When it comes to data-loss prevention, good network security can make all the difference, as Intel and its former employee, Biswamohan Pani, discovered.
The drama began when Pani, whom Intel described in the indictment as a low-level employee, gave notice to quit his job, telling his employers that he was pursuing an opportunity with a hedge fund, although he had already been offered a position with the chipmaker's rival.
Before officially departing, however, Pani would use up the last of his vacation days. During this time, he kept his Intel-issued laptop – and all the user permissions that came with his role in various projects.
Intel claims that Pani spent that vacation time downloading secret internal files -- some of which related to projects he had never worked on -- to an external hard drive.
Security experts said cases like Pani's are impossible to prevent completely, but there are some measures that can be taken to step up data-loss prevention efforts.
"There are just so many ways that someone can get something out the door, that if they're intelligent and motivated enough, they're going to make it happen," said Rich Mogull, founder of security analysis firm Securosis. "The good news is that most employees aren't that smart."
There is also a fairly standard process that security teams can go through to develop their plan of defense: determining corporate data's importance, determining and enforcing who can access it, logging data usage, and finally alerting when potentially malicious or unsafe uses are discovered.
The first step in defining a data-loss prevention policy, Mogull said, is determining data's value to the company and the company's tolerance for loss of that data.
"Somebody like Intel probably is not willing to tolerate one incident a year around certain types of their intellectual property," he said. "For other companies, their tolerance is probably higher."
That means classes of data need to be differentiated and assigned a value. Leaked internal policy manuals probably have a lower value, for example, than the schematics to a new line of chips.
These value classifications will ultimately determine the security measures that an organization should take to protect each set of data. The manual might simply have a note saying "Do Not Distribute," while the network security team might use deep-packet inspection to make sure users are not emailing out chip blueprints.
Intel had evidently begun taking these steps: The company noted that the allegedly stolen data was classified internally as "top secret" and was valued at more than $1 billion in research and development costs.
After assigning priorities and values to the data, the next step is to actively monitor and log potential points of data leakage, according to Michael Maloof, CTO of TriGeo Network Security.
Given Intel's detailed picture of Pani's network and document access presented in the indictment, the company most likely had this element down pat.
Much of this historical data could be culled from networking logs, such as when various users were logged into the VPN, and how much data they downloaded.
This information can then be cross-referenced later with other external data sources to track potential problems. For example, if large downloads were made when a user was supposedly on vacation, something is probably amiss.
Maloof said that while most companies are relatively good about logging the data -- as Intel did -- and preventing unauthorized users from accessing it, it's cases like Pani's, where material was accessed legitimately for illegitimate purposes, where companies really need to improve.
Odd access behavior or unusually large quantities of downloads could also be a sign of an employee stealing data, Mogull said.
Although Intel had all the information about when data was being accessed (on Pani's vacation) and by whom (an employee getting ready to leave), the red flags weren't raised, Maloof said.
This data – everything from vacation schedules and when employees are leaving to regular working hours and how much data users typically need to access – needs to be integrated into the security solution, so that when normal patterns are disrupted, a security professional can follow up and discover why.
"You investigate and say, 'I didn't realize you were going to be working from home,' " Maloof said, noting that it's best to follow up and ask with particularly valuable data, even if the suspicious behavior is unlikely to be theft. "I would err on the side of being a little painful and sacrificing some productivity."
Such tracking can be tricky, Mogull said, particularly as users increasingly work their own hours, on their own terms, from a home office or while traveling.
"What you're going to be able to do a test and alert and monitor on is going to vary based on what you're monitoring," Mogull said, adding that network security solutions have to be tailored to the individual corporation's particular data-loss prevention needs. "Our technologies really aren't standardized yet. You have to look at it and say: 'Where is this information? How do we want to protect it?' "