A Good Judge of Character

Opinion: Systems need to know suspicious content when they see it.

I cant define "suspicious traffic," but I know it when I see it. Unfortunately, this human test—with apologies to the late Justice Potter Stewart, who famously applied it to pornography—does not scale cost-effectively to enterprise volumes of potentially sensitive information that requires controls on access or exchange.

The future of corporate and personal reputations (not to mention the growing danger of legal penalties) therefore depends on our devising and deploying systems that can automatically characterize information, in context, and tell us when something doesnt look right—without getting in the way of doing our work.

We cant depend on perimeter defense because both innocent misdirections and malicious leaks are often the acts of authorized parties. We cant depend on data protection policies or employee training because many problems result from user error. We cant rely on firewalls, anti-virus or anti-spam products, or other generic tools because they protect against whats intrinsically bad—not against whats merely inappropriate in specific situations.

"The current approaches are threat-centric," said Sharon Besser—thats "Sharon" like "Ariel Sharon," not like "Sharon Stone"—during a conversation that we had early this month about data leakage threats and responses. Besser, a senior director at PortAuthority Technologies, said that "virus threats and spam threats are very similar from one organization to another, but content is quite different. You and I both have contracts, we both have trade secrets, but those similar things are in quite different-looking documents."

Whats needed, Besser continued, is an information-leakage detection process that doesnt generate lots of false positives and doesnt interfere with business processes. Sensitivity to users roles is critical, he added: A human resources manager may often refer to Social Security numbers, while a physician may need to discuss prescriptions for Viagra. Neither should have messages discarded or delayed by blanket rules concerning disallowed information types or because of generic lists of blocked keywords.

From where I sit, its clear that getting data under control requires automation: We cant afford to put more people on a non-value-adding task, and human error is itself a big part of the problem. It also requires transparency: Users will find a way around any system that adds to their workload without adding to their output.

Most difficult is the requirement of an in-depth approach that looks at whats actually crossing the wire, without relying on falsifiable indicators such as file name extensions. Users find and share the shortcuts that let them get their jobs done more quickly—even though the same shortcuts can also be used invidiously.

For example, its not enough to look for the .zip or .exe extension on an e-mail attachments file name: I just now Googled "rename zip firewall," and the fifth hit was a helpful inquiry on a gaming forum titled, "How can I pass a .exe past work firewall?" There were several reasonable and even clever suggestions, including one to " ... uuencode/base64 the binary and e-mail it that way, right there in the text. Compress first to mitigate the damage." In most enterprise settings, that would likely work, unless a limit was in place on maximum transmitted e-mail size.

In an environment where any user can get this kind of expert advice in a matter of seconds, perhaps with a few more minutes to download or to learn to use the necessary tools, no single method of protecting information is likely to hold up for long. Whats needed is a multivectored approach. For example, sensitive documents can be "fingerprinted," to use PortAuthoritys term for its application of multiple hash functions.

The final step, of course, is management visibility into indications of error or abuse: PortAuthoritys 3.5 release strengthens its tools to highlight problem trends. I guess that brings us back to Justice Stewarts rule. To know it, you have to be able to see it—but at least we can hope to get a higher-level view.

Peter Coffee can be reached at peter_coffee@ziffdavis.com.


Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.