Data Leakage and Content Monitoring
By Don Gilberg
It seems that everywhere we turn, public and private organizations are “leaking” consumer data. Recent news headlines describe spectacular losses of consumer and citizen data in the retail, banking, education, government, pharmaceutical, and other key industry sectors. These losses have cost organizations hundreds of millions of dollars, significant embarrassment, and permanent reputational damage, not to mention the inconvenience and costs to your customers. Beyond what is known to the public, it is also likely that losses of sensitive and classified data are never disclosed in the press, but happen on an equally frequent basis.
Today’s cyber threat environment is more complex than ever. It is dominated by well-funded adversaries with strong economic and political motivations and powerful technical capabilities. These state-sponsored and organized crime groups understand that you have deployed perimeter countermeasures and network monitoring sensors, but they are skilled enough to work around them. Consider STORM: a daily polymorphic, self-mutating, encrypted, P2P, worm Trojan with compartmentalized botnet functionality.
Network monitoring in today’s threat environment requires much more robust and diverse visibility than ever to cope with these multi-dimensional threats that may be invisible to your current defenses.
Data leakage protection (DLP) and content monitoring and filtering (CMF) vendors have been around for a while, but there are limitations to what they can do for you. According to Forrester, 85% of organizations using content filtering technologies do not implement the filtering component of the technology because of concerns such as false positives and fears that legitimate business traffic will be interrupted by overly complex, or overly simplistic, filters. Content review technologies embedded in these products have been hampered by the severely limited number of protocols parsed by these systems and by the flawed assumption that adversaries, whether internal or external, will use standard business communication methods such as Web, email and chat as the primary vehicle for leaking data out of your network. Bypassing these controls is very simple, even for users with modest technical skills.
Many successful attacks today fly far under the radar of intrusion detection and security countermeasures that you have in place. Targeted spear phishing techniques combined with "designer" application exploits can gain a foothold inside your network without any alerts from your IDS or SIEM products. Once these exploits occur, attackers maintain access to victim networks by installing simple but effective code that "beacons" to one or more hosts outside of the organization under the control of the adversary.
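One way to surface the beaconing described above from plain connection records is to look for source/destination pairs that talk on a near-constant timer; human-driven traffic is irregular, a scheduled callback is not. The following is an added example, not code from the article or from NetWitness; the log lines, hosts and thresholds are constructed for illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample of outbound connection records:
# "<timestamp> <src> <dst> <bytes>". Hosts and times are invented.
SAMPLE_LOG = """\
2008-03-01T09:00:00 10.1.2.33 203.0.113.45 612
2008-03-01T09:00:05 10.1.2.33 198.51.100.7 48210
2008-03-01T09:05:01 10.1.2.33 203.0.113.45 598
2008-03-01T09:07:40 10.1.2.33 198.51.100.7 120
2008-03-01T09:10:02 10.1.2.33 203.0.113.45 604
2008-03-01T09:15:00 10.1.2.33 203.0.113.45 611
2008-03-01T09:20:01 10.1.2.33 203.0.113.45 590
2008-03-01T09:31:12 10.1.2.33 198.51.100.7 7310
2008-03-01T09:33:00 10.1.2.33 198.51.100.7 2048
"""

def parse_log(text):
    """Parse the constructed record format into (timestamp, src, dst, bytes)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return records

def find_beacons(records, min_events=4, max_jitter=0.1):
    """Return {(src, dst): mean_gap_seconds} for pairs whose connection
    gaps are nearly constant. max_jitter is the coefficient of variation
    (population stdev / mean) of the gaps; a timer yields a value near 0."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in records:
        by_pair[(src, dst)].append(ts)
    suspects = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:      # too few events to judge regularity
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_jitter:
            suspects[pair] = mean
    return suspects

if __name__ == "__main__":
    for (src, dst), gap in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"possible beacon: {src} -> {dst} every ~{gap:.0f}s")
```

In the sample, the host calling 203.0.113.45 every five minutes (give or take a second or two) is flagged, while the irregular transfers to 198.51.100.7 are not; on real data the thresholds need tuning per environment to keep the false positives the article warns about in check.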
In order to conduct regular business, companies move a lot of sensitive data across the network every work day. But deep within these gigabytes or terabytes of data traversing the wire, how do security managers in these organizations know for certain whether any of it falls into one of the following categories:
- Unauthorized transfer of personally identifiable or account information of customers
- Sensitive account information exfiltrated out of the network by a third party
- Internal employees sharing M&A transaction or SEC filing information for the company with a competitor or the press
- Resumes of key personnel shared with competitors
- Inappropriate, threatening, or hostile communications
- Illegal activities and inappropriate uses of company resources
- Designer malware, worms, or other destructive program code
These threats, and new and unknown “zero day” attacks, challenge the business continuity and brand loyalty of every enterprise across most vertical business segments.
Don Gilberg is the VP for Strategic Development at NetWitness Corporation. He may be reached at firstname.lastname@example.org.