Understanding The Impact of Different Approach to Content Recognition for Securing Personally Identifiable Information

The leakage, or extrusion, of privacy-sensitive personal information has been shown to have significant negative consequences on an organization’s brand, reputation, and customer trust as well as legal, operational, and financial implications. With the number of extrusions of personal information on the rise, both governments and industry organizations (such as the Payment Card Industry) have responded by instituting several privacy laws and industry operating standards with which all organizations must comply. To satisfy the increasing number of legislation and industry regulations designed to protect the personal information of consumers, employees, and private citizens, organizations must be able to detect identity information in outbound network traffic and prevent its unapproved distribution. This privacy-sensitive information can be referred to in a variety of ways, the most common of which is personally identifiable information (abbreviated PII or referred to as nonpublic personal information or NPI).

For organizations to protect PII they must put policies and tools, such as an extrusion prevention solution, in place to monitor and control privacy-sensitive identity information from data leakage. Content recognition is a key component to any such solution. Content recognition is the process of applying algorithms to examine material for a match to a particular type of information.

It is very important to understand the resource and cost impact of the content recognition method deployed in the data leakage solution you choose. A solution that is otherwise ideal, but does not fit an organization’s needs for content recognition, can render a solution useless or make its management costs prohibitively expensive.

CONTENT RECOGNITION METHODS

In order to evaluate which content recognition method is right for your organization, it is important to first understand the various content recognition methods. These methods generally fall into two categories—profiling and registration.

• Profiling of data uses rules that describe information, typically statistical, pattern and/or key attributes that the system uses to evaluate information. It does not require that the actual protected information be provided.
• Registration of data requires that protected content be enrolled in the system. This system then generates algorithms to detect an exact match or fingerprint of the actual content that has been registered with the system.

KEY CRITERIA

There are two key criteria when evaluating content recognition capabilities of a data leakage or a more comprehensive extrusion prevention solution: Accuracy and Management. These criteria will drive the system’s success at protecting identity information, the cost of deployment and the cost of on-going operation.

Accuracy

The ability to accurately recognize protected content, identity information in this case, is measured in the number of false positives and false negatives the system generates.

Definition Impact

False Positive When a test incorrectly reports that it has found a positive result where none really exists. An alert is generated for valid network traffic that does not violate policy. As a result, you think you have experienced an incident of data leakage when, in fact, you have not.

False Negative When a test incorrectly reports that a result was not detected, when, in fact, it was actually present. An alert is not generated for unauthorized network traffic that does violate policy. As a result, data is leaked and you are not alerted.

Significant false positives can make a system difficult to manage. Hence, much discussion is focused on false positives. But false negatives present a much greater risk for privacy compliance than false positives. False negatives mean that identity information is disclosed without any action from the system, thus bypassing the prevention and remediation processes required under internal policy and external regulation. A false negative puts your organization at risk of finding out about a leakage of identity information from the news media or regulators—what the system was deployed to avoid in the first place.

Management

Management should be evaluated in two areas—deployment (the time required to configure the solution before it becomes operational) and total cost of ownership (the initial acquisition costs and on-going costs of maintaining the solution).

REGISTRATION VERSUS PROFILING

Registration of data requires content to be enrolled in the system. The system then generates algorithms to detect a match, usually through a fingerprinting or hashing algorithm, of the actual content that has been registered with the system. Exact matching and watermarking are two examples of registration based systems.

For registration to be successful, all protected content must be enrolled. This is a significant barrier to deployment and greatly drives up management costs. Imagine the challenges of attempting to enroll or register all PII with a content monitoring solution. This alone could push out the implementation, and therefore value and risk reduction, by months or years.

In the event an organization could actually register all its PII, it then has to keep the registration current to avoid false negatives, as any information that was modified since its registration is not likely to be detected. The continuous integration of new privacy-sensitive information into the system creates significant cost of maintenance over the entire life of the solution, drastically raising management costs and, therefore, the total cost of ownership.

As a result, while registration typically results in a low number of false positives, it typically is highly prone to false negatives—allowing a digital asset to leave that should not. While false positives are obviously not ideal, a false negative actually results in the unauthorized disclosure of identity information—and to make matters worse, it also goes unreported. The high cost of ownership and significant risk of unreported disclosures greatly outweigh the benefits of data registration.

