Endpoint Protection

Endpoint Software Packages

Economic cuts threaten information security

by Rupert Beeby on Jul.30, 2010, under Endpoint Software Packages, Industry News, data security, security policies

First it was the cuts in private sector firms and now it is the public sector. The easiest and quickest cuts that make a difference to the bottom line are to remove people, who are usually the largest cost item. Sadly, redundancy is now a major occurrence in a working life. I know of many capable, intelligent and hard-working people who have been made redundant two or three times in their lives, sometimes more. It is increasingly a tool of organisations to quickly get rid of people. In general, redundancy is never executed against the legal guidelines, which results in court cases and compromise agreements.

So what has all this to do with Information Security? The removal of staff from an organisation is currently the biggest threat to an organisation's information. Redundancy, or whatever method is used, can result in animosity, resentment, and malicious intent on the part of the former employee. Of course most organisations are understanding and sensitive to employees and most follow the rules. However, sales of DLP software have been rising and the most cited reason for purchase is protection of contact databases, intellectual property and sales information from disgruntled employees.

The threat is real and active, and who knows how much critical information has been taken by upset and revengeful employees without anyone knowing. Please add any comments to this post on your experiences of cost cutting and data loss.


Employees with Information: Do You Trust them?

by Rupert Beeby on Jul.05, 2010, under Endpoint Software Packages, data security, data security trends

It is really worrying that organisations are completely blind when asked if they know what critical information exists and what their employees are doing with it. So many customers regard DLP as only a product that will solve all security ailments.

At the moment employers have no choice but to trust their employees as there is no alternative. Organisations have no real idea what data is confidential, where it is being held and where it is going to. However, as disgruntled ex-employees continue to take all their data with them, whether unintentionally or maliciously, the result is the same: the potential for important information to be removed. As more organisations rely on outsourcing and the use of partners to advise, project manage and augment skills, the problem gets worse.

So the trust is breaking down, particularly as cuts are coming, but still organisations have no idea what to do.

So what is the answer? Not an easy one for sure. First thing is to work out what data there is and where. Look for something that will index your endpoints so that live keyword searches can be used to identify what data is stored and where. Secondly, start to categorise your data into no more than four levels such as Internal Use Only, Confidential, Confidential and Restricted, Critical. Then decide on the policies required at each level. Once you have a classification and the policies for security then you can start to develop the DLP policies to protect the data.

So the basic answer is ‘No you don’t trust them’ but until work is done there is no choice.

See my next post on the economic climate and the impact on data loss
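The discovery and classification steps from this post, sketched as an added example (not code from the post or from any DLP product): index what each endpoint holds, run a live keyword search, then give each file the highest of the four levels its content implies. The keyword-to-level policy, host names and file contents are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# The post's four levels, lowest to highest sensitivity.
LEVELS = ["Internal Use Only", "Confidential", "Confidential and Restricted", "Critical"]

# Assumed keyword policy (hypothetical; each organisation defines its own).
KEYWORD_LEVEL = {
    "staff": "Internal Use Only",
    "customer": "Confidential",
    "salary": "Confidential and Restricted",
    "patent": "Critical",
}

def tokenize(text):
    return set(re.findall(r"[a-z0-9]+", text.lower()))

def build_index(documents):
    """Inverted index: keyword -> set of (endpoint, path) that contain it."""
    index = defaultdict(set)
    for location, text in documents.items():
        for word in tokenize(text):
            index[word].add(location)
    return index

def search(index, keyword):
    """Live keyword search: which endpoints and files hold this term?"""
    return sorted(index.get(keyword.lower(), set()))

def classify(index, documents):
    """Give each file the highest level any of its keywords implies (None = unclassified)."""
    result = {location: None for location in documents}
    for keyword, level in KEYWORD_LEVEL.items():
        for location in index.get(keyword, ()):
            current = result[location]
            if current is None or LEVELS.index(level) > LEVELS.index(current):
                result[location] = level
    return result

# Constructed sample: file contents as an endpoint indexing agent might report them.
SAMPLE = {
    ("LAPTOP-01", "C:/Users/a/contacts.csv"): "Customer contact list, staff copy",
    ("LAPTOP-01", "C:/Users/a/notes.txt"): "Lunch menu for Friday",
    ("DESKTOP-07", "D:/hr/review.doc"): "Salary review per customer account",
    ("DESKTOP-07", "D:/rd/filing.doc"): "Draft patent claims, staff only",
}

if __name__ == "__main__":
    idx = build_index(SAMPLE)
    print(search(idx, "customer"))
    for location, level in classify(idx, SAMPLE).items():
        print(location, "->", level)
```

Files that end up unclassified are the ones to review by hand before the DLP policies for each level are written.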


DLP is finally getting the attention it requires

by Rupert Beeby on Jul.05, 2010, under Endpoint Software Packages, data security, data security trends, security policies

Apologies for the lack of posts - Had some personal problems that took me away.

There has been a lot happening in the security market in the last few months, particularly in the data loss prevention and encryption side of things. Encryption is hotting up as customers are, at last, trying to understand it and make informed decisions about what is required for their environment. Vendors still continue to ‘throw in’ some licenses just to mess things up but that is business.

On the DLP front we are also seeing proper investigation by customers who want to understand what it can do and if it will work for them. For so long vendors have used the acronym without any cost or risk justification. Well, that is starting to change thanks to Firewalls, IDS, AV and encryption still not being able to stop determined efforts at data removal. Customers are waking up to the fact that adding more products is not the answer, but proper risk assessment and the reduction of the highest threats is.

I also see a change in tack of vendors who are now trying to justify the spend. See my next post - can just DLP be justified on a cost basis?

Anyway, it is good to be back and sorry for the delay - all comments and suggested topics are very welcome.


Conficker needs application control

by Rupert Beeby on Oct.13, 2009, under Endpoint Software Packages, Industry News, data security, data security trends

Latest reports on Conficker infections include not only Ealing Council (see previous post) but also Oxford Brookes University, Manchester City Council and Whipps Cross University Hospital NHS Trust. Prior to this, the Houses of Parliament and Ministry of Defence were infected.

So AV has been proved to be powerless with this worm and even the DLP vendors do not have any defence, as they tend to focus on information passing out of the organisation. Application control should be a part of a DLP solution to stop worms from running and spreading to the rest of the organisation. In most cases it is not, as AV and most DLP is focused internally, not at the endpoint, which is the highest risk. Maybe Windows 7 will save us, but how many will implement the application control features and AV and DLP? Not many, I fear. Take a look at our sponsor's product, which if implemented will protect against zero day attacks and Conficker worms as well as providing the normal DLP features.


Ealing left Reeling after virus attack

by Rupert Beeby on Sep.04, 2009, under Endpoint Software Packages, Government, data security

Ealing Council is facing a bill for over £500,000 after a member of staff plugged an infected memory stick into a PC. The virus spread. The virus infected Ealing Council systems for several days after introduction at the housing department, requiring emergency IT work and interruptions to services such as parking fines and library systems.

It also seems that the council’s telephone systems were affected. It stopped AV functioning and blocked access to Microsoft support sites as well as contacting other websites at random.

What can one say? (I told you so springs to mind but that would be churlish). There are products that would have stopped this from happening but the reliance on AV as the main security barrier was found lacking.

What is needed is a thing called Application Control. This function stops any application whether a legitimate application started by the user or a malicious virus running on the endpoint. Windows 7 will have this feature as part of the Operating System but that is not out for a while and it will take years before everyone upgrades. So what do you do? Well look at some of the existing products that already provide this capability for XP and Vista such as Versec from Guardian Technologies. It scans permitted application images into a database which is then compared with the image that the user would like to run. It either permits or prevents as required.

So security guys at the councils get wise and look at what employees are doing on your systems. Data is spread everywhere, running unauthorised applications on endpoints, storing inappropriate content, using unsecured IM - all lovely ways for viruses to get in and data to get out!!

If you want the full story go here. http://news.bbc.co.uk/1/hi/england/london/8237085.stm
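The application control check described in this post and in the Conficker post above (enrol permitted application images in a database, then compare the image a user wants to run and permit or prevent), sketched as an added example. It is not code from the post or from any product named in it; the use of SHA-256 as the image fingerprint, the file names and the file contents are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

def image_digest(path, chunk_size=65536):
    """SHA-256 over the file's bytes, read in chunks so large images are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def enroll(paths):
    """Scan permitted application images into the database: digest -> name."""
    return {image_digest(p): os.path.basename(p) for p in paths}

def decide(path, database):
    """Compare the image a user wants to run with the database."""
    try:
        digest = image_digest(path)
    except OSError:
        return "prevent"  # fail closed: an image that cannot be read is not run
    return "permit" if digest in database else "prevent"

def demo():
    """Constructed sample images; contents and file names are made up."""
    with tempfile.TemporaryDirectory() as d:
        def write(rel, data):
            p = os.path.join(d, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(data)
            return p
        approved = write("apps/housing.exe", b"MZ constructed approved image")
        database = enroll([approved])
        # Same file name on a memory stick, different bytes: a name or path
        # rule would let it run, the image comparison does not.
        lookalike = write("usb/housing.exe", b"MZ constructed image with extra code")
        unknown = write("usb/setup.exe", b"MZ constructed unknown image")
        return {
            "approved": decide(approved, database),
            "same_name_different_bytes": decide(lookalike, database),
            "unknown": decide(unknown, database),
            "missing": decide(os.path.join(d, "gone.exe"), database),
        }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:28} {verdict}")
```

In a real deployment the comparison has to sit in the operating system's launch path and the database has to be writable only by administrators; a user-mode script like this shows only the decision logic.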


DLP Companies to watch

by Rupert Beeby on Aug.03, 2009, under Endpoint Software Packages, Industry News, data security trends

The recent acquisition of DLP vendors by the more traditional virus scanning giants might give the impression that the market is now the domain of the big players. Acquisitions such as Symantec buying Vontu, McAfee buying Safeboot and the EMC/RSA acquisition of Tablus have shown the DLP market is real and worth investing cash in, in order to get big quickly. But the DLP market is growing and developing and, so far, no one has the complete answer. Large security companies are still developing their strategy, such as Kaspersky Lab to name but one.

However, not all DLP start-ups have been consumed, as the Network World article shows. They have reviewed the small independents to show that the small guys are still worth taking seriously. See the link below to see the full article.

http://www.networkworld.com/research/2008/010708-data-leak-prevention-watch.html?nlhtsec=rn_051309&nladname=051309securityal


ESET Named To Magic Quadrant For Endpoint Protection Platforms

by Sion Camilleri on May.13, 2009, under Endpoint Software Packages

7th Space reports ESET, the leader in proactive threat protection, has been included in leading analyst firm Gartner’s “Magic Quadrant for Endpoint Protection Platforms,” published May 4, 2009.

 

| Comprehensive Protection | ESET | Symantec | McAfee | Trend | Kaspersky |
|---|---|---|---|---|---|
| VB100 Awards for Detection of All In-the-Wild Viruses in the VB Test Sets Without Any False-Alarms (virusbulletin.com, May 1998 - April 2009) | 55 | 49 | 38 | 16 | 45 |
| Advanced+ Awards, Tests of Proactive and On-Demand Detection (AV-Comparatives.org, May 2005 - November 2008), Advanced+/Advanced/Standard | 13/2/0 | 6/4/5 | 2/10/3 | 0/0/3 | 9/3/3 |
| Missed In-the-Wild Viruses in Virus Bulletin Tests between May 1998 and April 2009 (virusbulletin.com), On-Access | 0 | 29 | 64 | 70 | 34 |
| Missed In-the-Wild Viruses in Virus Bulletin Tests between May 1998 and April 2009 (virusbulletin.com), On-Demand | 0 | 2 | 71 | 68 | 16 |
| Proactive Detection | | | | | |
| Proactive Protection by AV-Comparatives (May 2008) | 57% | 14%* | 32% | No Data | 21% |
| Proactive Test by AV-Test.org on 1-Month Old Signatures (January 2008) | 68% | 26%* | 30% | 27% | 24% |
| Performance Advantages | | | | | |
| Boot Time Overhead Percentage by AV-Comparatives (November 2008) | 12% | 26% | 70% | No Data | 108% |
| File Access Lag Time (virusbulletin.com; August 2008) | 0.02 MB/s | 0.04 MB/s | 0.08 MB/s | No Data | 0.04 MB/s |
| Commit Charge (Clean Systems, West Coast Labs; September 2008) | 100.63 MB | 186.3 MB | 157.93 MB | No Data | 156.12 MB |
| Application Startup Time (Internet Explorer, West Coast Labs; September 2008) | 1.94 seconds | 3.1 seconds | 3.74 seconds | No Data | 2.17 seconds |
| Boot Times (West Coast Labs; September 2008) | 157 seconds | 229 seconds | 187 seconds | No Data | 168 seconds |

* Norton AV

ESET is the only company with over 50 VB100 awards and continues to lead the industry with the highest detection rates and zero false positives - the winning formula in malware protection.


Safend Safeguards At The Endpoint

by Sion Camilleri on May.11, 2009, under Endpoint Software Packages, data security

Information Week reports: We start our Rolling Review of data loss prevention products with Safend Protector Endpoint, the lone entry in our DLP mix whose primary emphasis is endpoint security. The other players have strong DLP capabilities at both the network level and the endpoint, but we wanted to include a company that operates exclusively in the endpoint market because not all IT shops want, or can afford, a soup-to-nuts system from the likes of RSA, Websense, or Symantec (NSDQ: SYMC).

Regardless of how large or complex your organization is, battling data loss threats must start with an emphasis on the endpoint. Safend estimates that 60% of corporate data resides on endpoints, and that’s where Safend Protector Endpoint aims its DLP resources.


Symantec cautions on cloud security

by Sion Camilleri on May.11, 2009, under Endpoint Software Packages, data security, data security trends

CBR Security reports Guy Bunker, who is responsible for cloud security strategy at Symantec and sits on the Jericho Forum, said, “A common misconception is that because security issues in the main don’t happen in the data centre but out at the end points, then stuff out in the cloud is going to be more secure and is more resilient against attack. It is not the case.”


Symantec Releases Endpoint Encryption 7.0

by admin on Jan.27, 2009, under Endpoint Software Packages

Symantec have released Endpoint Encryption 7. eChannelLine reports that the product is aimed at providing advanced encryption for desktops, laptops and portable storage devices.

Symantec have designed the product to fit in with a wide variety of configurations among its larger enterprise customers. Support is provided for non-domain customers such as Novell eDirectory clients. These users should be able to have a single sign-on experience in a similar way to that of Windows clients.

Group policies are implemented so that, for example, CDs burned for use in a closed group of users will only be accessible to members of that group.

Administrators can administer encryption to hard drives for protection of sensitive data when lost or stolen. Symantec is releasing three versions of the software with the full version costing around $110 per seat.

