Enterprise Risk Management Outbound Content Compliance and what you should know… Jim Noble (aka
Presentation transcript:

Outbound Content Compliance
- The study of outbound data, leaving a network or enterprise, to determine where risk exists.
- New industry – recognized in ’05 by Gartner, IDC, & Forrester.
- Many different names… depending on the analyst.

Other names
- Forrester – Information Leak Prevention
- Meta Group – Content Filtering
- Gartner – Outbound Content Compliance
- IDC – Outbound Content Compliance

A security professional’s view of Enterprise Risk
Deployed controls:
- Technical controls (~85%)
- Policy, procedure, & guidelines (98%)
- Functional audits with true verification (75%)
Weaknesses:
- Security is focused on the technology, not the business
- Privacy issues cause legal “quagmires”
- Business Compliance & Audit don’t speak the same language as Information Technology & Security
- Traffic flowing outbound is normally unfettered

Why is OCC gaining visibility?
- Business is increasingly coming under fire to comply with new privacy regulations: HIPAA, GLBA, Sarbanes-Oxley, CB1386, & now other state legislation
Why do I care?
- If you work for a company that is required to comply with these regulations, you need to pay attention
- If you are an INFOSec or other IT staffer, you need to learn to identify solutions for compliance

But we have…
- Firewalls
- IDS/IPS
- Anti-Virus & Anti-Spam
- AAA solutions
- Policy, procedures, & guidelines
- Change control
- Etc…

The external threat is reduced
- Most companies are located here in their Risk Lifecycle
- OCC provides visibility of existing controls and aids in audit / verification

Technical Controls
- Most controls are there to prevent outside attacks

The Problem: Lack of effective visibility into confidential & inappropriate content flowing across the network.
The risk & results can be significant:
- Loss of confidential company information – financials, strategic marketing plans, executive communications, customer lists, intellectual property
- Leakage of regulated, private customer information – SSNs, CCNs, other account information
- Substantially reduced employee productivity
- Increased legal exposure due to transmissions of offensive material
- Damage to critical systems by insider attacks
- And much more…

Would You Know If…
- A trusted employee pasted confidential acquisition information into a webmail message & sent it to your competitor?
- An employee downloaded attack tools to their work computer with the intention of stealing your customers’ private data?
- An employee posted your confidential data on or some other Internet posting site like Yahoo! Finance?
- An employee is using a P2P client & is inadvertently exposing your proprietary information to millions of other P2P users?

What’s Needed…
A solution that can passively monitor the CONTENT of all outbound Internet traffic:
- Should analyze & identify the pertinent content at risk
- Should focus on business data / risk
- Focus on legislative compliance to identify business risk
- Ability to “write” custom rules for identifying specific content
- Should have standard reporting mechanisms
- Should have the ability to perform the same intelligent analysis on stored data
- Should match user identity to events
- Should integrate with forensics tools for investigations

So, how does it work?
- TCP re-assembly engine
- Linguistics engine
- Decoders for: http, ftp, smtp & imap, IM & Chat (MSN, AOL, Yahoo), P2P applications, telnet, VNC, and many more…

Intelligent Content Monitoring

Event Category Groups

Information Privacy and Compliance Manager (structured & unstructured data):
- CA Driver’s License, Credit Card Number, PHI – Protected Health Information, Personal Information, Social Security Number
- Confidential: Disgruntled Employee, Information Hiding, Research, Mergers & Acquisitions, Resignation
- Encrypted – PGP, Encrypted – S/MIME, Encrypted – SSH
- Capture All Instances: IM & Chat, Postings, Mailing Lists, Web-mail, P2P File Share

Acceptable Use Manager (unstructured data):
- Adult, Conflict, Gambling, Games, Racism, Shopping, Sports, Substance Abuse, Trading, Violent Acts, Weapons, P2P Research
- Capture All Instances: IM & Chat, Mailing Lists, P2P File Share, Postings, Web-mail

Preventive Security Manager (structured and unstructured data):
- Hacker Research
- Impending Threats: Backdoors, Keylogger, Root Activity, Suspicious FTP, Suspicious HTTP Response, Suspicious SUID root
- Preparation for Attack: Log Wiping Code, NMAP, SAM Cracking, Sniffer Code, Stack Smashing Code, Suspicious VNC Session
- Suspicious Activity: Unauthorized Access Attempts (FTP, General, IMAP, POP)
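The slides describe the engine as rules (structured patterns plus custom rules) run over reassembled outbound content and tagged with the capture channel. The following is an added illustration of that idea, not Vericept’s code; the categories, validators and sample messages are my own construction, and the Luhn and SSN validators show why a structured rule needs a validator behind the regex.

```python
import re

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters 16-digit numbers that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def ssn_ok(ssn: str) -> bool:
    """Reject SSN-shaped numbers the SSA never issues (area 000/666/9xx, zero group/serial)."""
    area, group, serial = ssn.split("-")
    return area not in ("000", "666") and area[0] != "9" and group != "00" and serial != "0000"

# Rule table: (category, regex, validator). The structured rules carry a validator;
# the keyword rule stands in for the slide's "custom rules" on unstructured data.
RULES = [
    ("Credit Card Number", re.compile(r"\b(?:\d[ -]?){15}\d\b"),
     lambda s: luhn_ok(re.sub(r"[ -]", "", s))),
    ("Social Security Number", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), ssn_ok),
    ("Mergers & Acquisitions",
     re.compile(r"\b(?:acquisition|term sheet|due diligence)\b", re.I), lambda s: True),
]

def scan(messages):
    """Run every rule over each reassembled outbound message.
    Returns (channel, category, matched_text) events, in traffic order."""
    events = []
    for channel, body in messages:
        for category, pattern, valid in RULES:
            for m in pattern.finditer(body):
                if valid(m.group(0)):
                    events.append((channel, category, m.group(0)))
    return events

# Constructed sample traffic (not real data), tagged with its capture channel.
SAMPLE_MESSAGES = [
    ("web-mail", "Card on file: 4111 1111 1111 1111, ship to the usual address."),
    ("web-mail", "Order ref 4111 1111 1111 1112 (looks like a card, fails Luhn)."),
    ("IM & Chat", "His SSN is 123-45-6789; the test one is 000-12-3456."),
    ("http", "Attaching the draft term sheet for the acquisition, keep it quiet."),
]

if __name__ == "__main__":
    for channel, category, text in scan(SAMPLE_MESSAGES):
        print(f"[{category}] via {channel}: {text}")
```

The second message and the second SSN are dropped by the validators, which is the difference between a pattern hit and an event worth a reviewer’s time.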

Deployment Examples

Value & Benefits
- Identifies information loss, identity theft & corporate espionage
- Assists regulatory compliance: SOX, GLBA, HIPAA, CA SB 1386/AB 1950
- Reduces liability of inappropriate use
- Identifies rogue protocol usage
- Reduces unethical & wasteful network use

The Irony
- In order to protect the consumer’s privacy, there has to be an invasion of privacy within the enterprise
- “Outbound Content Compliance” is an emerging market in Information Security solutions
- They are already in place at schools, hospitals, public & private corporations, financial organizations, & any other heavily legislated organizations

Warnings
- Read your organization’s Acceptable Usage Policy (AUP); “No Expectation of Privacy” clauses are the norm.
- If you’ve just received a new AUP to sign, it is likely that a product of this type is being deployed or has been deployed
- Assume you are being watched 100% of the time
- Anonym.OS – kaos.theory security.research
- TOR – Onion Routing – Roger Dingledine and Nick Mathewson

Case Study

Case Study: Corporate Espionage
Situation: A company in the computer storage industry, involved in several acquisition opportunities, suspected individuals were leaking sensitive information to its competitors. The CSO believed a competitor (with whom they were involved in a multimillion-dollar litigation suit) had connected with executives inside the company & was receiving sensitive proprietary trade, technology & client data from them.
What they did: Led by the CSO, the Corporate Governance officer & the Corporate Counsel, the company installed a content monitoring platform to identify certain content & place it in the proper context.
Goal: Identify where the sensitive information was leaking out of the organization.

Case Study: Corporate Espionage
The results: Within a few days of installing Vericept, the client confirmed the information leak, who was involved & the magnitude of the exposure.
Items identified by Vericept:
- An employee e-mailing the entire customer list to the competition
- A top executive with access to sensitive business plans negotiating for a new job with a competitor
- An employee looking for system exploits on the network applications & systems for the competitor to use
The return on investment: The CSO said that the solution paid for itself several times over within the first two months. The platform is required to “go live” on the new networks the day that any acquisition is finalized.

Demo

Future Features
- Desktop control
- SSL decryption
- Integration with existing firewalls, IDS/IPS, & other technical controls
- Further integration with forensics tools

Questions Jim Noble (aka