A DLP Success Story
October 14th, 2011
Those of us who are information security professionals know all too well that success stories in our arena are few and far between. When we hear of one, we need to savor the moment. Such a moment recently occurred at Nationwide Insurance, which not long ago had implemented a data loss prevention (DLP) tool enterprise-wide. The DLP tool issued an alert that a Nationwide employee, Bi, had sent a spreadsheet from his personal email account to his Nationwide email account. A follow-up investigation by Nationwide officials revealed that the spreadsheet contained credit card numbers, PayPal and eBay account names, and bogus identity information, and the company contacted law enforcement soon afterwards. The FBI Cybercrime Task Force and the U.S. Postal Inspection Service launched an investigation and ultimately determined that Bi had been copying computer games to CDs and then selling the CDs at a greatly reduced price. Between 2005 and late 2009, Bi sold more than 35,000 copies, valued at $700,000, on eBay using the stolen eBay and PayPal account names as well as his own account.
Last July Bi pleaded guilty to one count each of copyright violation, mail fraud, and aggravated identity theft. He could have received a sentence of as much as 20 years in prison, but because he pleaded guilty, his sentence was only two and a half years of imprisonment and two years of probation, one of which will be home confinement. He also must pay an as yet unspecified amount of restitution and must give up what he gained from his crimes ($367,669), a Lexus SUV, his house, and his computing and electronic equipment.
Nationwide was both smart and fortunate. The company was smart in that the powers-that-be within it approved the purchase and installation of a DLP tool. DLP technology is by no means a panacea, but it can and does identify anomalous user actions related to copying and sending sensitive and valuable information.

DLP, not intrusion detection, was the correct choice. Whether or not we realize it, intrusion detection technology as we currently know it is dying a slow but sure death.* The gap between the state of the art within the black hat community and the state of the art in intrusion detection technology has already grown out of control. More importantly, intrusion detection, even if it were more proficient in detecting incidents than it currently is, does not deliver the results that we need most. An intrusion detection system may inform us that someone has broken into a system. There is some value in knowing this–based on this information, we can send technical staff to clean and restore the compromised host and to determine whether it has been used to attack other systems. But today the bottom line for organizations is intellectual property (IP), or its equivalent, and our ability to protect it. The value of an organization is increasingly linked to the value of the intellectual property it possesses and its ability to create more. So if a perpetrator breaks into a host on which no IP is stored, the break-in has far less negative impact than a naïve company employee sending a critical business document to someone who works for a competitor. That is exactly where DLP technology comes in. Sooner or later, someone who attempts unauthorized activity involving sensitive and/or proprietary information will not only trigger a DLP alert but (provided the DLP tool is sufficiently proficient) will be unable to carry out the intended copying or transfer of files. And stopping deliberate perpetrators as well as naïve users from engaging in actions that can result in IP being compromised is likely to make an enormous difference in an organization’s bottom line.
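To make the kind of check a DLP tool performs concrete, here is an added illustration of content inspection on a mail message with a spreadsheet attachment. It is constructed for this post and is not Nationwide's tool or code from the original article; the domain names, the personal-webmail list, the keyword dictionary and the sample messages are all assumptions made for the example. It combines a Luhn-validated card-number scan, a keyword match on the spreadsheet's column names, and the context rule from the story (a spreadsheet moving from a personal webmail account into a corporate mailbox), and returns an allow, alert or block verdict with the reasons behind it.

```python
"""Constructed DLP-style inspection of a mail attachment (illustration only;
not Nationwide's product and not code from the original post)."""
from __future__ import annotations

import csv
import io
import re
from dataclasses import dataclass, field

# Constructed policy values; a deployed DLP tool loads these from its own
# configuration rather than hard-coding them.
CORPORATE_DOMAIN = "corp.example"
PERSONAL_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}
SENSITIVE_COLUMN_NAMES = {"paypal", "ebay", "ssn", "password"}
SPREADSHEET_SUFFIXES = (".csv", ".xls", ".xlsx")

# A run of 13 to 16 digits, optionally separated by spaces or dashes, that is
# not embedded in a longer word or digit run.
CARD_RE = re.compile(r"(?<![\w-])(?:\d[ -]?){12,15}\d(?![\w-])")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for well-formed card numbers, which cuts the false
    positives that order numbers and other long digit strings would cause."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return the digit strings that look like card numbers and pass Luhn."""
    found = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            found.append(digits)
    return found


@dataclass
class Message:
    sender: str
    recipient: str
    attachment_name: str
    attachment_text: str  # spreadsheet exported as CSV


@dataclass
class Verdict:
    action: str  # "allow", "alert" or "block"
    reasons: list[str] = field(default_factory=list)


def mail_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def inspect(msg: Message) -> Verdict:
    reasons = []

    # Content check 1: Luhn-valid card numbers anywhere in the attachment.
    cards = find_card_numbers(msg.attachment_text)
    if cards:
        reasons.append(f"{len(cards)} Luhn-valid card number(s) in {msg.attachment_name}")

    # Content check 2: keyword dictionary against the spreadsheet's header row.
    header = next(csv.reader(io.StringIO(msg.attachment_text)), [])
    flagged = sorted({h.strip().lower() for h in header} & SENSITIVE_COLUMN_NAMES)
    if flagged:
        reasons.append("sensitive column names: " + ", ".join(flagged))

    # Context check: a spreadsheet moving from personal webmail into a
    # corporate mailbox, the transfer pattern that raised the alert in the post.
    if (mail_domain(msg.sender) in PERSONAL_MAIL_DOMAINS
            and mail_domain(msg.recipient) == CORPORATE_DOMAIN
            and msg.attachment_name.lower().endswith(SPREADSHEET_SUFFIXES)):
        reasons.append("spreadsheet sent from personal webmail to corporate mailbox")

    if cards:
        return Verdict("block", reasons)  # stop the transfer outright
    if reasons:
        return Verdict("alert", reasons)  # deliver, but raise an alert for follow-up
    return Verdict("allow", reasons)


# Constructed sample traffic: one message modelled on the incident, one benign.
SUSPECT = Message(
    sender="employee.private@gmail.com",
    recipient="employee@corp.example",
    attachment_name="accounts.csv",
    attachment_text=(
        "card_number,ebay,paypal\n"
        "4111 1111 1111 1111,seller_one,buyer_one\n"
        "5555555555554444,seller_two,buyer_two\n"
        "1234567890123456,fails_luhn,ignored\n"
    ),
)
BENIGN = Message(
    sender="quotes@partner.example",
    recipient="employee@corp.example",
    attachment_name="quote.csv",
    attachment_text="item,qty,price\nwidget,10,19.99\n",
)

if __name__ == "__main__":
    for m in (SUSPECT, BENIGN):
        v = inspect(m)
        print(f"{m.attachment_name}: {v.action} {v.reasons}")
```

The three-tier outcome mirrors the point made above: the context rule alone (personal webmail into a corporate mailbox) only raises an alert for someone to investigate, which is what happened at Nationwide, while Luhn-valid card numbers in the attachment are enough to block the transfer before it completes. The third row of the constructed spreadsheet is a 16-digit string that fails the Luhn check, showing why the checksum matters for keeping the false-positive rate down.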
Nationwide was fortunate in that the proprietary information and personally identifiable information it stores and uses were not involved in the incident discussed here. At the same time, however, Bi’s moving such information onto Nationwide machines could potentially have exposed the company to numerous lawsuits based on downstream liability. In a nutshell, you need to worry not just about your own information on your own hosts, but also about other information that was never intended to be stored and processed on your hosts.
And, oh by the way, think of all the trouble that could have been prevented or at least stopped shortly after it started if the U.S. State Department had deployed DLP technology on its Net-Centric Diplomacy system from which so many sensitive documents were leaked to WikiLeaks.
–Gene Schultz, Ph.D., CISSP, CISM, GSLC
* – I still nevertheless recommend using intrusion detection systems as part of a defense-in-depth scheme–they may be able to identify incidents and anomalies that might otherwise be missed.
– – – – – – – – – – – – – – – – –
Dr. Eugene Schultz is the CTO at Emagined Security, an information security consulting practice based in San Carlos, California. He is the author/co-author of five books, and has also written over 120 published papers. Gene has been the editor-in-chief of two journals and is currently on the editorial board of three journals. He is also a SANS instructor, member of the SANS NewsBites editorial board, co-author of the 2005 and 2006 CISM preparation materials, and is on the technical advisory board of three companies. Gene has previously managed an information security practice as well as a national incident response team. He has also been professor of computer science at several universities and is retired from the University of California. He has received the NASA Technical Excellence Award, the Department of Energy Excellence Award, the ISACA John Kuyers Best Speaker/Best Conference Contributor Award, the Vanguard Conference Top Gun Award (for best presenter) twice, the Vanguard Chairman’s Award, and the National Information Systems Security Conference Best Paper Award. A Distinguished Fellow of the Information Systems Security Association (ISSA), Gene has also been named to the ISSA Hall of Fame and has received ISSA’s Professional Achievement and Honor Roll Awards. He is currently a member of the accreditation board of the Institute of Information Security Professionals (IISP). Dr. Schultz has provided expert testimony before committees within the U.S. Senate and House of Representatives on various security-related issues, and has served as an expert witness in legal cases.