Data Leaks: What You Don't Know Will Hurt You

How do you know employees aren't transmitting sensitive data off your network if you're not bothering to look? How one company found a technology answer that led managers to institute new training programs and other changes.

Back in 2004, something didn’t seem right within the sales group at WebEx, the software-as-a-service Web conferencing provider. Many sales executives worried that critical competitive information, such as WebEx pricing data, might be slipping out to WebEx’s competitors before the sales force could close deals with prospective customers.

“A deal would be made [with a potential customer] by one of our competitors, and the price was right below what we were going in at,” recalls Randy Barr, CSO at WebEx, which claims 64 percent of the Web conferencing market and hosts 50,000 conferences on an average day. (Barr’s responsibilities include both physical and information security.)

That concern prompted sales department executives to ask Barr and the CIO at the time to investigate the situation. After several days of investigating (interviewing sales reps, scanning network logs and searching through sent e-mails), Barr concluded that no information had been leaked.

However, the investigation and subsequent conversations with WebEx executives prompted all involved to wonder if there was a way that the company could actively monitor its internal networks, especially because all of WebEx’s tools are proprietary.

Barr says executives were looking for details on not just what happened yesterday on WebEx’s systems; they also wanted to understand and prevent what might happen today and tomorrow. Barr’s team revisited its sensitive data-handling procedures and set out to identify whether any vendors could help improve the gatekeeping technology behind those processes.

In Search of Safeguards

Though Barr felt confident there was no systematic data leak problem, the discussions and investigative process gave him reason for unease. “I didn’t feel confident where all the information was coming out of our network,” he says. He was also concerned that it was “taking us such a long time to investigate the request.” Depending on the request, investigations such as the sales team one could take half a day to a couple of days, and he wanted to speed that process up. In addition, Barr worried about tracking not only the WebEx documents that he knew existed but also the “documents that we don’t know exist.”

Barr isn’t alone. During the past three years, spectacular data-handling transgressions and subsequent compliance and regulatory mandates have lit a fire under CIOs and CISOs to protect their digital borders from both insider threats and outside malcontents. In addition, there’s been a big push to safeguard companies’ intellectual property, says Paul Proctor, a research VP at Gartner who tracks vendors in the content monitoring and filtering (CMF) and data loss prevention (DLP) market.

There are many vendors now in the CMF/DLP space, according to Gartner research. In addition to the network monitoring capabilities of these vendors’ products, Proctor says “the value is the identification of bad business practices, and visibility into things you are doing to yourself that you didn’t know were going on—that, for example, sensitive information is being abused.”

Still a New Field

According to a recent Gartner report, the market “for content monitoring and filtering and data loss prevention technologies is maturing rapidly but remains fundamentally adolescent.” Here is a sampling of the market leaders.

Vericept

Vontu

Websense

Reconnex

Tablus

Code Green Networks

SOURCE: Gartner report on content monitoring, filtering and data loss prevention, 2007.

WebEx ended up purchasing Reconnex’s iController appliance product. iController first registers all of WebEx’s proprietary content, deriving “signatures” (digital fingerprints that correlate to sensitive company data) from it. It then monitors network traffic for that content and alerts Barr when a signature turns up somewhere it should not, or when anything else out of the ordinary is happening with that content.

At WebEx, sensitive data includes “anything that would lose our competitive advantage,” Barr says. This includes proprietary product information or strategies, as well as sales lead data.

Reconnex’s promise, according to Faizel Lakhani, the company's VP of products and marketing, is that once deployed on customers’ systems, the technology will build a map and show companies what’s happening on their networks: where financial statements, Social Security numbers and intellectual property data reside and where they are going.

Flashing Spotlights on the Network

Because IT managers have so many blind spots into what’s actually transpiring on their networks these days, turning on a network monitoring appliance can be quite surprising. With the iController appliance in place, Barr says, “we went through I don’t know how many different emotions during the first 24 hours: We were happy and excited that the device worked; stunned at what we saw; scared at what we were going to do; then relieved that we had the right device to provide that visibility that we never had before.”

With all that new visibility into WebEx’s network, however, Barr and his colleagues came upon a common problem. “My concern was: What do we do with all that information?” Barr says.

In fact, this is a dilemma that stumps many companies, says Gartner’s Proctor. “If you go looking for sensitive information, you’re going to find it,” he says. “Then what are you going to do about it?” As an example, Proctor describes a healthcare vendor that was sending out real patient data to demonstrate its product. If the company blocked this practice, however, the sales force wouldn’t be able to close its sales deals. Also, if a monitoring product sent alerts when any sensitive information went outside the company’s networks, the system “would be lighting up like a Christmas tree,” Proctor says. And if the company ignored it altogether, then executives could face huge HIPAA-related sanctions and customer backlash if they got caught.

“If the business is not willing to change, then organizations will have trouble getting value out of these [vendor] products,” Proctor says. “And if you’re not willing to change, you’re just wasting your money.”

Making Use of What You Learn

At WebEx, there was a concerted effort to change, and to use the incidents and violation scenarios that the iController found to better educate employees about security risks by providing actual examples of inappropriate actions. Like most companies that turn on a network monitoring product, WebEx found that the “majority of incidents are related to employees making a mistake,” says Barr.

For example, some WebEx employees who worked from home sometimes sent unencrypted documents containing proprietary information to their home e-mail addresses. Other employees would occasionally send their user names and passwords over the network. Both practices violated company appropriate-use policies, and the new system quickly alerted Barr to the problems so that he could take action.

Now, not only does Barr’s group follow up on each incident, but his team also counsels those involved to show them what they did wrong and how it could have affected the company’s security, through what he calls a mini security-awareness program. “We remind them of our policies, what their obligations are and what tools we have in place to monitor [their actions],” he says. “We also show them what [the policy] is that they violated or had the potential to violate.”

Barr has incorporated the real-life events (such as an employee who sent her user name and password information through her AOL account) into new-hire and ongoing training programs, which he thinks is critical. “It helps put some perspective on how the actual incidents did occur and how it relates to them in their day-to-day jobs,” he says. “They can see themselves in a potential violation situation, and they might relate to it more than just talking about policies.”

His team has worked with HR and legal to revise document management policies to better protect sensitive information. All this ensures that employees “learn from the mistakes of others,” Barr says. In addition, WebEx, like many companies, informs employees that the company has the ability to monitor network, chat, Web-mail and e-mail traffic to detect offending signatures. One such signature is the word “confidential” appearing in an e-mail, which triggers an alert in the iController system.
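As an added illustration (not Reconnex’s product or any WebEx code), the following Python script sketches the three detection mechanisms the article describes: registering proprietary documents and recognizing copied fragments by fingerprint, a keyword signature such as “confidential,” and a check for user names and passwords sent in cleartext, applied only to mail headed for addresses outside the company. The company domain, the shingle width and threshold, and the sample documents and messages are all constructed assumptions for the example.

```python
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumptions for this example (not from the article): the company's mail
# domain, the shingle width and the match threshold are all illustrative.
COMPANY_DOMAINS = {"example.com"}
SHINGLE_WORDS = 5        # consecutive words hashed into one fingerprint "shingle"
MATCH_THRESHOLD = 3      # matching shingles needed before a document is reported
KEYWORDS = ("confidential", "internal only")
CREDENTIAL_RE = re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+")
WORD_RE = re.compile(r"[a-z0-9$%]+")


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str


@dataclass
class Alert:
    subject: str
    kind: str          # "fingerprint", "keyword" or "credential"
    detail: str
    external: list     # recipients outside the company domains


def shingles(text):
    """Hash every run of SHINGLE_WORDS words; a copied excerpt shares most hashes."""
    words = WORD_RE.findall(text.lower())
    for i in range(len(words) - SHINGLE_WORDS + 1):
        chunk = " ".join(words[i:i + SHINGLE_WORDS]).encode()
        yield hashlib.sha256(chunk).hexdigest()[:16]


class ContentMonitor:
    def __init__(self, company_domains=COMPANY_DOMAINS):
        self.company_domains = {d.lower() for d in company_domains}
        self.registry = defaultdict(set)   # shingle hash -> registered document names

    def register_document(self, name, text):
        for h in shingles(text):
            self.registry[h].add(name)

    def external_recipients(self, msg):
        return [r for r in msg.recipients
                if r.rsplit("@", 1)[-1].lower() not in self.company_domains]

    def scan(self, msg):
        """Return the alerts a message raises; purely internal mail is left alone."""
        external = self.external_recipients(msg)
        if not external:
            return []
        text = msg.subject + "\n" + msg.body
        lowered = text.lower()
        alerts = []
        for kw in KEYWORDS:                       # keyword signature
            if kw in lowered:
                alerts.append(Alert(msg.subject, "keyword", kw, external))
        hits = defaultdict(int)                   # registered-content fingerprint
        for h in shingles(text):
            for doc in self.registry.get(h, ()):
                hits[doc] += 1
        for doc, n in sorted(hits.items()):
            if n >= MATCH_THRESHOLD:
                alerts.append(Alert(msg.subject, "fingerprint",
                                    f"{doc} ({n} matching shingles)", external))
        if CREDENTIAL_RE.search(text):            # cleartext credential
            alerts.append(Alert(msg.subject, "credential",
                                "password-like token sent in cleartext", external))
        return alerts


# Constructed sample data; not real WebEx documents or mail.
PRICING_MEMO = ("Q3 enterprise pricing: the standard meeting seat is $49 per host per month, "
                "volume discounts start at 250 seats, and the floor price for renewals is $41.")

SAMPLE_MESSAGES = [
    Message("rep@example.com", ["rep.home@aol.com"], "pricing sheet",
            "Here's the pricing sheet for tomorrow: the standard meeting seat is $49 per host "
            "per month, volume discounts start at 250 seats."),
    Message("rep@example.com", ["rep.home@aol.com"], "login details",
            "My login is jdoe, password: Summer2007 in case you need to get in from the house."),
    Message("pm@example.com", ["partner@othercorp.com"], "Confidential: draft roadmap",
            "Draft attached, please do not forward."),
    Message("pm@example.com", ["eng@example.com"], "Q3 pricing",
            "CONFIDENTIAL - " + PRICING_MEMO),
]


def run_demo():
    """Register the memo, scan the samples; returns {subject: [(kind, detail), ...]}."""
    monitor = ContentMonitor()
    monitor.register_document("pricing memo", PRICING_MEMO)
    return {m.subject: [(a.kind, a.detail) for a in monitor.scan(m)] for m in SAMPLE_MESSAGES}


if __name__ == "__main__":
    for subject, found in run_demo().items():
        print(subject, "->", found or "clean")
```

Scanning only mail with an external recipient is the design choice Proctor’s “Christmas tree” remark argues for: the internal copy of the memo, keyword and all, produces nothing, while the excerpt mailed to a home address is caught by fingerprint even though it never uses the word “confidential.” The keyword rule alone is the noisiest of the three and is mostly useful, as at WebEx, for reminding staff what the policy says.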

Three years after the sales-force incident, Barr and his fellow executives feel much more comfortable about how they plan for and deal with network security. Barr cites decreases over the past three years both in the time it takes to complete an investigation (such as the sales-force one) and in the number of violations and potential violations. He declines to give specifics, but he attributes the improvements to employees’ better understanding of WebEx’s processes and to increased awareness of security risks.

Still, if and when somebody does slip up, Barr will know about it. “If it leaves our network,” he says, “we’re going to know it’s going.”

Copyright © 2007 IDG Communications, Inc.