
Data loss can devastate an organization. Penalties, recompense, and costs of legal discovery are a few of the financial repercussions. Consider also the threat to your reputation, exposure of proprietary information, and loss of trust in your partner and client relationships. Protecting your sensitive data from thieves and hackers is an obvious preventative measure, but theft by an internal source carries a sharper sting. CERT’s 2007 e-Crime Watch Survey showed that 49% of participants had experienced an insider incident. Then tack on the 17% increase in risk of insider threats recently reported by the Computer Security Institute.
The “Big Picture” of Insider IT Sabotage Across the U.S. Critical Infrastructures, published by CERT in May 2008, says, “81% of the organizations that were attacked experienced a negative financial impact as a result of insider activities. The losses ranged from a low of $500 to a high of ‘tens of millions of dollars.’ 75% of the organizations experienced some impact on their business operations. 28% of the organizations experienced a negative impact to their reputations.”
Insider data loss can be a result of accidental exposure caused by simple oversight, or caused by malicious activity.
In February, The New York Times reporter Alex Berenson wrote several front-page articles about pharmaceutical manufacturer Eli Lilly & Co. negotiating a settlement of a civil and criminal investigation into the marketing of its most profitable drug, the antipsychotic called Zyprexa. Berenson’s source was a legal report, which was accidentally emailed to him by a member of Eli Lilly’s outside counsel. The lawyer intended to email co-counsel Bradford Berenson, but instead sent an internal “very comprehensive document” about the $1 billion settlement to the Times’ Berenson.
Fidelity National Information Services, a major U.S. financial processing company, announced in July 2007 that a senior level database administrator at one of its subsidiaries stole 2.3 million consumer records containing bank account and credit card information as well as other personal information. According to The Register, the former employee allegedly sold the information to a data broker, who in turn sold it to marketing organizations. Of the records believed to have been compromised, about 2.2 million contained bank account information, and 99,000 contained credit card information.
Through misuse, errors in judgment, or malicious intent, insider data loss causes financial and legal liability and public relations headaches. These losses tarnish reputations and brands, jeopardize competitive advantage, and require costly remediation. But these are preventable damages if organizations adopt a new approach to protecting customer data and intellectual property assets.
Driven by industry regulations and internal governance policies, most security programs still concentrate on limiting unauthorized access. They fend off external attacks with traditional data security measures like firewalls, intrusion prevention and anti-spyware. They rely heavily on identity and access controls and, in some cases, data encryption to limit exposure of sensitive information. These approaches leave gaps in coverage that enable an insider threat.
Identity management systems and access control lists don’t fully protect companies from data loss. Training and education can help, but the CSI/FBI survey indicated that most respondents don’t think their companies are investing enough in security awareness.
Even first-generation data loss prevention (DLP) solutions have shortfalls. Operating at the gateway to prevent unauthorized transfer of sensitive data through email and the Web, these solutions don’t control actions on the desktop.
Another weakness of today’s DLP systems is that they only provide value based on the rules that are configured on the system. They expect you to know exactly what needs to be protected. In the case of obvious data such as Social Security and credit card numbers this is relatively easy, as the data is represented in a semi-structured and obvious form. When dealing with more complex data with numerous intricacies, such as intellectual property, the data is difficult to describe using simple expressions and keywords. These DLP solutions simply evaluate content to identify rule violations, take action, and then log the violation along with the object in question. In this way, today’s DLP solutions provide little to no value regarding the rest of the data that was identified but did not violate a rule.
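The rule-based evaluation described above, as an added example that is not taken from McAfee or any other DLP product. The patterns, the keyword list, and the sample documents are constructed for illustration. It shows why Social Security and credit card numbers are easy to match with expressions, while an intellectual-property document with no pattern or keyword produces no violation and therefore no log entry.

```python
import re

# Semi-structured data is easy to describe with an expression.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
KEYWORDS = ("confidential", "internal only")  # hypothetical keyword rule


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan(text: str) -> list:
    """Return (rule, match) pairs; an empty list means nothing is logged."""
    hits = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(("card", digits))
    lowered = text.lower()
    hits += [("keyword", kw) for kw in KEYWORDS if kw in lowered]
    return hits


# Constructed sample documents.
SAMPLES = {
    "customer_record": "Customer 078-05-1120 paid with 4111 1111 1111 1111.",
    "order_ref": "Order ref 4111 1111 1111 1112 shipped.",  # fails Luhn
    "roadmap": "Q3 roadmap: move the pricing engine to the new vendor "
               "before launch; margin model attached.",
    "labelled_roadmap": "CONFIDENTIAL - Q3 roadmap: move the pricing engine.",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:17} -> {scan(text) or 'no rule violated, nothing logged'}")
```

The unlabelled roadmap passes every rule, which is the gap the paragraph describes: content that matches no configured rule leaves no record to investigate later.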
To consistently prevent all types of data losses, organizations need to monitor content across its lifecycle. Sensitive data is often stored on centralized servers, but it’s created, altered, printed, and copied by authorized users. It is shared – in hard copy, on USB drives, and over networks. When they are finished, users archive it – on a local hard drive, CD, or USB drive, as printed and stored files, or by transmitting it over the network. Full protection requires consideration of these legitimate uses and needs of organizational boundaries. The right approach allows appropriate business use and timely sharing of information within and outside of the organization. The hallmarks of this new standard of DLP should include:
Because compliance and governance requirements seem to continually expand, violation and usage information must be visible in risk management and reporting systems to demonstrate compliance and enable policy management.
An ideal DLP solution helps you better understand your sensitive data, who is using it, how it is being used, where it is stored, and where it is going in your environment. And it would achieve all this in days, not months.
McAfee is known for working directly with customers in security-conscious, heavily regulated industries to implement strong, effective data protection. McAfee has created a comprehensive DLP solution that helps you learn which data is sensitive and the business processes around it.
The McAfee DLP solution drives consistent, comprehensive coverage throughout the information lifecycle. It controls the insider threat by overseeing data as it is accessed, created, and manipulated to block inappropriate actions. It safeguards data being transmitted across network boundaries to prevent deliberate or inadvertent transfer. By integrating a learning application, McAfee offers a DLP solution that delivers complete, reliable, and verifiable coverage.
Instead of blocking classes of actions as a whole, the McAfee solution selectively allows or blocks the action based on content-specific keywords, text patterns, a tagging technique that associates classifications with content in a file, and network destination. To maintain performance, the content-aware technology fingerprints only the files in use. With fewer fingerprints to compare, the system can quickly and accurately determine if a file may be transferred when it is handled. The check is rapid and results in very few false positives and negatives. Controls can be imposed on a group, application, or network level to simplify deployment and maintenance.
McAfee’s intuitive search interface lets you search for documents by the terms and expressions they contain – even if you don’t already have a rule configured. Within seconds, McAfee presents you with:
With McAfee, you have complete visibility into historical information – not only for the purposes of investigating past data leaks in situations where you didn’t have rules already configured, but also to minimize the amount of time necessary to get up to speed on how these product strategy documents are being used today and how they should be protected. You can start with the data you already have and tighten from there – saving you days, weeks, or even months of time.
With McAfee, make sure your rules are airtight in less time than with legacy DLP solutions. Perform a search over historical information using a rule that is already running on the system. Examine the results to see how the rule behaved using historical data, and adjust the search query for the most accurate results.
Similarly, you can start with a simple search over historical information to find sensitive data going to unapproved recipients or stored in unapproved locations. In seconds, McAfee presents you results from simple queries that you specify to help identify this sensitive data and how it is being used. Make adjustments to the search to help focus your results on a specific set of instances that may be of concern. After identifying instances when sensitive data is or has been compromised, you can transfer the search query into the construction of a new rule. McAfee’s DLP system simplifies the process of tuning existing rules and creating new rules – while providing the accuracy you demand.
The McAfee DLP solution allows you levels of visibility not provided by today’s legacy DLP solutions, which helps you not only better understand your sensitive data and how it should be protected, but also perform investigations – even for things that didn’t violate a system rule. A simple query through the intuitive search interface returns information about all network flows associated with that particular user, including email, webmail, instant messenger, file transfers, and content identified through crawling the user’s laptop and files owned by that particular user.
McAfee’s comprehensive reporting engine offers a wide variety of operational, auditing, and executive reports, including special reports needed to comply with government regulations. Reports can enable forensic investigation and be preserved as evidence in cases of malicious, intentional data theft. Detailed analysis and reporting can also provide insight as to where education, training and management resources are needed to prevent inadvertent data exposure.
ANI Direct is one of a few selected “Elite” Partners in McAfee’s world-class SecurityAlliance™ Global Partner Program. ANI Direct’s McAfee-certified security solution specialists have deep experience installing, deploying, and supporting DLP solutions. ANI Direct specializes in data protection, data loss prevention, encryption, and compliance security initiatives for financial, health care, insurance, and commercial companies nationwide. They offer comprehensive security audits without lengthy contracts or disruption to business. ANI’s professional services team helps clients integrate this industry-leading DLP solution with existing firewall, intrusion prevention, anti-spyware, identity and access controls, and data encryption products. With full access to the McAfee DLP solution set, they customize every installation to ensure the most effective information security to neutralize insider threats.
ANI Direct understands that many customers have greater security needs than their budget allows and also offers flexible payment options for organizations that would like to pay for what they need over time.