But what methods can organisations use to plug them?
Published: 19 March 2008 11:27 GMT
Data leaks are a growing problem. Yet most firms don't know how sensitive data is getting out, let alone how to stop it. Tools exist to shore up those vulnerabilities, says Anthony Plewes.
Ever-increasing email attachment file sizes and multi-gigabyte removable storage are driving an alarming increase in the volume of data leaking from companies.
Most data leakage is not malicious. It is caused by users not being aware of the implications of their actions. "Users simply don't have the expertise needed to classify all the sensitivity of the information they use," says Gartner Research vice president Jay Heiser.
Heiser continues: "As a result they send huge amounts of inappropriate email, and store highly sensitive data on laptops and memory sticks, ignorant of the risk it represents to their employers."
To help companies stem this flow of confidential information outside their direct control, security vendors have developed a family of tools called data leakage prevention (DLP). These tools look at data across the entire organisation - at rest, in motion and in use - to try to control and report on any activity that contravenes the security policy.
DLP tools incorporate a wide range of modules to protect sensitive data across the corporate infrastructure, including monitoring and protecting network gateways, email, end points and storage.
When a data leak is detected the DLP tool can block the leak or warn the user and also provide an audit trail for compliance. "Some 80 per cent of data leakage is inadvertent, so usually what would happen is that a warning would appear saying: 'Are you sure you want to send this confidential data out?'," says security firm Symantec's chief scientist, Guy Bunker.
In addition to blocking data leaks, DLP tools can also help companies carry out a risk assessment on their data, allowing them to check where their sensitive data is stored and helping customers put it in more secure locations.
Where do leaks occur?
Data leaks can come from anywhere and can be caused by an employee mistake, a malicious insider or an external criminal. Losing laptops or other storage is still one of the most common sources of data leaks and DLP tools can help by checking whether confidential data is encrypted. But it's not just laptops that need protecting; companies need to look at all end-points connected to the corporate network.
"iPods are a particular problem as they can remove vast amounts of data," says Symantec's Bunker. "Companies need to decide what can be connected to the network and prevent unauthorised devices from connecting. And for all authorised devices, companies need to enforce their security policy, by preventing unauthorised copying, for example."
Email continues to be a major source of data leakage. A survey carried out by security vendor Websense across Europe found two-thirds of UK users sent confidential information to their home email without recognising the potential risk.
As well as preventing unwanted email from clogging up users' inboxes, anti-spam software can also monitor outgoing email and alert users to, or block, a breach of the security policy. This can be tuned to the exact needs of each user, so that users who are permitted to send confidential financial information over email can do so, but only if it is encrypted, for example.
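The warn-or-block decision and per-user encryption exception described above can be sketched as follows. This is an added example, not code from any vendor named in the article; the domain, the exception list, the `will_encrypt` flag and the choice of payment card numbers as the confidential pattern are all assumptions.

```python
import re
from dataclasses import dataclass

# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: discards digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_cards(text: str) -> list:
    found = (re.sub(r"[ -]", "", m.group()) for m in CARD_RE.finditer(text))
    return [d for d in found if luhn_ok(d)]

@dataclass
class Message:
    sender: str
    recipient: str
    body: str
    will_encrypt: bool  # assumption: the gateway encrypts after inspection

INTERNAL_DOMAIN = "corp.example"              # hypothetical domain
CARD_DATA_SENDERS = {"billing@corp.example"}  # hypothetical exception list

def evaluate(msg: Message) -> dict:
    """Return the policy action plus an audit record with masked matches."""
    cards = find_cards(msg.body)
    external = not msg.recipient.lower().endswith("@" + INTERNAL_DOMAIN)
    if not cards or not external:
        action = "allow"
    elif msg.sender.lower() in CARD_DATA_SENDERS:
        action = "allow" if msg.will_encrypt else "block"
    else:
        action = "warn"  # inadvertent leak: ask the user to confirm
    masked = ["*" * (len(c) - 4) + c[-4:] for c in cards]
    return {"sender": msg.sender, "recipient": msg.recipient,
            "action": action, "matches": masked}

if __name__ == "__main__":
    # Constructed sample; 4111 1111 1111 1111 is a widely used test number.
    body = "Refund card 4111 1111 1111 1111, ref 1234 5678 9012 3456"
    for sender, enc in [("billing@corp.example", True),
                        ("billing@corp.example", False),
                        ("jo@corp.example", False)]:
        print(evaluate(Message(sender, "me@webmail.example", body, enc)))
```

The audit record keeps only the last four digits of each match, so the log itself does not become a second copy of the confidential data.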
Security is only ever as good as the weakest link, so it's pointless monitoring only the company's email system if users simply send the data through their web-based personal email.
Again, this isn't necessarily malicious; users may have a legitimate need to send confidential data to themselves at home and are simply attempting to circumvent any controls that have been put in place, without thinking of the potential consequences.
Gartner's Heiser warns: "The awareness of email or internet content monitoring has been shown to encourage internal data leakers to change their behaviour."
The web is rapidly becoming the number one source of data leakage and it's not just web email services that are the problem. Companies are struggling to deal with the impact of web 2.0 and user-created content.
The scale of data leakage often comes as a surprise to many companies. Websense technical director Mark Murtagh said when one customer started using the DLP tool to monitor its infrastructure, there were up to 1,000 potential leaks on a daily basis.
Having the tool tell people that they were putting confidential information at risk cut these breaches by between 60 and 80 per cent before the customer had even started to deploy the blocking part of the software.
Identifying confidential data
DLP rests on the ability to identify what data is confidential. It may seem like a straightforward task but the huge volumes of continually changing data make it very difficult indeed.
For example, a document in draft form may only become confidential once it includes the name of an undisclosed customer. The DLP software needs to be aware of the change in status and protect the document appropriately.
One company has a novel way of identifying confidential data. Faizel Lakhani, vice president at Reconnex, likens the security firm's approach to Google's search indexing. When a company deploys the appliance it starts collating data on flows and locations of all company information.
One week gives enough information to start being able to search on any aspect of data, to see who has been using it and where it has been sent for example.
"Companies want to protect sensitive data but they don't always know what it is or where it is," explains Lakhani. "Our appliance's index of company data allows them to pick up not only the simple things like social security numbers, but also information that they don't yet know is important."
And because the content search is similar to an internet search, line-of-business managers are able to run the queries themselves.
For example, Reconnex's tool allows companies to mine all their historical data to search for any data leaks. Faizel recounts the tale of one customer who needed a tool to secure credit card details for PCI compliance, but when it deployed Reconnex's solution a manager put in the search term 'inventory turn report' and found out an employee had been sending confidential information to a competitor.
It's also vital to know exactly which regulations certain confidential information needs to comply with. Websense provides 600 templates that allow companies to match the regions they operate in and their industry sector to see what regulations apply and the legal implications of data leakage.
Technology is not a silver bullet for all data leakage prevention. Companies also need to look at the people and processes. The HMRC disc going out over insecure channels, unencrypted and containing unnecessary data, was a process failure, for example. People need to be educated about what confidential data is and how they should use it.
However, DLP tools are an essential part of this strategy, as they give companies the wherewithal to enforce their security policy and user education, to identify and protect sensitive data accurately, and to provide auditable records to comply with multiple regulations on data security.