News Stay informed about the latest enterprise technology news and product updates.

Content monitoring tags questionable email activity

You've spent thousands to keep malware and hackers out, but what are you doing to keep your data inside? Encryption can lock things down, but you need visibility to make sure the data is truly safe.

Securing your network to keep the bad stuff out is a security practices no-brainer. But watching what's being sent...

from your company network is just as important -- maybe more, experts say. Increasingly, CIOs are not only blocking and monitoring Web site usage as a way to secure their networks, but they're also deploying tools that flag questionable email content to prevent sensitive data from being leaked outside company walls.

The shocking part was looking at how little people really know about the computers they use every day.
Sharon Finney
information security administratorDekalb Medical Center
Content monitoring technology is based on linguistic scanning engines that search for communication and activity performed by network users. Some vendors offer out-of-the-box keyword scanners with their products. Others allow customers to build their own. If a company wants to scan for questionable communication between their employees and the competition, they can build an engine to do it.

Vericept Corp., Vontu Inc., Reconnex Inc. and PortAuthority Technologies Inc. are some of the major players in the content monitoring market.

"Content monitoring … is more about tagging the data," said Chris Liebert, senior analyst at Boston-based The Yankee Group. "They tag assets in one fashion or another as sensitive, and then they manage where those assets go across the network."

"From a compliance point of view, it allows users to maintain information on who has accessed what and how many times they accessed this exact file. In terms of compliance initiatives and regulatory concerns, [companies using these content monitoring tools] will be well covered with these controls," Liebert said.

According to Rich Mogull, research vice president at Stamford, Conn.-based Gartner Inc., the content monitoring and filtering (CMF) market is expected to have grown from $25 million in 2005 to $60 million in 2006. That number could be higher if "some people have very good fourth quarters," he said. "Next year, I think we'll break $100 million. A lot depends on what some of the bigger vendors do."

Liebert has it "pegged at $125 million, with no signs of slowing down." The technology is important for protecting a company's brand and competitive advantage. But it's also important to compliance, Liebert said.

Content monitoring doesn't just identify and alert an organization about exposed data. It also recognizes references and descriptions of sensitive information. It picks up on risky behavior in general, such as employees who vent over email about job dissatisfaction or who visit hacker Web sites.

Liebert said some vendors, such as Vericept, can spot an email with oblique references to sensitive data. "A person might send out an email informing someone that the company's financial results are not as good as they thought they would be. They're not actually sending out numbers, but it will still flag that. They [the employer] will still know that person is trying to inform someone else of the financials. You can tag information that is not directly pulled from the actual document."

Paul Pilotte, senior product manager at Denver-based Vericept, said these risks usually come in two forms: inadvertent and premeditated, malicious disclosures of data.

Inadvertent disclosures might be the result of a broken business process, Pilotte said. "A person may inadvertently email information that our platform identifies as sensitive. It will provide a control mechanism that prevents that information from being sent out. It puts the control not just within a system administrator's hands, but back within the user's hands. The users themselves can be warned that they are sending out email that contains personal healthcare information about a patient. The user can then take a look at it and decide whether it should go out. And they have an option to send out the email encrypted."

Malicious insider behavior is also covered. Pilotte described an employee who might be preparing to take a job with a competitor. That person might start gathering customer lists and other pieces of valuable information and email it to his personal email account. With content monitoring technology, customers can establish keyword-based monitors to track this behavior.

More on security
Insider threats: Watch out for the quiet ones

Midmarket CIOs take the heat for security snafus
Pilotte said customers can create a "resignation" keyword category that "looks for some of the phrases that someone might be sending out in email. 'I'm very stressed here. I should find a new job.'"

That alone may not be enough to flag someone as a problem, but combine that with other behaviors such as downloading customer lists, contacting competitors, etc., and it could be "indicative of someone who is disgruntled and thinking of leaving the company," Pilotte said.

Jonathan Penn, principal analyst at Cambridge, Mass.-based Forrester Research Inc., said old monitoring tools would track acceptable use policies, watching for visits to banned Web sites or harassing messaging between employees. "But those tools do not protect critical data from being misused."

Penn said content monitoring tools look beyond messaging, to per-to-peer file transfers, print files, desktop use of CD-ROM drives and USB drives to determine risk of data loss.

Sharon Finney, information security administrator at Dekalb Medical Center in Decatur, Ga., started assessing data security risks within her organization's three hospitals soon after the Health Insurance Portability and Accountability Act took effect.

Finney determined that her Internet point of presence (POP), where her network met the Internet, was her biggest vulnerability.

"We had no monitoring at that time regarding what was going in and out of our Internet POP," Finney said. "We started looking for a product that would monitor our POP and allow us to identify protected health care information. We also wanted to identify other types of traffic that presented a network security issue, such as people going to hacker Web sites."

Finney said she also wanted to get an idea how the medical center's Internet access was being used by employees, for reasons of both productivity and risk. "Our employees have some of the highest-level access to sensitive information about patients," she said.

Finney adopted the Risk Management Platform from Vericept. She said she wasn't surprised by what the technology revealed.

"We've had some Internet abuse issues occur with employees," she said. "Fortunately, that's been unintentional abuse where our employees don't understand our policy. When email leaves our facility, they assumed it goes directly to the recipient, with no stops or traffic lights in between. They're not aware of the security issues. The shocking part was looking at how little people really know about the computers they use every day, and how little education they receive on using computers. We've gone in and implemented some very basic computer classes: This is an operating system, this is a CD-ROM drive, this is security. It's helped a great deal."

Finney said she never worried about being labeled "Big Sister" by the 3,500 users whose online behavior is monitored by Vericept.

"People don't have a problem following policies and procedures as long as they know why and what risks they protect against," she said. "If you don't educate people about what you're doing, then you're just setting yourself up for failure."

Forrester's Penn said, "Generally, people are getting used to this idea. They need to be made aware that this is not about trying to catch people in the act. The idea is to avoid it altogether. Let people know what you're doing. You don't have to give them a tremendous amount of detail on how you're doing it. But let them know that you're monitoring activity and why you're doing it."

Let us know what you think about the story; email: Shamus McGillicuddy, News Writer

Dig Deeper on Enterprise information security management

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.