Data Loss Prevention with eDiscovery

←All Posts Posted on October 3, 2014 By admin

Information security is no laughing matter. Several recent incidents clearly demonstrate the damage that an information security breach can cause to a company’s brand and reputation. This article discusses the application of eDiscovery and Computer Forensics methods to help lessen the risk of your data falling into the wrong hands. To address this issue correctly, we must first distinguish the differences between Data Loss Prevention and Data Leak Prevention (DLP). Data loss occurs when data is leaked and falls into the hands of another party (such as a hacker or your competition). On the contrary, a leak can be defined as when control of data is lost although it still has not been accessed by a malicious party. Still, such a loss of control may eventually lead to the loss of this information entirely. So, we will use the acronym DLP interchangeably when referring to either event.

We can break the focus of DLP down into the monitoring of data in three different states. These are:

• In-motion data. This is defined as data that is transmitted over a network. Network systems can monitor such data; detecting and preventing the transmission of data that has been flagged as sensitive. Note that in-motion detection ONLY works when a computer is connected to the organisation’s network; this DLP system will remain “on the wire” and constantly pick up on network traffic. It will scan for keywords and other parameters (such as the title of a PDF document) that may signify sensitive information is in transit. If the computer connected to a different network, this “real-time” monitoring cannot take place.

• At-rest is a DLP system that is installed as either a normal application or one that is considered to be extremely lightweight and only left in the memory of the computer. The challenge with any installed software is that it can severely limit the operating resources and the memory of the computer in question. The latter version is seen to be much more versatile and as it exists only in the memory of the computer, it will disappear after the computer is rebooted. Once again, these DLP agents can track keywords, phrases and any other parameters that may signal sensitive information is being compromised. The prime issue is installing an agent across disparate operating systems such as Window, Linux and Mac.

• In-use protection requires a local agent to be installed on every computer within a network. The agent limits the tasks that a user is able to perform such as copying and pasting material or sharing protected files through the use of an external storage hardware. This method can severely restrict the capabilities of the user and with the proliferation of cloud file-sharing services can be easily circumvented.

For DLP to be effective, all information within the organisation needs to be classified according to its sensitivity (secret, sensitive, internal or public). This enables the DLP software to effectively monitor all necessary metrics and “flag” suspicious activity.

Business leaders are less worried about DLP technology and methods. Instead they are concerned with how information is being viewed and handled by internal employees, third-party contractors and how well this information is protected from hackers. Regulatory risks are also increasing. Regulators have renewed their focus on data protection requirements, breach notification rules and introduced significant enforcement penalties. In practise, we have noted that less than thirty per cent of businesses employ a document classification system. Even less have implemented any type of control framework due to the prohibitive cost and effort in regards to DLP management. DLP is complex, expensive to implement, and most likely to be deployed in large regulated corporations and those organisations with secrets to protect.

While the challenges are profound, the advances in Electronic Discovery (or eDiscovery) have enabled DLP efforts to be complimented with analytical power used in computer investigations. In essence, eDiscovery is primarily used in civil litigations and it focuses upon the identification and intelligent processing of relevant documents or topics within large volumes of unstructured data. While DLP can be the “broadsword”, eDiscovery can be seen as the “scalpel”.

Electronic Discovery offers advanced data analytics methods to discover past, present and potential data leaks. An example of this can be the use of similar document identification technology, the ability to identify drafts, revisions and communications, which relate to the chosen topic in question. When dealing with large amounts of data, grouping files in different formats (PDF, DOC, TXT, EML, MSG) containing similar text is a powerful way to locate relevant, sensitive information and skip whole groups of documents that aren’t relevant. Computer forensic techniques can be used to dig further to identify: who, when, where and how the information leaked out. Essentially, a dedicated DLP solution represents a control system in place, however it is difficult and expensive to deploy or maintain.

An eDiscovery approach to DLP initially focuses on email, because it is the most likely vector of data leakage. It presents organisations with an overview of problems that exist throughout the organisation’s structure. The IT administrator of a company exports all or selected email folders from the email server. The user is not aware of this collection. The emails folders are then loaded into an eDiscovery platform. The Electronic Discovery workflow needs to be modified specifically for DLP.

Some of the processing and analytics functions will include:

• A “named entities” identification, which uses pattern matching to extract company names from collected data during processing.

• Identifying emails send to or received from specific domains and conducting social network analysis (not to be confused with analysing online user activities on Twitter or Facebook). By grouping these into a centralised display, it is easy to observe the sensitive information flow internally and externally.

• Keyword searches can find keywords across all emails or within a domain such as @enron.com. Sensitive documents can be found in this way; a likely policy violation.

•  Visual analytics provide the ability to understand timelines and network communications in a graphical format. This data can be further refined into groups such as email addresses, persons involved, dates, language or attachment file format (to name a few methods). This can help with the correlation of physical events such as the leakage of data on a certain day.

These methods are further bolstered by the ability to identify and “pull” certain relevant and irrelevant text within the documents themselves. This makes use of the powerful and modern textual analytics technology. In the past, processing terabytes of data was time consuming and expensive task. Today, using eDiscovery technology for Data Leak Protection has become a reality.

For organisations that concerned with the security of their information, Elvidence offers an effective “health check”. So, potential or ongoing threats can be identified and dealt with before they cost your organisation a great deal of time and money.