. But he says false positives have been a problem at Fidelity Bancshares because some account numbers match legitimate ZIP codes or phone numbers. Creating an exception would leave those account numbers vulnerable, so users have been trained to send communications with that information as secure messages.

Mark Rizzo, vice president of operations and platform engineering at Perpetual Entertainment Inc. in San Francisco, learned in a previous job the consequences of not protecting intellectual property. "I have been on the side of things disappearing and showing up at competitors," he says. The start-up online game developer deployed Tablus' Content Alarm to remedy the problem. Rizzo uses it to look for suspicious activity, such as large files that are moving outside of the corporate LAN. Now that the basic policies and rules have been set, the system doesn't require much ongoing maintenance, he says. But Rizzo says he doesn't use blocking because he would need to spend significant amounts of time creating more policies in order to avoid false positives.

While companies in highly regulated industries can justify investing in outbound content monitoring and blocking tools, other organizations may have to sharpen their pencils to justify the cost. "These are very expensive solutions to deploy," says Henry.

Fredriksen, who built a system to support 16,000 users, says that for a setup with about 20,000 users, "you're in the $200,000 range, easily."

Prices range from $6 to $40 per user, depending on the size of the deployment, says Burke. However, companies in less regulated industries are increasingly interested despite the costs. The reason: They're aware that the consequences of intellectual property loss, releases of customer information or inappropriate leakage of financial data can be very damaging. Timing It Right

The market is currently dominated by smaller players, but other vendors are entering. For example, CipherTrust Inc. and Proofpoint Inc., which sell e-mail content filtering products, have announced new offerings, says Burke. "Any space that grows by 70% is going to attract the established security players," he says.

So, should you wait to buy? Not necessarily, says Burke. Many organizations don't want to buy different point products to protect each communication channel, he says.

Using application-specific tools isn't necessarily a bad idea, however, especially if your organization already has them, says Henry. The need for multi-protocol content-filtering tools may be at least partly mitigated by existing security mechanisms. Users that have outbound e-mail content filtering, URL blocking and instant messaging controls in place already have some protection, although such tools don't generally do the same level of linguistic analysis.

You should also consider the possibility of conflicts with other security tools. Network-based content-monitoring software can detect encrypted files and interpret them in some contexts, but it can't read the content. That puts it at odds with other outbound content management tools that encrypt documents, such as e-mail security applications and enterprise rights management software, says Henry.

Fredriksen says that although Vontu is important, it's still just one piece of a larger strategy that includes an overlapping set of controls that Raymond James uses to combat insider threats. "This augments the intrusion-detection and firewall systems we have that control and block specific ports," he says. "It's just a piece. It's not the Holy Grail."

Copyright © 2006 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon