Tuesday, January 22, 2008

Late thoughts from CES - data leakage via gumdrops

A friend of mine just returned from the Consumer Electronics Show, where he saw NBC giving away 2GB flash drives at its booth in return for a badge swipe!

I remember when flash drives first came out: 8 or 16MB cost more than $100, and people gladly paid it. The price point has hockey-sticked downward, and with it, demand for more and more storage that fits in your pocket has skyrocketed. To me, however, there’s a more important focus: when 2GB flash drives are being tossed around like gumdrops, it means that the means of preventing access to files have to be rethought. And I’m not just thinking of flash drives.

The cat-and-mouse game that infosec pros have played with the bad guys has now extended to the good guys as well. It’s not a matter of them trying to do something wrong, per se...it’s all a matter of convenience to the people inside an organization. If you gum up their USB ports to prevent the use of thumb drives, they’ll will use Gmail...or Hotmail. And if you block those sites, they’ll use another site you don't even know about until too late. (Has anyone seen YouSendIt.com?)

No, files leaving the cozy confines of the company cannot be totally controlled. However, if the files were protected, we may have a chance. Makes me believe that a data-centric approach to protection of information is an absolute must.... And through a combination of encryption, access control and retention. So that the information stays protected, even if there are more ways and means than ever before to gain access to the files.

Now, if anyone can figure out a way to load (or "leak") one of those 150” diagonal plasma screen TVs my friend saw at CES onto that 2GB flash drive, let me know. :)

Friday, January 18, 2008

Can security improve your bottom line?

Interesting question - and lots of opinions, I bet. Just read this interesting article on Network World where EMC's CSO, Roland Cloutier, argues for the proposition. To quote Roland...

“I challenge the theory that [security] is a necessary evil and I believe that if you do security well as part of your business processes that you will become a more competitive company..”

Notice the emphasis on business processes - this is where the real benefits come in. Security in itself can make you feel safer doing business, but the combined investment in security, infrastructure, business processes etc are what will make you stand out from the competition. Patrick had discussed how this applies in the context of PCI and comparing it to the benefits realized by companies who invested in Y2K.

At the end of the day I think well implmented security reduces transaction costs in business, reduces disruptions and therefore will be beneficial to the bottom line.

Now, all we have to do is quantify it! Hmm.. that might be a much harder challenge..

Wednesday, January 16, 2008

Wireless holes - protecting retailers from themselves

Interesting article in Network World on some of the holes many retailers have in their wireless infrastructure. Apparently, wireless security company AirDefense walked around New York City and ran their analyzer against many small retailers. They found that over a third did not have even basic and easily hacked WEP protection!

According to the article:

"..access to the unprotected access points and unencrypted traffic -- spilled well beyond the walls of the store. Attackers could set up shop outside, snoop on the WLAN traffic, and collect MAC addresses and other data that could be used to hack deeper into the store’s net, servers and data. "

Apparently the TJX scenario has not yet put feet to the fire for smaller retailers! Now, I agree that some technology solutions can be expensive - but surely, using inbuilt protection all wireless products come with can't be that hard?

Tuesday, January 15, 2008

Data-breach laws and business concerns

Seems like data-breach laws are getting expansive - California law now requires notification of leaked medical information.

Others, such as Massachusetts, are having a harder time convincing businesses. I do understand the challenge small businesses have - some of the security solutions they need to implement can be expensive. Howeever, the solution is not just technology. Better processes and compensating controls for small organizations will go a long way in reducing threats.

All this brings into focus the need for a national, standardized law. Our CEO, Patrick McGregor had some interesting points to make on this subject in this SC Magazine article.

Friday, January 11, 2008

To collaborate or not - this is NOT the question.

Just came across this interesting article in Network World by Kurt Johnson - Control Collaboration, don't inhibit it. No doubt concerns from Web2.0 and social media security risks also weighed in...

The article argues about best practices and has some good suggestions - however, I feel that the core challenge was not fully addressed. How do we really let data go free, but control it?

There are technology solutions (perimeter security, anti-malware, access control), process solutions (compliance - the challenge of managers now becoming compliance police? I doubt whether they would want to take on that responsibility) and people solutions.

The one aspect not touched upon explicitly is the data-centric perspective on meeting these challenges. I am a firm believer in de-perimeterization and think that we have to get to more granular controls at the data level with policies around encryption, access control and retention to effectively deal with these challenges.

Wednesday, January 9, 2008

Data leakage and being proactive about it..

My colleague, Hugh, has an interesting point in his article on keeping barrels out of the water. I agree that by the time information is out on the network and the IT Security folks don't know whether the data is sensitive or not, the battle is nearly lost. Access control and protection are vital. However, I also think classification is a huge issue as well.

Which brings us back to understanding data in an organization being the "a stitch in time" approach. We need to be able to classify, and identify interesting data. Don't get me wrong - this is a hard problem to address. Too much data, information about them being distributed, end users not being reliable to classify it, the changing business dynamics changing what is sensitive from day to day - all of these make it feel like a Herculean task. Nick Selby from the 451 Group also participated in an interesting Q&A on this.

Maybe the better approach is - start small (as always!). Much of it will be process focusses with help from the technologies currently emerging in this space. Be interesting to see how this area evolves in the future....

Sunday, January 6, 2008

What’s next in Data Leakage Prevention - Keeping your barrels out of the water

I recently attended the SANS WhatWorks in Stopping Data Leakage and Insider Threat Summit in Orlando. The Summit included a variety of sessions where vendors, industry experts, and end users talked about their experience with Data Leakage Prevention (DLP) products. There were also plenty of networking opportunities to talk one on one with presenters and peers. I applaud SANS on the program and highly recommend the WhatWorks series to anyone looking to implement one of the featured technologies.

The Summit provided me the opportunity to learn more about the various types of DLP products on the market today and while there is not one product that is right for every company, I liked what I heard from Vericept and Tablus. Vericept has one of the more mature products in this space and Tablus is poised to have a big impact as it is integrated into the RSA product suite.

There are different approaches to the data leakage problem. For example, some vendors sit at the edge of the network while others deploy an agent to the endpoint. Rich Mogull has an excellent whitepaper on how to choose a DLP solution. The one thing that all of the solutions have in common is that they are designed to keep sensitive data from leaving the enterprise or, as one presenter described it, to keep the barrels from going over the falls. He went on to say that while this is important, the best way to protect your data is to keep the barrels out of the water in the first place.

Data Leakage Prevention products solve a real problem today but you can expect much more than data monitoring and blocking from your DLP vendor in the future. In addition to monitoring outbound traffic, many DLP products are good at finding unstructured data much like a search engine and then classifying it as sensitive or top secret based on the criteria that your business outlines. While this requires various amounts of tuning and configuration, you will get a better understanding of where your sensitive data resides and who is using it.

However, finding and classifying your data is not enough. Forward looking DLP vendors are extending their products and developing partnerships to help you protect and manage the data they discover. These vendors are looking to implement data control polices to enforce access rights, the use of encryption, retention schedules, and even a time for the data to self destruct. This data-centric approach will allow companies to enforce their paper polices on electronic data and reduce the risks associated with the growing volumes of unstructured data.

The best way to protect your data is to manage it. You can spend a lot of time and energy trying to stop the barrels from going over the falls or you can keep the barrels out of the water in the first place by controlling access and enforcing usage polices.

Looking for more information about what DLP solutions can do for you? Check out what Nick Selby of The 451 Group has to say on his blog. Two of his recent posts on this topic are ADL doesn’t cure piles, either and Tying the Business Problem of Data Leakage to IT Processes - recovering from the deer-in-the-headlights moment.