We Have Spent Millions On Security But Still Face Leaks To The Public And The Press?

Spending huge sums of money has not resulted in a reduction of information leaks caused by internal staff. These leaks can be either accidental or deliberate in nature, as the following examples show:
- “Google accidentally leaked hundreds of thousands of customers’ personal details — and didn’t notice for 2 years” (Business Insider, March 13th, 2015)
- “David Bowie, Diane Von Fürstenberg, Diego Forlán, and other famous names that appeared in HSBC’s Swiss bank leak” (Business Insider, February 2015)
- NSA leaks by Edward Snowden (June 2013)
- Secret military and diplomatic files leaked to Wikileaks by Bradley Manning (February 2010)
The key reason for these failures is that protecting against insider threats is not an IT problem but a business problem. Existing security solutions like firewalls and Data Leakage Prevention (DLP) systems, which try to prevent unauthorised access to sensitive information, do not tackle the issue of fraud. What is required is an approach where the auditing of users with authorised access to sensitive information is central to the implementation of the system.

Why existing security systems like DLPs fail

The biggest challenge in information security is detecting the theft of sensitive information by users with legitimate access to that information. For example, a procurement manager might send an email containing upcoming tender details out to a third party. Another common example of this is copying and destruction of information by users who have resigned or are about to resign. Existing solutions, like DLP systems, are unable to meet this challenge due to the following reasons:

1. Information Owners (Heads of Department) are unable to directly control the information for which they are responsible

Sensitive information is created daily in a decentralised manner at the departmental level. The only people who can actually decide the appropriate use of this information are the department staff themselves. Unfortunately, traditional security approaches rely on central tagging and monitoring of sensitive information and there is no automated way of tagging new information being created on a daily basis. Furthermore, as they rely on central monitors rather than departmental-level monitors, they have no idea what qualifies as inappropriate usage of sensitive information. As such, sensitive information which can actually hurt the organisation never gets tagged and monitored.

2. Existing security solutions only catch illegitimate access

The standard industry security solutions, such as DLP systems, are built to only catch illegitimate access. They do this by restricting access to sensitive information. This works fine as long as the person is not authorised to have access to the information. However, when dealing with security risks such as social engineering attacks and insider threats, where the perpetrators are usually authorised users who have legitimate access, these solutions fail.

3. Real sensitive information is not shared with, or monitored by, IT staff

Real sensitive information like board papers, new acquisition documents, etc are often considered to be too sensitive and are not shared with the IT staff maintaining the security system. When the information cannot be shared with the IT staff, the information never gets protected.

4. IT staff cannot identify actual leakage of sensitive information

When potential leakages of sensitive information are captured, the IT staff will need to review the incidents to determine whether each leakage is genuine or a false positive. As the IT staff does not know much about the people using the information, the operational circumstances and what constitutes misuse of the information, the IT staff will be unable to make this decision accurately. As a result, either serious leakages go unreported or else a lot of false positives get reported to the management.

5. No education or involvement of users and so no modification of user behaviour

DLP systems do not indicate to users whether documents contain sensitive information or not. This means that users are unaware of the importance of some documents and unwittingly violate DLP rules regarding their usage. Furthermore, DLP systems do not allow users to provide feedback directly to the information owners about their changing business needs regarding the sensitive information. The lack of education means the users are unable to modify their behaviour in handling sensitive information. The lack of involvement means they are unable to modify the behaviour of the DLP system to match their business needs. This quickly leads to user dissatisfaction with the DLP system.

THE SOLUTION: CORPORATE INTEGRITY MANAGEMENT SYSTEM, A SMART DLP

e-Safe Compliance is a corporate integrity management system. It is built on the philosophy of “Educate, Trust and Verify”. e-Safe Compliance enables information owners and users to educate each other on what information is sensitive and on the changing business needs regarding its use. e-Safe Compliance avoids operational overheads through trust, by making information owners responsible for protecting sensitive information through the specification of document rights, and by allowing users to override document rights when necessary. e-Safe Compliance enables information owners and auditors to verify that sensitive information is protected, and not misused, by monitoring its usage and highlighting potential issues.
e-Safe Compliance is the only system to protect against both insider and outsider threats:

1. Behavioural analytics to detect potential threat points

e-Safe Compliance uses user behaviour analytics to automatically build a profile of each of your users’ normal activity, and alerts security teams to anomalies. e-Safe picks up indicators of compromise like unusual use of admin / hacking tools, unusual transfers or consolidation of data, and unusual after-hours activity. When used in combination with threat intel feeds and/or perimeter security tools, e-Safe can also be used to identify compromised machines and the source of an attack.
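As an added illustration of the user behaviour analytics described above (example code written for this page, not e-Safe's own), the following builds a per-user baseline of working hours and daily document touches from constructed access events, then flags the three indicators named in the text: after-hours access, unusual volume, and consolidation of several documents by one user.

```python
"""Toy user-behaviour baseline and anomaly pass over constructed access events."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample events (not real data): "timestamp,user,action,document"
BASELINE = """2015-03-02T09:12,alice,open,tender-2015-07.docx
2015-03-02T10:05,alice,open,budget.xlsx
2015-03-03T09:40,alice,open,tender-2015-07.docx
2015-03-03T14:20,alice,open,minutes.docx
2015-03-04T11:00,alice,open,budget.xlsx
2015-03-05T09:30,alice,open,minutes.docx
2015-03-06T16:10,alice,open,tender-2015-07.docx"""

RECENT = """2015-03-09T23:45,alice,copy,tender-2015-07.docx
2015-03-09T23:46,alice,copy,budget.xlsx
2015-03-09T23:47,alice,copy,minutes.docx
2015-03-09T23:48,alice,copy,board-paper.pdf
2015-03-10T10:15,alice,open,budget.xlsx"""

def parse(text):
    """Turn the CSV-style lines into (timestamp, user, action, document) tuples."""
    return [(datetime.fromisoformat(ts), u, a, d)
            for ts, u, a, d in (line.split(",") for line in text.splitlines())]

def build_profile(events):
    """Per user: observed hour range and typical number of document touches per day."""
    hours, per_day = defaultdict(list), defaultdict(lambda: defaultdict(int))
    for ts, user, _, _ in events:
        hours[user].append(ts.hour)
        per_day[user][ts.date()] += 1
    return {user: {"hour_min": min(h), "hour_max": max(h),
                   "day_mean": mean(per_day[user].values()),
                   "day_sd": pstdev(per_day[user].values())}
            for user, h in hours.items()}

def find_anomalies(profile, events, sd_mult=2.0):
    """Return (user, day, reasons) for days deviating from that user's own baseline."""
    by_day = defaultdict(list)
    for ev in events:
        by_day[(ev[1], ev[0].date())].append(ev)
    findings = []
    for (user, day), evs in sorted(by_day.items()):
        p = profile.get(user)
        if p is None:                      # a user with no history is itself worth review
            findings.append((user, str(day), ["no baseline"]))
            continue
        reasons = []
        if any(ts.hour < p["hour_min"] or ts.hour > p["hour_max"] for ts, *_ in evs):
            reasons.append("after-hours access")
        if len(evs) > p["day_mean"] + sd_mult * max(p["day_sd"], 1.0):  # floor sd at 1
            reasons.append("unusual volume")
        copied = {doc for _, _, act, doc in evs if act == "copy"}
        if len(copied) >= 3:               # many distinct documents gathered in one day
            reasons.append("consolidation of %d documents" % len(copied))
        if reasons:
            findings.append((user, str(day), reasons))
    return findings
```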

2. Securing information at its source and eliminating the need to block

e-Safe Compliance was designed on the assumption that you cannot stop information from getting out, as there are just too many channels (mobile phones, chat applications, websites, etc.) involved. Furthermore, if an insider is involved, he can simply access the information from his home PC. e-Safe Compliance solves this problem by securing the information at its source, using universal encryption to encrypt sensitive documents. A document encrypted using universal encryption can only be opened on devices that have the e-Safe agent installed and with the relevant user credentials, and it is tracked throughout its lifecycle from creation to deletion using e-Safe. This means administrators do not need to worry if a sensitive document gets out, as it is encrypted.

3. Empowering end-users to classify and monitor sensitive information themselves

e-Safe Compliance ensures that all transactions done by authorised users are analysed and monitored by users who understand them. This is made possible via e-Safe Compliance's decentralised management components:
  • Using the e-Safe Compliance information tagging utility, authorised information owners can classify large amounts of information into rules which are applied within their department.
  • Information owners can classify sensitive documents as secret, confidential or internal use using document rights management. They can also specify who can access this information by defining document rights, without involving the central admin.
  • Potential data leak incidents produced by these decentralised definitions are reviewed by the information owners themselves, in some cases completely without involving the IT admin. As the information owners have a good understanding of the people using the information, the operational circumstances, and what constitutes misuse of the information, they are able to identify serious misuse of information accurately.

The decentralised security facilities ensure that end-users are engaged in maintaining the security of the information, as they can clearly see the results of any mishandling, making security part of everyday operations.

4. Real-time forensic monitoring

e-Safe monitors the complete usage of documents and information throughout their lifecycle from creation to deletion using e-Safe’s real-time forensic monitoring technology. The technology provides administrators with an unequalled audit trail for monitoring information. For example, they can know at any time where a particular piece of information resides, who has had this information, how this information has moved, and the complete history of different versions of the information, even if it gets modified.

5. Integrity management workflow

The e-Safe Compliance integrity management workflow ensures that any dubious transaction done by a user is reported to the user’s manager (the information owner) and to the security personnel. This mechanism of reporting to the users who actually understand the information ensures that staff do not misuse information. Furthermore, to ensure that the information owners are not themselves stealing sensitive information, the usage reports are centrally audited by the security department (or similar). This dual reporting is an essential requirement for compliance with ISO 27001 standards.
A high level diagram of the checks and balances within e-Safe Compliance is shown in figure 1 below.

Figure 1 – Decentralized Information Monitoring System (Security is everyone’s responsibility)

6. Visual signals ensure ongoing education and ensure compliance

e-Safe Compliance assists in improving the behaviour of users by educating them on acceptable usage. e-Safe Compliance monitors user behaviour, and when misuse of sensitive information or inappropriate behaviour is found, it displays warning messages to the user for guidance. For example, sensitive information is clearly marked with triangles based on its sensitivity level (displayed below). The visual representation ensures users are aware they are dealing with sensitive information, and appropriate warning messages are displayed when they mishandle the information.

Visible Signal to ensure on-going education and ensure compliance

In addition to this, users are warned of any misuse of the company property through the display of a clear policy screen when logging into a company PC. This policy screen (displayed below) sends a clear, customisable message to members of staff that this machine is monitored and acts as a perfect deterrent to prevent infringement of the company’s IT policy.

Educate, Trust and Verify – Policy Screen


We usually find at least 1 confirmed data leak per 100 users.

Discover how much of your data is at risk, for free, within just a couple of hours!