Our intrusion-detection sensors give us about 40 percent coverage of our network, but we lack the manpower to pay proper attention to them.
With only two network engineers - whose time is consumed with managing firewalls, the virtual private network, RSA SecurID tokens and the like - it's difficult for us to get the full benefit of those sensors, which need to be tuned to decrease false positives. They do provide meaningful information, especially when an incident occurs that prompts us to monitor network traffic more closely.
So, I've been sceptical about data loss prevention (DLP) technology, which seems to share many characteristics of an intrusion-detection system (IDS). For example, DLP technology needs to be tuned to be most effective. On the other hand, it looks deeper into network traffic than a traditional IDS and is able to detect sensitive data leaving the network.
I was sceptical when I met with representatives of Reconnex. Still, its DLP product was feature-rich, and the promise that it could detect even small portions of data leaving the network was intriguing.
For that to happen, you have to first feed data to the Reconnex product. For example, if I load an entire directory of source code, it will be able to alert us should an engineer cut and paste even a small portion of it into a Yahoo email message.
We decided to pilot a limited deployment of the Reconnex technology on our network.
The pilot was timely. A few days after installation, I was asked to determine whether any employees were leaking information related to an acquisition the company was contemplating. We fired up the Reconnex management console and created a rule that would flag any network traffic containing certain keywords associated with the acquisition. After a couple of days, no hits were recorded on that rule, but something else popped up that was extremely alarming.
When they installed the Reconnex tool, my security engineers experimented with various rules. They created one to watch for design documentation files on the network, and that's the rule that triggered the alert: An employee had uploaded a computer-aided design document to his personal Yahoo Briefcase storage account.
Not knowing much about design documents, I forwarded a copy of the file to an engineering manager, who explained that this particular document is for the design of one of the very sensitive, proprietary sensors we manufacture. It's a design that any of our competitors would love to get their hands on. As it turns out, the employee who had uploaded this document had given his notice a few days earlier. My adrenaline was rushing.
This was when, as far as I'm concerned, Reconnex paid for itself.
It lets you go back and review captured network traffic. At this point, we had about a week's worth of network traffic. We created a new rule that let us see all network activity during that time related to the departing employee. Even more than before, the results were alarming. He had been using email and Yahoo Briefcase to copy design documents and source code for some of our flagship products. We probably would never have known if we hadn't been piloting this product that I had been lukewarm about at the beginning.
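The three capabilities this account leans on are content fingerprinting of a corpus you feed the tool (so that even a pasted fragment of a source file is recognised), a plain keyword rule like the acquisition watch, and a retrospective search over captured traffic filtered to one user. The following toy rule engine, added here as an illustration and not Reconnex's code or anything the column describes in detail, shows the general idea with word-shingle hashing; the sample source file, design note, user names and captured messages are all constructed.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed example of a DLP-style rule engine. Real products use their own
# proprietary fingerprinting; this only demonstrates the mechanism.

SHINGLE_WORDS = 6  # tokens per shingle; smaller catches smaller fragments but raises false positives


def tokenize(text: str) -> list[str]:
    """Lowercase word tokens, so case and whitespace changes cannot hide a match."""
    return re.findall(r"[a-z0-9_]+", text.lower())


def shingles(text: str, k: int = SHINGLE_WORDS):
    """Yield a short hash for every run of k consecutive tokens."""
    toks = tokenize(text)
    for i in range(len(toks) - k + 1):
        yield hashlib.sha256(" ".join(toks[i:i + k]).encode()).hexdigest()[:16]


class Fingerprinter:
    """Index of shingle hash -> registered documents, built from the corpus you feed it."""

    def __init__(self, k: int = SHINGLE_WORDS):
        self.k = k
        self.index: dict[str, set[str]] = {}

    def register(self, name: str, text: str) -> None:
        for h in shingles(text, self.k):
            self.index.setdefault(h, set()).add(name)

    def match(self, text: str) -> dict[str, int]:
        """Count how many shingles of `text` belong to each registered document."""
        hits: dict[str, int] = {}
        for h in shingles(text, self.k):
            for doc in self.index.get(h, ()):
                hits[doc] = hits.get(doc, 0) + 1
        return hits


@dataclass
class Alert:
    rule: str
    user: str
    dest: str
    detail: str


def keyword_rule(name, keywords):
    """Like the acquisition watch: flag any message containing one of the phrases."""
    kws = [k.lower() for k in keywords]

    def check(evt):
        found = [k for k in kws if k in evt["body"].lower()]
        return Alert(name, evt["user"], evt["dest"], f"keywords={found}") if found else None
    return check


def fingerprint_rule(name, fp, min_shingles=2):
    """Like the design-document watch: flag fragments of registered content."""
    def check(evt):
        strong = {d: n for d, n in fp.match(evt["body"]).items() if n >= min_shingles}
        return Alert(name, evt["user"], evt["dest"], f"matched={strong}") if strong else None
    return check


def scan(events, rules, user=None):
    """Run every rule over captured events; `user` narrows a retrospective review."""
    alerts = []
    for evt in events:
        if user is not None and evt["user"] != user:
            continue
        for rule in rules:
            alert = rule(evt)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sensitive corpus (hypothetical file names and contents).
SOURCE_C = """static int sensor_calibrate(struct sensor *s, int gain)
{
    int offset = read_register(s, REG_OFFSET);
    if (offset < 0)
        return -EIO;
    s->gain = gain;
    return write_register(s, REG_GAIN, gain * offset);
}"""
DESIGN_DOC = ("Proprietary sensor housing design revision 4. Diaphragm thickness 0.12 mm, "
              "titanium alloy grade 5, resonant frequency tuned to 31.7 kHz. "
              "Do not distribute outside engineering.")

FP = Fingerprinter()
FP.register("sensor.c", SOURCE_C)
FP.register("housing-design.txt", DESIGN_DOC)

RULES = [
    keyword_rule("acquisition-watch", ["Project Falcon", "acquisition"]),
    fingerprint_rule("design-doc-watch", FP),
]

# Constructed captured traffic: user, destination, message body.
EVENTS = [
    {"user": "jdoe", "dest": "mail.yahoo.com",
     "body": "Hi, here's the bit we talked about:\n"
             "int offset = read_register(s, REG_OFFSET);\n if (offset < 0)\n return -EIO;"},
    {"user": "asmith", "dest": "mail.yahoo.com",
     "body": "Lunch at noon? The sensor team is meeting in room 4."},
    {"user": "jdoe", "dest": "briefcase.yahoo.com", "body": DESIGN_DOC},
    {"user": "asmith", "dest": "mail.yahoo.com",
     "body": "Heard anything about the Project Falcon acquisition?"},
]


def run_demo(user=None):
    """Scan the captured events; pass a user name to replay one person's traffic only."""
    return scan(EVENTS, RULES, user)


if __name__ == "__main__":
    for a in run_demo():
        print(a)
```

The first event is the case the column calls intriguing: only three lines of a registered source file were pasted into webmail, yet five of its six-word shingles hash to entries in the index, so the fingerprint rule fires while the lunch invitation, which shares ordinary words like "sensor" with the corpus, does not. Calling `run_demo("jdoe")` is the retrospective step: the same rules replayed over a week of captures but restricted to the departing employee. Tuning in practice is the choice of `SHINGLE_WORDS` and `min_shingles`: lower values find smaller fragments at the cost of the false positives that, as with an IDS, consume the engineers' time.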
I had the employee's desktop confiscated and contacted human resources and the legal department. I wanted this guy out of the company immediately, and I wanted our intellectual property back.
Right now, we're deciding whether to call in local law enforcement officials. I'll keep you posted.
This journal is written by a real security manager, Mathias Thurman, whose name and employer have been disguised for obvious reasons.