Auerbach Publications

Maximizing Compliance and Content Protection
Benefits of Content Monitoring Solutions for Securing Corporate Data

John Amaral

Ensuring regulatory compliance, safeguarding sensitive information and preventing IP theft requires more than monitoring network traffic for potential violations. While companies have traditionally identified violations as they occur or after they have occurred, there are simple practices businesses can follow to get ahead of the problem and understand what data needs to be protected. These steps can easily be implemented in any organization, regardless of size, helping companies to proactively combat the detrimental financial, IP and brand effects of a security breach.

Content Protection Opportunities throughout the Lifecycle of a Violation

The timeline analysis in Figure 1 provides a convenient framework to present the full range of opportunities that organizations have to exert control over sensitive data to proactively prevent violations. This timeline approach reveals how content monitoring solutions allow companies to go beyond simple compliance with accounting and data confidentiality mandates to achieve real content protection for sensitive information - even when trusted insiders remove desktops or laptops from the network:

  1. Before violations: In the time period before violations occur, content monitoring solutions enable IT security leaders to identify and secure sensitive information wherever it exists in their organization, exert tighter control over who has it and gain visibility into behaviors that signal when employees may be planning to steal or disclose it.
  2. During violations: While a user is accessing or transferring information on the corporate network, the scope and depth of analysis within the detection capabilities of superior monitoring solutions enable the technology to mitigate security breaches that other solutions may miss. With more visibility into potential violations involving data-in-motion and data-at-rest, organizations can intercept and act on policy infractions in real time through several methods, including "enforced self-compliance," which gives users the option to review ill-considered actions or to enter auditable justifications to continue their communications.
  3. After violations: Specialized content monitoring solutions alert security staff to potential violations in real time, and an intuitive GUI enables them to perform freeform searches of the event database. The management system can track new risk events, trigger forensic scans of users' desktops and assemble "proof-positive" evidence of major policy violations. Specialized content monitoring solutions automate evidence collection and tracking in individual case files, to which new risk events can be continuously added. This allows organizations to track suspicious events and confidently take appropriate action with individuals who attempt to commit serious policy breaches.

Figure 1 outlines the opportunities for compliance and content protection tools during each phase.

  Before violations: Understand what data needs protection, who has it, and take steps to pre-empt its disclosure or theft.
  During violations: Gain maximum visibility of violations coupled with automated control capabilities.
  After violations: Investigate violations, correlate multiple events over time, and capture all relevant evidence to assemble cases for action.

Figure 1. Opportunities for compliance and content protection by time period.

Before a Breach Occurs: How to Prevent Losses

Traditional content monitoring and filtering solutions only seek to protect violations as they occur or after they have occurred, ignoring opportunities to proactively prevent information disclosures. Organizations should consider solutions that help protect against breaches that have yet to occur. Broadly speaking, preventative measures fall into three areas:

  1. Identify what data is critical, where it is located, and classify new data and information as it is created in order to track it
  2. Establish and enforce policies to limit the exposure by restricting who can access, retain, transmit and receive sensitive data
  3. Monitor the behavior of trusted insiders and take steps to narrow their access to sensitive data if they exhibit behavior that indicates they may be moving from a trusted state to one that is not.

Identify and classify critical data and determine where it is located
Generally it's easy for IT leaders to identify specific servers and directories that contain important data, but most IT managers cannot say which employees have copies of sensitive data or where it has migrated to. Most organizations don't have a firm grasp on who has sensitive data, because it is so easily shared in a trusted network environment. When organizations don't know who has sensitive data and have no visibility into how it is being transacted, it is not surprising that there are so many inadvertent information disclosures. Data that is not under corporate control is more likely to be transacted improperly.

To establish parameters for protecting data before a breach occurs, organizations must also classify risk events. Risk events can be grouped into two categories: inadvertent and malicious. The two have very distinct profiles, as shown in Figure 2.

                        Inadvertent Disclosures             Malicious Disclosures
  Premeditation         No premeditation                    Premeditation and planning
  Volume and frequency  High volume and frequency           Low volume and frequency
  Business impact       Each typically of low impact        Potentially high economic or business impact
  Cause or motive       Often a result of lack of awareness Motivated by personal gain, revenge, mischief
  Communicated          Not communicated to others          Often communicated to others
  Remediation           Automated encryption;               Pre-empt by monitoring indicators of malicious intent;
  approaches            enforced self-compliance;           post-violation investigation;
                        e-mail policy reminders             disciplinary or legal action

Figure 2. Characteristics of inadvertent and malicious disclosures.

Establish policies to restrict who can access, transmit, receive, save or print sensitive data with monitoring technology
Once organizations have identified and categorized data that is important to them and made sure that only authorized employees have access to it, they can apply content monitoring solutions to limit how it is transacted. For example, say it is the end of the quarter for publicly traded XYZ Corporation, and the company is preparing its earnings statement. Whether earnings are up or down, prerelease leaks have the potential to move markets - and invite enforcement action by the SEC. A look at a few of the people involved demonstrates the utility of establishing and enforcing policy rules regarding allowable communications:

In this example, security is enforced in several ways. First, all of the financial spreadsheets and draft press releases can be created in directories that automatically classify them into their appropriate categories of protected information. Policies can be established to ensure that:

Figure 3. Policies can be established to restrict certain communications of sensitive data to only those who are authorized to receive it.

This example shows how both structured data (the financial spreadsheets) and unstructured data (the draft press release) can be protected using exact content matching. Additional policies can be set to restrict communications so that anytime anyone attempts to send a message that contains, for example, more than three fields from any one row of a financial spreadsheet to anyone except the company's auditors - or a key sentence from the draft press release - those actions are recorded as events that are available for later review and analysis.
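The two rules just described, as an added example that is not Vericept's code or part of the original article: an exact-content-matching check over constructed sample data. The spreadsheet rows, press release sentences, the auditor domain `auditor.example` and the message addresses are all assumptions; the rule that fires when more than three fields from one row go to anyone but the auditors, and the rule for a key press release sentence, follow the text above.

```python
# Added example (not Vericept's code): exact content matching for the XYZ
# Corporation earnings scenario, run against constructed sample data.
import re

# Constructed sample data standing in for the protected spreadsheet rows and
# draft press release sentences that would be registered from the classified
# directories. None of these values are real.
FINANCIAL_ROWS = [
    {"line_item": "Net revenue", "q3_actual": "142.7M", "q3_plan": "150.0M", "variance": "-4.9%"},
    {"line_item": "Operating income", "q3_actual": "18.2M", "q3_plan": "24.5M", "variance": "-25.7%"},
]
PRESS_RELEASE_SENTENCES = [
    "XYZ Corporation today reported third-quarter revenue of $142.7 million, below prior guidance.",
    "The company is revising its full-year outlook downward.",
]
AUDITOR_DOMAINS = {"auditor.example"}  # assumed domain of the company's auditors
ROW_FIELD_THRESHOLD = 3                 # "more than three fields from any one row"
MIN_CELL_LEN = 3                        # ignore tiny cells that would match anywhere


def normalize(text: str) -> str:
    """Collapse whitespace and case so reformatting does not defeat the match."""
    return re.sub(r"\s+", " ", text).strip().lower()


def matched_fields(body: str, row: dict) -> list[str]:
    """Column names of `row` whose cell values appear verbatim in `body`."""
    nb = normalize(body)
    return [col for col, val in row.items()
            if len(val) >= MIN_CELL_LEN and normalize(val) in nb]


def all_auditors(recipients: list[str]) -> bool:
    """True only when every recipient is at an auditor domain."""
    return bool(recipients) and all(
        r.rsplit("@", 1)[-1].lower() in AUDITOR_DOMAINS for r in recipients)


def evaluate_message(sender: str, recipients: list[str], body: str) -> list[dict]:
    """Apply both policy rules; each hit becomes an event recorded for later review."""
    events = []
    # Rule 1, structured data: exempt only when every recipient is an auditor.
    if not all_auditors(recipients):
        for idx, row in enumerate(FINANCIAL_ROWS):
            cols = matched_fields(body, row)
            if len(cols) > ROW_FIELD_THRESHOLD:
                events.append({"rule": "financial_row_fields", "sender": sender,
                               "recipients": list(recipients), "row": idx, "fields": cols})
    # Rule 2, unstructured data: a key sentence is protected regardless of recipient.
    nb = normalize(body)
    for sentence in PRESS_RELEASE_SENTENCES:
        if normalize(sentence) in nb:
            events.append({"rule": "press_release_sentence", "sender": sender,
                           "recipients": list(recipients), "sentence": sentence})
    return events


if __name__ == "__main__":
    # Constructed outbound message: four cells from one row, sent to a webmail account.
    for event in evaluate_message(
            "analyst@xyz.example", ["friend@webmail.example"],
            "Heads up: Net revenue came in at 142.7M vs 150.0M plan, variance -4.9%."):
        print(event)
```

Matching on normalized cell values rather than whole-document hashes is what lets the rule fire on a few fields pasted into a message; the recipient exemption is applied only to the spreadsheet rule, which is one reading of the sentence above and should be confirmed against the actual policy.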

In addition to protecting complete documents, more comprehensive content monitoring solutions use a technique called "concept modeling" to protect against paraphrases or similar iterations of information being transmitted. Returning to our previous example: suppose someone in the cafeteria overhears the accounting staff discussing that the quarterly numbers are not looking good and speculating about the effect the earnings release might have on the price of the company's stock. If that sharp-eared employee then tries to send an e-mail or IM, or post a message to a Web log, such as "Earnings looking bad at XYZ this quarter, better sell!", those attempted communications can be detected and the e-mails blocked, preventing data loss even at that minute level.

What is unique about this capability is that the eavesdropper did not write anything that had ever existed before - so no content-matching engine could ever catch it - but performing "concept modeling" based on linguistic analysis can discern and block this type of communication.

After an organization has identified, categorized and protected its intellectual property by limiting who has access to it and what those trusted insiders can do with it, the only question that remains is: Can those insiders continue to be trusted? This aspect of content protection goes beyond the realm of data management and regulatory compliance into the province of security risk management. This higher level of risk management is important because once all the other controls are in place, insiders who are not transacting information properly are likely trying to steal it!

As an example, consider two reps who are in jeopardy of missing their quota and share disgruntled messages between them such as, "I'm never going to make any money here." Specialized content monitoring solutions automatically classify these activities as potential pre-resignation behaviors. These events justifiably raise the suspicion that these employees may try to send their customer lists or other confidential information outside of the company. Since these behaviors have been observed well before any violation has occurred, management can proactively restrict the scope of data that these suspect employees are allowed to access to reduce the risk that it will be misappropriated.

Using linguistic, contextual and behavioral analyses, content monitoring solutions gain significant insight into the language people use in their communications, the types of Web sites they visit, and the information they view on those sites. As these behaviors are logged, they can generate instant management alerts. The most serious events can immediately trigger automatic forensic scans of users' desktops and laptops to discover all of the sensitive information they contain. The events and all of the associated contextual information - such as the complete thread of exchanged messages and the actual screen displays of Web sites users have accessed - can be collected for potential disciplinary or legal action. Figure 4 shows how some common precursor behaviors can reveal probable intent, enabling organizations to act before violations occur.

Figure 4. Observable precursor behaviors that can signal predispositions, probable intent, or plans to commit content policy violations.

During Violations: Isolation and Prevention

Regardless of whether a violation is an inadvertent error, lapse in judgment or premeditated act, the instant that a potential violator clicks "send" a window of time is opened for that data to move across the organization's network. This is the period described as "during" a violation when companies have the opportunity to recognize that a violation has occurred and exert some form of control over it.

At the risk of stating the obvious, only violations that are detected can be blocked or otherwise controlled, so it is imperative that a solution be put in place that will identify the highest possible percentage of probable violations.

Once violations are detected, specialized content monitoring solutions provide a flexible set of automated dispositions so that security staff is not overwhelmed with easily correctable inadvertent violations. This enables them to focus on violations and attempted violations that have a significant economic or business impact. Figure 5 illustrates the timeline of actions on data-in-motion during a violation or potential violation.

Figure 5. During a violation or attempted violation, content monitoring solutions classify data-in-motion, apply policy rules and automatically take the appropriate control actions.
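The disposition step in that timeline, as an added example that is not Vericept's code or part of the original article: a classified event is routed to one of the three automated outcomes the text names (automatic encryption of a permitted communication, enforced self-compliance with an auditable justification, or block-and-alert with a forensic scan for the serious cases), and every decision lands in an audit record. The two-level severity scale, the authorized-domain table, the watch list and all addresses are assumptions.

```python
# Added example (not Vericept's code): automated dispositions applied while a
# flagged message is still on the network. Policy tables are assumptions.
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Disposition(Enum):
    ALLOW_ENCRYPTED = "allow_encrypted"           # permitted communication, auto-encrypted
    SELF_COMPLIANCE = "enforced_self_compliance"  # user reviews or justifies the action
    BLOCK_AND_ALERT = "block_and_alert"           # message held, security staff alerted


@dataclass
class Event:
    user: str
    recipients: list[str]
    data_class: str   # classification assigned by the content engine
    severity: str     # "low" or "high" (assumed two-level impact scale)


@dataclass
class Outcome:
    disposition: Disposition
    delivered: bool
    justification: Optional[str] = None
    alert_security: bool = False
    forensic_scan: bool = False


# Assumed policy tables: who may receive each data class, and users already
# flagged by precursor behaviours (the "before violations" analysis).
AUTHORIZED_DOMAINS = {"financial_prerelease": {"auditor.example"}}
WATCH_LIST = {"rep2@xyz.example"}
AUDIT_LOG: list[dict] = []


def _all_authorized(event: Event) -> bool:
    allowed = AUTHORIZED_DOMAINS.get(event.data_class, set())
    return bool(event.recipients) and all(
        r.rsplit("@", 1)[-1].lower() in allowed for r in event.recipients)


def dispose(event: Event, ask_user: Callable[[Event], Optional[str]]) -> Outcome:
    """Choose and apply a disposition. ask_user models the self-compliance
    prompt: it returns the user's justification, or None if they cancel."""
    if _all_authorized(event):
        # Inadvertent-risk case handled without staff attention: encrypt and send.
        outcome = Outcome(Disposition.ALLOW_ENCRYPTED, delivered=True)
    elif event.severity == "high" or event.user in WATCH_LIST:
        # High-impact or suspect user: hold the message and collect evidence.
        outcome = Outcome(Disposition.BLOCK_AND_ALERT, delivered=False,
                          alert_security=True, forensic_scan=True)
    else:
        # Low-impact, unauthorized recipient: let the user reconsider or justify.
        reason = ask_user(event)
        outcome = Outcome(Disposition.SELF_COMPLIANCE,
                          delivered=reason is not None, justification=reason)
    # Every decision, including the justification text, is kept for later review.
    AUDIT_LOG.append({"user": event.user, "recipients": list(event.recipients),
                      "data_class": event.data_class, "severity": event.severity,
                      "disposition": outcome.disposition.value,
                      "delivered": outcome.delivered,
                      "justification": outcome.justification})
    return outcome


if __name__ == "__main__":
    ev = Event("analyst@xyz.example", ["friend@webmail.example"], "financial_prerelease", "low")
    print(dispose(ev, lambda e: "Sending to our external PR agency per CFO approval"))
    print(AUDIT_LOG[-1])
```

The watch-list branch is what ties the "before" phase to the "during" phase: a user whose precursor behaviors have already narrowed their trust gets the strict disposition even for a low-severity event, and the justification prompt is never offered.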

After Violations: Investigation and Case Management Close the Loop

Investigation management enables security officials to rapidly know:

Figure 6. During a violation or attempted violation, superior monitoring tools classify data-in-motion, apply policy rules and automatically take the appropriate control actions.

Specialized content monitoring solutions can build case files by user name or by event class. The files are self-contained entities that store events, including the complete context around those events that constitutes relevant evidence, with annotations that document the progress of an investigation. The supporting evidence that can be captured around an event includes:

Comprehensive content monitoring solutions capture all of this evidence and automate its organization into the case files, allowing it to marshal evidence for human resources managers and legal staff to effectively confront employees who have committed serious policy violations.

Summary: Unique Methodologies Set Content Monitoring Solutions Apart

The scope of visibility, depth of analysis and pre-emptive capabilities that content monitoring solutions bring to content protection and risk management are the result of many methodologies:

  1. By automating regulatory compliance with out-of-the-box tools, even large organizations can enforce strict controls regarding their sensitive data and IP. Since the vast majority of disclosures are inadvertent, automatic encryption of permitted communications combined with enforced self-compliance solves most day-to-day compliance issues without attention from IT staff.
  2. By addressing inadvertent information disclosures with automated solutions, companies can focus on malicious information disclosures and IP theft. While a single inadvertent information disclosure can have a devastating impact, generally inadvertent disclosures are high in frequency but low in economic impact. Malicious disclosures, in contrast, occur much less frequently but typically pose a far greater threat. Multiple detection methods include linguistic analysis that identifies protected content even when it is described in entirely new ways, giving customers capabilities to track and block sensitive information that other products do not.
  3. By scanning all communications using linguistic, contextual and behavioral analysis, behaviors can be identified that suggest an employee may be intending to steal IP or deliberately disclose sensitive information. This extends the reach of content monitoring and control solutions into the period of time before a violation occurs. Content monitoring solutions can spot the probable intent of employees who are likely to misappropriate IP or engage in malicious information disclosure. This early warning enables companies to lock down data or substantially narrow the scope of proprietary content that suspect employees are able to access.

About the Author
John Amaral is Chief Technology Officer at Vericept Corporation.

© Copyright 2007 Vericept Corporation.