Poor data-loss prevention practices almost cost Intel a billion

By Michael Morisy, News Writer
13 Nov 2008 | SearchNetworking.com


When it comes to data-loss prevention, good network security can make all the difference, as Intel and its former employee, Biswamohan Pani, discovered.

Pani was indicted by a grand jury last week for allegedly stealing more than $1 billion in Intel's intellectual property after the former design engineer jumped ship to competitor AMD.

The drama began when Pani, whom Intel described in the indictment as a low-level employee, gave notice to quit his job, telling his employers that he was pursuing an opportunity with a hedge fund, although he had already been offered a position with the chipmaker's rival.

Before officially departing, however, Pani would use up the last of his vacation days. During this time, he kept his Intel-issued laptop – and all the user permissions that came with his role in various projects.

Intel claims that Pani spent that vacation time downloading secret internal files -- some of which related to projects he had never worked on -- to an external hard drive.

Security experts said cases like Pani's are impossible to prevent completely, but there are some measures that can be taken to step up data-loss prevention efforts.

"There are just so many ways that someone can get something out the door, that if they're intelligent and motivated enough, they're going to make it happen," said Rich Mogull, founder of security analysis firm Securosis. "The good news is that most employees aren't that smart."

There is also a fairly standard process that security teams can go through to develop their plan of defense: determining corporate data's importance, determining and enforcing who can access it, logging data usage, and finally alerting when potentially malicious or unsafe uses are discovered.

The first step in defining a data-loss prevention policy, Mogull said, is determining data's value to the company and the company's tolerance for loss of that data.

"Somebody like Intel probably is not willing to tolerate one incident a year around certain types of their intellectual property," he said. "For other companies, their tolerance is probably higher."


That means classes of data need to be differentiated and assigned a value. Leaked internal policy manuals probably have a lower value, for example, than the schematics to a new line of chips.

These value classifications will ultimately determine the security measures that an organization should take to protect each set of data. The manual might simply have a note saying "Do Not Distribute," while the network security team might use deep-packet inspection to make sure users are not emailing out chip blueprints.

Intel had evidently begun taking these steps: The company noted that the allegedly stolen data was classified internally as "top secret" and was valued at more than $1 billion in research and development costs.

After assigning priorities and values to the data, the next step is to actively monitor and log potential points of data leakage, according to Michael Maloof, CTO of TriGeo Network Security.

Given Intel's detailed picture of Pani's network and document access presented in the indictment, the company most likely had this element down pat.

Much of this historical data could be culled from networking logs, such as when various users were logged into the VPN, and how much data they downloaded.

This information can then be cross-referenced later with other external data sources to track potential problems. For example, if large downloads were made when a user was supposedly on vacation, something is probably amiss.

Maloof said that most companies are relatively good at logging data access -- as Intel did -- and at keeping unauthorized users out; where they really need to improve is in cases like Pani's, in which material was accessed legitimately but for illegitimate purposes.

Odd access behavior or unusually large quantities of downloads could also be a sign of an employee stealing data, Mogull said.

Although Intel had all the information about when data was being accessed (on Pani's vacation) and by whom (an employee getting ready to leave), the red flags weren't raised, Maloof said.

This data – everything from vacation schedules and when employees are leaving to regular working hours and how much data users typically need to access – needs to be integrated into the security solution, so that when normal patterns are disrupted, a security professional can follow up and discover why.
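The cross-referencing Maloof and Mogull describe, as an added example that is not part of the original article or of any Intel or TriGeo tooling: per-user VPN download logs are correlated with HR data (scheduled vacation, date notice was given) and with each user's own typical session volume, so that access during vacation or an unusually large download raises a flag for a security professional to follow up on. The log lines, usernames and HR records are constructed for the example; the ten-times-baseline threshold is an assumed tuning value.

```python
from dataclasses import dataclass
from datetime import date, datetime
from statistics import median

# --- Constructed sample data (assumed for this example, not from the article) ---
# One VPN session per line: ISO timestamp, username, bytes downloaded.
VPN_LOG = """\
2008-06-02T09:12:00 jdoe 48000000
2008-06-03T09:05:00 jdoe 51000000
2008-06-04T09:20:00 jdoe 47000000
2008-06-05T09:01:00 jdoe 52000000
2008-06-09T22:40:00 jdoe 2200000000
2008-06-10T23:05:00 jdoe 3100000000
2008-06-03T08:55:00 asmith 120000000
2008-06-04T08:57:00 asmith 115000000
2008-06-05T09:10:00 asmith 130000000
"""

# HR data to integrate: inclusive vacation ranges and the date notice was given.
HR_RECORDS = {
    "jdoe": {"vacation": [(date(2008, 6, 9), date(2008, 6, 13))],
             "notice_given": date(2008, 6, 6)},
    "asmith": {"vacation": [], "notice_given": None},
}


@dataclass
class Session:
    when: datetime
    user: str
    bytes_down: int


@dataclass
class Alert:
    user: str
    when: datetime
    bytes_down: int
    reasons: list


def parse_vpn_log(text: str) -> list:
    """Parse the three-column log format constructed above into Session records."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, nbytes = line.split()
        sessions.append(Session(datetime.fromisoformat(ts), user, int(nbytes)))
    return sessions


def per_user_baseline(sessions) -> dict:
    """Median bytes per session for each user; the median is not dragged up by a few outliers."""
    by_user = {}
    for s in sessions:
        by_user.setdefault(s.user, []).append(s.bytes_down)
    return {user: median(vals) for user, vals in by_user.items()}


def on_vacation(user: str, day: date, hr: dict) -> bool:
    """True if the day falls inside any scheduled vacation range for the user."""
    ranges = hr.get(user, {}).get("vacation", [])
    return any(start <= day <= end for start, end in ranges)


def detect_anomalies(sessions, hr, volume_factor=10) -> list:
    """Flag sessions that break the user's normal pattern; annotate with departure status."""
    baselines = per_user_baseline(sessions)
    alerts = []
    for s in sessions:
        reasons = []
        day = s.when.date()
        if on_vacation(s.user, day, hr):
            reasons.append("VPN access during scheduled vacation")
        base = baselines[s.user]
        if base > 0 and s.bytes_down > volume_factor * base:
            reasons.append(f"download volume {s.bytes_down / base:.0f}x user baseline")
        if not reasons:
            continue
        # A departing employee is context that raises priority, not an anomaly by itself.
        notice = hr.get(s.user, {}).get("notice_given")
        if notice and day >= notice:
            reasons.append("employee has given notice")
        alerts.append(Alert(s.user, s.when, s.bytes_down, reasons))
    return alerts


if __name__ == "__main__":
    for a in detect_anomalies(parse_vpn_log(VPN_LOG), HR_RECORDS):
        print(f"{a.when:%Y-%m-%d %H:%M} {a.user:<8} {a.bytes_down:>12} bytes: {'; '.join(a.reasons)}")
```

The baseline is computed from the user's own history rather than a global number, which is what lets the same rule apply to an engineer who routinely pulls large design files and to one who does not; in practice the baseline would come from a longer window than the few constructed sessions here, and the vacation and notice dates would be pulled from the HR system rather than hard-coded.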

"You investigate and say, 'I didn't realize you were going to be working from home,' " Maloof said, noting that it's best to follow up and ask with particularly valuable data, even if the suspicious behavior is unlikely to be theft. "I would err on the side of being a little painful and sacrificing some productivity."

Such tracking can be tricky, Mogull said, particularly as users increasingly work their own hours, on their own terms, from a home office or while traveling.

"What you're going to be able to do a test and alert and monitor on is going to vary based on what you're monitoring," Mogull said, adding that network security solutions have to be tailored to the individual corporation's particular data-loss prevention needs. "Our technologies really aren't standardized yet. You have to look at it and say: 'Where is this information? How do we want to protect it?' "
