
Case Study: Data loss prevention takes a catch

A new DLP tool paid for itself within days.


Our intrusion-detection sensors give us about 40 percent coverage of our network, but we lack the manpower to pay proper attention to them.

With only two network engineers - whose time is consumed with managing firewalls, the virtual private network, RSA SecurID tokens and the like - it's difficult for us to get the full benefit of those sensors, which need to be tuned to decrease false positives. They do provide meaningful information, especially when an incident occurs that prompts us to monitor network traffic more closely.

So, I've been sceptical about data loss prevention (DLP) technology, which seems to share many characteristics of an intrusion-detection system (IDS). For example, DLP technology needs to be tuned to be most effective. On the other hand, it looks deeper into network traffic than a traditional IDS and is able to detect sensitive data leaving the network.

I was sceptical when I met with representatives of Reconnex. Still, its DLP product was feature-rich, and the promise that it could detect even small portions of data leaving the network was intriguing.

For that to happen, you have to first feed data to the Reconnex product. For example, if I load an entire directory of source code, it will be able to alert us should an engineer cut and paste even a small portion of it into a Yahoo email message.
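To illustrate how registered content can be matched from a small pasted fragment, here is an added example (not from the article and not Reconnex's algorithm, which the article does not describe). It assumes word-shingle hashing; the file name, sample text, shingle size and threshold are all constructed for illustration.

```python
import hashlib
import re

K = 8  # tokens per shingle (assumed; smaller catches shorter pastes but adds noise)

def shingles(text, k=K):
    """Hash every run of k consecutive tokens; whitespace and punctuation are ignored."""
    toks = re.findall(r"[a-z0-9_]+", text.lower())
    return {
        hashlib.sha256(" ".join(toks[i:i + k]).encode()).hexdigest()[:16]
        for i in range(len(toks) - k + 1)
    }

class FingerprintIndex:
    """Holds fingerprints of protected documents, not the documents themselves."""
    def __init__(self):
        self.index = {}  # shingle hash -> names of registered documents

    def register(self, name, text):
        for h in shingles(text):
            self.index.setdefault(h, set()).add(name)

    def scan(self, outbound, min_hits=3):
        """Return {document: matching shingles} for documents with >= min_hits matches."""
        hits = {}
        for h in shingles(outbound):
            for name in self.index.get(h, ()):
                hits[name] = hits.get(name, 0) + 1
        return {n: c for n, c in hits.items() if c >= min_hits}

# Constructed sample of a protected source file.
SOURCE = """
int calibrate_sensor(int raw, int offset) {
    int adjusted = raw - offset;
    if (adjusted < 0) adjusted = 0;
    return adjusted * GAIN_NUM / GAIN_DEN;
}
"""
# Constructed webmail body: part of the function pasted onto one line.
PASTED = ("Hi, saving this for later: int adjusted = raw - offset; "
          "if (adjusted < 0) adjusted = 0; return adjusted * GAIN_NUM / GAIN_DEN; thanks")
# Constructed benign message that shares topic words but no code.
BENIGN = "Reminder: the sensor calibration review meeting moved to Thursday at 3pm in room 4"

def demo():
    idx = FingerprintIndex()
    idx.register("sensor_fw.c", SOURCE)
    return idx.scan(PASTED), idx.scan(BENIGN)

if __name__ == "__main__":
    print(demo())
```

The `min_hits` threshold is the tuning knob: set too low, common boilerplate such as licence headers triggers alerts; set too high, short pastes slip through.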

We decided to pilot a limited deployment of the Reconnex technology on our network.

The pilot was timely. A few days after installation, I was asked to determine whether any employees were leaking information related to an acquisition the company was contemplating. We fired up the Reconnex management console and created a rule that would flag any network traffic containing certain keywords associated with the acquisition. After a couple of days, no hits were recorded on that rule, but something else popped up that was extremely alarming.

When they installed the Reconnex tool, my security engineers experimented with various rules. They created one to watch for design documentation files on the network, and that's the rule that triggered the alert: An employee had uploaded a computer-aided design document to his personal Yahoo Briefcase storage account.

Not knowing much about design documents, I forwarded a copy of the file to an engineering manager, who explained that this particular document is for the design of one of the very sensitive, proprietary sensors we manufacture. It's a design that any of our competitors would love to get their hands on. As it turns out, the employee who had uploaded this document had given his notice a few days earlier. My adrenaline was rushing.

This was when, as far as I'm concerned, Reconnex paid for itself.

It lets you go back and review captured network traffic. At this point, we had about a week's worth of network traffic. We created a new rule that let us see all network activity during that time related to the departing employee. Even more than before, the results were alarming. He had been using email and Yahoo Briefcase to copy design documents and source code for some of our flagship products. We probably would never have known if we hadn't been piloting this product that I had been lukewarm about at the beginning.

I had the employee's desktop confiscated and contacted human resources and the legal department. I wanted this guy out of the company immediately, and I wanted our intellectual property back.

Right now, we're deciding whether to call in local law enforcement officials. I'll keep you posted.

This journal is written by a real security manager, Mathias Thurman, whose name and employer have been disguised for obvious reasons.

