Data Auditing Blog

Prat Moghe is the founder and CEO of Tizor who led the launch of its product into the data auditing market. Prat is responsible for driving corporate strategy, technical vision and day to day operations.

Motorola Spying Incident: Implications for DLP & DAM monitoring

The incident reported yesterday by ABC News has created waves. A computer engineer who worked at Motorola was caught with hundreds of proprietary documents in her possession. Interestingly, she was caught not because of any data security monitoring within Motorola but because customs agents at the airport noticed she was carrying too much cash. The case is a good illustration of how weak the general state of data monitoring is within enterprises: the theft surfaced by accident, at the border, rather than at the servers the documents were taken from.

Three implications:
1. If you are not monitoring, start to monitor sensitive data for theft and leakage

I read an interesting study conducted by the Verizon Business Risk team that surveyed over 500 data breach incidents. In 82% of those breaches the evidence was already sitting in event logs before the actual compromise; had someone been monitoring those logs, the attack could have been detected in time. Enterprises need to turn on their data cams.

2. What to monitor? Egress, users, or servers?
A related question is where to point the data cam: at each enterprise user, at the network egress, or at the sensitive data servers? Each location has different implications for cost and for which types of data theft it can actually see.
  • This particular incident would not have been caught by network egress monitoring (DLP - data leak prevention) because the engineer copied the documents onto portable drives; nothing ever crossed the network perimeter.
  • Endpoint agent monitoring on each laptop could have caught the copy to removable media, but this type of technology is expensive to deploy and maintain. Think of 50,000+ laptops at Motorola.
  • Monitoring the data servers themselves (DAM - data activity monitoring) would have been an efficient way to catch this theft. Why? Let's do the math.
3. Using DAM to detect the Motorola theft in real time
  • Monitoring footprint: Motorola probably has 1000+ sensitive servers. 20-30 DAM appliances can monitor all of them. Not a big expense considering the value of this theft (estimated at $600M).
  • Based on the indictment documents, the engineer downloaded 200+ documents between 9 am and 2 pm on Feb 26, 2008. A simple DAM threshold on the number of distinct documents one user pulls from sensitive file servers within a short window could have flagged this in real time, while the download was still in progress. (The threshold can get more sophisticated, for example a per-user baseline, but most egregious attacks are high volume and a plain count is enough to surface them.)
  • The DAM appliance could have sent an alert to the security team. A simple phone call to her boss would have confirmed that this was suspicious.
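To make the threshold concrete, here is an added example that is not Tizor's product code and not anything taken from the indictment: a small Python detector that replays constructed file-server access logs (a hypothetical key=value format, with made-up user and server names) and raises an alert the first time a user reads more than a set number of distinct documents from a sensitive server inside a sliding one-hour window. The bulk pattern in the sample mirrors the post's description, roughly 200 documents between 9 am and 2 pm.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Hypothetical key=value access-log format for this example. A real DAM
# feed (CIFS/SMB audit events, NFS server logs, a database audit trail)
# would be mapped onto the same five fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) server=(?P<server>\S+) "
    r"op=(?P<op>\S+) path=(?P<path>\S+)$"
)


def parse_events(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def detect_bulk_downloads(events, threshold=30, window=timedelta(hours=1),
                          sensitive_servers=None):
    """Alert when one user reads more than `threshold` DISTINCT documents
    from sensitive servers inside any sliding `window`. Re-reading the same
    file does not count twice, so an engineer iterating on one document
    stays quiet while a sweep across the share does not. One alert per user
    (the first crossing) is enough to trigger the phone call to the manager."""
    events = sorted(events, key=lambda e: e["ts"])
    recent = defaultdict(deque)                    # user -> (ts, path) inside window
    live = defaultdict(lambda: defaultdict(int))   # user -> path -> reads inside window
    alerted, alerts = set(), []
    for ev in events:
        if ev["op"] != "read":
            continue
        if sensitive_servers is not None and ev["server"] not in sensitive_servers:
            continue
        user, path, ts = ev["user"], ev["path"], ev["ts"]
        recent[user].append((ts, path))
        live[user][path] += 1
        cutoff = ts - window
        while recent[user] and recent[user][0][0] < cutoff:   # expire old reads
            _, old_path = recent[user].popleft()
            live[user][old_path] -= 1
            if live[user][old_path] == 0:
                del live[user][old_path]
        distinct = len(live[user])
        if distinct > threshold and user not in alerted:
            alerted.add(user)
            alerts.append({"user": user, "at": ts, "distinct_docs": distinct,
                           "server": ev["server"]})
    return alerts


def build_sample_log():
    """Constructed sample, not real Motorola data: one engineer working
    normally, one sweeping a share from 09:00 to about 14:00 as the post
    describes, plus reads on a non-sensitive server that should be ignored."""
    base = datetime(2008, 2, 26, 9, 0, 0)
    lines = []
    for i in range(12):                      # normal: a dozen reads, some repeats
        ts = base + timedelta(minutes=37 * i)
        lines.append(f"{ts.isoformat()} user=engA server=fs-eng-01 op=read "
                     f"path=/proj/radio/design_{i % 5:03d}.doc")
    for i in range(210):                     # bulk: 210 distinct docs, one every 85 s
        ts = base + timedelta(seconds=85 * i)
        lines.append(f"{ts.isoformat()} user=engB server=fs-eng-01 op=read "
                     f"path=/proj/radio/spec_{i:03d}.doc")
    for i in range(60):                      # noise on a public share, not sensitive
        ts = base + timedelta(seconds=30 * i)
        lines.append(f"{ts.isoformat()} user=engC server=fs-public-01 op=read "
                     f"path=/public/templates/t_{i:03d}.doc")
    return "\n".join(lines)


SENSITIVE = {"fs-eng-01"}   # assumed inventory of sensitive servers


def run_demo(threshold=30):
    return detect_bulk_downloads(parse_events(build_sample_log()),
                                 threshold=threshold, sensitive_servers=SENSITIVE)


if __name__ == "__main__":
    for a in run_demo():
        print(f"ALERT {a['at']} user={a['user']} read {a['distinct_docs']} distinct "
              f"documents from {a['server']} within the last hour")
```

Run it and the sweep trips the alert at 09:42, under an hour in, while the engineer reading a dozen files normally and the traffic on the public share stay silent. The two knobs that matter in practice are counting distinct documents (repeated opens of one file should not count) and the server filter; raise the threshold far enough and the same run returns nothing, which is the tuning question a real deployment has to answer from its own baseline.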

Posted by Prat Moghe on Thu, Jun 26, 2008 @ 01:31 PM
