[Web Informant] 10 December 2008: How to stop leaking data

David Strom david at strom.com
Wed Dec 10 16:44:33 EST 2008

One of the great things about the Internets is that it provides
universal connectivity between your desktop and the world. But that is
also a tremendous weakness and security professionals often lose sleep
over how easy it is for a rogue employee to email a friend – or even
his private Webmail account – their entire customer list or other
confidential information.

There have been a number of products that try to track or block leaking
data, and this week I was testing one of them for my WebInformant.tv
video screencast series -- TrueDLP from Code Green Networks. The idea
is fairly simple: you install their appliance on your network, point
out your most sensitive data, and it then watches your packets to see
what is leaving the premises. It doesn't take that long to set up and
install, once you figure out what it is doing and what you are doing.

The tricky part is figuring out exactly what your most sensitive data
is, and describing it in a way that the product can identify. It comes
with dozens of templates that recognize social security numbers, names
and addresses, stock symbols, and other kinds of well-formatted data.
But the real plus is being able to handle unformatted data, such as a
memo about a customer's preferences that is just a Word document. Code
Green can connect to a SQL database and use the query syntax directly
to select particular data types, and it can also connect via WebDAV to
SharePoint servers or other document repositories. Once you find your
data, you create protection policies and tell the appliance what to do
– whether to just log the violation or actually block the activity.

You also need to make sure that you are matching everything properly,
because the last thing you want on your hands is a series of false
positives that you have to chase down. You can also set up fancier
things, such as automatically requiring emails between two places
(such as your office and a partner) to go out encrypted. Speaking of
encryption, the product works with Blue Coat Web proxies, so even if
someone is using SSL connections to talk to their Webmail accounts,
those packets can be taken apart and the appliance can see what that
person is doing. That is pretty spooky, but hey, you have been warned!
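To make the two preceding points concrete (a template detector that must avoid false positives, and a policy that either logs or blocks), here is a small, added example of how such an appliance can be modelled. It is my own illustration, not Code Green's code, and it assumes two things: that a social security number template rejects values the Social Security Administration has never issued (area 000, 666 or 900 and above, group 00, serial 0000), and that unformatted documents are matched by fingerprinting hashed word shingles rather than by storing the document itself. The memo and messages are constructed sample data.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# --- Template detector: US social security numbers -------------------------
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject number ranges the SSA has never issued. This structural
    check is what separates an SSN template from a generic 'nine digits
    with dashes' pattern, and it removes a whole class of false positives
    (ticket numbers, part numbers) before anyone has to chase them."""
    a, g, s = int(area), int(group), int(serial)
    return not (a == 0 or a == 666 or a >= 900 or g == 0 or s == 0)


def find_ssns(text: str) -> List[str]:
    return [m.group(0) for m in SSN_RE.finditer(text)
            if plausible_ssn(*m.groups())]


# --- Fingerprint detector: unformatted documents (memos, Word files) -------
def shingles(text: str, k: int = 5) -> Set[str]:
    """Hash every run of k consecutive words. Only hashes are kept, so the
    registered document's text never sits on the appliance in the clear."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
            for i in range(len(words) - k + 1)}


class DocumentFingerprints:
    def __init__(self, min_shared: int = 3):
        self.docs: Dict[str, Set[str]] = {}
        self.min_shared = min_shared   # 3 shared 5-word shingles = 7+ copied words

    def register(self, name: str, text: str) -> None:
        self.docs[name] = shingles(text)

    def match(self, text: str) -> List[str]:
        probe = shingles(text)
        return [name for name, fp in self.docs.items()
                if len(probe & fp) >= self.min_shared]


# --- Policies: what to do when a detector fires ----------------------------
@dataclass
class Policy:
    name: str
    detector: str   # "ssn" or "fingerprint"
    action: str     # "log" or "block"


@dataclass
class Verdict:
    action: str                                  # "allow", "log" or "block"
    findings: List[str] = field(default_factory=list)


class DlpEngine:
    def __init__(self, fingerprints: DocumentFingerprints, policies: List[Policy]):
        self.fps, self.policies = fingerprints, policies

    def inspect(self, message: str) -> Verdict:
        verdict = Verdict("allow")
        for p in self.policies:
            hits = find_ssns(message) if p.detector == "ssn" else self.fps.match(message)
            if hits:
                verdict.findings.append(f"{p.name}: {hits}")
                # block wins over log; log wins over allow
                if p.action == "block" or verdict.action == "allow":
                    verdict.action = p.action
        return verdict


# --- Constructed demo data --------------------------------------------------
CUSTOMER_MEMO = ("Customer Acme Widgets prefers quarterly invoices sent to their "
                 "Denver office and has asked that all renewal calls go through "
                 "Dana in procurement.")
SAMPLE_MESSAGES = [
    "Please add customer 123-45-6789 to the account file.",              # real-looking SSN
    "Ticket 000-12-3456 and part 987-65-4321 are ready.",                # lookalikes, not SSNs
    "FYI: Acme Widgets prefers quarterly invoices sent to their Denver "
    "office, can you handle?",                                           # excerpt of the memo
    "Lunch at noon? The quarterly invoices are on my desk.",             # benign
]


def build_demo_engine() -> DlpEngine:
    fps = DocumentFingerprints()
    fps.register("customer-memo", CUSTOMER_MEMO)
    return DlpEngine(fps, [Policy("SSN leak", "ssn", "block"),
                           Policy("Customer memo", "fingerprint", "log")])


def run_demo() -> List[str]:
    engine = build_demo_engine()
    return [engine.inspect(m).action for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for msg, action in zip(SAMPLE_MESSAGES, run_demo()):
        print(f"{action:5s}  {msg}")
```

The second sample message is the false-positive case the article warns about: both values look like social security numbers to a naive regex, but neither passes the structural check, so nothing is logged. The third shows why unformatted data needs fingerprinting rather than templates: only part of the memo was pasted, yet enough consecutive words survive to trip the "log" policy without blocking the mail.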

The product does other things too, such as detecting content on
removable USB thumb drives, or blocking their use entirely. This is
the way of the world: as these drives get beyond 64 GB (yes,
gigabytes), it becomes that much easier for someone to literally take
an entire database out the door in their pocket. I recently ran up
against this when I was in my bank trying to provide documentation for
a loan. I had brought a CD, a USB thumb drive, and had saved the
documents on my Google account just for good measure. Because of the
bank's endpoint security lockdown policies, I was 0 for 3 and had to
send them the old-fashioned way, by making paper copies, once I got
home. At least it was nice to know that they had protected their
employees' PCs.

The interesting thing is what happens after customers get their hands
on this Code Green product. Lawsuits typically ensue, so to speak,
because often the network administrator finds someone is doing
something that they aren't supposed to be doing. One of the product
managers I was working with told me that this usually happens within
the first week of the product being put into production. Given that
the basic price of the product is ten grand, I figure that is as close
to instant ROI as you are going to get these days, considering the
cost of most litigation.

So take a gander over at WebInformant.tv and watch the four-minute
video of the Code Green appliance. It is a very innovative way to
detect and prevent data leaks and well worth a closer look.
