Transcript Slide 1

Enterprise Risk Management
Outbound Content Compliance
and what you should know…
Jim Noble (aka dc0de)
[email protected]
Outbound Content Compliance
The study of outbound data, leaving a network or enterprise, to determine where risk exists.
- New industry, recognized in ’05 by Gartner, IDC, & Forrester
- Many different names, depending on the analyst

A security professional’s view of Enterprise Risk

Deployed Controls
- Technical controls (~85%)
- Policy, procedure, & guidelines (98%)
- Functional audits with true verification (75%)

Weaknesses
- Security is focused on the technology, not the business
- Privacy issues cause legal “quagmires”
- Business Compliance & Audit don’t speak the same language as Information Technology & Security
- Traffic flowing outbound is normally unfettered
Why is OCC gaining visibility?
- Business is increasingly coming under fire to comply with new privacy regulations
  – HIPAA, GLBA, Sarbanes-Oxley, CA SB 1386, & now other state legislation
Why do I care?
- If you work for a company that is required to comply with these regulations, you need to pay attention
- If you are an INFOSec or other IT staffer, you need to learn to identify solutions for compliance
But we have…
- Firewalls
- IDS/IPS
- Anti-Virus & Anti-Spam
- AAA Solutions
- Policy, Procedures, & Guidelines
- Change Control
- Etc…
The external threat is reduced
[Figure: risk lifecycle. Stages shown: Policy, Procedure, & Guidelines; Technical Controls; Audit & Verification. Most companies are located at the Technical Controls stage of their risk lifecycle, and most of those controls are there to prevent outside attacks. OCC provides visibility of existing controls and aids in Audit / Verification.]

[Figure: typical network. Internet; External Services (Email, www, e-commerce); Proxy; User Network(s); Backend Server Farm (LDAP, File Svr).]
The Problem:
Lack of effective visibility to confidential & inappropriate content flowing across the network. The risk & results can be significant:
- Loss of confidential company information
  – Financials, strategic marketing plans, executive communications
  – Customer lists, Intellectual Property
- Leakage of regulated, private customer information
  – SSNs, CCNs, other account information
- Substantially reduced employee productivity
- Increased legal exposure due to transmissions of offensive material
- Damage to critical systems by insider attacks
- And much more…
Would You Know If…
- A trusted employee pasted confidential acquisition information into a webmail message & sent it to your competitor?
- An employee downloaded attack tools to their work computer with the intention of stealing your customers’ private data?
- An employee posted your confidential data on www.internalmemos.com or some other Internet posting site like Yahoo! Finance?
- An employee is using a P2P client & is inadvertently exposing your proprietary information to millions of other P2P users?
What’s Needed…
- A solution that can passively monitor the CONTENT of all outbound Internet traffic
- Should analyze & identify the pertinent content at risk
- Should focus on business data / risk
  – Focus on legislative compliance to identify business risk
  – Ability to “write” custom rules for identifying specific content
- Should have standard reporting mechanisms
- Should have the ability to perform the same intelligent analysis on stored data
- Should match user identity to events
- Should integrate with forensics tools for investigations
So, how does it work?
- TCP re-assembly engine
- Linguistics engine
- Decoders for:
  – http
  – ftp
  – smtp & imap
  – IM & Chat (MSN, AOL, Yahoo)
  – P2P applications
  – telnet
  – VNC
  – And many more…
Intelligent Content Monitoring
Event Category Groups

Information Privacy and Compliance Manager (structured & unstructured data)
- CA Driver’s License
- Credit Card Number
- PHI - Protected Health Information
- Personal Information
- Social Security Number
- Confidential
- Disgruntled Employee
- Information Hiding Research
- Mergers & Acquisitions
- Resignation
- Encrypted – PGP
- Encrypted – S/MIME
- Encrypted – SSH
- Capture All Instances: IM & Chat, Mailing Lists, P2P File Share, Postings, Web-mail

Acceptable Use Manager (unstructured data)
- Adult
- Conflict
- Gambling
- Games
- Racism
- Shopping
- Sports
- Substance Abuse
- Trading
- Violent Acts
- Weapons
- P2P Research
- Capture All Instances: IM & Chat, Mailing Lists, P2P File Share, Postings, Web-mail

Preventive Security Manager (structured and unstructured data)
- Hacker Research
- Impending Threats: Backdoors, Keylogger, Root Activity, Suspicious FTP, Suspicious HTTP Response, Suspicious SUID root
- Preparation for Attack: Log Wiping Code, NMAP, SAM Cracking, Sniffer Code, Stack Smashing Code, Suspicious VNC Session
- Suspicious Activity: Unauthorized Access Attempts (FTP, General, IMAP, POP)
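As an added illustration of the engine pipeline described under “So, how does it work?” (TCP re-assembly, protocol decoders, content rules, and matching a user identity to each event) and of a few of the event categories listed above, here is a toy passive monitor in Python. It is not Vericept’s code and not from this deck: the IP-to-user map, the two captured flows and the rule patterns are constructed for the example, only the SMTP and HTTP POST decoders are implemented, and the Social Security Number and Credit Card Number rules are a simplified format check plus a Luhn check rather than any vendor’s linguistics engine.

```python
"""Toy outbound content monitor: TCP re-assembly -> protocol decoders -> content
rules -> events tagged with a user. Added illustration, not Vericept's code."""
import re
from urllib.parse import unquote_plus

# Assumed IP-to-user map (a real sensor takes this from LDAP, DHCP or proxy auth)
IDENTITY = {"10.1.2.3": "jdoe", "10.1.2.9": "asmith"}

def reassemble(segments, first_seq):
    """Order (seq, payload) segments, drop retransmitted bytes, return the stream."""
    stream, expected = b"", first_seq
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if seq + len(payload) <= expected:
            continue                        # pure retransmission, already seen
        if seq > expected:
            break                           # missed segment: a passive sensor cannot continue
        stream += payload[expected - seq:]  # trim any overlapping prefix
        expected = seq + len(payload)
    return stream

def decode_smtp(stream):
    """Sender, recipients and DATA body from the client side of an SMTP flow."""
    text = stream.decode("latin-1")
    sender = re.search(r"MAIL FROM:<([^>]*)>", text, re.I)
    body = re.search(r"\r\nDATA\r\n(.*?)\r\n\.\r\n", text, re.S)
    return {"proto": "smtp", "user": sender.group(1) if sender else None,
            "to": re.findall(r"RCPT TO:<([^>]*)>", text, re.I),
            "content": body.group(1) if body else ""}

def decode_http_post(stream):
    """Form fields from a urlencoded HTTP POST, e.g. a webmail 'send'."""
    head, _, body = stream.partition(b"\r\n\r\n")
    headers = {k.lower(): v for k, v in
               re.findall(r"\r\n([\w-]+):[ \t]*([^\r\n]*)", head.decode("latin-1"))}
    length = int(headers.get("content-length", len(body)))
    fields = dict(kv.split("=", 1) for kv in body[:length].decode("latin-1").split("&") if "=" in kv)
    return {"proto": "http", "host": headers.get("host", ""), "user": None,
            "content": "\n".join(unquote_plus(v) for v in fields.values())}

def luhn_ok(digits):
    """Luhn checksum, used to cut false positives on 13-16 digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch) * (2 if i % 2 else 1)
        total += n - 9 if n > 9 else n
    return total % 10 == 0

SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CCN_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
# (event category, detector) pairs mirroring a few of the categories listed above
RULES = [
    ("Social Security Number", SSN_RE.findall),
    ("Credit Card Number",
     lambda t: [c for c in CCN_RE.findall(t) if luhn_ok(re.sub(r"\D", "", c))]),
    ("Mergers & Acquisitions",
     lambda t: re.findall(r"\b(?:acquisition|merger|due diligence|term sheet)\b", t, re.I)),
]

def monitor(flows):
    """flows: (src_ip, dst_port, first_seq, segments). Returns only events with hits."""
    events = []
    for src_ip, dport, first_seq, segs in flows:
        stream = reassemble(segs, first_seq)
        if dport == 25:
            ev = decode_smtp(stream)
        elif dport in (80, 8080):
            ev = decode_http_post(stream)
        else:
            continue                    # no decoder: report as rogue protocol in practice
        ev["src_ip"] = src_ip
        ev["user"] = ev["user"] or IDENTITY.get(src_ip, "unknown")
        ev["hits"] = [(name, found) for name, found in
                      ((name, detect(ev["content"])) for name, detect in RULES) if found]
        if ev["hits"]:
            events.append(ev)
    return events

def segments_from(first_seq, chunks):
    """Number byte chunks as (seq, payload) segments the way a sender would."""
    segs, seq = [], first_seq
    for c in chunks:
        segs.append((seq, c))
        seq += len(c)
    return segs

# Constructed flow 1: a customer record mailed straight to a competitor ...
SMTP_SEGS = segments_from(1000, [
    b"EHLO laptop.corp.example\r\nMAIL FROM:<jdoe@corp.example>\r\n",
    b"RCPT TO:<buyer@competitor.example>\r\nDATA\r\nSubject: customer list\r\n\r\n",
    b"Acme Corp, card 4111 1111 1111 1111, SSN 123-45-6789\r\n.\r\n",
    b"QUIT\r\n"])
# ... captured out of order, with one segment retransmitted
SMTP_FLOW = ("10.1.2.3", 25, 1000, [SMTP_SEGS[i] for i in (2, 0, 1, 1, 3)])

# Constructed flow 2: deal news pasted into a webmail compose form
_form = b"to=rival%40competitor.example&subject=FYI&body=Board+approved+the+acquisition+of+Foo"
HTTP_FLOW = ("10.1.2.9", 80, 5000, segments_from(5000, [
    b"POST /compose/send HTTP/1.1\r\nHost: webmail.example.net\r\n",
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: %d\r\n\r\n" % len(_form),
    _form]))
FLOWS = [SMTP_FLOW, HTTP_FLOW]
```

Calling monitor(FLOWS) returns two events: the SMTP message, attributed to jdoe@corp.example from its MAIL FROM, hits the Social Security Number and Credit Card Number rules, and the webmail POST from 10.1.2.9 (mapped to asmith through the assumed identity table) hits Mergers & Acquisitions. Two limits of the passive design are visible in the code: re-assembly stops at a segment the sensor never saw, and the decoders only see plaintext, which is why SSL decryption appears in this deck under future features.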
Deployment Examples
[Figure: two deployments. Stand Alone: a single Collector with Console and db, with Users behind a proxy and a DMZ (www, mail) facing the INTERNET. Distributed: Collectors at each Remote Office reporting across WAN segments (56 Kbps and 1.5 Mbps) to a central Console.]
Value & Benefits
- Identifies information loss, identity theft & corporate espionage
- Assists regulatory compliance
  – SOX, GLBA, HIPAA, CA SB 1386/AB 1950
- Reduces liability of inappropriate use
- Identifies rogue protocol usage
- Reduces unethical & wasteful network use
The Irony
- In order to protect the consumer’s privacy, there has to be an invasion of privacy within the enterprise
- “Outbound Content Compliance” is an emerging market in Information Security solutions
- They are already in place at
  – Schools
  – Hospitals
  – Public & Private Corporations
  – Financial Organizations, & any other heavily legislated organizations
Warnings
- Read your organization’s Acceptable Usage Policy (AUP); “No Expectation of Privacy” clauses are the norm.
- If you’ve just received a new AUP to sign, it is likely that a product of this type is being deployed or has been deployed
- Assume you are being watched 100% of the time
- Anonym.OS - kaos.theory security.research
- TOR – Onion Routing - Roger Dingledine and Nick Mathewson
Case Study
Corporate Espionage
Situation:
- A company in the computer storage industry, involved in several acquisition opportunities, suspected individuals were leaking sensitive information to its competitors
- The CSO believed a competitor (with whom they were involved in a multimillion dollar litigation suit) had connected with executives inside the company, who were leaking sensitive proprietary trade, technology & client data to that competitor
What They Did:
- Led by the CSO, the Corporate Governance officer & the Corporate Counsel, the company installed a content monitoring platform to identify certain content & place it in the proper context.
- Goal: identify where the sensitive information was leaking out of the organization.
The Results:
- Within a few days of installing Vericept, the client confirmed the information leak, who was involved & quantified the magnitude of the exposure.
- Items identified by Vericept:
  – An employee emailing the entire customer list to the competition
  – A top executive with access to sensitive business plans negotiating for a new job with a competitor
  – An employee looking for system exploits on the network applications & systems for the competitor to use
The Return on Investment:
- The CSO said that the solution paid for itself several times over within the first two months.
- The platform is required to “go live” on the new networks the day that any acquisition is finalized
Demo
Future Features
- Desktop Control
- SSL Decryption
- Integration with existing Firewalls, IDS/IPS, & other technical controls
- Further integration with forensics tools
Questions
Jim Noble (aka dc0de)
[email protected]