So we’re all technical folks…and we all like to use technical solutions to fix problems. I’m tellin ya, without the proper non-technical controls I mentioned earlier….you’re dead in the water. Can’t have bacon without eggs and peanut butter without jelly. It’s just incomplete.
I’m telling you now: Technical controls without proper non-technical controls provide no solution.
(Gotta love a disclaimer.)
So let’s talk about these technical methods:
1. Data Encryption – The proclivity of data encryption technology in IT is overwhelming. You can now obtain stringent encryption mechanisms for your laptops and mobile phones (i.e. PointSec, Credant, BitLocker, etc.), as well as for your email (PGP) and for documents and folders at rest (EFS). Persistent data protection, through such technologies as Microsoft’s Rights Management Services, provides confidentiality that travels with a document, even outside the organization. (You can check out the demo here). There is simply no excuse for failing to provide encryption to all stages of data transfer and storage. However, the use of data encryption on sensitive and critical intellectual property is minimal. Fears arise with regard to the amount of time required for implementation of an encryption solution, as well as concerns around key management has prevented the adoption of these technologies. As with all security concerns a simple question must be put forth: Does the risk justify the solution? In almost every situation, data encryption justifies those means.
2. USB blocking/Media Burning blocking – The technical controls for blocking USB and CD/DVD burners are available as Group Policy Objects for centralized management in the Microsoft Windows Vista operating system, and 3rd party solutions exist from vendors such as ScriptLogic, SecureWave, etc. The premise being that only specific and authorized devices (such as USB keyboards) have access to the ports, while non-authorized devices are blocked and subsequently logged in the appropriate audit mechanism. The manageability of these solutions is imperative and each solution researched proved to have the ability to be centrally managed through the use of group policy.
3. Audit Policy – In 2006, while conducting some field tests with the Dallas FBI CyberCrime team, I asked what the number one technical control that IT professionals could do to assist law enforcement’s efforts to effectively prosecute data breaches. Their answer? Audit Controls. Like encryption, audit controls exist on almost every operating system in existence. The biggest problem is that it’s either not configured properly, or in most cases, not configured at all. Audit policies are often configured based on some regulatory compliance auditor checklist and are often ineffective in identifying an attack on trade secrets. Too often the logs generated become overwhelming and the data is not correlated in a timely fashion, which also delays the breach notification. Proper auditing is a key technical control and should be implemented in every situation on a high risk asset, such as Server X.
4. Data Leakage Prevention (DLP) – As the saying goes, “necessity is the mother of invention” and we are certainly seeing this with regards to the newer automated data leakage prevention solutions. These devices provide outbound monitoring and data archival of outbound data. PortAuthority and Vontu are two of the big players in this space and have been for quite some time. Several existing security vendors such as McAfee and Symantec have already added DLP technology to their existing network gateways. For large enterprises, protecting intellectual property as it moves through the R&D lifecycle is a daunting task. The mitigation a good automated DLP solution provides is certainly worthy of consideration.
I also want to mention that SC magazine recently nominated several intellectual property protection solutions for their 2007 IPP Product of the Year. You may want to take a look and see if these technical controls can work in your environment. The winner of this year’s award was the solution from Vericept, called the Vericept Risk Management Platform which seems to do a good piece on covering insider threats. If anyone has any experience with this product, I’d love to hear your thoughts on it.
 2006. Personal conversation between myself and various Dallas FBI field agents.
Next Post: Kai is going to TechEd 2007….with a special guest!