SECURITY INSIGHTS ARTICLES
Hot on the Trail of Confidential Data
Leakage of confidential information—customer credit card data, intellectual property, or employee social security numbers—can rock your world. A single USB drive, iPod, printed document, or Microsoft® Outlook email message that ends up in the wrong hands—accidentally or deliberately—can have devastating consequences for your organization. Worst-case scenarios include compliance penalties, loss of customer loyalty, or damage to your reputation and credibility. According to a recent report issued by the Gartner Group, "we seem to be in the midst of a 'data loss epidemic,' with tens of millions of individuals receiving data loss notification letters this year." [Source: Gartner, Inc., July 12, 2006, "Top Five Steps to Prevent Data Loss and Information Leaks," by R. Mogull.]
What kinds of controls and data tracking technologies should you look for in a data loss prevention solution to prevent sensitive information from walking out the door and inviting catastrophe?
Monitoring and scanning email is something that can be handled by gateway data loss prevention (DLP) solutions that inspect specific protocols such as SMTP and HTTP. But how do you prevent employees from accidentally or deliberately copying confidential data to portable devices, such as USB drives and iPods, or sending sensitive documents to printers and fax machines? The key is a DLP solution that monitors and controls all avenues of data transit—at the desktop as well as the network. Endpoint control can only be achieved through agents that oversee authorized users—online and offline—because they actively enforce policies and analyze data flow on the fly. Agent-based data loss prevention solutions follow the transit of sensitive data from one document to another and protect it within the natural flow of legitimate business activities and processes.
Agents, of course, need to know how to spot confidential data so that they can do their detective work. The McAfee Data Loss Prevention solution—which addresses information leakage at both the host and the gateway level—uses two techniques to identify and analyze confidential data: tagging and fingerprinting. Tags, which are inserted in document headers, are a low-overhead way of tracking and monitoring confidential data files and documents. Tags identify three types of information about the data: (1) storage location (server and directory); (2) the application used to generate the data, such as SAP, Business Objects, or Microsoft Excel; (3) keywords or patterns in the document, such as "company confidential" or strings of digits in a particular format that designate social security numbers or credit card numbers. Tags are invisible to users but invaluable to agents, which can recognize sensitive data immediately when an action is performed that may result in information leakage.
In addition to tagging, the McAfee DLP solution implements two types of fingerprinting. In general, fingerprinting examines the content in more detail, looking at words, terms, and character patterns. An algorithm creates signature hashes from chunks of this content and stores the hash tables in a database, which resides inside the firewall, along with classification information gathered from tags.
McAfee's DLP solution is unique in that it combines two fingerprinting techniques that together give more accurate detection. Fine fingerprinting looks at multi-character chunks of content and detects information that is copied and pasted into emails, for example, or anywhere else for that matter. It is precise and can detect confidential information down to the paragraph level. Compact fingerprinting looks at the file as a whole and takes a hash. It detects up to 80 percent of the content of the file that is being transmitted, making it a lightweight but accurate method of protecting entire files, or files that only pose a risk if transferred in their entirety (e.g., an executed contract). Fingerprinting can be scheduled for regular updates. It adds more information to the hash table database when a document is modified or when new documents are added to file locations, and then pushes the information to gateway appliances, servers, and endpoints.
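The sketch below is an added illustration and not McAfee's code (the page does not describe the product's actual chunk size or hash function); it models the two fingerprinting techniques in Python with assumed parameters: fine fingerprinting as SHA-256 hashes of overlapping five-word chunks, compact fingerprinting as one hash over the normalized whole file, checked against a constructed confidential document and constructed outbound messages.

```python
import hashlib
import re

# Constructed sample "confidential" document (not from the page).
CONFIDENTIAL_DOC = (
    "Company confidential. The merger with Acme Corp closes on the first of "
    "next quarter. Projected synergies total 14 million dollars in the first "
    "year. Board approval was obtained at the March session."
)


def _words(text):
    """Normalize text to lowercase word tokens so that case and punctuation
    changes do not defeat the fingerprint."""
    return re.findall(r"[a-z0-9]+", text.lower())


def fine_fingerprint(text, k=5):
    """Fine fingerprinting (assumed chunking): hash every overlapping run of
    k words, so a pasted paragraph still matches the original's chunks."""
    words = _words(text)
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
        for i in range(len(words) - k + 1)
    }


def compact_fingerprint(text):
    """Compact fingerprinting: a single hash over the normalized whole file."""
    return hashlib.sha256(" ".join(_words(text)).encode()).hexdigest()


def build_database(docs, k=5):
    """The hash-table database: chunk hashes and whole-file hashes of every
    document that has been fingerprinted."""
    return {
        "fine": {h for d in docs for h in fine_fingerprint(d, k)},
        "compact": {compact_fingerprint(d) for d in docs},
    }


def inspect_outbound(db, text, k=5, min_matches=3):
    """Check outbound content (email body, file copied to USB) against the
    database. Returns (whole_file_match, matched_chunk_count, flagged);
    a transfer is flagged on a whole-file hit or on at least min_matches
    chunk hits (assumed threshold to keep false positives down)."""
    matched = len(fine_fingerprint(text, k) & db["fine"])
    whole = compact_fingerprint(text) in db["compact"]
    return whole, matched, (whole or matched >= min_matches)
```

A real deployment would tune the chunk size and threshold during the baseline period described below, since a tiny chunk size raises false positives while a large one misses short excerpts.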
When you install the McAfee DLP solution, you start off by monitoring activities in one department for a few days or a week at a time, or for any time frame that gives you a baseline of normal business activities. After reviewing detailed and summary reports of DLP violations, you can adjust the fingerprints or the policy to keep false positives to a minimum and gain a better understanding of your data loss risks.
A truly effective data loss prevention solution is complex, multidimensional, and continuous. McAfee Data Loss Prevention engages agents to constantly monitor networks and endpoints with highly sophisticated methods of identifying, classifying, and detecting data. The result is a solution that leaves no stone unturned and gives organizations a high level of confidence that they can avoid a disaster, whether because a lost USB drive containing classified documents finds its way into a criminal's pocket or because a disgruntled employee decides to send intellectual property to a competitor.