The information security officer for a network of healthcare centers in New York found an employee sending confidential payroll information to a recruiter. A California-based semiconductor manufacturing technology provider caught a worker e-mailing PowerPoint slides detailing product plans to a former colleague at a competitor to show off the "cool things" he was working on. A network administrator for a school district in Indiana nabbed a student trying to finagle school lunch account information stored on an off-limits server.
These are just some of the things you can learn when you take a good look at what goes on inside your network.
"Oh, you'd be surprised," says Mark Moroses, senior director of technical services and information security officer with Maimonides Medical Center, who found an employee instant-messaging payroll information -- including social security numbers -- to a recruiter.
That discovery came about three years ago when Maimonides was looking for a way to better control who was accessing what on its network, per HIPAA specifications and also because the company has to give network access to users who aren't employees, such as referring doctors. Maimonides brought in security vendor Reconnex, which set up a risk assessment test that monitored the network for 48 hours.
"It's an eye-opening experience," Moroses says of the test. Having found numerous instances of questionable employee productivity (extended visits to Myspace.com, for example) as well as some policy breaches, the company installed Reconnex's electronic risk protection offering to monitor employee interaction with the outside world, and is now leveraging the product to ensure that employees are only accessing the internal information that they are authorized to view.
"We've gone through an awakening in stages. We put [Reconnex] at all our egress points because we wanted to know what's going out, what's coming in ... it leads you to ask questions about what's going on internally, people accessing internal data," Moroses says. "We've looked at the edge, now we're looking internally."
Reconnex is one of a handful of vendors that make up a relatively new area in the security market that also includes vendors such as Oakley Networks, Vontu, Vericept, PortAuthority Technologies, Securify, Tablus, and others.
Known by a variety of names, including network content filtering/control, network leak prevention, extrusion prevention, and risk protection, this category is largely defined by products that monitor multiple network protocols, using sophisticated word analysis and automated data discovery techniques to alert administrators when sensitive information is being accessed by unauthorized employees and/or sent outside of the network. As these products mature, vendors are adding the ability to block sensitive information from being viewed or sent out of the network.
While having such a view into your network sounds as good as a superpower, there are trade-offs.
First, there are the upfront costs; typical configurations for these tools -- most of which are appliances loaded with specialized software -- generally start between US$25,000 and US$50,000. In the defense-in-depth model, a popular way to describe the multiple layers of information security required in and around an organization, these tools are secondary to perimeter products such as firewalls and intrusion-detection systems, which are required to keep unauthorized users off a network.
Then there's the time and energy required to customize these tools so that they understand what an organization deems sensitive.
"In advance of using this kind of tool, you really have to decide what to use it for, what nuggets [of information] are you looking for, because these tools really will give you everything," says Tom Scocca, investigator and global security consultant for a large provider of microprocessor manufacturing technology, which has about 17,000 users on its network. The company uses Oakley Networks' CoreView appliance, and Scocca says the vendor was very helpful in tuning the product to meet its needs.
But still the company needed to decide what its crown jewels were before the tool could be effective, Scocca says.
"If you don't have any idea about what's important to your company's bottom line, then this is just a fancy tool to let you know what's traveling across the wire," he says.
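The content inspection described above, reduced to a small added example (not code from any vendor named in the article): it looks for Social Security numbers in outbound message bodies, alerts on a bare match, and blocks when payroll terms appear nearby. The term list, context window, alert/block policy and sample messages are assumptions made for illustration, and the input is assumed to be message text already reassembled from the wire.

```python
import re

# Assumed policy: this organization treats SSNs in payroll context as a crown jewel.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
PAYROLL_TERMS = ("payroll", "salary", "social security", "w-2")
WINDOW = 80  # characters of surrounding text checked for payroll terms


def plausible_ssn(area, group, serial):
    """Drop number ranges never issued as SSNs, which cuts false positives."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def inspect(text):
    """Return (action, findings) for one reassembled outbound message body."""
    findings = []
    lowered = text.lower()
    for m in SSN_RE.finditer(text):
        if not plausible_ssn(*m.groups()):
            continue
        context = lowered[max(0, m.start() - WINDOW):m.end() + WINDOW]
        findings.append({
            "masked": "***-**-" + m.group(3),  # never log the full value
            "terms": [t for t in PAYROLL_TERMS if t in context],
        })
    if not findings:
        return "allow", findings
    # A bare match only alerts; a match corroborated by context is blocked.
    corroborated = any(f["terms"] for f in findings)
    return ("block" if corroborated else "alert"), findings


# Constructed sample traffic: (protocol, message body). Not real data.
SAMPLES = [
    ("im", "here's the payroll sheet you asked for: J. Roe 123-45-6789"),
    ("smtp", "Your order reference is 987-65-4321, shipping Monday."),
    ("http", "ticket 123 45 6789 reopened by user"),
]


def scan(samples):
    """Apply the same content policy to every protocol's messages."""
    return [(proto, inspect(body)[0]) for proto, body in samples]


if __name__ == "__main__":
    for proto, action in scan(SAMPLES):
        print(proto, action)
```

Changing `PAYROLL_TERMS` and the alert/block rule is the tuning step the article describes: the detector is only as useful as the definition of "sensitive" it is given.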