My company currently filters and monitors all incoming and outgoing corporate e-mail and has policies banning Web mail and instant messaging. What other controls do we need to protect against insider threats?
Over the last five years, most companies have made significant investments to protect their corporate e-mail systems from viruses, spam, and spyware and to address hacker attacks on the open SMTP port, including denial-of-service (DoS) and directory harvest attacks.
Now companies are adding outgoing filtering technologies to analyze the contents of the communications leaving their networks. In some cases, companies are driven by the need to comply with regulations such as the Health Insurance Portability and Accountability Act (HIPAA) or the Sarbanes-Oxley Act (SOX). In other cases, they use filtering to prevent leaks of data, including Personally Identifiable Information (PII) or Intellectual Property (IP).
Unfortunately, most outgoing e-mail scanning solutions employ ‘stone-age’ analysis techniques such as keyword or regular-expression matching that can only find fixed-format data such as Social Security numbers or specific keywords, e.g., ‘company confidential,’ included in the body of the message. These solutions cannot deal with critical content that has no fixed format, and worse yet, many cannot open attachments such as Microsoft Word or Excel documents and scan their contents for data leaks.
When companies are looking to best protect their messaging networks from insider threats, be it end-user errors in handling sensitive documents, broken business processes, or a malicious insider leaking confidential information to a competitor, they need to do three things.
The first is to identify and discover all content inside the corporate environment that represents risk before it leaves the network. This content includes all files containing PII or other IP assets; these files may be located in file shares, on laptops or desktops, or in other content repositories or databases. Once discovered, content is fingerprinted and registered to ensure it is not distributed in outgoing e-mails (or in other traffic, including IM, FTP, IRC, and more). Typical e-mail gateway products, even those designed for outbound scanning, cannot discover data at rest and protect it through a pre-populated registry of this kind.
The second is to implement deep content analysis techniques that go beyond simple fixed-format analysis, which looks only for patterns of numbers or letters. Such techniques can look inside attachments, detect the presence of foreign-language content, and look for known content types or unique identifiers that represent risk as well as for matches to pre-registered content. The right content-analysis techniques should also be multi-channel in nature, looking for risks outside of the traditional corporate SMTP flow, including SMTP traffic directed to non-standard ports (e.g., port 80) or e-mail activity on public Webmail services such as Gmail.
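The first two steps above (register discovered content, then match outgoing traffic against it while also opening attachments) can be modelled in a few dozen lines. The following is an added example written for this column, not code from the author or from any product it describes: it fingerprints constructed "data at rest" documents as hashed word shingles, walks a MIME message part by part, and reports both a fixed-pattern hit (the regex-style check the text calls stone-age) and a fingerprint hit on a partially rewritten excerpt that no keyword rule would catch. Document names, thresholds, the sample documents and the sample message are all constructed for illustration; attachments are assumed to be plain text, since parsing Word or Excel containers is out of scope here.

```python
import hashlib
import re
from email.message import EmailMessage

SHINGLE_WORDS = 5   # words per shingle; an assumption chosen for this example
MIN_HITS = 3        # shingle matches before we call it a leak; also an assumption

# Constructed stand-ins for sensitive files discovered on file shares or laptops.
REGISTERED_DOCS = {
    "q3_roadmap.docx": ("Project Falcon launch is planned for March with pricing at 49 per seat. "
                        "Acquisition of Acme Widgets to be announced after board approval."),
    "customer_list.xlsx": "Jane Doe 123-45-6789 jane@example.com",
}

# Fixed-format check: the kind of rule the column describes as 'stone-age'.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def normalize(text):
    """Lowercase, strip punctuation and collapse whitespace so cosmetic edits don't evade matching."""
    return re.sub(r"[^a-z0-9 ]+", " ", text.lower()).split()


def shingles(text, k=SHINGLE_WORDS):
    """Yield a short hash for every run of k consecutive words (a word-level k-gram)."""
    words = normalize(text)
    for i in range(len(words) - k + 1):
        gram = " ".join(words[i:i + k])
        yield hashlib.sha256(gram.encode()).hexdigest()[:16]


def register(documents):
    """Build the registry used by the gateway: shingle hash -> names of documents containing it."""
    registry = {}
    for name, text in documents.items():
        for h in shingles(text):
            registry.setdefault(h, set()).add(name)
    return registry


def scan_text(text, registry, min_hits=MIN_HITS):
    """Return findings for one piece of text: regex hits plus fingerprint matches per registered doc."""
    findings = [("pattern:ssn", ssn) for ssn in SSN_RE.findall(text)]
    hits = {}
    for h in shingles(text):
        for doc in registry.get(h, ()):
            hits[doc] = hits.get(doc, 0) + 1
    for doc, n in sorted(hits.items()):
        if n >= min_hits:
            findings.append(("fingerprint", doc, n))
    return findings


def extract_parts(msg):
    """Yield (label, text) for the body and every attachment; decodes base64/quoted-printable for us."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        label = part.get_filename() or "body"
        # Assumption: attachments are text; a real gateway would hand Word/Excel to a format parser.
        yield label, payload.decode("utf-8", errors="ignore")


def scan_message(msg, registry):
    """Scan every part of an outgoing message; returns {part label: findings} for parts with findings."""
    report = {}
    for label, text in extract_parts(msg):
        findings = scan_text(text, registry)
        if findings:
            report[label] = findings
    return report


def build_sample_message():
    """Constructed outgoing mail: an SSN in the body and a lightly edited roadmap excerpt as an attachment."""
    msg = EmailMessage()
    msg["From"] = "alice@corp.example"
    msg["To"] = "friend@webmail.example"
    msg["Subject"] = "fyi"
    msg.set_content("Can you check the account for Bob, his SSN is 987-65-4321.")
    leaked = ("FYI the Project Falcon launch is planned for March with pricing at 49 per seat, "
              "don't share.")
    msg.add_attachment(leaked.encode(), maintype="text", subtype="plain", filename="notes.txt")
    return msg


if __name__ == "__main__":
    registry = register(REGISTERED_DOCS)
    for part, findings in scan_message(build_sample_message(), registry).items():
        print(part, findings)
```

The attachment never contains the phrase "company confidential" or any fixed-format token, yet nine of its shingles match the registered roadmap, which is what the pre-registration step buys over keyword rules; the body, by contrast, is caught only by the SSN pattern, showing why both layers are needed.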
The third thing companies need to do is realize that outgoing e-mail is not the only risk point. One reason multi-channel content monitoring is important is that even though many companies put in place guidelines and training that tell employees not to use certain applications at work (some companies even lock down desktops and laptops so users cannot install custom software packages), rogue activities can still take place. And these activities represent significant risk when it comes to data leakage. Even the best, most clearly communicated company policy on appropriate use is ineffective without the tools to monitor and enforce the right behavior.

In summary, outbound content control is imperative for businesses today, whether they are trying to protect their brand and public reputation, comply with regulations, or secure the IP that is at the root of their market differentiation or competitive advantage. To guard against the insider threat and protect valuable digital assets, companies need tools that discover content at rest, perform deep inspection of content in motion, and look for risk beyond the obvious e-mail channel. Only this multi-faceted approach to information security will give companies the complete and adaptive security they require.
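To make the multi-channel point concrete, here is an added example (not from the column or any product it describes) of the kind of check a network sensor applies before any content analysis runs: it classifies flows by what the client actually sent rather than by destination port, so SMTP verbs on port 80 and HTTP requests to public webmail hosts are flagged even on a desktop where the policy forbids both. The sensor log format, the flow records, the webmail host list and the verdict labels are all constructed assumptions for this illustration.

```python
import re
from dataclasses import dataclass

# Ports where corporate SMTP is expected; SMTP seen anywhere else is treated as a rogue channel.
EXPECTED_SMTP_PORTS = {25, 465, 587}
# Assumed, illustrative list of public webmail hostnames the usage policy forbids.
WEBMAIL_HOSTS = {"mail.google.com", "outlook.live.com", "mail.yahoo.com"}

# Identify the protocol from the first client bytes, not from the port number.
SMTP_VERBS = re.compile(r"^(EHLO|HELO|MAIL FROM:|RCPT TO:)", re.IGNORECASE)
HTTP_HOST = re.compile(r"^(?:GET|POST) \S+ HTTP/1\.[01]\r?\nHost: ([^\r\n]+)", re.IGNORECASE)


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    first_bytes: str  # first client payload bytes captured by the sensor


def parse_flow_line(line):
    """Parse the constructed 'ts|src|dst|dport|payload' sensor format; newlines in payload are escaped as \\n."""
    ts, src, dst, dport, payload = line.split("|", 4)
    return Flow(ts, src, dst, int(dport), payload.replace("\\n", "\n"))


def classify(flow):
    """Return a verdict label for one flow, or None when nothing policy-relevant is seen."""
    if SMTP_VERBS.match(flow.first_bytes):
        return "smtp-expected" if flow.dport in EXPECTED_SMTP_PORTS else "smtp-on-nonstandard-port"
    m = HTTP_HOST.match(flow.first_bytes)
    if m and m.group(1).strip().lower() in WEBMAIL_HOSTS:
        return "webmail-policy-violation"
    return None


# Constructed sample sensor output: one legitimate gateway session, one SMTP session smuggled over
# port 80, one webmail login, and one ordinary intranet request.
SAMPLE_LOG = """\
2024-05-01T09:01:00|10.1.2.3|192.0.2.25|25|EHLO corp-gw.example\\n
2024-05-01T09:02:10|10.1.2.44|198.51.100.9|80|EHLO laptop44\\n
2024-05-01T09:03:05|10.1.2.44|203.0.113.80|80|GET /mail/ HTTP/1.1\\nHost: mail.google.com\\n
2024-05-01T09:04:00|10.1.2.50|203.0.113.81|80|GET /index.html HTTP/1.1\\nHost: intranet.example\\n
"""


def find_rogue_channels(log_text):
    """Run the classifier over every record and return (src, dport, verdict) for the ones worth alerting on."""
    alerts = []
    for line in log_text.strip().splitlines():
        flow = parse_flow_line(line)
        verdict = classify(flow)
        if verdict and verdict != "smtp-expected":
            alerts.append((flow.src, flow.dport, verdict))
    return alerts


if __name__ == "__main__":
    for alert in find_rogue_channels(SAMPLE_LOG):
        print(alert)
```

Both alerts come from the same host on port 80, which a port-based e-mail gateway would never inspect; in practice the flagged flows would be handed to the content scanner rather than just logged, so that the registered-content and attachment checks apply to every channel and not only to the corporate SMTP path.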