Clamp down on security leaks

Your organization’s Sarbanes-Oxley audit is scheduled for this summer. Will you be able to show who has access to financial records and what they’re doing with that data? Just as important, can you prove you’re equipped to take immediate action when policy violations occur?

If regulatory incentives aren’t compelling enough to make you keep a tab on the data flowing within and from your network, consider this: Studies from the Computer Security Institute/FBI, U.S. Congress, Gartner, and others estimate that as much as 75 percent of the $200 billion in measured annual security losses comes from within organizations.

Currently, IT security chiefs allocate the majority of their budgets to protecting network perimeters with firewalls, patch management, anti-virus applications, and intrusion-detection systems. But a new breed of security products guard intellectual property and protect organizations from the public humiliation of lawsuits, fines, and jail time for executives.

One approach for these solutions is to inspect network traffic in real time to ensure that confidential assets are not sent out of the enterprise, intentionally or otherwise. For example, an HR employee may not realize that the new employee’s spreadsheet he just e-mailed to an outside vendor has a hidden column containing private account log-ins.

Inspecting network traffic in real time may seem easy, but it’s extremely difficult to do quickly and accurately. Consider the scope and magnitude of the content-monitoring task: SMTP

e-mail and Web mail, HTTP requests, peer-to-peer file sharing, IM, and FTP, for starters. Plus, there are hundreds of file formats to examine. For each message and file, sophisticated contextual analysis and NLP (natural language processing) must determine whether the content is allowable.

But it’s not just compliance reporting at stake here. The key step is to act immediately against activities that violate policies and put organizations at risk. But this is even harder to accomplish, because companies must not block legitimate communications; doing so would impair productivity. Exceptional reporting is a necessity and must go beyond an executive dashboard; reports should help determine if your security strategy is working and detail breaches and their resolution so you can satisfy legal requirements.

I evaluated five data-loss-prevention solutions that follow this general model. Reconnex, Tablus, Vericept, and Vontu provide real-time monitoring of most Internet communications. Only Vontu’s product innately blocks messages. iLumin’s solution performs intelligent content inspection of e-mail and instant messages and also stops privileged content from leaving organizations through these two channels, making it appropriate to include in this roundup.

In my tests I generated network traffic using various protocols (HTTP, IM, FTP, and e-mail) and sent a variety of content (plain text files, Microsoft Office documents, PDF files, compressed Zip archives, images, and rich media files). To judge accuracy, I embedded C++ source code, credit card numbers, Social Security numbers, and patient health information within messages and attachments. I then made certain the solutions recognized them. Furthermore, I sent e-mails and instant messages containing wording that would likely cause compliance problems such as violations of corporate governance guidelines.