
Headlines over the past year include an alarming number of information leakage incidents. In one example, personal and confidential information on 185,000 current and former patients of San Jose Medical Group were lost; in another, 800Mb of source code was stolen from Cisco Systems’ Internetworking Operating System; elsewhere, the details of 1.4 million credit cards were obtained from transactions at DSW Shoe Warehouse.
So what can IT leaders do to ensure that their organizations’ digital assets are well protected? Business Management spoke with Timothy Sullivan, CEO of Fidelis Security Systems, to find out.
BM. It seems that we are hearing about information leaks almost daily. Is the number of incidents actually going up, or are the incidents just being disclosed more often?
TS. Truthfully, it’s both. Incidents of data leakage (or extrusions) from large organizations – including commercial, government and educational institutions – are up sharply in recent years. The statistics in publications like the annual CSI/FBI Computer Crime and Security Survey show that the increase year over year is real and substantial. And we can expect this trend to continue.
The likelihood of an extrusion incident being reported in the news has also increased. An organization that ‘loses’ valuable intellectual property or protected private information can suffer intensely negative market, brand, legal, operational and financial consequences. Managing the risk of extrusions and preventing them from occurring is critical in order to comply with regulations, instill good corporate governance and safeguard brand identity and intellectual property.
BM. What factors are contributing to the increase in information leakage?
TS. There are two technical factors driving the higher incidence of extrusions. One is that organizations have converted a huge amount of information to digital formats in recent years, with resulting productivity gains. But increased digitization brings with it the increased risk of exposure. This risk is compounded by the second technical factor behind increased leakage – the growth of available technology channels (such as instant messaging and webmail) over which information moves. So the combination of more digital information moving over a greater variety of channels has lessened organizations’ ability to control the exposure of information.
However, companies today are also dealing with a non-technical driver – the internal threat. The Gartner Group estimates that “70 percent of security incidents that actually cause loss to enterprises – rather than mere annoyance – involve insiders.” A financially stressed or disgruntled employee or contractor has the motive and the means to leak valuable data. Moreover, a black market for information like credit card and financial account information has evolved, making it easier to turn information into a financial profit.
As organizations rely more heavily on rapidly evolving technology to accomplish their mission, the likelihood of extrusions and their attendant negative impact will continue to increase.
BM. How can an organization deal with the risk of extrusions?
TS. Most organizations are seeking to reduce their risks, or at worst hold them constant over time. The rise in vulnerabilities from unmanaged communication channels increases the expected value of information leakage risk, forcing the organization to make a decision on how to handle it.
Generally there are four ways to manage a risk: accept it, avoid it, mitigate it or transfer the risk through insurance. For information leakage, most of these methods are not an option.
It is very difficult, if not actually impossible, to transfer this risk. The majority of insurance companies will not insure against the loss of confidential or sensitive information. Avoiding the risk altogether is also not an option. Your employees (and many contractors, customers, suppliers and business partners) require access to information. Avoiding the risk would require ceasing operations.
This leaves the organization with two options. The organization can accept the increased risk delivered by these additional unmanaged communication channels – but most organizations do not really consider this an option. Their only choice is to take action to mitigate the risk through the implementation of processes, technology or a combination of the two.
BM. What specific ways can an organization ‘take action’ against the risk of extrusions?
TS. Mitigating the risk of extrusions requires a different approach than the traditional control used to mitigate technology-based threats. Rather than looking at the network itself – at technical infrastructure, patch levels, account configuration and packets – focus must shift to examining the content of the information flowing across the network. This is a significantly different challenge.
Previous approaches have allowed or disallowed technologies, not the content flowing inside of them. The traditional approach is to allow a communication method regardless of its content. For example, users are allowed to use e-mail, HTTP(s), instant messaging and FTP but are not allowed to use peer-to-peer technologies. While this is a good start, it does not prevent an allowed technology from being used for unauthorized purposes. In order to prevent the unauthorized use of approved channels, the solution needs to actually inspect the content flowing across channels and analyze it based on its content rather than its technical attributes.
Extrusion detection and prevention systems were developed to provide this content-based analysis. These systems monitor outbound network traffic and identify whether the outflowing content is compliant with organizational policies.
However, a detection solution that merely reports on extrusions does not actually mitigate risk. Risk mitigation requires preventing the extrusion altogether.
BM. Can anything be done to prevent the actual extrusion from occurring in the first place?
TS. Thankfully, yes. An IT professional should deploy an extrusion prevention solution that actually blocks data leakage. Many solutions in the content monitoring and filtering marketplace today are able to let you know when you have leaked information. But in order to obviate this reality, you need to implement a solution that prevents this extrusion before it occurs.
Detection of an extrusion is necessary but insufficient to protect digital assets. Many organizations and technology solutions lose sight of the goal regarding internal policies and regulations: detection simply creates a report on the state of the organization’s compliance position and when the policies were breached. Prevention across all channels is required to stop information leakage before it occurs, ensuring digital assets are secured and demonstrating the exercising of adequate care to avoid an extrusion.
BM. Given the complexity of most networks, is it practical to expect a solution to prevent extrusions on all communication channels today?
TS. It is not only practical to protect all of your channels from the risk of information leakage – it is necessary. At Fidelis Security Systems, we designed a next-generation architecture to deliver all-channels prevention, which has been available in the DataSafe Extrusion Prevention System since 2004.
Historically, the e-mail channel has gotten most of the security focus. This is because it was both the most commonly used and also the easiest to secure. E-mail is one of the few protocols in use today that is not instant. While incredibly fast, e-mail is stored briefly on a mail server before it is forwarded on to its destination. During this brief stopover, it is very easy to analyze the contents of this e-mail for compliance with organizational policies. If this analysis takes a couple of seconds to occur, the underlying e-mail transport – the simple mail transfer protocol (SMTP) – continues to function as designed.
Unfortunately, e-mail is the only protocol used widely today that has these attributes. Other channels – such as instant messaging, HTTP, webmail, file transfers and peer-to-peer technologies – are designed to be instant. These channels are much more difficult to secure because the content analysis must occur in real time as the network session occurs. This is a significant challenge, as any detectable delay will have a negative impact on user experience or even cause the session to disconnect.
The architecture of the solution is the key to meeting the real-time requirements. For example, a solution that requires the network session to be written to computer disk for evaluation, typical of a solution originally designed to address SMTP e-mail, will be too slow to prevent leakage on a real-time protocol. With an all-channels prevention architecture (such as Fidelis Security Systems’ DataSafe), the content of the session is evaluated in real time on all network channels and a policy decision is made before the data leaves. It is important to ensure the solution chosen can actually achieve prevention on all network channels, and therefore actually mitigate your risk.
BM. It sounds impressive, but it also sounds like a lot of work. With IT staff strained in almost every organization, how feasible is it that such a technology can be deployed without draining the IT staff even more?
TS. Focusing on three key areas will ensure a solution can be deployed without draining significant IT resources – prevention, content recognition and enterprise architecture.
Prevention is a key requirement to lower the total cost of ownership and avoid a significant workload in the IT security organization. A solution that does not provide all-channels prevention just creates more work by sending more alerts to be manually processed. IT personnel must investigate the alert and the possible ramifications of the information loss. Prevention stops the data loss from occurring, eliminating the people-intensive investigation, crisis management and manual remediation processes.
Content recognition is also a critical area to evaluate. The solution’s content analysis must go beyond exact matching in order to be deployed cost-effectively. Solutions that depend on exact matching technology can present a heavy burden on staff – across the entire organization – as they require the organization to catalog and keep current an inventory of all digital assets that need to be protected. With exact matching, only those items that have been registered with the system will be detected, and any information that was missed or changed since the inventory will be disclosed without alert or action.
To be successful, an extrusion prevention solution also needs to provide analyzers to profile or describe digital assets without the intensive registration process, and should include pre-built profiles to accelerate the time-to-value. When these analyzers are implemented in a scalable, granular rules engine, the organization deploying an extrusion prevention solution will realize a lower total cost of ownership.
Finally, an extrusion prevention solution must be able to be deployed in a manner consistent with enterprise architecture standards. The cost of management of the solution can skyrocket if its implementation causes negative network performance, additional points of failure and/or desktop or server reconfiguration. In addition, certain architectures (particularly proxy servers) are limited by the network channels they are able to handle – thus limiting the applicability of the solution.
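As an added illustration of the exact-matching gap Sullivan describes and the profile-style analyzers he contrasts it with (example code written for this page, not Fidelis or DataSafe code), the inspector below runs one constructed "registered" document through a SHA-256 fingerprint check, a word-shingle Jaccard profile (assumed here as a stand-in for a content analyzer) and a pre-built card-number profile (Luhn-checked digit runs), then returns a block/allow decision for an outbound payload. A one-digit edit to the document defeats the fingerprint but not the profile, and the card profile needs no registration at all.

```python
import hashlib
import re

# Constructed "registered" asset standing in for a cataloged document (not real data).
REGISTERED = {"q3-forecast": "Q3 forecast: revenue 12.4M, margin 31 percent, headcount 240 by December"}
# Exact matching: only a byte-identical copy hashes to a registered fingerprint.
FINGERPRINTS = {hashlib.sha256(t.encode()).hexdigest(): n for n, t in REGISTERED.items()}
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")  # candidate card-number digit runs

def shingles(text: str, k: int = 3) -> set:
    """Word k-grams: a profile of the document rather than its exact bytes."""
    words = re.findall(r"\w+", text.lower())
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}

PROFILES = {n: shingles(t) for n, t in REGISTERED.items()}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def exact_match(payload: str):
    return FINGERPRINTS.get(hashlib.sha256(payload.encode()).hexdigest())

def profile_match(payload: str, threshold: float = 0.5):
    s, best = shingles(payload), None
    for name, prof in PROFILES.items():
        j = len(s & prof) / len(s | prof)  # Jaccard similarity of shingle sets
        if j >= threshold and (best is None or j > best[1]):
            best = (name, round(j, 2))
    return best

def card_numbers(payload: str) -> list:
    """Pre-built profile: Luhn-valid 13-16 digit runs, no registration needed."""
    runs = (re.sub(r"[ -]", "", m.group()) for m in CARD_RE.finditer(payload))
    return [d for d in runs if luhn_ok(d)]

def inspect(payload: str) -> tuple:
    """Policy decision for one outbound payload: (verdict, reasons)."""
    reasons = []
    if (asset := exact_match(payload)):
        reasons.append(f"exact:{asset}")
    if (prof := profile_match(payload)):
        reasons.append(f"profile:{prof[0]}")
    if (cards := card_numbers(payload)):
        reasons.append(f"card:{len(cards)}")
    return ("BLOCK" if reasons else "ALLOW", reasons)
```

The 0.5 similarity threshold is a constructed value; in practice it would be tuned per asset class against false-positive rates on the organization's own traffic.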
What should an organization look for in an extrusion prevention technology solution?
Sullivan says: To ensure that your organization’s digital assets are well-protected, it is important to choose a full-featured extrusion prevention solution, one that:
• Prevents the unauthorized transfer of information by stopping it before it occurs. Prevention capabilities should address all channels, not just e-mail and/or web traffic.
• Examines all network channels – not just e-mail – including HTTP, FTP, webmail accounts, instant messaging (IM), internet relay chat (IRC) and peer-to-peer (P2P) channels.
• Operates at network wire-speed, even on gigabit networks, to ensure all extrusions can be prevented in real time.
• Supports advanced content recognition and includes pre-configured profiles to ensure digital asset extrusions are detected. Content recognition must go beyond exact matching for ease of deployment and solution scalability.
• Is designed to be enterprise ready with no impact on network performance, enterprise architecture or server/desktop configuration.
By selecting a solution with these key attributes, an organization will have the ability to implement controls that mitigate the risks of disclosure of a digital asset. Only through extrusion prevention can an organization prevent noncompliance and the detrimental financial, legal and business consequences that accompany it.