This article can also be found in the Premium Editorial Download "Information Security magazine: Closing the gap: How to decide when (and if) to patch vulnerabilities."
In more than a few games this past season, the 5-11 Houston Texans played as though their opponent knew their playbook better than they did.
But thanks to the use of software that protects against intellectual property (IP) leakage, the team knew the playbook was always under digital lock and key. "We were just inexperienced and getting our butts kicked," laughs IT director Nick Ignatiev.
When the Texans entered the NFL two seasons ago, it became one of the first teams to place its phone book-thick playbook entirely on its network. Though IT policy mandates tight access controls, authentication and separate shares for each coaching group with playbook access -- offense, defense, special teams -- Ignatiev knew he'd sleep better with additional IP monitoring.
"We wanted to be proactive about this rather than wait for something bad to happen," he says. "We wanted to make sure we had all the bases covered." Not to mention the post route or fake punt.
The solution Ignatiev chose, Vericept's VIEW, scours corporate mail, instant messaging, FTP communications and Web mail for specified keywords -- "playbook," game plan-specific file names and many others. It also performs basic URL monitoring.
"We're more concerned about network monitoring than network filtering," Ignatiev says. "In that sense, we're more of a watchdog than a guard dog."
What Is IP, Anyway?
We hear about the insider threat to intellectual property security all the time. In the Texans' case, the result of lost IP is simple to quantify: Opponent gets your playbook, you lose.
But for most organizations, quantifying what constitutes IP -- and what the consequences are if it's leaked or stolen -- is more challenging. With rare exceptions, IP is never a single "thing." It exists in more than one place, often only in the minds of "trusted" users. Everyone's favorite example of IP -- the recipe for Coca-Cola -- is actually many intertwined things: ingredients of varying quantities, step-by-step mixing, manufacturing and bottling procedures, etc.
Determining who's an insider is equally difficult. With the advent of mobile computing, multiple extranets connected to sensitive back-office applications, and an endless stream of consultants, contractors and partners plugging in and out of your network, keeping the keys to the kingdom inside the castle walls is almost impossible.
Put all this together, and it's no wonder that most organizations consider insiders to be a much greater threat to IP than outside hackers or malware.
Technology to the Rescue
While technology is never the only answer to security problems, IP leakage is one area where it can make a huge impact. Policy controls are equally important, but even stringent acceptable use policies won't prevent a disgruntled employee or corporate spy from tipping off a competitor about a pending contract.
A handful of vendors are addressing this problem, often by using old technologies in new ways. As a group, these products monitor and control network usage in real time. They allow you to identify trends and specific behavior patterns in network traffic that may signify abuse or misuse of IP.
These solutions focus on the applications where IP leakage is most likely to occur: e-mail, Web access, peer-to-peer applications such as IM, and file-sharing programs like KaZaA and Gnutella. Basic file transfers via Telnet, FTP and even encrypted SSH will have a difficult time flying under the radar of these programs, since they check not only for content but also usage patterns and other behaviors.
Let's say, for example, that you have a security policy that prohibits IP from being copied to external storage, or from one application to another. Perhaps users are attempting to browse network shares or open unauthorized files. Users may even attempt to burn IP to CD-ROMs to take home or mail outside the company.
Security startup Verdasys offers a solution called Digital Guardian that detects these types of actions on Windows 2000/XP workstations and file servers. The system drops an agent on local machines that logs and tracks system usage against acceptable use policies defined by a centralized server. Responses to unauthorized activity range from a simple user warning prompt to preventing the execution of the command, depending on the severity of the policy infraction.
While Digital Guardian focuses on host-based activity, other solutions examine network traffic patterns for keywords or language patterns associated with organizational IP. These solutions typically scan e-mail, IM and file uploads/downloads for both default keywords -- "confidential," "proprietary," etc. -- and user-configured words and phrases. If, for instance, your company is developing a new RFID management system, you could scan for keywords such as "identity," "frequency" or "design specs," performing both single word and multiple word combination searches. Some of these solutions include target IP addresses in their scans. That way, you can pay special attention to traffic destined for your competitors' networks.
One solution in this group of products is Vidius' PortAuthority, which focuses strictly on content within e-mails instead of specific file and other behavioral controls. PortAuthority supports Exchange, Notes and other mail servers, scanning both internal and external messages in real time. PortAuthority detects and quarantines policy infractions immediately and notifies you or the appropriate sysadmin.
Another product, Vontu's Protect, also monitors mail traffic at critical network exit points; an upcoming release will add Web and FTP monitoring. Rather than using heuristics and other pattern-matching techniques, the software searches for one-to-one matches of specific outbound information, such as user names, passwords and Social Security numbers.
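To make the two scanning approaches concrete, here is an added example (not code from any of the vendors above) of a content monitor that combines the keyword and multi-word combination scanning, the watched-destination check, and the one-to-one matching of registered values described in the last few paragraphs. The policy, the watched network (an RFC 5737 test range) and the sample messages are all constructed for illustration.

```python
import ipaddress
import re

# Constructed policy modelled on the article's description; not a vendor format.
POLICY = {
    "keywords": {"confidential", "proprietary", "playbook"},
    # Multi-word combinations: every term in the set must appear in the message.
    "combinations": [{"design", "specs"}, {"identity", "frequency"}],
    # Registered values matched one-to-one (a constructed SSN and a service account).
    "exact_values": {"123-45-6789", "svc_build"},
    # Watched destination networks, e.g. a competitor's address range (test range here).
    "watch_networks": [ipaddress.ip_network("203.0.113.0/24")],
}

def tokenize(text):
    """Lower-case word set, so 'CONFIDENTIAL.' matches the keyword 'confidential'."""
    return set(re.findall(r"[a-z0-9_-]+", text.lower()))

def scan_message(msg, policy=POLICY):
    """Return the policy hits for one outbound message as (rule, detail) tuples.

    msg is a dict with 'dst_ip' and 'body'; an empty list means no hit."""
    hits = []
    words = tokenize(msg["body"])
    for kw in sorted(policy["keywords"] & words):
        hits.append(("keyword", kw))
    for combo in policy["combinations"]:
        if combo <= words:  # all terms of the combination present
            hits.append(("combination", " ".join(sorted(combo))))
    for value in sorted(policy["exact_values"]):
        if value in msg["body"]:  # exact match, no heuristics
            hits.append(("exact", value))
    dst = ipaddress.ip_address(msg["dst_ip"])
    if any(dst in net for net in policy["watch_networks"]):
        hits.append(("destination", str(dst)))
    return hits

def scan_all(messages, policy=POLICY):
    """Map message id -> hits for every message that triggered at least one rule."""
    return {m["id"]: scan_message(m, policy) for m in messages if scan_message(m, policy)}

MESSAGES = [  # constructed sample traffic
    {"id": 1, "dst_ip": "198.51.100.7", "body": "Lunch at noon?"},
    {"id": 2, "dst_ip": "203.0.113.44",
     "body": "Attached are the RFID design specs, marked CONFIDENTIAL."},
    {"id": 3, "dst_ip": "198.51.100.9",
     "body": "HR note: employee SSN 123-45-6789, please update payroll."},
]
```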
While these products are useful for detecting IP leakage through traditional network applications, other forms of IP leakage can be just as damaging to your organization. Consider, for instance, insiders who have low-level access permission to a database, and attempt to exploit those rights by accessing information they don't need to know. Let's say your organization has compiled a database of chemical compounds required for a new arthritis drug. Based on the original database design, the only way to prevent unauthorized access to proprietary research is by hiding data through security by obscurity. If a rogue user knows how to generate manual database queries, he could end up with access to all chemical compounds required for the new drug.
Another security startup, IPLocks, has a solution called Database Security Audit System that helps defend against IP leakage issues at the database transaction level. This system provides "separation of duty" filters based on user requirements. It can also be configured with monitoring rules that detect unauthorized privilege elevations or malicious data injections into a database. It can even monitor for granular events based on time and specific database tables.
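As an added illustration of the database-level controls just described (separation-of-duty filters, privilege-elevation detection, and time- and table-scoped monitoring), here is a small rule engine run over a constructed audit trail for the arthritis-drug example. It is example code written for this article, not IPLocks' product or rule format; the roles, table names and events are assumptions.

```python
import re
from datetime import datetime

# Constructed rule set; the roles and tables are assumed for the example.
ROLE_TABLES = {  # separation of duty: the tables each role is allowed to touch
    "lab_tech": {"batch_log"},
    "chemist": {"batch_log", "compounds"},
    "dba": {"batch_log", "compounds", "users"},
}
SENSITIVE_TABLES = {"compounds"}
BUSINESS_HOURS = (8, 18)  # hour window in which sensitive tables may be read

# Statements that change privileges; only the dba role should issue them.
PRIV_RE = re.compile(r"^\s*(GRANT|REVOKE|ALTER\s+USER|CREATE\s+USER)\b", re.I)
# Table names referenced by a statement (simplified extraction for the example).
TABLE_RE = re.compile(r"\b(?:FROM|INTO|UPDATE|JOIN)\s+([a-z_]+)", re.I)

def check_event(event):
    """Return the names of the rules one audit event violates (empty if clean).

    event: dict with 'ts' (ISO 8601 local time), 'user', 'role' and 'sql'."""
    violations = []
    role, sql = event["role"], event["sql"]
    tables = {t.lower() for t in TABLE_RE.findall(sql)}
    if tables - ROLE_TABLES.get(role, set()):
        violations.append("separation_of_duty")
    if PRIV_RE.match(sql) and role != "dba":
        violations.append("privilege_elevation")
    hour = datetime.fromisoformat(event["ts"]).hour
    if tables & SENSITIVE_TABLES and not BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]:
        violations.append("after_hours_sensitive_access")
    return violations

def audit(events):
    """Map event id -> violations for every event that broke at least one rule."""
    return {e["id"]: check_event(e) for e in events if check_event(e)}

EVENTS = [  # constructed audit trail
    {"id": 1, "ts": "2004-02-10T10:15:00", "user": "alice", "role": "chemist",
     "sql": "SELECT name, dose FROM compounds WHERE trial = 'arth-3'"},
    {"id": 2, "ts": "2004-02-10T23:40:00", "user": "bob", "role": "lab_tech",
     "sql": "SELECT * FROM compounds"},
    {"id": 3, "ts": "2004-02-10T11:02:00", "user": "bob", "role": "lab_tech",
     "sql": "GRANT SELECT ON compounds TO bob"},
]
```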
Which Technology Is Best for You?
If an IP protection solution is on your radar, you need to consider several factors before moving forward. These solutions have a lot of overlap, though none of them is exactly the same as the others.
As with most security initiatives, price is an obvious issue of concern. These solutions aren't cheap. Most of them cost tens of thousands of dollars, and some are more than $100,000, depending on your overall network layout and number of supported hosts. This may seem like a small price to pay given what's at risk, but it's still enough to make even the most security-conscious CFO cringe.
Also, from a more technical perspective, once you narrow down your options, you'll need to determine the amount of effort and manpower involved in installing, configuring and administering the system. For instance, you may have to push out client components to all of the workstations you wish to monitor or work to ensure that policies are in line with your organization's custom databases, applications and business processes. These aren't usually big issues for smaller networks, but may tax IT resources for larger ones.
Don't forget to consider how an IP protection system will integrate with your existing IT and security infrastructure. These solutions are not replacements for existing security controls (access controls, AAA, firewalls, IDSes, etc.), but are excellent complements. They provide an extra defense-in-depth layer that's been hard to attain.
These solutions aren't going to run themselves, either. And keep in mind other issues -- such as directory service integration and network management compatibility -- to make sure that the solution you choose is compatible with existing systems.
Finally, it's important to recognize that most of the solutions offered in this burgeoning technology space come from startup companies with short track records. Do your homework to make sure the provider you choose will be around tomorrow to support and upgrade your purchase.
About the author:
Kevin Beaver, CISSP, is president of Principle Logic, an information security consultancy.
This was first published in February 2004