
Outbound email monitoring, filtering to prevent data leakage, breaches

By Ron Condon, UK Bureau Chief
05 Sep 2008 | SearchSecurity.co.uk


We've all done it. Just after hitting the Send button, you realise that the email message and attachment you have just sent are on their way to the wrong Joe, Jim or Susan in your address book. The helpful auto-complete function in Outlook, designed to make life easier for you, has just landed you in trouble.

A quick follow-up message asking Joe, Jim or Susan to ignore and destroy the contents is usually enough to save further embarrassment. But it shows just how easily information can leak out via email unless you have controls in place.

And it's not just accidental leaks that can occur. Ed Macnair, CEO at email and Web security company Marshal Ltd., says he was called in recently to help a certain large soap manufacturer that was worried about a competitor stealing its ideas.

"The competitor had come out with very similar products within a timeframe that would not be possible from normal R&D cycles. They were suspicious," he says.

The company used Marshal to fingerprint certain confidential documents, and instructed both the WebMarshal and MailMarshal products to look out for them. "Within a week, they found two people were sending out confidential data to their competitors," says Macnair. In this instance, the perpetrators were using webmail to try and avoid detection.

While USB sticks have attracted most of the headlines about data leakage recently, email remains one of the most open (and obvious) channels for information to pass outside an organisation.

"We estimate around 80 per cent of the information leakage goes out via email, the reason being that it is so easy to use," says David Stanley, European managing director for Proofpoint Inc., an email management company. "It is much easier to send an email than transfer a file on to a USB stick and then lose it."

He says most organisations have concentrated on keeping out external threats and have only recently started to monitor outbound email, and the results can be surprising. In one instance last month, an NHS trust, suspecting that its security policies were not being followed, invited Proofpoint to monitor its outbound email traffic. The company discovered 137 security breaches in a single week.

In most cases, says Stanley, users were just trying to do their jobs and were cutting corners with no malicious intent. But some serious breaches were discovered and may result in punitive action.

Most email management systems provide users with filters and mechanisms to control outgoing messages, but up to now their use has been limited. Andrew Kellett, a consultant with the London-based Butler Group, says users are finally catching up with the technology.

"I think the vendors got the solutions in place before the marketplace was really ready for them," he says. "But control of outbound email is becoming more common now. In the general data leakage prevention strategy, the email channel is one where companies can most easily make a difference."

But as he points out, successful control depends on companies having a proper set of policies, which are properly communicated and protect the right information. "It is not a quick fix. You have to go through a lot of stages to do the job properly," he says.

James Blake, chief strategist at Mimecast Ltd., agrees: "Implementing an effective DLP strategy for email needs to be viewed in the context of an organisation's overall email compliance and risk management policy. Any email-oriented DLP solution must be content-aware as well as granular enough to deploy different policies for different users."

But as Sarah Deacon of Guidance Software Inc. points out, technology and policy have to track a moving target: "The majority of these systems rely on pre-created keywords, word weightings and document types to flag alerts and stop email travelling outside of an organisation. However, the type of information that can be leaked is ever changing and so there is a constant battle to maintain these criteria and traps."

It is also easy to overdo the security and create false positives, according to Patrick Walsh, marketing director at UTM (unified threat management) vendor eSoft Inc. "In practice, monitoring outbound emails - flagging the emails with NHS numbers, licence numbers, or with 'Confidential' stamped on them - results in a lot of false positives," he says. "The 'confidential' tag, for example, is often found in the footer of emails sent by lawyers."
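The keyword-weighting approach and the two false-positive sources described above can be shown in a short sketch. This is an added example, not code from the article or from any vendor it quotes: it scores a message body with weighted keywords, ignores text after a signature delimiter, and counts a ten-digit number as an NHS number only if it passes the Modulus 11 check digit. The keyword weights, threshold, footer convention and sample messages are constructed assumptions.

```python
import re

# Constructed policy values for illustration; a real deployment tunes these.
KEYWORD_WEIGHTS = {"confidential": 3, "formulation": 4, "patient": 2}
NHS_WEIGHT = 5
THRESHOLD = 3
NHS_CANDIDATE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{4})\b")
# Assumption: footers follow the conventional "-- " signature delimiter line.
SIGNATURE_DELIM = re.compile(r"^-- ?$", re.MULTILINE)

def nhs_number_valid(digits):
    """Modulus 11 check: weights 10..2 over the first nine digits."""
    if len(digits) != 10 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    return check != 10 and check == int(digits[9])

def strip_footer(body):
    """Drop everything from the signature delimiter onwards."""
    match = SIGNATURE_DELIM.search(body)
    return body[:match.start()] if match else body

def score_outbound(body, ignore_footer=True, validate_nhs=True):
    """Score a message body; both false-positive controls can be switched off."""
    text = strip_footer(body) if ignore_footer else body
    words = re.findall(r"[a-z]+", text.lower())
    score = sum(KEYWORD_WEIGHTS.get(w, 0) for w in words)
    candidates = ["".join(m.groups()) for m in NHS_CANDIDATE.finditer(text)]
    hits = [n for n in candidates if not validate_nhs or nhs_number_valid(n)]
    score += NHS_WEIGHT * len(hits)
    return {"score": score, "nhs_numbers": hits, "flag": score >= THRESHOLD}

# Constructed sample messages (not real data); 943 476 5919 is a checksum-valid test value.
LAWYER = "Agenda for Tuesday attached.\n-- \nJ. Smith\nThis email is confidential.\n"
ORDER = "Your order reference is 1234567890, dispatched today."
RECORD = "Patient record for NHS number 943 476 5919 attached."

if __name__ == "__main__":
    for name, body in (("lawyer", LAWYER), ("order", ORDER), ("record", RECORD)):
        print(name, score_outbound(body, False, False)["flag"], score_outbound(body))
```

With both controls off, all three sample messages are flagged; with them on, only the message carrying a checksum-valid number is.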

Much of the impetus to take control of outgoing email comes from the combined pressures of recent data-breach horror stories, and a need to comply with the growing body of regulation on data handling. But the security dangers are real, as an analysis of UK business by Forrester Research Inc. discovered early this year. The study found that two-thirds of UK companies were worried about email being used to disseminate company trade secrets or intellectual property, and 47 per cent had investigated a suspected leak of confidential or proprietary information via email in the previous 12 months.

And there are other advantages of monitoring email. According to Marshal's Ed Macnair, one company became so worried about its high level of staff turnover that it decided to check for any CVs going out over email. The CVs were not blocked, but the HR department was notified so that pre-emptive action could be taken to keep the employee in question. A pattern soon emerged: most of the applications were from staff working for the same unpopular manager. The staff turnover problem was soon solved.


