Inside Threats: What's Walking Out Your Front Door?

By Sonny Discini | Jul 27, 2007

I’ve long said that the notion of network perimeters is dead.

Data has become fluid, and collaboration, interoperability and the mass dispersal of information are the name of the game. Security professionals are supposed to embrace this landscape, meet compliance and protect against all evils along the way. Given this playing field, along with all the various insider threats, how can you tell what data is walking out your doors, when it leaves and what kind it is?

It’s no secret that disgruntled insiders can display amazing ingenuity when it comes to stealing company data. Whether the motive is profit or revenge, the bottom line is that data is constantly threatened and it’s extremely difficult, if not impossible, to mitigate the threat. Criminals are also hard at work, employing botnets, phishing, ransom and a plethora of other techniques.

And finally, there is the accidental data leak. While not in the same class as insider threats and criminals, the result can be equally damaging, and in some cases worse than outright theft.

Given that there are so many ways for data to walk out, how will you know what leaked and when it happened?

Policy alone cannot stop data leakage, especially if no one enforces it. Technological resources require a great deal of effort to operate efficiently, and in some cases you may actually be violating internal policy, and possibly external laws and regulations, by using a tool that monitors for data leakage.

But for the sake of argument, let’s say that you have a policy that allows you to monitor for leakage and you’re operating within the bounds of the law. The logical next step that most organizations take is to look for a nifty toy to monitor for leakage and enforce the policy.

For those not in the know, the term coined for this type of solution is “anti-data leakage”. Some vendors call it the “extrusion protection” space as well. While the vendors would like you to believe that this has some additional (and, of course, far more beneficial to you) meaning, it all boils down to trying to see what’s going out the door and preventing its exit if need be.

One vendor that places its offering in the extrusion protection space is Fidelis. Its product works by sitting at a network chokepoint and filtering traffic via packet sniffing. If a violation is detected, the appliance clips the connection with a TCP reset packet. It reports based on canned compliance signatures such as HIPAA and PCI, and it also lets you write your own filters or edit existing templates. The XPS appliance boasts real-time data leakage protection across all protocols and ports at gigabit speeds.

Another provider in this space is Proofpoint. It, too, uses a rules-based approach to signatures. What’s different about this offering is that it focuses primarily on e-mail as the source of leakage rather than the various other ways data crawls out the door. Proofpoint mails a report of all flagged traffic by category and allows the admin a number of actions such as alert-only, quarantine and so forth.

So what exactly will you see with solutions like these?

If you’re not the techie type, you can get canned reports and/or summary information that relays high-level stats on what the device picked up. This means that you can see how many credit card numbers, social security numbers and so forth were sent outbound. Once configured for your specific requirements, you can view stats on the hit points critical to your organization. Some of these devices, such as Fidelis, can also report on instant messenger applications, which account for a lot of data flowing in and out of your organization.
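To make the signature-and-action model described for Fidelis and Proofpoint concrete, here is an added example (not code from either vendor or from the original article) that scans reassembled outbound messages for the two canned categories mentioned above, credit card numbers and social security numbers, validates card candidates with the Luhn check to cut false positives, tallies hits per category the way a summary report would, and picks the policy action (allow, alert, quarantine or reset) for each message. The sample messages, the policy table and the category names are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of outbound messages, as a chokepoint sniffer might
# reassemble them. Assumption: plain-text payloads, one string per message.
SAMPLE_OUTBOUND = [
    "Invoice: card 4111 1111 1111 1111 exp 12/09",   # valid Luhn test number
    "Patient record SSN 123-45-6789 attached",
    "Order ref 1234-5678-9012-3456 is not a card",    # 16 digits, fails Luhn
    "Nothing sensitive here",
]

# 13-16 digits with optional space/hyphen separators (PCI-style signature).
CC_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
# SSN: area group is never 000, 666 or 900-999; group/serial never all zeros.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Constructed policy: action per category; the most severe hit wins.
POLICY = {"credit_card": "reset", "ssn": "alert"}
ACTION_RANK = {"allow": 0, "alert": 1, "quarantine": 2, "reset": 3}


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_message(text: str) -> dict:
    """Return the matched values per category for one message."""
    hits = {"credit_card": [], "ssn": []}
    for m in CC_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):      # drop order numbers and other digit runs
            hits["credit_card"].append(digits)
    hits["ssn"] = [m.group() for m in SSN_RE.finditer(text)]
    return hits


def decide(hits: dict, policy: dict) -> str:
    """Pick the most severe action any non-empty category calls for."""
    action = "allow"
    for cat, found in hits.items():
        wanted = policy.get(cat, "alert")   # unknown categories just alert
        if found and ACTION_RANK[wanted] > ACTION_RANK[action]:
            action = wanted
    return action


def summarize(messages, policy=POLICY):
    """Per-category hit counts (the summary report) plus one action per message."""
    counts, actions = Counter(), []
    for msg in messages:
        hits = scan_message(msg)
        for cat, found in hits.items():
            counts[cat] += len(found)
        actions.append(decide(hits, policy))
    return dict(counts), actions
```

Running `summarize(SAMPLE_OUTBOUND)` gives one credit card hit, one SSN hit, and the actions reset, alert, allow, allow for the four messages in order.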

What’s important to note here is that these solutions address data that is being transferred over the network. They do not address data that walks out via USB, hard copy and a number of other removable media formats. You’re going to have to engineer an architecture that addresses all of the vectors, which will take a lot of time, money and resources. Even after you expend all of this effort, you have to accept that you haven’t covered every possible vector related to data leakage but at least with some solid policy and tools, you can get a good look at what’s going on in your environment.

So, do we see a pattern here? Of course.

Again, we’re faced with a very serious problem that has many vectors, and to cover them, multiple products are required. The problem is complex but there exists a simple, if unrealistic, solution to this. Why not give users only what they need, remove personal PCs that have 600 interfaces to every removable media product on the planet and implement something similar to dumb terminal technology?

I often point to the human immune system as a model that a security architecture should emulate. The human immune system enforces the least privilege model. Unless it is specifically allowed, it is assumed denied.

If only we would embrace this simple design, data leakage, among other security problems, would be greatly reduced.

Article appeared originally on Enterprise IT