Outbound content filtering requires products and processes

Ultimately, bad guys predominately want personally identifiable information (PII) -- examples include mailing addresses, Social Security numbers and credit card information -- which can be used as a mechanism for identity theft. Unfortunately, there is a huge market for information that can be used not only to loot accounts, but also to obtain credit in the name of someone else. TJX Companies Inc. is the king of the Rogues gallery, illuminating the potential consequences of private data loss.

Another big source of data leakage is intellectual property (IP). We are all familiar with the theft of trade secrets at DuPont Co., but there are hundreds of other transgressions that go unnoticed because most organizations want to keep them quiet. All businesses have a significant portion of their intellectual property digitized. So at any given time, a malicious or unsuspecting employee can download information to removable media or attach it to an email message and BAM! Your data is gone.

Since the stakes are clear, what can we do to protect "outbound" content? It starts with a multifaceted approach that includes training, i.e. reminding employees of the organization's policies and the consequences of not complying.

Yet, the first step is not even training; it's figuring out what you are trying to protect. That's means finding and surveying the data in your organization and defining who can use what and why. Simply locating data is helpful because the organization process can often help eliminate a lot of leakage points that would otherwise go unnoti

To continue reading for free, register below or login

Requires Membership to View

To gain access to this and all member only content, please provide the following information (all fields required):

First Name:
Last Name:
Country: Select... Afghanistan Aland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory British Virgin Islands Brunei Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos (Keeling) Islands Colombia Comoros Congo Congo, Democratic Republic of Cook Islands Costa Rica Cote D'Ivoire Croatia Cuba Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia, The Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard and McDonald Islands Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati Korea, North Korea, South Kuwait Kyrgyzstan Laos Latvia Lebanon Lesotho Liberia Libya Liechtenstein Lithuania Luxembourg Macau Macedonia Madagascar Malawi Malaysia Maldives Mali Malta Man, Isle of Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands Netherlands Antilles New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestine Panama Panama Canal Zone Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Reunion Romania Russia Rwanda Saint Helena Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and the Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia and Montenegro Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard Swaziland Sweden Switzerland Syria Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu U.S. Minor Outlying Islands Uganda Ukraine United Arab Emirates United Kingdom United States Uruguay Uzbekistan Vanuatu Vatican City Venezuela Vietnam Virgin Islands Wallis and Futuna Islands Western Sahara Yemen Zambia Zimbabwe
Email Address:

I would like to receive a FREE subscription to Information Security magazine online.
YesNo

Do you manage, evaluate, recommend, implement, support or purchase security products, software or services?
YesNo

Please estimate the yearly security budget for your entire organization including all security products and services.
Please select... Over $10 Million $5 Million-$10 Million $1 Million-$4.9 Million $500,000-$999,999 $100,000-$499,999 $50,000-$99,999 $25,000-$49,999 $10,000-$24,999 Less than $10,000 None

What is your role in purchasing IT related products and services? (Check all that apply)
Technical decision maker
Financial decision maker
Recommend/Specify
Evaluate products
Implement Products/Services
Determine Needs
Create Security Strategy
None

By joining SearchSecurity.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.

TechTarget cares about your privacy. Read our Privacy Policy

OK, so now that the sensitive data has been located and it's been determined what needs special protection, next comes technology. There are many techniques to identify sensitive data before it escapes, and the difference between an effective product and the perception of failure is accuracy. Too many false positives, meaning you flag data that isn't actually a violation, and you are mud. Miss something, meaning data leaks out, and you are mud. The objective is to not be covered in mud, since both scenarios waste a lot of time and money and don't stop the data leaks. Here is just a smattering (certainly not comprehensive) of the available techniques:

The reality is that every vendor and/or technology will likely use all of these techniques in some way and probably quite a few others. To further complicate things, they are going to use different language to describe the same methods, meaning it will be an inexact science to determine what product will provide the best outbound content filtering for your environment. The only way to figure that out is to actually test a few (meaning 1-3, not five or 10) of the devices on your actual traffic.

Yes, this approach is resource-intensive and eats up time that you probably don't have, but can you really compromise on your accuracy? Not a chance. So get it right the first time, or the auditors will be making sure your successor does.

Finally, determine whether a stand-alone device makes more sense or whether this content security capability should be integrated into another device, like an email gateway or a unified threat management (UTM) device. The answer is both; the decision points are really more about politics, scale and complexity within your organization rather than anything from a technology standpoint.

If you've determined that 95% of your organization's risk is derived from potential email message leaks, then using the outbound filtering capabilities within your existing email security device will suffice. If the company has a lot of complicated CAD/CAM drawings or drug compounds, then it only makes sense to use a product that specifically tracks data not only on file shares and in databases, but also on endpoint devices.

Don't neglect the ramifications of scale as well. In relatively small environments, the Web- and email-filtering capabilities of existing perimeter gateways should suffice. But in mega-enterprises -- where egress points are numerous and geographically distributed and 1 GB networks are yesterday's news -- a dedicated outbound content security platform is probably a more suitable option.

Looking ahead, outbound content filtering and leak prevention technology may become a feature of perimeter platforms and endpoint security suites, but it's not clear that will make things easier, especially in large enterprises. Why? It's all about a consistent policy. If different technologies protect different aspects of an environment, then it's hard to enforce a consistent policy.

Similar to pretty much every other problem we are trying to solve in security, there is no silver bullet or a generic solution. You can't just go down to the corner store and pick up a content security thingy. The best answer today is adopting a process that can help determine where data lives, what needs protection, and finally which technology mix is best for your organization's needs.

About the author
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Rothman is also SearchSecurity.com's expert-in-residence on information security management. Get more information about the Pragmatic CSO at http://www.pragmaticcso.com, read his blog at http://blog.securityincite.com, or reach him via e-mail at mike.rothman (at) securityincite (dot) com.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Network Security Tactics,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Network Security Tactics Screencast: Samurai offers pen-testing nirvana Firewall rule management best practices Chained Exploits: How to prevent phishing attacks from corporate spies Rootkit Hunter demo: Detect and remove Linux rootkits Enterprise UTM security: The best threat management solution? Making the case for network security configuration management An inside look at security log management forensics investigations How to find sensitive information on the endpoint How to perform Microsoft Baseline Security Analyzer (MBSA) scans How to spot attacks through Apache Web server log analysis RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.