In contrast, an extrusion prevention solution that takes a description or profiling approach to content recognition is very fast to deploy and has a low total cost of ownership. Organizations can generate policies to describe the protected information, and in many cases these policies come pre-built in the solution. Small customizations can quickly be made and the content recognition system requires very little on-going management. If the profiles are correctly developed, false negatives (disclosure of identity information without the system generating an alert) are incredibly low, often approaching zero. The drawback to a profiling based system can be the occurrence of false positives if the system is not able to define the profiles at a granular level.

The recognition rates and false positive rates for profiling systems are typically driven by the type of technology used for content recognition.

• Keywords are very effective with low false positives and negatives for unique terms, but can present a false positive challenge for more general use.
• Patterns are very effective for unique, predictable alphanumeric sequences but present a false-positive challenge for numeric-only items.
• Statistical and structural analysis are very effective at recognizing items of particular structure (for example, name or address), however the more basic the analysis the more likely a false-positive occurrence.

Regardless of the type of technology used, profiling systems have an extremely low rate of false negatives, as any information that meets the profile will generate a match, even if the system has never seen that information before.

ACHIEVING THE BENEFITS OF PROFILING WITHOUT FALSE POSITIVES TO PROTECT IDENTITY INFORMATION

It is possible to design a profiling system for identity information that generates very few false positives. These systems use sophisticated statistical calculations to compare characteristics of data to characteristics of a known statistical profile to eliminate false negatives, and then apply validation and verification routines to eliminate false positives. This is the approach applied in Smart Identity Profiling in Fidelis XPS.

More specifically, identity information is best identified when different analyzers can be logically combined to more specifically describe sensitive data, so multiple methods can be used at once. Profiling systems designed to achieve this implement a collection of statistical routines from coarse-grained to fine-grained, followed by run-time verification to check validity. Examples include checking that a Social Security Number is in a valid issuing range or that a credit card number could be valid.

In addition, identity attributes always appear in duplets or greater groupings. A credit card number without an expiration date, security code or cardholder is of no value—you can easily download software from the internet to generate potentially valid credit card numbers. Smart Identity Profiling can use these other attributes to further reduce false positives. In real-world implementations, profiling systems that use this architecture meet or exceed customer expectations by providing a high degree of content recognition, with minimal false positives and false negatives.

While extrusion prevention is still a relatively new data security process, the need for effective systems becomes more urgent by the day. Both registration and profiling can protect PII and reduce the varied—and costly—risks posed by data leakage. Organizations considering an extrusion prevention system should carefully weigh the performance and total costs of both solutions, though the deployment and management costs of data registration will prove cost prohibitive for most organizations. In today’s data-based business environment, protecting digital assets can literally be the difference between success and failure.

David Etue, Senior Security Strategist, Fidelis Security Systems

Mr. Etue brings years of experience at early-stage and mature companies to his role at Fidelis Security Systems. Prior to joining the company, he was Vice President of Marketing at Celcorp and led product management for a variety of technology products and services at Global eXchange Services (GXS). Before his tenure with GXS, Mr. Etue led General Electric's global computer security program. He was a member of the GE Information Management Council, and was an original member of GE's Global E-Commerce team, which was responsible for development of the company's e-business strategy. Mr. Etue holds a Bachelor of Science degree in Business Administration and Finance from the University of Delaware.

Gene Savchuk, Chief Technology Officer, Fidelis Security Systems

Mr. Savchuk has been in the computer and networking industry for 15 years, both managing networks and developing commercial network security and management solutions. His first network systems administration program went to market in 1992. In 1995, a remote user authentication solution that he developed was introduced to European markets. Prior to co-founding Fidelis Security Systems, Inc., he served as Director of Software Development at InforMax Inc. and helped to guide it from a startup to a public company with almost 300 employees. At Fidelis, he has been the primary architect and has led the development of Fidelis XPS. Mr. Savchuk holds a Bachelors Degree in Physics and Applied Mathematics and a Master of Computer Science.

Fidelis Security Systems
Since 2002, Fidelis Security Systems (www.fidelissecurity.com) has been committed to giving organizations the power to protect their brand, intellectual property and resources by stopping data leakage