by Jian Zhen -
According to a survey by Accenture Ltd., approximately 60% to 80% of your company's assets are represented by intangible assets such as intellectual property, or IP.
IP includes things such as patents, trademarks, brands, trade secrets, designs, architectures, copyrights, algorithms, software code, hardware schematics, inventions, business processes and many other assets. These are properties that may or may not have a physical presence. They exist mostly in the digital world.
A study by PricewaterhouseCoopers, the U.S. Chamber of Commerce and the American Society for Industrial Security International estimated that U.S. companies lost up to $59 billion in intellectual property and proprietary information between July 2000 and June 2001. The largest average dollar value of loss per incident occurred in research and development ($404,000), followed by financial data ($356,000).
This probably isn't surprising to information security professionals, since most IP leaks involve insiders. Insiders are generally considered trusted users who have access to a network, whether they are connected on the internal LAN or through virtual private networks. Insiders can be current and former employees, contractors or business partners.
Any one of these people could be dissatisfied and decide to send a few design specs to a competitor. Once the secret is out, it's extremely difficult to contain. IP litigation, if you choose to go that route, can cost from several hundred thousand dollars to several million dollars. This amount doesn't even include the cost due to loss of reputation, brand, speed to market and other factors.
So how does a company go about securing its IP and making sure that access to it is tracked?
Enterprise content management
The first class of companies to attack this problem is the enterprise content management (ECM) vendors, such as FileNet Corp., Documentum Inc., Interwoven Inc., Open Text Corp., Stellent Inc. and Vignette Corp. These vendors generally provide centralized document management capabilities that allow users to:
- Organize and classify electronic documents
- Search documents using keywords
- Share documents with other users
- Check in and check out documents for editing
- Keep all documents under version control
- Audit all access to documents
These vendors' main answer to the IP leakage problem is to ensure that every access to an electronic document is recorded and reported. Their products manage and track documents as long as the documents are stored centrally on the server: they can tell you who accessed which file, at what time, how many times the file was accessed and how often particular people access it.
Some of the more sophisticated products can also tell you the access behavior by individual users. For example, if a user who doesn't normally access a certain section of the repository all of a sudden starts to download all the files in that section, something suspicious may be going on, and an alert would be sent.
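The access-behavior check described above, as an added example that is not any vendor's code: a per-user baseline of repository sections is learned from a window of audit-log entries, and an alert fires when a user later downloads several files from a section outside that baseline within a few minutes. The log format, user names, section names and thresholds are all constructed for this illustration.

```python
"""Access-behaviour alerting over an ECM audit log (added example, not vendor code).

Baseline: the repository sections each user touched before a cutoff date.
Alert: a user downloads >= THRESHOLD distinct files from a section missing
from their baseline, all inside a WINDOW. Log lines, users and sections are
constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log: timestamp, user, action, path (first component = section)
AUDIT_LOG = """\
2005-01-10T09:01:00 alice download /finance/q4-report.xls
2005-01-10T09:05:00 alice download /finance/budget.xls
2005-01-11T10:00:00 bob download /rnd/chip-design-v3.pdf
2005-01-12T11:30:00 alice view /finance/q4-report.xls
2005-01-13T14:00:00 bob view /rnd/schematics.vsd
2005-01-20T17:45:00 alice download /rnd/chip-design-v3.pdf
2005-01-20T17:45:30 alice download /rnd/schematics.vsd
2005-01-20T17:46:10 alice download /rnd/test-plan.doc
2005-01-20T17:47:00 alice download /rnd/bom.xls
2005-01-21T09:00:00 bob download /rnd/test-plan.doc
"""

WINDOW = timedelta(minutes=10)
THRESHOLD = 3


def parse_log(text):
    """Turn raw log lines into (timestamp, user, action, section, path) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, action, path = line.split()
        section = "/" + path.split("/")[1]
        events.append((datetime.fromisoformat(ts), user, action, section, path))
    return events


def build_baseline(events, cutoff):
    """Sections each user touched (any action) before the cutoff date."""
    baseline = defaultdict(set)
    for ts, user, _action, section, _path in events:
        if ts < cutoff:
            baseline[user].add(section)
    return baseline


def find_alerts(events, baseline, window=WINDOW, threshold=THRESHOLD):
    """Return (user, section, distinct_files) for bursts of downloads from
    sections the user never touched during the baseline period."""
    alerts = []
    downloads = defaultdict(list)  # (user, section) -> [(ts, path), ...]
    for ts, user, action, section, path in events:
        if action == "download" and section not in baseline.get(user, set()):
            downloads[(user, section)].append((ts, path))
    for (user, section), hits in downloads.items():
        hits.sort()
        for i in range(len(hits)):
            start = hits[i][0]
            in_window = {p for t, p in hits[i:] if t - start <= window}
            if len(in_window) >= threshold:
                alerts.append((user, section, len(in_window)))
                break  # one alert per user/section is enough
    return alerts


def run(log_text=AUDIT_LOG, cutoff=datetime(2005, 1, 15)):
    """Learn the baseline from entries before `cutoff`, then scan the whole log."""
    events = parse_log(log_text)
    return find_alerts(events, build_baseline(events, cutoff))


if __name__ == "__main__":
    for user, section, count in run():
        print(f"ALERT: {user} downloaded {count} files from {section} outside their baseline")
```

Bob's burst from `/rnd` is ignored because that section is in his baseline; Alice's four downloads from `/rnd` in two minutes trigger the alert. In practice the baseline would be refreshed on a rolling window rather than a fixed cutoff, and the threshold set per section size.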
But what happens when the file has been downloaded to the user's desktop? Once that happens, these products can no longer protect or track the documents. What happens if the user e-mails the file via Yahoo Mail or Gmail? What happens if the user uploads the file to another server using File Transfer Protocol (FTP) or HTTP? What happens if the user copies it to a Universal Serial Bus (USB) drive or prints it out?
IP leakage detection
A whole new class of companies, including Vericept Corp., Vidius Inc. and Vontu Inc., has arisen to detect IP leakage on the network. These companies' products are designed to monitor all the exit points through which information can leave the corporate network.
In general, when users intentionally or unintentionally leak IP, they will probably:
- E-mail the documents as attachments
- Upload the documents to another server via FTP or HTTP
- Send an instant message to another user
All unencrypted traffic on the network can be captured by packet sniffers and its content examined, and this is essentially what some of these products do. Most products in this category repurpose technology from the intrusion-detection system (IDS) and content-filtering world: they capture content from the network or e-mail stream, examine it with a keyword or regular-expression search, and alert the administrators if any matches occur.
The detection mechanisms in these products are not unlike a signature-based IDS. They also suffer the same high false-positive rate problems as the IDS products. You will also need to spend quite a bit of time tuning and maintaining the products in order for them to accurately detect IP leakage.
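The keyword/regular-expression inspection just described, and the false-positive problem that comes with it, as an added example that is not any vendor's code: each captured outbound message is run through a rule list. A single-keyword rule fires on harmless mail, while a tuned rule set that requires several indicators to co-occur and only looks at traffic leaving the corporate domain does not. Messages, addresses, project and patent identifiers and the rules themselves are constructed for this illustration.

```python
"""Signature-style content inspection of outbound messages (added example, not vendor code).

Messages, domains, rule names and patterns below are constructed; the point is
the contrast between a naive single-keyword rule and a tuned multi-indicator rule.
"""
import re

# Constructed messages captured at the network exit point: (id, from, to, body)
MESSAGES = [
    ("m1", "alice@corp.example", "friend@gmail.example",
     "Here is the lunch menu. Nothing confidential, just the Friday specials."),
    ("m2", "bob@corp.example", "rival@competitor.example",
     "Attached: Project Falcon chip design v3. CONFIDENTIAL - INTERNAL USE ONLY. "
     "Patent draft 2005-0042 included."),
    ("m3", "carol@corp.example", "carol@home.example",
     "Reminder: confidential HR survey closes Monday."),
    ("m4", "bob@corp.example", "dana@corp.example",
     "Project Falcon review: CONFIDENTIAL, patent draft 2005-0042 attached."),
]

INTERNAL_DOMAIN = "corp.example"

# Naive rule set: any occurrence of one keyword raises an alert
NAIVE_RULES = {
    "kw_confidential": re.compile(r"\bconfidential\b", re.IGNORECASE),
}

# Tuned rule set: a classification marking plus project or patent indicators
TUNED_RULES = {
    "marking": re.compile(r"\b(confidential|internal use only)\b", re.IGNORECASE),
    "project": re.compile(r"\bProject\s+[A-Z][a-z]+\b"),
    "patent": re.compile(r"\bpatent\s+draft\s+\d{4}-\d{4}\b", re.IGNORECASE),
}


def naive_scan(messages, rules=NAIVE_RULES):
    """Alert on every message matching any single rule, wherever it is going."""
    return [(mid, name)
            for mid, _src, _dst, body in messages
            for name, rx in rules.items() if rx.search(body)]


def tuned_scan(messages, rules=TUNED_RULES, min_indicators=2):
    """Alert only when the message leaves the organisation and at least
    `min_indicators` distinct rules match the same body."""
    alerts = []
    for mid, _src, dst, body in messages:
        if dst.endswith("@" + INTERNAL_DOMAIN):
            continue  # internal mail never passes the exit point
        hits = sorted(name for name, rx in rules.items() if rx.search(body))
        if len(hits) >= min_indicators:
            alerts.append((mid, tuple(hits)))
    return alerts


if __name__ == "__main__":
    print("naive:", naive_scan(MESSAGES))   # four alerts, three of them noise
    print("tuned:", tuned_scan(MESSAGES))   # only the mail to the competitor
```

The naive rule flags all four messages, including a lunch menu and an internal review; the tuned rule flags only `m2`. Tuning of this kind (co-occurrence, destination awareness, case and word-boundary handling) is exactly the ongoing maintenance the text says these products require.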
However, some vendors, such as Vericept, claim to have additional technology that performs statistical or linguistic analysis on the content and is able to detect leakage more accurately and efficiently.
IP leakage control
One major problem that network-based detection products can't solve is sneakerware leakage. Such leakage happens when the user prints out documents or copies a file onto removable media such as CDs, USB drives and floppies. The user can then carry these removable media or printouts with him, and no one will notice.
Another class of companies, including Verdasys Inc., Liquid Machines Inc., Authentica Inc. and AegisDRM Ltd., is attacking the IP leakage problem in a different way. They have designed agents that run on users' desktops and track all user actions, including opening and printing files, copying files to removable media and sending files across the network. These products allow users to define acceptable use policies, monitor all actions performed and send an alert when a violation occurs. This class of companies is generally categorized as digital rights management vendors.
In general, however, these products can't detect whether a document contains confidential information. Administrators or users must explicitly mark documents as confidential and needing to be protected or not confidential. Administrators can also set up policies to globally ban copying to removable media or file sharing via peer-to-peer networks.
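The desktop-agent policy check described in this section, as an added example that is not any vendor's code: each observed file action is evaluated against an explicit classification label and an acceptable-use policy. Two points from the text show up in the result: a document nobody marked as confidential passes untouched even though it holds a patent draft, and a global ban on removable media applies regardless of label. The labels, file paths, users, verbs and policy keys are all constructed for this illustration.

```python
"""Acceptable-use policy evaluation as a desktop agent would perform it
(added example, not vendor code). Labels, paths, users and policy are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Action:
    user: str
    verb: str          # "open", "print", "copy_removable" or "send_network"
    path: str
    target: str = ""   # printer, device or destination host, if any


# Constructed label store: only documents someone explicitly marked appear here.
# "C:/docs/patent-draft.doc" was never labelled, so the agent treats it as unclassified.
LABELS = {
    "C:/docs/chip-design-v3.pdf": "confidential",
    "C:/docs/lunch-menu.doc": "public",
}

# Constructed policy
POLICY = {
    "confidential_denied_verbs": {"print", "copy_removable", "send_network"},
    "ban_removable_media": True,                  # global ban, independent of labels
    "allowed_hosts": {"fileserver.corp.example"},  # approved network destinations
}


def classify(path, labels=LABELS):
    return labels.get(path, "unclassified")


def evaluate(action, policy=POLICY, labels=LABELS):
    """Return (allowed, reason) for one observed action."""
    label = classify(action.path, labels)
    if policy["ban_removable_media"] and action.verb == "copy_removable":
        return False, "removable media banned globally"
    if label == "confidential" and action.verb in policy["confidential_denied_verbs"]:
        if action.verb == "send_network" and action.target in policy["allowed_hosts"]:
            return True, "confidential send to approved host"
        return False, f"{action.verb} denied for confidential document"
    return True, f"{action.verb} permitted for {label} document"


def audit(actions, policy=POLICY, labels=LABELS):
    """Evaluate an action stream; return violations as (user, verb, path, reason)."""
    violations = []
    for a in actions:
        allowed, reason = evaluate(a, policy, labels)
        if not allowed:
            violations.append((a.user, a.verb, a.path, reason))
    return violations


# Constructed action stream as an agent might record it
ACTIONS = [
    Action("alice", "open", "C:/docs/chip-design-v3.pdf"),
    Action("alice", "print", "C:/docs/chip-design-v3.pdf", "HP-LJ4"),
    Action("alice", "send_network", "C:/docs/chip-design-v3.pdf", "fileserver.corp.example"),
    Action("alice", "send_network", "C:/docs/chip-design-v3.pdf", "mail.gmail.example"),
    Action("bob", "copy_removable", "C:/docs/lunch-menu.doc", "USB:E"),
    Action("bob", "print", "C:/docs/patent-draft.doc", "HP-LJ4"),  # unlabelled: slips through
]

if __name__ == "__main__":
    for v in audit(ACTIONS):
        print("VIOLATION:", v)
```

Three violations are reported (a print and an external send of the confidential design, and a USB copy of a public file caught by the global ban); the print of the unlabelled patent draft is permitted, which is the gap the text points out: the agent enforces labels, it does not discover content.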
The future
What's in the future in the fight against IP leakage? As storage and security companies merge, as evidenced by the marriage of Symantec Corp. and Veritas Software Corp., we can expect comprehensive systems that will integrate all of the above components. We can expect products that have:
- Centralized ECM capabilities
- Components that monitor network exit points and match the outbound content with the central repository
- Agents that monitor user activities
These three components will talk to one another to more accurately detect and prevent IP leakage.
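The second component above, matching outbound content against the central repository, as an added example that is not any vendor's code: the ECM registers each document as a set of hashed word n-gram fingerprints, and the network monitor fingerprints outbound text the same way and reports which repository document it overlaps. Unlike a keyword rule, this catches a pasted paragraph that contains no marking at all. The documents, messages, n-gram size and threshold are constructed for this illustration.

```python
"""Fingerprint matching of outbound text against the ECM repository
(added example, not vendor code). Documents, messages and parameters are constructed."""
import hashlib
import re

N = 5  # words per shingle (constructed choice)


def normalize(text):
    """Lower-case word tokens, punctuation stripped."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(text, n=N):
    """Set of truncated SHA-1 hashes of every n-word window in the text."""
    words = normalize(text)
    out = set()
    for i in range(len(words) - n + 1):
        gram = " ".join(words[i:i + n])
        out.add(hashlib.sha1(gram.encode()).hexdigest()[:16])
    return out


# Constructed repository documents the ECM would register centrally
REPOSITORY = {
    "/rnd/chip-design-v3.pdf": (
        "The Falcon core uses a four stage pipeline with a dedicated "
        "branch predictor and a 32 KB instruction cache. Power gating is "
        "applied per cluster to reduce idle leakage current."),
    "/finance/budget.xls": (
        "Q4 budget allocation: research 4.2 million, marketing 1.1 million, "
        "operations 2.7 million, contingency reserve 0.5 million."),
    "/hr/handbook.doc": (
        "Employees accrue fifteen days of leave per year and may carry "
        "over at most five days into the following year."),
}


def register(repository):
    """Build the fingerprint index; only hashes need to reach the network monitor."""
    return {path: shingles(text) for path, text in repository.items()}


def match_outbound(text, index, min_shared=3):
    """Return [(path, shared_shingle_count), ...] for repository documents the
    outbound text overlaps, best match first; weaker overlaps are ignored."""
    probe = shingles(text)
    hits = [(path, len(probe & fp)) for path, fp in index.items()]
    hits = [(p, c) for p, c in hits if c >= min_shared]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


# Constructed outbound messages seen at the exit point
OUTBOUND = {
    "paste": ("FYI - the Falcon core uses a four stage pipeline with a "
              "dedicated branch predictor, see attached."),
    "benign": ("Reminder that the team lunch is on Friday; the menu has "
               "four stage options and a dedicated dessert table."),
}

if __name__ == "__main__":
    index = register(REPOSITORY)
    for name, body in OUTBOUND.items():
        print(name, "->", match_outbound(body, index))
```

The pasted sentence shares nine 5-word shingles with the chip design and is reported against that path; the lunch reminder, which reuses several of the same words but no five-word run, matches nothing. Because only hashes leave the repository, the monitor can check outbound traffic without itself becoming a second copy of the confidential documents.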
We will also probably see many of the pure-play vendors in these three areas (ECM, digital rights management, IP leakage detection) get bought up by some of the bigger vendors such as Symantec and EMC Corp.
Jian Zhen, CISM, CISSP, is a senior product manager at LogLogic Inc., a log management vendor in Sunnyvale, Calif. He has been in the information security industry for nine years. He can be reached at zhenjl@gmail.com or www.trustpath.com/logmatters.
Source: Computer World