ILP: Intelligent leak prevention?

Websense | www.websense.com


Earlier in the year Nationwide in the UK was fined nearly a million pounds after an employee lost a laptop that contained sensitive data. FST spoke with Mark Murtagh, Product Director at Websense, who explained how new technology can aid firms in the battle against information leaks.

FST. Information leak prevention (ILP) is a hot-topic in IT security. Can you outline the main forms of data leak in the enterprise?
MM. There are three main types of incidents that might occur in an enterprise, ranging from unintentional to intentional. The first, unintentional leaks by non-malicious users, can happen when, for example, users accidentally expose confidential company information. Users can be completely unaware that they have done anything wrong.

The next is the intentional non-malicious user. Here, an employee might upload some data to their personal e-mail account so they can work on it from their home PC. They know they’re circumventing some form of policy, but there is no malicious intent. Unwittingly, they’re placing that data at risk.

And then the last element is with malicious intent. An example of this could be an individual who is leaving an organisation, and who chooses to deliberately take sensitive information with them, or an external attack where a hacker is trying to compromise data security, possibly for corporate espionage.

FST. And of these, which is the most prevalent in financial services?
MM. Probably the most common is the unintentional leak; a mistake made by an employee. An example is what happened earlier this year with Nationwide. A non-malicious employee had confidential data stored on a laptop and it was stolen from their car.

Another common type of scenario is a broken business process or ID system that exposes customer credentials or customer details online.

There are cases where a hacker gains access to an IT system externally, but these cases are less common and also not easy to detect if the right software isn’t in place.

FST. How business critical is this kind of threat? What are the costs?
MM. I think it’s becoming more critical as time goes on, especially in the financial sector where regulatory bodies are starting to enforce best practice. This kind of threat has always happened in organisations, yet so often information leaks go unannounced and companies don’t find out about them.

In terms of the cost to business, this can vary. The Ponemon Institute estimate a cost of $182 for each consumer record compromised. Nationwide paid direct costs of close to a million pounds in the form of an FSA fine. TJX, the US parent company of TK Maxx, set aside over $100m to deal with the after effects of the data breach they experienced this year. There are other costs to consider though. If you have a marketable brand that has value associated with a solid reputation, you don’t want that brand to be dragged through these types of cases and potentially scare off existing, and potential customers.

FST. You’ve mentioned regulators getting involved. Is this then an issue that now transcends a pure security function?
MM. Definitely. I think this issue will reach the top of organisations more than any other security matter due to the scale of impact a data leak can have. If a company gets hit with a virus which affects the IT systems, that’s an inconvenience and a concern for the IT and Operations departments.

In contrast, data leak incidents should be addressed at the board level. High profile data leaks can see a company stand before the media to provide answers to the public, to their shareholders, to their customers, to the regulators, and, potentially, to legal establishments as well.

The EU is considering introducing a Directive that requires disclosure of any data breaches, which will make it mandatory for companies to alert their customers to any type of incident.

FST. So this is serious stuff. From the Chief Executive’s point of view then, how can these leaks be prevented?
MM. First and foremost, firms need to stop relying on traditional technologies such as firewalls to try and mitigate information leakage. While these technologies are trying to identify something bad, they are unable to identify information and where it is flowing in a company. They do not take account of the information’s content or context.

You can measure severity in many ways – financial cost, brand reputation, shareholder value and so on. With financial services being tightly regulated by the FSA, they are sending a clear message that cases such as Nationwide are publicly acknowledged and addressed.

FST. So there’s a cultural change needed across the enterprise in terms of looking after data?
MM. Yes, companies must take the responsibility for information security as much out of the hands of the employee as possible. By automating processes, companies can minimise their exposure to human error.

For example, if you have a business partnership with a third party and you’re allowed to exchange information with them, but the company policy states that any e-mails are supposed to be encrypted, there is no way of ensuring this unless that process is automated. You’ve got to have the technology in place to enforce policy; humans are always the weakest link.

FST. So in this case you’d automatically encrypt any e-mail to the third-party using information leak prevention technology?
MM. You could be more sophisticated and encrypt only information if it’s confidential or sensitive. If you have a friend in a third-party organisation and there is a general dialogue over email, technology now can recognise that this doesn’t need to be encrypted as it’s not sensitive. You need something that can identify first that there is sensitive data, and second the context as well: who’s sending it, who’s receiving it, and is that permitted according to the policy.

FST. And this kind of technology is now available to automatically scan and assess outward communications?
MM. Absolutely, there’s technology today that can identify what the sensitive and private information is to start with, and then tell you where it is and who has access to it. The most effective technologies are ones that monitor the context around that as well.

For example, you have a group within an organisation that is allowed to communicate internally with each other around a particular project. However, if an individual tried to send, via e-mail or IM, to another group outside of that particular closed environment, the technology will stop them from doing that. Even if it’s internally within the organisation it protects the business asset, which is the data.

The technology can now identify this and produce a report that says: “Mark Murtagh logged into his workstation, and accessed confidential data belonging to Project X and tried to send that out to his gmail account.”

Information leak prevention technologies, such as Websense, can be very sophisticated. In the past you would have had to take a decision as an information security team and asked ‘do we want to allow anybody in the organisation to upload information to the web?’ If you had said no, then you potentially stop people using web mail services, and you may want to allow them to do that.

Now you can set policies that say things like: “Mark can use gmail, he can read and post his e-mail, but he can’t post x, y or z data sets which are sensitive. If he tries to do that it won’t be allowed, and the data will be quarantined and sent to his manager to check.” So, it’s providing much more context around what you’re actually doing.

It’s about knowing which elements to protect in order to protect company confidential information. If it was about closing every door you’d end up just suffocating business process and people wouldn’t be able to do their job.
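The policy model Murtagh describes in the last few answers (classify the content first, then check the context of sender, recipient and channel against policy, and allow, encrypt or quarantine with a report to the manager) can be sketched as a small policy engine. The following is an added illustration written for this page; it is not Websense code and does not reflect how the Content Protection Suite is implemented. Every address, group, domain, detection pattern and message below is constructed, and the "Project X" tag is assumed to be a literal marker in the message body.

```python
"""Toy content-and-context policy engine (added example, constructed data)."""
import re
from dataclasses import dataclass, field

# Content detectors. Real products use fingerprints and classifiers; this
# example uses a project marker and a simple payment-card-like pattern.
SENSITIVE_PATTERNS = {
    "project_x": re.compile(r"\bProject X\b"),
    "card_number": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}

# Context policy (all constructed): which internal groups may handle each
# classification, which partner domains may receive which classification,
# and who escalates to whom when a message is quarantined.
GROUP_ALLOWED = {"project_x": {"project-x-team"}, "card_number": {"finance"}}
PARTNER_DOMAINS = {"partner.example": {"project_x"}}
INTERNAL_DOMAIN = "corp.example"
USER_GROUPS = {
    "mark@corp.example": {"project-x-team"},
    "alice@corp.example": {"project-x-team"},
    "bob@corp.example": {"finance"},
}
MANAGERS = {"mark@corp.example": "manager@corp.example",
            "bob@corp.example": "manager@corp.example"}


@dataclass
class Message:
    sender: str
    recipient: str
    channel: str      # "email", "im" or "webmail"
    body: str


@dataclass
class Decision:
    action: str       # "allow", "encrypt" or "quarantine"
    classifications: set = field(default_factory=set)
    report: str = ""
    notify: str = ""  # manager alerted on quarantine


def classify(body):
    """Step one: what sensitive content, if any, is present."""
    return {name for name, rx in SENSITIVE_PATTERNS.items() if rx.search(body)}


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def entitled(user, found):
    """True if the user's groups cover every classification present."""
    groups = USER_GROUPS.get(user, set())
    return all(groups & GROUP_ALLOWED.get(c, set()) for c in found)


def report(msg, found, reason):
    """Audit line in the spirit of the interview's example report."""
    return (f"{msg.sender} accessed data classified {sorted(found)} and tried "
            f"to send it via {msg.channel} to {msg.recipient}: {reason}")


def evaluate(msg):
    """Step two: apply context (sender, recipient, channel) to the content."""
    found = classify(msg.body)
    if not found:
        return Decision("allow", found, f"{msg.sender} -> {msg.recipient}: no sensitive content")
    quarantine = lambda why: Decision("quarantine", found, report(msg, found, why),
                                      MANAGERS.get(msg.sender, ""))
    if not entitled(msg.sender, found):
        return quarantine("sender not entitled to this data")
    rdomain = domain_of(msg.recipient)
    if rdomain == INTERNAL_DOMAIN:
        if entitled(msg.recipient, found):
            return Decision("allow", found, report(msg, found, "within closed group"))
        return quarantine("recipient outside the permitted group")
    if found <= PARTNER_DOMAINS.get(rdomain, set()):
        # Policy: sensitive data to a trusted partner always goes out encrypted.
        return Decision("encrypt", found, report(msg, found, "trusted partner, encryption enforced"))
    return quarantine("external recipient not permitted")


# Constructed sample traffic covering the cases discussed in the interview.
SAMPLES = [
    Message("mark@corp.example", "mark.home@gmail.example", "webmail", "Project X budget attached"),
    Message("mark@corp.example", "alice@corp.example", "email", "Project X budget attached"),
    Message("mark@corp.example", "bob@corp.example", "im", "Project X status update"),
    Message("mark@corp.example", "contact@partner.example", "email", "Project X draft"),
    Message("bob@corp.example", "friend@partner.example", "email", "Lunch on Friday?"),
    Message("bob@corp.example", "alice@corp.example", "email", "Card 4111 1111 1111 1111"),
]


def run_samples():
    """Return the action taken for each sample message, in order."""
    return [evaluate(m).action for m in SAMPLES]


if __name__ == "__main__":
    for m in SAMPLES:
        d = evaluate(m)
        print(f"[{d.action:10}] {d.report}" + (f" (alert {d.notify})" if d.notify else ""))
```

The ordering matters: content is classified before any context rule runs, so a chatty message to a partner contact passes untouched while the same partner receiving project data is forced through encryption, and a project member mailing the same data to a personal webmail account is quarantined with the manager alerted. Adding a new classification is a matter of adding a detector and its group entitlement, not of closing a channel for everyone.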

Mark Murtagh has over 13 years’ experience in the high-tech arena. He joined Websense in 2000 and now holds the position of Product Director, Information Leak Prevention (ILP), EMEA & APAC. He is responsible for Websense’s ILP business throughout the Europe, Middle East and Africa and Asia Pacific regions. Prior to this he was Technical Director EMEA, where he headed up the region’s technical support and services team. Before joining Websense, Mark held positions at ICL (Fujitsu E-Services) for six years, where he filled a number of roles including working within the project team to roll out the National Lottery across the UK.

Websense is a California based company that produces web security software. Websense Content Protection Suite is the leading Information Leak Prevention (ILP) solution designed to protect customer information, intellectual property, and enforce and report on regulatory compliance.
