Plugs for Data Leaks

As the need for network security broadened and military contracts began to build in cyber-security costs, a torrent of data leak-prevention offerings emerged last year.
By Cheryl Gerber
As the need for network security broadened and military contracts began to build in cyber-security costs, a torrent of data leak prevention offerings emerged last year. Consequently, the developing technology is marching ahead this year, beyond network content flow inspection and into the realm of data and user activity monitoring, aimed at detecting and proving genuine cases of insider threat.
By the end of 2008, insider threat detection technology will begin to incorporate intelligent, individual behavior pattern tracking. New product versions may start to detect and prove legitimate cases of insider threat more actively and accurately, while minimizing false positives, which often still comprise half of the alerts.
Military and commercial technology providers alike responded last year to a call expressed in recent months by Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer John Grimes for increased protection of internal networks in the defense industry and for security requirements to be built into contracts.
Data leak or loss prevention technology offerings ballooned in 2007, with many acquisitions and startups aimed at expanding current capabilities to include content inspection, more finely tuned policy development and enforcement, and human behavior monitoring for insider threat prevention.
Both Raytheon and IBM acquired companies in 2007 with technology that can detect and prove legitimate cases of insider threat, enforce "acceptable use" policies or assure compliance with government regulations, such as the International Traffic in Arms Regulations (ITAR), which controls the import and export of defense-related articles and services.
Other companies acquiring data leakage prevention products in 2007, partly to develop insider threat prevention technologies, include Symantec, which acquired Vontu; Trend Micro, which acquired Provilla; McAfee, which acquired Onigma and Safeboot; and WebSense, which bought PortAuthority and SurfControl.
Policy Compliance
Raytheon this past fall acquired Oakley Networks, a cyber-security and data leak or extrusion prevention company. Now called Raytheon Oakley Systems, the subsidiary is looking at ways to integrate its SureView (also known as Inner View) product with Securify and Guidance Software technologies to provide a more comprehensive solution.
The SureView v5.0 appliance provides enterprisewide event reports in a TiVo-like manner that enables the replay of actual events, including pre-encryption data. SureView agents are located at user workstations to monitor them and peripherals for compliance with data leakage policies. The product includes hundreds of policy examples that can be utilized out of the box, as well as the ability to customize new policies. SureView clients and servers are integrated with Lightweight Directory Access Protocol (LDAP), an Internet protocol that e-mail and other programs use to look up information such as entries in an e-mail address book from a server.
"The replay tool reconstructs what exactly happened and replays it like a DVR. So you are seeing what was on the user screen when, for instance, the user did the FTP upload and then tried to erase the log files. The product also delivers the context around it: the instant message the user got right before the upload," said Tom Bennett, Raytheon Oakley vice president of marketing.
A primary concern that blocked widespread use of insider threat prevention in the past has been the tendency of the technology to produce false positives, flagging users who either unknowingly or innocently violated policy, sometimes as a way to get work done faster. However, as Bennett pointed out, the technology can be used in those cases to teach or remind users about policy compliance by sending pop-up warnings or reminder messages as they are about to violate policy, or it can raise awareness of a need to fine-tune policy.
Last year IBM acquired two data loss prevention companies, including Consul Risk Management, which provides identity access monitoring software that works across mainframes and distributed environments. IBM folded Consul into its Tivoli software unit and called the resulting product Tivoli Compliance Insight Manager. IBM also acquired Watchfire, a provider of software that guards against compliance breaches and assesses web application vulnerability.
"Many systems administrators are happy that they now have technology that proves they are not doing anything wrong," said Marc van Zadelhoff, program director, business development for IBM Tivoli Security and Compliance Software.
"We found that 80 percent of insider threats are done by the most technical and privileged users, the systems and information technology administrators who have the keys to the kingdom. But about 50 percent of the time it's by mistake or accident as a result of not following procedure right because they were rushed or working hard," he said.
"IBM Tivoli Compliance Insight Manager integrates with more than 80 platforms right out of the box, so it doesn't require any customization to set up. And we improved the reporting capability to match it with regulations," said van Zadelhoff.
Securify offers appliances called SecurVantage Monitors, which track the network to determine who is accessing which applications where. The product monitors network traffic in either "discovery mode," for which a network manager can watch what's happening passively, or "verification mode," in which traffic is mapped to controls based on pre-defined roles or best practice templates. Violations captured by the appliances are reported through a web interface with user identities and incident details.
The Defense Information Systems Agency (DISA) granted Securify authority to operate in February 2006, which is good for three years. The company also has Common Criteria certification.
The evolution of SecurVantage early this year illustrates how the data loss prevention technology is expanding beyond networks to incorporate data and individual identities for stronger insider threat prevention. "The software inside SecurVantage Monitor used to be IP-based, but it evolved from an IP address to an individual identity. We integrated with customers' directory systems, and then correlated the identity with the network traffic associated with that individual," said Jeff Waters, head of Securify's federal operations.
The Securify monitors have screens with different-sized grey, yellow, green and red bubbles that indicate degree of concern. "The size of the bubble depends on the volume of communication and the color of the bubble depends on how critical the bad behavior is. A big red bubble is the worst, so you immediately know which users and systems are the most problematic," Waters said.
Detection of inappropriate behavior produces an e-mail, pager notification or a trouble ticket, depending on configuration, to the appropriate authority. As a result of integration with routers and switches, the system will block a suspected network area.
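The "verification mode" described above, in which flows are tied to a directory identity and checked against role-based controls and then scored by volume and severity for the bubble display, is sketched below. This is an added example, not Securify's code; the directory table, the role controls and the flow records are all constructed sample data, and the port-to-role mapping is a stand-in for a real control template.

```python
"""Identity-correlated flow verification (added example, not Securify's code).
The directory, role controls and flows below are constructed sample data."""
from collections import defaultdict

# Constructed directory lookup: workstation IP -> (user, role).
# A real deployment would resolve this through LDAP or a similar directory.
DIRECTORY = {
    "10.1.1.10": ("alice", "finance"),
    "10.1.1.11": ("bob", "netadmin"),
    "10.1.1.12": ("carol", "engineering"),
}

# Constructed role-based controls: destination port -> (roles allowed, violation severity).
CONTROLS = {
    22:   ({"netadmin"}, "critical"),                      # SSH to servers
    1433: ({"finance"}, "critical"),                       # finance database
    21:   (set(), "high"),                                 # FTP is never allowed
    80:   ({"finance", "netadmin", "engineering"}, "low"), # web, any known role
}
SEVERITY_RANK = {"none": 0, "low": 1, "high": 2, "critical": 3}

def verify_flows(flows, directory=DIRECTORY, controls=CONTROLS):
    """Map each flow to an identity and check it against the role controls.

    flows: iterable of (src_ip, dst_ip, dst_port, bytes).
    Returns {user: {"volume": total_bytes, "severity": worst, "violations": [...]}},
    i.e. one bubble per user: size from volume, colour from worst severity.
    """
    report = defaultdict(lambda: {"volume": 0, "severity": "none", "violations": []})
    for src_ip, dst_ip, dst_port, nbytes in flows:
        user, role = directory.get(src_ip, (f"unknown@{src_ip}", "unknown"))
        entry = report[user]
        entry["volume"] += nbytes
        # A port with no control at all is treated as a high-severity unknown.
        allowed, severity = controls.get(dst_port, (set(), "high"))
        if role not in allowed:
            entry["violations"].append((dst_ip, dst_port, severity))
            if SEVERITY_RANK[severity] > SEVERITY_RANK[entry["severity"]]:
                entry["severity"] = severity
    return dict(report)

# Constructed sample flows: alice does normal finance work plus a large FTP upload,
# carol touches the finance database, and an unknown host browses the web.
SAMPLE_FLOWS = [
    ("10.1.1.10", "10.2.0.5", 1433, 40_000),
    ("10.1.1.10", "203.0.113.9", 21, 900_000),
    ("10.1.1.11", "10.2.0.7", 22, 5_000),
    ("10.1.1.12", "10.2.0.5", 1433, 2_000),
    ("10.1.1.99", "10.2.0.7", 80, 100),
]
```

Running `verify_flows(SAMPLE_FLOWS)` yields alice as the biggest bubble (940,000 bytes, "high" from the FTP upload) and carol as the reddest one ("critical", unauthorized database access), which is the triage ordering the article describes.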
Packet Inspection
SecurVantage tracks data in three basic ways: through flow-based data analysis (looking at changes in data) via Cisco NetFlow or Juniper J-Flow technology; using native Deep Packet Inspection (DPI); or a combination of the two.
Also known as content inspection or content processing, DPI has been used increasingly by network managers to examine and classify both the header and the data portion of a network packet as it passes through an inspection point. Unlike regular or shallow packet inspection, which only examines the header, DPI checks the data for noncompliance, scams, viruses or intrusions in order to decide whether the packet can pass or should be routed to another destination. DPI is also used to collect statistical information. Using DPI, a packet can be classified, tagged, blocked and reported to an agent in the network.
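The difference between shallow and deep inspection above can be shown on a single packet: the header-only check sees an ordinary HTTP POST to port 80 and lets it pass, while the payload check classifies the content, tags it and blocks or reroutes it. This is an added example, not code from any product in the article; the port policy, the content markers and the packet itself are constructed (no checksums are computed), and real DLP classifiers use far richer content analysis than substring matching.

```python
"""Shallow vs deep packet inspection against a constructed DLP policy.
Added example; the policy, markers and packets are all constructed."""
import struct

ALLOWED_DST_PORTS = {80, 443}   # constructed header-only (shallow) policy
# Constructed payload markers -> classification tag.  Stand-in for a real classifier.
CONTENT_MARKERS = {b"ITAR-CONTROLLED": "export-controlled", b"SSN:": "pii"}

def parse_ipv4_tcp(pkt):
    """Split an IPv4/TCP packet into header fields and the TCP payload."""
    ver_ihl = pkt[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if pkt[9] != 6:
        raise ValueError("not TCP")
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    sport, dport, _seq, _ack, offs = struct.unpack("!HHIIB", pkt[ihl:ihl + 13])
    tcp_len = (offs >> 4) * 4
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "payload": pkt[ihl + tcp_len:]}

def shallow_inspect(fields):
    """Header-only decision: only the destination port is considered."""
    return "pass" if fields["dport"] in ALLOWED_DST_PORTS else "block"

def deep_inspect(fields):
    """Header plus payload: classify the content, tag it, then decide."""
    tags = [tag for marker, tag in CONTENT_MARKERS.items() if marker in fields["payload"]]
    if "export-controlled" in tags:
        return "block", tags        # must never leave the network
    if tags:
        return "reroute", tags      # divert to a review/quarantine point
    return shallow_inspect(fields), tags

def build_packet(src, dst, sport, dport, payload):
    """Construct a minimal IPv4/TCP packet (zero checksums) for testing."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return ip + tcp + payload

# Constructed HTTP POST: port 80 passes shallow inspection, but the body carries
# an export-control marker, so deep inspection blocks and tags it.
SAMPLE = build_packet("10.1.1.10", "203.0.113.9", 50000, 80,
                      b"POST /upload HTTP/1.1\r\n\r\nITAR-CONTROLLED drawing rev C")
```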
Securify monitors send prioritized real-time alerts to trouble-ticket systems and specified personnel, or the monitors can automate policy enforcement via access control commands when activated. Securify Enterprise Manager scales up to centralized, multi-monitor deployments with consolidated information on an integrated dashboard with software that provides customized controls and forensic analysis. There is also a SecurVantage enterprise warehouse and reporting appliance for long-term data warehousing and trend reporting.
Raytheon Oakley is hoping to integrate SureView both with Securify and with Guidance Software's computer investigation software, entitled EnCase Enterprise Information Assurance and eDiscovery suites. Those products are already being used by military and intelligence agencies both to mitigate risk and to prove a legitimate case of insider threat once it has been established.
Guidance recommends implementing a few basic practices to prevent insider threat activity. "First, lock out thumb drives or USB storage drives; second, watch CD activities, that is, who is burning what to CDs and when; and third, make sure that file permissions on certain files are not changed," said Jim Butterworth, director of incident response and federal services for Guidance Software.
To prevent having one source without accountability, Guidance recommends automating a two-person integrity concept. Butterworth also favors using a variety of integrated technologies. "Sole reliance on one product is not a panacea. You need a lot of different technologies to solve the problem," he said.
The information assurance suite provides automated incident response, classified spillage, InfoCon baselining and IAVA compliance modules. The Information Assurance Vulnerability Alert (IAVA) is a DISA process for risk and vulnerability management. The product also supports Open Vulnerability and Assessment Language from MITRE, which standardizes the process of assessing software vulnerability and uses XML.
The EnCase eDiscovery Suite automates and expands the capabilities of EnCase Enterprise by providing the ability to search, identify, cull, collect and process electronically stored information (ESI) across the enterprise and export the ESI to a variety of attorney review platforms. It has five basic capabilities: enterprise search and collection, e-mail processor, evidence file processor, review platform exporter and report generator.
DISA and the defense intelligence community are actively testing a Verdasys product entitled Digital Guardian, which provides data security and is integrated with LDAP for identity management, with enterprise resource planning systems from IBM and with the Guidance EnCase forensic tools. Based on an original equipment manufacturing agreement with Autonomy, Digital Guardian has integrated Autonomy's content and context analysis features. Autonomy is an intelligent search engine with content inspection capability.
Like SureView, Digital Guardian can produce pop-up warnings to users such as, "What you are about to do is against policy."
Verdasys is continuing to build out platform support for Digital Guardian beyond Windows and Linux and into the wireless world. "This year we will begin to build in behavioral recognition capability," said Bill Munroe, Verdasys vice president of marketing.
False Positives
However, while the battalion of tools released in 2007 minimizes the risk of the insider threat, many barriers remain to eradicating it. Two of the top hurdles are the counterproductive impact of false positives and the inability to recognize individual human behavior patterns in cyberspace.
"There are still too many false positives out there to allow fully active security monitoring to occur," IBM's van Zadelhoff pointed out.
Consequently, as data loss prevention systems move into the realm of insider threat prevention, they will remain more passive than active until current technology has developed more to self-learn the difference between false and real positives. Meanwhile, analysts say it is up to security managers to find their agency's particular balance between too little and too much protection. "By definition, every false positive stops some important activity someone is trying to get done, and worse, it can cause it to be time late, so the model of security as a lockdown is a problem," said Munroe.
Some believe the highest hurdle is more human than technological. "The insider threat problem cannot be solved solely with technology. We need to become more aware of how human behavior is different in cyberspace than in the world of bricks and mortar. Even when some users know their behavior is being monitored, a feeling of anonymity in cyberspace sometimes overcomes policy and social constraints," said a source who asked not to be identified. The source has been involved with determining eligibility for granting access to classified information.
"In terms of policy compliance, technology does whatever you tell it to do regardless of who's on the other end. In the case of insider threat prevention, most technologies enforcing policy treat the CFO the same as the network administrator, equalizing the problem to eliminate any possibility for profiling," said Carol Haave, president of Sullivan Haave Associates and a former deputy undersecretary of defense for counterintelligence and security.