Gaining Visibility Into Data Loss Resources

Joshua Mauk, information security officer at the University of Nebraska, had a vision for what it takes to build a secure network. For him, the first step was understanding the risk environment.

"When I got here four years ago, we didn't have visibility into our network in terms of data," Mauk says. "We really didn't know what was coming in or leaving the network."

That's all changed, thanks to data loss prevention software from Symantec that sends Mauk alerts when bank account and credit card information, Social Security numbers, medical data and driver's license information leave the network.

Today, Mauk receives daily, weekly and monthly reports on the four business-critical information types that the DLP software tracks.

"If someone sends an e-mail over the Internet that includes a Social Security number or bank account information, the software flags it as a risk and sends the person an e-mail that says 'You have sent an e-mail that may have contained confidential information, please contact the security office,'" Mauk explains.

"The Symantec tool can be turned on to block certain ­behaviors, but since we are a university and have a tradition of openness, we have opted not to do that," Mauk adds.

Mauk says the Symantec tool is now in place at three of the University of Nebraska's campuses: Lincoln, Omaha and Kearney. As an added protection, the university has tools for encrypting sensitive e-mail, and university-issued notebooks that may contain sensitive data are locked down with PGP encryption software.

"It became very clear to us early on that e-mail was the primary way people send out confidential information, so it just made sense to implement tools to encrypt e-mail and notebooks," Mauk says.

Content Awareness

Eric Ouellet, vice president of secure business enablement at Gartner, refers to the kind of software that the University of Nebraska uses as "content-aware" DLP software.

Ouellet says content-aware software can determine what information is contained in a specific file, folder, application or other data store, and whether that information is at rest, in use or in transit. He says the early adopters of DLP software didn't fare so well, mainly because they didn't fully understand what these tools are good for.

"You had what I call the Christmas tree effect: False positives filled the logs with events, making the management screens blink incessantly," Ouellet says. "The early adopters tried to track everything under the sun, and that simply didn't work. It's much more effective to do what the University of Nebraska is doing in modifying the rules based on very targeted sets of data."

Ouellet says the main ROI case for DLP software is as a preventive tool. The thousands of dollars an organization may spend on a software deployment is minuscule compared with the cost of a data breach, he reasons.

DLP software is also the perfect educational tool. "There's really no tool like DLP software that can train a user on security policy," Ouellet says. "What we're seeing is a real maturity, where people finally understand what these products can do."

Tammy Clark, chief information security officer at Georgia State University, in Atlanta, agrees.

"Presenting information in terms of informing-educating as opposed to admonishing or sanctioning goes a long way in the higher education sector, especially with faculty members on campus," says Clark, who plans to fully deploy the McAfee Total Protection suite early next year.

"With DLP, if a user is storing unencrypted confidential information on their systems or doing something that violates our information security policies, you can find out what is occurring through DLP scans, then work with users to educate them and correct it as opposed to making it seem that they did something wrong."

Protecting Apollo

Another organization that is deploying DLP using McAfee Total Protection is the Apollo Group, the parent company of the University of Phoenix.

Scott Carlson, a principal security engineer at Apollo, says his organization supports 450,000 students, as well as 35,000 desktop endpoints.

He says the McAfee suite is used for three purposes:

• Endpoint protection: Whole-disk encryption locks down all of the organization's notebooks.
• USB device encryption: Apollo wants its employees to use only hardware-encrypted USB thumb drives with McAfee antivirus software. The idea here is to prevent the staff from using insecure drives that the IT department can't centrally manage.
• Content awareness: A DLP agent on every machine scans for attempts to move confidential financial or Social Security information across the network. Users will be prevented from copying information, such as credit card numbers, to USB devices or insecure websites such as webmail portals.

"What happens is that sometimes users won't even realize they are sending confidential information, or they'll just mix personal and work information. But then all of a sudden, their confidential credit card information could be exposed," Carlson says. "Our goal is to make sure we are doing what's right for students, staff and faculty, and that we're protecting their information. That's our utmost concern."

The University of Nebraska's Mauk says once faculty, staff and students see the DLP tools in action, they quickly understand the value.

"The president of our university has seen some of the notices and has told us he's very happy to know we are taking those kinds of precautions," Mauk concludes.