Clamp down on security leaks

The InfoWorld Test Center scrutinizes solutions from iLumin, Reconnex, Tablus, Vericept, and Vontu aimed at stopping insiders from spilling your secrets or breaking the law

Your organization’s Sarbanes-Oxley audit is scheduled for this summer. Will you be able to show who has access to financial records and what they’re doing with that data? Just as important, can you prove you’re equipped to take immediate action when policy violations occur?

If regulatory incentives aren’t compelling enough to make you keep a tab on the data flowing within and from your network, consider this: Studies from the Computer Security Institute/FBI, U.S. Congress, Gartner, and others estimate that as much as 75 percent of the $200 billion in measured annual security losses comes from within organizations.

Currently, IT security chiefs allocate the majority of their budgets to protecting network perimeters with firewalls, patch management, anti-virus applications, and intrusion-detection systems. But a new breed of security products guards intellectual property and protects organizations from the public humiliation of lawsuits, fines, and jail time for executives.

One approach for these solutions is to inspect network traffic in real time to ensure that confidential assets are not sent out of the enterprise, intentionally or otherwise. For example, an HR employee may not realize that the new employee’s spreadsheet he just e-mailed to an outside vendor has a hidden column containing private account log-ins.

Inspecting network traffic in real time may seem easy, but it’s extremely difficult to do quickly and accurately. Consider the scope and magnitude of the content-monitoring task: SMTP e-mail and Web mail, HTTP requests, peer-to-peer file sharing, IM, and FTP, for starters. Plus, there are hundreds of file formats to examine. For each message and file, sophisticated contextual analysis and NLP (natural language processing) must determine whether the content is allowable.

But it’s not just compliance reporting at stake here. The key step is to act immediately against activities that violate policies and put organizations at risk. Yet this is even harder to accomplish, because companies must not block legitimate communications; doing so would impair productivity. Exceptional reporting is a necessity and must go beyond an executive dashboard; reports should help determine if your security strategy is working and detail breaches and their resolution so you can satisfy legal requirements.

I evaluated five data-loss-prevention solutions that follow this general model. Reconnex, Tablus, Vericept, and Vontu provide real-time monitoring of most Internet communications. Only Vontu’s product innately blocks messages. iLumin’s solution performs intelligent content inspection of e-mail and instant messages and also stops privileged content from leaving organizations through these two channels, making it appropriate to include in this roundup.

In my tests I generated network traffic using various protocols (HTTP, IM, FTP, and e-mail) and sent a variety of content (plain text files, Microsoft Office documents, PDF files, compressed Zip archives, images, and rich media files). To judge accuracy, I embedded C++ source code, credit card numbers, Social Security numbers, and patient health information within messages and attachments. I then made certain the solutions recognized them. Furthermore, I sent e-mails and instant messages containing wording that would likely cause compliance problems such as violations of corporate governance guidelines.

For usability I evaluated each solution’s overall navigation, its ease of creating custom policies and rules, and its incident reports. Additionally, I reviewed forensic functions, such as the type of information archived for compliance auditing and the ability to retrieve historical data.

Several companies make a compelling argument for securing data at the origin, in contrast to the network-sniffing approach. Client agents prevent people from moving files to removable media or copying and pasting data from the source to, say, an IM session. This host-based approach is initially more expensive to acquire and administer, yet it delivers strong security to complex enterprise environments (see Securing data at the point of use and ITM peers inside the inside threats).

iLumin Assentor Compliance 3.3
iLumin’s Assentor Compliance solution is a mature product that was first used by the financial industry to monitor e-mail and IM. Thus, many of its more than 1,000 recognized violation patterns relate to broker communications and therefore address Securities and Exchange Commission selective-disclosure and insider-trading rules. However, the latest version branches out, spotting and halting more general communication problems, such as harassing messages that should be acted upon by HR. Although it doesn’t ship with formal policies to meet specific governmental regulations, iLumin’s custom policies could be made for, say, HIPAA or European Union data-protection directives.

Compliance’s administration and user interfaces lack polish, but they become understandable after minimal training. Web forms kept me from fumbling when I updated the dictionary of words, stock symbols, and phrases to be tagged and the words to be excluded from scans. In the same way, I registered documents that lawyers in a legal department had approved for public viewing so the documents would not be flagged.

This solution works in two modes, pre-event and post-event. When the software finds unacceptable or suspect content in pre-event mode, it stops the correspondence and routes the message to a quarantine queue for review by an appropriate supervisor. When it finds suspicious content in post-event mode, Assentor Compliance allows the message through and simultaneously routes a copy to a supervisor for later action.

After streaming test messages through the server, I used the Web interface to check the results. A single window display clusters problem e-mails or instant messages, shows the actual message with the problem areas tagged, and then lists the suspected violations. The NLP did a good job discerning intention (“I am going to sue you”) from a person’s name (Sue), which minimized false positives.

Threshold Management allowed me to improve efficiency by adjusting the tolerance and quarantine action for each problem category. For example, an inappropriate joke might not warrant a manager review, but every attempt at passing insider information should be stopped and subject to review. iLumin’s language understanding was accurate enough to usually discern between these two situations. In the few cases where the software wasn’t certain about a message’s intent, it played it safe and blocked the message.

To streamline and lessen auditors’ work, Assentor provides next to each message icons that quickly invoke commands including Audit Trail, Add Comments, and Send Warning. Other time-saving functions include Mass Approve and Mass Reject.

The system accurately scanned the text of most attachments, including PDFs, and then allowed me to open the files to verify there was a problem. Plus, Assentor detects and quarantines encrypted e-mail.

Version 3.3 has improved reporting. For example, compliance reviewers now get information such as the percentage of messages approved or rejected, plus a list of problem messages organized by groups or employees. Importantly, using the Admin Console, I was able to configure different archive times for different groups, accounting for varying retention periods among employees and subsidiaries.

At a higher level, compliance executives can generate reports that summarize message problems of each type. Additionally, I could audit the system to make certain no one had changed thresholds on content analysis without approval. This additional measure of accountability could prove valuable in an investigation.

Assentor Compliance is a workable solution for monitoring e-mail and IM. Its open lexicon gives the product enough flexibility to handle typical business compliance needs and meet requirements of specific industries such as finance and health care. It stops short of handling all types of communication used to distribute sensitive data. Web mail, for example, isn’t handled. Furthermore, administrators must build policies for specific data-protection regulations.

Reconnex iGuard 3300, Version 1.4
Reconnex offers strong network traffic coverage, comprehensive policies, and above-average reporting. Yet this solution does one better than other solutions in an important way: iGuard’s custom file system writes all communications data at gigabit line speed. In addition to banishing network lag, this feature captures unknown attachments, allowing examiners to do complete forensic analysis. However, iGuard doesn’t block communications that violate policies.

iGuard units typically install below an outbound firewall using network taps, or they connect to SPAN (switched port analyzer) ports on switches.

You get predefined policies and rule sets (filters) for all the top violations, including violations of Gramm-Leach-Bliley, HIPAA, and Visa CISP (Cardholder Information Security Program). Business users can edit these policies and create basic new ones by picking and choosing options from the Web GUI.

There wasn’t a business circumstance I couldn’t accommodate. For instance, I defined policies for specific network exit points, document type, and both inbound and outbound traffic. However, creating intricate policies (such as those monitoring full regular expressions) entails using a command line interface, and this requires some expertise. But I appreciated the ability to easily rerun a changed policy on captured data, which helps ensure nothing is missed.

Like Tablus, iGuard is port agnostic: Because it looks for the structure of the protocol, it had no problems monitoring all types of e-mail traffic, IM, and FTP file transfers. Additionally, the system had no difficulty cracking open encrypted messages sent using SMTP, chat, and Web mail.

This solution doesn’t identify attachments by extension. Instead, it uses a special process to look for binary signatures. In my testing, iGuard quickly unpacked compressed .zip and .tar archives, reviewed Microsoft Office documents, checked PDFs, and scanned source code for violations. It also properly identified files purposely renamed with a wrong extension. Although Reconnex’s philosophy is to remain passive (it doesn’t block messages), its alert mechanism worked as well as the alert mechanisms in the other products. In real time (less than 40 microseconds), iGuard sent a message to designated managers when it sensed a violation. Also, the software will send a trigger to your mail server so any existing quarantine technology is invoked.
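The two inspection behaviours this review keeps coming back to, recognizing embedded credit card numbers, Social Security numbers and source code in attachments (the test methodology above) and identifying a file by its binary signature rather than its extension, can be illustrated with a small content inspector. The code below is an added example written for this article; it is not code from Reconnex, iLumin, or any other vendor reviewed here, and the size cap, nesting limit, marker list and sample attachment are assumptions constructed for the demo. It sniffs magic bytes, recurses into ZIP archives even when they are renamed, validates card-number candidates with the Luhn checksum so that an arbitrary 16-digit order number is not flagged, and masks what it reports so the incident record does not itself leak the secret.

```python
"""Added example (not from the article or any vendor): a minimal content
inspector in the spirit of the products reviewed. It identifies attachments
by magic bytes instead of extension, unpacks ZIP archives, and scans text for
Luhn-valid card numbers, SSN-shaped strings and C++ source markers.
All sample data below is constructed for the demo."""
import io
import re
import zipfile
from dataclasses import dataclass
from typing import List

# Well-known file headers; checked instead of trusting the filename extension.
MAGIC = [
    (b"PK\x03\x04", "zip"),
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ms-office-ole"),  # legacy .doc/.xls/.ppt
]
MAX_MEMBER_BYTES = 5_000_000  # hypothetical cap so a crafted archive cannot exhaust memory
MAX_DEPTH = 3                 # hypothetical limit on nested archives

# 13-19 digits, optionally separated by spaces or dashes; validated with Luhn below.
CC_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# NNN-NN-NNNN, rejecting area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CPP_MARKERS = ("#include", "std::", "int main(", "namespace ")  # hypothetical heuristic


@dataclass
class Finding:
    kind: str      # "cc", "ssn" or "cpp-source"
    value: str     # masked, so the report itself does not leak the secret
    location: str  # attachment name, with "!" separating archive members


def sniff_type(data: bytes) -> str:
    """Classify by leading bytes; fall back to 'text' only if the sample is printable ASCII."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    sample = data[:512]
    if sample and all(b in b"\t\n\r" or 32 <= b < 127 for b in sample):
        return "text"
    return "unknown"


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str, location: str) -> List[Finding]:
    """Run the pattern checks over decoded text and return masked findings."""
    found = []
    for m in CC_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):  # a Luhn-invalid run of digits is just a number, not a card
            found.append(Finding("cc", digits[:4] + "*" * (len(digits) - 8) + digits[-4:], location))
    for m in SSN_RE.finditer(text):
        found.append(Finding("ssn", "***-**-" + m.group()[-4:], location))
    if sum(marker in text for marker in CPP_MARKERS) >= 2:
        found.append(Finding("cpp-source", "", location))
    return found


def scan_bytes(data: bytes, location: str, depth: int = 0) -> List[Finding]:
    """Dispatch on the sniffed type; recurse into ZIP members regardless of the archive's name."""
    ftype = sniff_type(data)
    if ftype == "zip" and depth < MAX_DEPTH:
        found = []
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.file_size > MAX_MEMBER_BYTES:
                        continue  # skip rather than inflate a suspiciously large member
                    found += scan_bytes(zf.read(info), f"{location}!{info.filename}", depth + 1)
        except zipfile.BadZipFile:
            pass  # header said ZIP but body is corrupt; a real tool would alert on this too
        return found
    if ftype == "text":
        return scan_text(data.decode("ascii", errors="replace"), location)
    return []  # PDFs, Office files etc. would need their own text extractors


def demo() -> List[Finding]:
    """Constructed attachment: a ZIP renamed to .txt, holding a note with one Luhn-valid
    test card number, one Luhn-invalid order number, an SSN-shaped string, and a C++ file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt",
                    "Card: 4111 1111 1111 1111 exp 12/09\n"
                    "Order ref 1234567890123456\n"
                    "SSN 123-45-6789\n")
        zf.writestr("util.cpp", '#include <iostream>\nint main() { std::cout << "hi"; return 0; }\n')
    return scan_bytes(buf.getvalue(), "report.txt")


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Running the demo reports three findings: a masked card number and a masked SSN in `report.txt!notes.txt`, and source code in `report.txt!util.cpp`, even though the outer attachment claims to be a plain text file. The Luhn-invalid order number is ignored, which is the kind of tuning that keeps false positives, and therefore the reviewer workload the article discusses, under control.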

The supplied reporting engine allowed me to drill down from executive reports on policy violations to details about an incident along with the object that triggered the event. I wished iGuard would highlight the offending part of an attachment, a feature planned for a later release. Reconnex said it will soon offer an offline monitoring console so administrators can view incidents from all appliances in aggregate and also perform forensic searches of data at rest. Currently you need to jump to each individual appliance for reporting, which you can do from one browser.

As with the other products, I could generate reports based on the policy violated or other search parameters, such as sender e-mail address. I also subscribed to incidents that matched a custom filter and scheduled e-mail delivery of these reports. Workflow rules, which aren’t in all such products, saved me a lot of effort in reviewing incidents. I set up iGuard so that, upon detection of source-code violations, it would gather and zip all the evidence and then send it with a summary to the appropriate investigator.

Reconnex’s storage of all traffic (as much as the 1.5TB disk space in each appliance) benefits forensic investigations. For example, you can search past violations, not just for a particular sender, recipient, or IP address, but also for all objects in the same classification, even if they were not involved in past violations. This data store is also handy for making sure testing policies behave as expected before they’re used against live traffic.

Reconnex iGuard does a fine job of analyzing traffic in real time and has the uncommon ability to store everything to disk for post-analysis. Policies address all necessary compliance and data-security needs. Add in high accuracy and incident workflow, and the solution gets high all-around marks. Keeping it from the top spot is the lack of certain features, planned for future releases, including inline blocking, quarantine (which are now accomplished by integrating with third-party applications), and improved usability.

Tablus Content Alarm NW 2.1
Tablus’s turnkey solution has a lot in its favor, including strong structured content analysis augmented by integrated ILM (information lifecycle management), which automatically maintains a catalog of confidential documents, and by multiple scanning engines, which review unstructured data for compliance issues. The system lacks formal policies for specific legislation, but you can comply with regulations by building pattern-matching and related rules. E-mail blocking and quarantine features will be added later this summer.
