
Preventing Data Theft, Combating Internal Threats

Defend against internal threats and prevent information leakage and hacker attacks with several tactics such as employee monitoring, behavioral analysis tools, encryption and incident response.

Your worst enemy could very well be inside your network. We'll show you how to prevent insiders from sharing your most critical data.

Your problem might not be a hacker trying to break into your network: It could be Jim in engineering, or Steve in sales--maybe even Cindy in production. Your employees could be snatching intellectual property and e-mailing it to competitors, or they could be inadvertently sending out confidential customer information.

Employees who deliberately or unwittingly leak confidential information outside corporate confines pose a huge threat--one that businesses might overlook. This kind of data seepage can cost an organization millions of dollars and cause irreparable damage to its reputation.

According to a 2005 U.S. Secret Service and Carnegie Mellon Software Engineering Institute study of insider breaches in critical infrastructure sectors, 81 percent of such breaches resulted in financial losses ranging from $500 to "tens of millions of dollars." Additionally, 28 percent of the respondent organizations said their reputation was hurt by the breach.

The complexity of today's computing environments, with business networks becoming larger and more porous, is exacerbating the internal threat. What used to be the network perimeter is essentially a borderless mesh of connectivity for applications, telecommuters, business partners and customers. Adding to the problem is the untracked decentralization of information storage in files and databases across many systems. Spreadsheets, word processing documents and other files are not only stored on server shares and local user folders, but are strewn across messaging systems, mobile devices and local workstation folders. Maintaining proper access control on this information is nearly impossible.

Now, in this age of rogue and careless insiders with immeasurable access, network managers--and even many business executives--are taking a closer look at their internal systems. Technology suppliers have responded by developing new ways to address the insider threat.

So before your network springs a leak, here are several technologies to consider for keeping your most valuable data secure.

Checking the Pipes
Products providing insight into network activity under the guise of content filtering have been around for years. These products monitor e-mail, Web and other system usage to keep malware from entering the network, and block or flag inappropriate use to ensure employee productivity. But, emerging technologies allow you to peek into what's really going on inside your network to detect and even prevent information leakage.


Here is a sampling of products dedicated to preventing information leakage.

There are more than a dozen vendors in the network content monitoring space, each with products that monitor Web, messaging, peer-to-peer, streaming media and other traffic. They identify breaches and suspicious usage based on pre-selected and customizable network protocols, traffic patterns and file types in communication streams. Some tools analyze words and groupings of words for suspicious activity, while others can determine the context of what's being done with files. Many look for binary signatures of sensitive information and files rather than relying on filenames and extensions, which can easily be removed, renamed, or otherwise obscured. Some even analyze network traffic patterns and build a big-picture vision of suspicious behavior, alerting security administrators to top talkers--computers, applications or users generating the most network traffic--and protocols in use.
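The detection ideas just listed (identifying content by its binary signature instead of its filename or extension, matching fingerprints of known sensitive files, looking for groupings of words, and summarizing top talkers) can be sketched in a few dozen lines. The Python below is an added illustration, not code from any product or vendor mentioned in this article; the magic-byte table, the sensitivity markers and project codenames, the registered "design document," the messages and the flow records are all constructed for the example.

```python
"""Toy outbound-content inspector (added example; all data below is constructed)."""
import hashlib
import re
from collections import Counter

# Leading bytes of a few common container formats (constructed subset).
MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",          # also docx/xlsx/pptx/jar
    b"\xd0\xcf\x11\xe0": "ole2",   # legacy doc/xls/ppt
    b"\x89PNG": "png",
}
# Extensions that legitimately carry each sniffed type.
EXPECTED_EXT = {
    "pdf": {"pdf"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar"},
    "ole2": {"doc", "xls", "ppt", "msg"},
    "png": {"png"},
}


def sniff_type(payload: bytes) -> str:
    """Identify a file by its first bytes, ignoring whatever name it was given."""
    for signature, kind in MAGIC.items():
        if payload.startswith(signature):
            return kind
    return "unknown"


def fingerprint(payload: bytes) -> str:
    """Exact-match fingerprint of a file's bytes (renaming the file does not change it)."""
    return hashlib.sha256(payload).hexdigest()


# Constructed stand-in for a registered sensitive document. In practice these
# fingerprints would be collected by crawling the organization's file stores.
DESIGN_DOC = b"%PDF-1.4\n% constructed stand-in for the project design document\n"
SENSITIVE_FINGERPRINTS = {fingerprint(DESIGN_DOC): "project design document"}

# Word groupings: a finding needs a sensitivity marker AND a project codename.
MARKERS = re.compile(r"\b(confidential|internal only|do not distribute)\b", re.I)
CODENAMES = re.compile(r"\bproject (falcon|osprey)\b", re.I)


def inspect_message(msg: dict) -> list:
    """Return human-readable findings for one outbound message."""
    findings = []
    for att in msg.get("attachments", []):
        data = att["data"]
        kind = sniff_type(data)
        name = att["name"]
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        # Extension says one thing, the bytes say another: a classic obscuring trick.
        if kind != "unknown" and ext not in EXPECTED_EXT[kind]:
            findings.append(f"{name}: content is {kind} but extension is .{ext or '(none)'}")
        label = SENSITIVE_FINGERPRINTS.get(fingerprint(data))
        if label:
            findings.append(f"{name}: matches fingerprint of {label}")
    body = msg.get("body", "")
    if MARKERS.search(body) and CODENAMES.search(body):
        findings.append("body: sensitivity marker appears together with a project codename")
    return findings


def top_talkers(flows, n=3):
    """Sum bytes per source address and return the n largest senders."""
    totals = Counter()
    for flow in flows:
        totals[flow["src"]] += flow["bytes"]
    return totals.most_common(n)


# Constructed sample traffic.
MESSAGES = [
    {"from": "jim@corp.example", "to": "jim.home@webmail.example",
     "body": "see attached", "attachments": [{"name": "notes.txt", "data": DESIGN_DOC}]},
    {"from": "steve@corp.example", "to": "buyer@partner.example",
     "body": "Project Falcon pricing attached - CONFIDENTIAL, do not forward", "attachments": []},
    {"from": "cindy@corp.example", "to": "team@corp.example",
     "body": "lunch at noon?", "attachments": [{"name": "menu.png", "data": b"\x89PNG\r\n\x1a\n"}]},
]
FLOWS = [
    {"src": "10.0.0.12", "bytes": 52_000_000},
    {"src": "10.0.0.31", "bytes": 1_200_000},
    {"src": "10.0.0.12", "bytes": 30_000_000},
    {"src": "10.0.0.44", "bytes": 600_000},
]

if __name__ == "__main__":
    for message in MESSAGES:
        print(message["from"], "->", message["to"], inspect_message(message))
    print("top talkers:", top_talkers(FLOWS))
```

The first message is flagged twice (a PDF disguised as `.txt`, and an exact fingerprint match) without any reliance on the filename; the second is flagged on the word grouping alone; the third produces nothing. A real product would add fuzzy or partial-document fingerprints so that a copied paragraph is caught as well as a whole file.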

By using sophisticated linguistic analysis, network content-filtering technology has advanced beyond regular expression and keyword analysis so it can analyze derivative content, says Trent Henry, senior analyst with the Burton Group. These tools are beginning to feature automatic content discovery capabilities, which eases administration, he adds. With key word or expression analysis, a fair amount of effort is required by an IT group to determine the sensitive information and its characteristics, and then set up the monitoring and associated policies. With automatic content discovery, the tools understand directory systems to pull in user and group information, and crawl through an organization's "information landscape." The tools can look in important file systems, document management systems or databases to identify information as sensitive, Henry says.

Many network-based content filtering products perform passive monitoring and can report back on suspicious activity, such as Jim e-mailing project designs to his Yahoo account or Steve mistakenly sending out customers' personal data. Others perform active monitoring and leakage prevention by blocking traffic and quarantining files. By taking a proactive stance and preventing questionable or malicious behavior from taking place, they offer benefits similar to those of an IPS. This content-monitoring option will likely prove to be the most valuable long-term, especially for security policy enforcement and regulatory compliance management.

Several products also have built-in and customizable regulatory compliance and security policies that can be tweaked for your specific network environment and business needs. If audit log retention is required by the business--public companies covered by SOX, or organizations in the securities industry--most content monitoring options provide system activity logging.

Another method for detecting nefarious insider behavior and computer misuse is host-level content monitoring, which uses agent software to track computer, OS and application operations, enforce applicable security policies, and warn users of violations. Vendors in this category include ControlGuard, Orchestria, Oakley Networks and Verdasys, among others.


Do:
  • Ask yourself if monitoring will actually help minimize risks and provide business value.
  • Obtain and maintain user buy-in by giving reasonable business justification.
  • Develop reasonable policies by balancing security with usability and privacy as well as fair sanctions that are consistently enforced.
  • Tell people what's expected of them clearly and concisely--focus on this area the most.
  • Put everything in writing (either on paper or electronically via an intranet portal).
  • Show ongoing value of system monitoring (if you can't, it's being done incorrectly).

Don't:
  • Take it lightly and monitor for the sake of monitoring--do something with your results.
  • Micromanage and enforce in demeaning ways that will harm employee morale.
  • Overlook how easy it is for system monitoring to get in the way of employee productivity.
  • Use zero tolerance--instead use reasonable discretion based on the context of the situation.

At first, it appears that host-level control may be more difficult to deploy and require more resources to manage than network-based products, but it does have a major benefit: the ability to monitor at the desktop level, which is the launching pad for wayward behavior. An ideal setup would be to have both network and host-based protection guarding local usage and network transmission in a layered approach, as in the case of the Tablus and PortAuthority offerings.

According to Henry, host-based behavioral analysis tools can see information in plain text on the host, giving them an advantage over network content filtering, which can't inspect encrypted content. Some vendors have plans to add the ability to monitor encrypted traffic, but it's a difficult problem to solve, he adds.

Alternative Measures
Other security products don't necessarily fall into the same context as content monitoring and information leakage solutions, but can contribute to the overall protection of sensitive information. These include messaging firewalls such as Akonix's L7, IMLogic's IM Manager, CipherTrust's IronMail and NetIQ's MailMarshal, which can be configured to filter inbound and outbound e-mail and instant messages for sensitive information. Obviously, these types of systems won't detect and protect against misuse in other network systems and protocols, but a very large portion of insider abuse takes place inside messaging applications.

There are also dedicated forensics analysis and replay products such as Niksun's NetVCR and NetDetector, and Sandstorm Enterprises' NetIntercept that can help. These tools not only provide security surveillance and proactive system analysis of Cindy's suspicious activities, but can record network traffic and serve as strong forensics investigation tools with their anomaly detection and session reconstruction capabilities.

And, don't overlook the value of encrypting information for securing confidential data. This is especially true for sensitive databases, files and mobile computer storage such as laptop hard drives and PDAs--just don't get caught up in the hype that encryption solves all security problems. Most insider breaches result from users like Jim having authorized and legitimate access to sensitive information--something that encryption is not going to help protect against. Also, information encrypted during transit does nothing to protect data once it's stored on internal systems. In fact, encrypting information in transit may only serve to cover up what a malicious insider is doing.

Technically speaking, it is also possible to use a host- or network-based intrusion detection system--especially when combined with an event correlation system--to obtain information protection results similar to those of dedicated content-monitoring solutions.

Pros and Cons of Monitoring
In order for most security policies to be effective, they need to be enforced with technical safeguards. Content-monitoring solutions offer a great deal of benefits for anyone involved with protecting sensitive information. Investment in one of these products can:

  • Help auditors, managers and HR personnel spot trends in computer and network abuse.

  • Trace suspicious or malicious usage back to computers and users.

  • Provide strong audit trails and evidence needed to confront employees about suspicious activities.

  • Augment forensics investigations by providing incident context and content.

  • Help decrease legal liabilities by minimizing sensitive information losses.

  • Detect unauthorized encrypted communications sessions and information that should be encrypted but is not.

Don't let your organization get stuck without a content monitoring and information leakage policy. Consider the following template:

Introduction--Overview of the topic being addressed by the policy.

Purpose--Statement of high-level goal(s) and strategy of policy.

Scope--Short outline of organizational units, departments, employees, computers and applications covered by the policy.

Exceptions--Organizational areas, people and systems that may fall within the scope but should be excluded by this policy.

Policy statement--Short, concise policy statement.

Roles and/or responsibilities--Listing of who is involved, duties required and what each person must do to support the policy.

Procedures--Steps on how the policy is being implemented and enforced.

Compliance metrics--Procedures, standards or other requirements for measuring compliance.

Sanctions--Consequences for policy violations (X occurs on the first offense, Y takes place on the second offense).

Review and evaluation--When the policy must be reviewed for accuracy, applicability and compliance purposes (e.g. HIPAA, GLBA, CoBIT, ISO/IEC 17799).

References--Regulatory code sections and information security standards (e.g. HIPAA Security Rule, GLBA Safeguards Rule, CoBIT, ISO/IEC 17799).

Related documents--Other policies, guidelines, and standards.

Revisions--Who, what and when to document changes.

--Kevin Beaver

Content-monitoring products can serve as the last layer of security control to help organizations enforce their own internal security policies. These products also help with the never-ending growth of security and privacy-related regulatory requirements.

As with most technologies, there are some downsides. The first is cost: A full-blown content-monitoring product system ranges from a few thousand dollars to more than $100,000, based on the number of dedicated appliances, remote sensors and users. Additional downsides include:

  • False positives and false negatives are unavoidable, so at least a small amount of administrative resources will be needed to manage them.

  • Proving return on investment may take some time.

  • Network vulnerabilities may be difficult to locate, and a certain amount of placement, policy tweaking and manual analysis may be required.

  • Integration with other technologies--such as remote access, identity management, LDAP, directory services, IDS/IPS and event monitoring--can be hit-or-miss depending on the product and its supported standards.

  • Administrators must be aware of the need to balance security with convenience and usability, and not let these technologies get in the way of employees doing their jobs.

Finally, a lot of value can be obtained by simply locating and properly classifying your sensitive information, either by manually taking inventory or utilizing an automated product such as Google's Search Appliance or StoredIQ's Information Classification and Management Platform. You can then lock information down where it resides using widely-accepted security hardening techniques and layered defenses built right into your OSes and applications--including solid access controls, strong file permissions and least-privilege user accounts.
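Both the automatic content discovery described earlier under "Checking the Pipes" and the inventory-and-classification step just mentioned come down to crawling file stores and tagging what they find. The Python below is an added example, not the code of Google's Search Appliance, StoredIQ or any other product named in this article; the detection patterns, the label names and the sample directory tree it builds are constructed. It also shows one way to keep false positives down: a string that merely looks like a card number is only labelled if it passes the Luhn checksum.

```python
"""Toy sensitive-content discovery crawler (added example; data is constructed)."""
import re
import tempfile
from pathlib import Path

# Constructed detection rules; a real deployment tunes these per organization.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
MARKER_RE = re.compile(r"\b(confidential|internal only|do not distribute)\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_text(text: str) -> set:
    """Return the set of sensitivity labels that apply to a piece of text."""
    labels = set()
    if SSN_RE.search(text):
        labels.add("pii-ssn")
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            labels.add("pci-card")
            break
    if MARKER_RE.search(text):
        labels.add("marked-confidential")
    return labels


def scan_tree(root, max_bytes=1_000_000) -> dict:
    """Walk a directory tree and map each file that earns labels to its labels."""
    root = Path(root)
    results = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            # Only the first max_bytes are read so huge files cannot stall the crawl.
            text = path.read_bytes()[:max_bytes].decode("utf-8", errors="ignore")
        except OSError:
            continue  # unreadable file: skipped here, a real tool would log it
        labels = classify_text(text)
        if labels:
            results[path.relative_to(root).as_posix()] = labels
    return results


# Constructed sample "information landscape".
SAMPLE_FILES = {
    "hr/benefits.txt": "Employee SSN 123-45-6789 on file.\n",
    "sales/orders.csv": "order,card\n1001,4111 1111 1111 1111\n",
    "eng/roadmap.txt": "CONFIDENTIAL - internal only\nQ3 plan for the new product line.\n",
    "misc/invoice_refs.txt": "ref 1234 5678 9012 3456\n",  # card-like, fails Luhn
    "misc/readme.txt": "Nothing sensitive here.\n",
}


def build_sample_tree() -> str:
    """Write the constructed tree into a temporary directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="discovery-"))
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return str(root)


if __name__ == "__main__":
    for rel, labels in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{rel}: {', '.join(sorted(labels))}")
```

Three of the five files come back labelled; the invoice reference that resembles a card number is left alone because it fails the checksum. The labels are what the later lock-down step consumes: once a file is tagged `pii-ssn` or `pci-card`, the access controls and file permissions on its location can be reviewed against who actually needs it.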

It Really is a Business Issue
There's a common belief held by upper management: "We're not at risk." But excuses like, "We cannot fix what we don't acknowledge," and "I don't know what I don't know," are no longer valid.


There are various security policies that affect information leakage and content monitoring. It depends on your specific requirements, but the following are needed in a comprehensive policy to monitor for data leaks:
  • Acceptable computer usage
  • Handling of sensitive information
  • Incident response
  • Information classification
  • Security awareness
  • System monitoring

Whether insiders are malicious or simply making mistakes, you've got a network full of proprietary information your organization cannot afford to have compromised. From corporate trade secrets to financial reports to private employee and customer information, once sensitive information is gone, there's no getting it back. Although major damages are more the exception than the rule, most organizations cannot afford even the most basic information leak. And, technology won't solve this problem by itself.

In the quest to protect your organization from insider threats, you must have executive buy-in, and responsibility and accountability also need to be placed in the hands of network users.

This involves management supporting and posting security policies and then effectively communicating to employees the standards to which they're being held. This must take place over and over again to be effective. Technical solutions such as content monitoring products are merely a means to that end--not the end itself.

But implemented for the right reasons and in the right way, these technologies can serve as a great monitor to ensure that your most critical data isn't dripping out of your network.

