Visibility is a critical element to both the physical and cybersecurity universes. With the recent events of Christmas day 2009, we see the need for increased airport security in the physical security space. These needs include visibility into the various “lists” that identify potential flight risks and even visibility down to our “skin and skivvies” with use of controversial scanner devices.
The physical security realm has long been dominated by visually oriented technologies, such as cameras and CCTV. However, visibility into the logical space has been less clear. I have spent many hours pouring over firewall and intrusion detection logs in search of evidence, much like a hunter tracking spoor. Sifting through volumes of logs can be a daunting task, even after help arrived in the form of log aggregation and SIEM (security information and event management) technologies and products. But these products have their drawbacks as well.
As the CISO for a large health care organization and an early adopter of data loss prevention (DLP) technology in early 2007, I was not fully prepared for the visibility this technology would offer. With eight hospitals, over 50 satellite offices, and 25,000 employees under our corporate umbrella, we had a lot of “invisible” issues that prior to DLP went unnoticed.
Within the very first 45 minutes of tapping into the corporation's internet junction point with DLP, we captured evidence of a user accessing child pornography. Over the next two years, I personally documented over 200 investigations largely facilitated by the use of DLP. Not all incidents involved pornography, as there were issues related to HIPAA and general privacy and policy violations. The violators included all job descriptions, including doctors, nurses, lab techs, system administrators, and even a chief of (physical) security at one of the locations. Based on these experiences, I can offer the following advice when deploying DLP.
First, meet with your human resource management and general counsel in advance of implementing DLP technology. Make sure they understand its capabilities and the probability of discovering and dealing with employee usage and policy abuses.
Next, have well documented and communicated policies for acceptable use of your company's systems and networks, as these will be indispensable in having to address staff issues related to system and network abuses.Further, document your investigations in excruciating detail. I developed a template that employed detailed reporting from a number of technologies to logically show the network-to-computer-to-user-to-evidence relationships. For example, output from one technology showed the relationship of IP addresses to machine names and locations, a report from the inventory system validated IP/machine name/user ID relationships, and reports from access control systems identified user ID assignment-to-user's real name. Corroborating evidence was included in reports from web content filters, DLP and, finally, internet history from the client device itself. Packaging investigations in this manner, with screen shots, made it easy for our HR departments to make their cases.
Remember that someone might be dismissed as the result of your investigations and you owe them and your organization the best job of investigating and reporting that you can. As the result of personnel actions, you may be called to court, and having detailed, easy-to-follow reports will help make your case. In this experience, I had to go to court on six occasions over the course of two years.
Seeing is believing.
