Code Green Offers Affordable Data Leak Prevention

Code Green offers strong alerting but requires help from proxies for full enforcement.

InformationWeek Staff, Contributor

November 16, 2007

6 Min Read

THE UPSHOT

CLAIM: Code Green Networks' CI-750 content inspection appliance aims to prevent data loss for businesses with as many as 250 network users. It sits between corporate networks and the Internet and actively monitors traffic for confidential customer data or intellectual property. Leaks are reported and in some cases can be blocked. Blocking is improved through the use of proxies.

CONTEXT: Code Green targets small and midsize enterprises. It provides capabilities similar to those found in other data loss prevention products from companies such as Vericept and Vontu (recently acquired by Symantec) for a fraction of the price.

CREDIBILITY: The CI-750 includes an array of content inspection methods while still being simple to use. Be prepared, however, to get your hands dirty with some basic scripting if you wish to include unconventional sources of data for filtering, such as internal wiki pages. Third-party products are required to block Web and network traffic, and laptops can be problematic.

Few small and midsize enterprises can absorb both the financial and PR damage inflicted by serious breaches targeting sensitive data. And yet, they're often underprotected because data leak prevention, or DLP, products are, overall, simply too expensive. The three entries in our most recent DLP review range from $25,000 to $50,000--to start.

Meanwhile, there's been a significant upswing in cybercrime after a steady five-year decline, according to the 2007 CSI Computer Crime and Security Survey. Insider abuse of network assets is the most prevalent attack, ahead even of viruses, with average losses of around $350,000.

Code Green Networks, which was launched by the founders of SonicWall, aims to tackle this problem. Code Green's newest offering, the CI-750 Content Inspection Appliance, is geared specifically for networks with 250 or fewer users and offers the same features and functionality as its higher-end products, starting at $10,000.

The CI-750 uses "fingerprints" to identify both structured data such as Social Security or credit card numbers, and unstructured data such as documents, files, source code, and so on. Where many DLP products for smaller businesses rely on filtering for certain file types or provide only basic keyword or pattern matching, Code Green's technology creates hash values of the actual data to be protected and scans outgoing traffic for matches.

We found Code Green's fingerprinting technology accurate, and a built-in mail transfer agent lets administrators quarantine SMTP traffic that contains sensitive information. However, without the help of third-party proxies, the appliance is blind to encrypted data, and it can't stop movement of internetwork and Web-based traffic. This means the appliance represents only part of a robust DLP system.

FINGERPRINT TRAIL

The CI-750 can be deployed in a variety of ways. Included in our kit was a network tap device, which let us passively monitor traffic flowing through our WAN connection, and a mail transfer agent. Customers can route outgoing messages from their mail servers through the mail transfer agent for additional mail-filtering abilities; questionable e-mail can be held until approved by an administrator. Admins also can create policies to encrypt e-mail carrying sensitive information. This functionality is provided via Code Green's partnership with the Voltage Security Network, which offers e-mail encryption as a service.

After connecting the device to our network, we selected sources of data that the appliance should protect. It has built-in functionality to fingerprint both structured and unstructured data such as that in CIFS. Setup for CIFS was simply a matter of providing the server and share name, along with appropriate access credentials. The device then scans the share at user-defined intervals. CIFS scanning was trouble-free and didn't cause performance issues on our Windows file server.

chart: Tap Into Data Leak Protection

However, it's incumbent on IT to ensure that content to be fingerprinted gets placed into the appropriate CIFS share. This can be problematic. For example, our company relies heavily on private wiki pages and not shared volumes for most of our internal information. Code Green's suggested workaround is to have a script that dumps the contents of our wikis to a CIFS share on a regular basis. Given the uptick in collaborative workspaces such as wikis in the business community, we'd like to see a fully automated way to get such data fingerprinted.

It also would make more sense if the device could use Web pages as sources directly; support for other data stores also would increase the out-of-the-box functionality of this appliance and eliminate the need for extra scripting. It should be noted, however, that many competing offerings, some substantially more expensive, don't even offer database integration.

After selecting data sources for fingerprinting, IT then defines traffic to monitor and what actions should be taken in the event a leak is detected. We configured some very widely scoped rules and found that the CI-750 did an outstanding job alerting us to data leaks occurring within e-mail, Web, IM, and even compressed archive transmissions.

We included a two-sentence excerpt from a contract in an e-mail to a client. A moment later, we had an e-mail stating that there had been a violation. The administrator interface on the appliance showed that an e-mail had been sent to our customer and displayed the full context of the message to document the violation. The interface can also display past violations that may have been related.
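The hash-based fingerprinting described earlier, and the two-sentence-excerpt detection just tested, can be illustrated with the following added example. It is not Code Green's code and the design is an assumption: unstructured data is fingerprinted as SHA-256 hashes of overlapping eight-word windows (so a short excerpt still matches without storing the document itself), and structured data is matched by SSN pattern plus a Luhn-checked card-number pattern. The contract and e-mails are constructed samples.

```python
import hashlib
import re
SHINGLE_WORDS = 8  # constructed choice: words per hashed window

def fingerprint(text, n=SHINGLE_WORDS):
    """Hash every n-word window of the normalised text; only hashes are stored."""
    toks = re.findall(r"[a-z0-9]+", text.lower())  # case/whitespace-insensitive
    return {hashlib.sha256(" ".join(toks[i:i + n]).encode()).hexdigest()
            for i in range(len(toks) - n + 1)}

def build_index(documents):
    """Map each window hash to the protected documents that contain it."""
    index = {}
    for name, body in documents.items():
        for h in fingerprint(body):
            index.setdefault(h, set()).add(name)
    return index

def scan_unstructured(message, index, n=SHINGLE_WORDS):
    """Return {document: matching window count} for one outbound message."""
    hits = {}
    for h in fingerprint(message, n):
        for doc in index.get(h, ()):
            hits[doc] = hits.get(doc, 0) + 1
    return hits

def luhn_ok(digits):
    """Luhn checksum, so random digit runs are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_structured(message):
    """Find SSN-shaped strings and Luhn-valid 13-19 digit card numbers."""
    found = [("ssn", m) for m in re.findall(r"\b\d{3}-\d{2}-\d{4}\b", message)]
    for m in re.findall(r"\b\d(?:[ -]?\d){12,18}\b", message):
        digits = re.sub(r"\D", "", m)
        if luhn_ok(digits):
            found.append(("card", digits))
    return found

# Constructed sample: one protected contract and two outbound e-mails.
CONTRACT = ("This Services Agreement is entered into between Pacific Example Corp and "
            "the Client. The Client agrees to pay the Provider a monthly retainer of nine "
            "thousand dollars for the duration of this agreement. Either party may "
            "terminate this agreement with thirty days written notice.")
INDEX = build_index({"contract": CONTRACT})
LEAK = ("Quick reminder: The Client agrees to pay the Provider a monthly retainer of nine "
        "thousand dollars for the duration of this agreement. Either party may terminate "
        "this agreement with thirty days written notice.")
CLEAN = "Thanks for the meeting today, I will send the revised slides over tomorrow."
```

Because only window hashes are indexed, the appliance-side store never needs the protected text itself, while a reflowed or re-cased copy of the excerpt still matches.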

PARTIAL PREVENTION

While we were impressed with the accuracy of the fingerprinting, the appliance wasn't able to actually quarantine the message because it was sent via Web mail. Companies that want robust blocking of Web and network traffic will have to invest in a proxy device. The Code Green appliance can be configured as an Internet Content Adaptation Protocol server when connected to an ICAP proxy, such as those from Blue Coat Systems or Squid. When so connected, Code Green can block HTTP, HTTPS, and FTP traffic. It also can decrypt traffic for inspection.

Laptops also will pose a problem for Code Green customers. The company offers an endpoint agent that controls the use of removable media such as flash drives and CDs. It also can enforce encryption of data saved to removable media, and the agent tracks the file names and types that are read from or stored on this media. However, laptops that are off the corporate network also are outside the policy controls of the Code Green appliance, meaning sensitive data can be sent via the Web or network protocols.

Taylor Boyko is CTO and co-owner of Pacific Swell Networks, a VoIP specialty company. Write to him at [email protected].
