Shaping Info Security - 2006 - PortAuthority Technologies

Dr. Lidror Troyansky, Defining and leading the Information Leak Prevention market

The Insider Threat
Several high-profile breaches of private information and the progression of internal Sarbanes-Oxley efforts have focused the attention of top executives and board members squarely on data security and the insider threat. As the publicity around information leaks increases, demand for solutions that address these insider leaks grows at a strong pace. Solutions that deliver the highest levels of accuracy, data type compatibility, channel coverage and cost effectiveness will set the standards for the marketplace.

While the metrics may vary across different market experts, they share a strong common denominator – the problem of information leakage will continue to grow for the foreseeable future. Below is a collection of industry statistics from leading analysts and publications that illustrate the trends around information leakage.

Information Leak Statistics

Frequency & Source

  • 52% of CISOs say they have a “moat and castle” approach to network security, admitting that once the perimeter is penetrated the inner defenses are soft.
    Source: CSO Magazine, March 2005

  • More than 50% of identity theft cases are caused by insiders with legitimate access to sensitive customer information.
    Source: Michigan State University Identity Theft Lab, 2004

  • Of 1,115 U.S. sites reporting a security breach in the past year, 30% suspected unauthorized employees as being behind the incident, 17% suspected authorized workers, and 15% suspected former employees.
    Source: 2004 InformationWeek Global Information Security Survey

  • 80 to 90% of data exposure incidents resulted from established business processes or employee error.
    Source: Gartner Research, February 2005

  • 83% of companies surveyed experienced security breaches of some kind in 2004. 62% report attacks from an internal source.
    Source: 2004 Deloitte Global Security Survey

  • The volume of business e-mail will grow 25 to 30 percent a year through 2009.
    Source: Gartner Research, 2004

Impact

  • 51% of respondents did not report security incidents to law enforcement because they believed the negative publicity would hurt their stock or image.
    Source: 2004 CSI/FBI Computer Crime and Security Survey

  • More than 1.4 million users have suffered from identity theft fraud, costing banks and card issuers $1.2 billion in direct losses in the past year.
    Source: Gartner Research, May 2004

  • An insider attack against a large company caused an average of $2.7M in damages, where the average outside attack cost $57,000.
    Source: 2003 Ernst & Young Global Information Security Survey

  • Current estimates put the cost of proprietary information loss to U.S. companies at $133B.
    Source: Provizio competitive intelligence research, April 2005

  • Of 269 respondents, theft of proprietary information was the third most expensive category of loss, with an average financial loss of more than $11M.
    Source: 2004 CSI/FBI Computer Crime and Security Survey

Awareness

  • Less than a quarter of the 3,171 U.S. companies surveyed monitor the content of their companies' outbound e-mail messages.
    Source: 2004 InformationWeek Global Information Security Survey

  • 61% have an active information security awareness and training program for all employees, including management, but only 37% have such a program for non-employee users such as consultants, contractors or temporary employees.
    Source: ISSA Information Security Survey, April 2005

  • One in five employees reported personal awareness of other individuals stealing from the employer.
    Source: 2004 Ernst & Young Global Information Security Survey

Regulatory Compliance

  • 66% of security executives surveyed cited loss of private customer data as a high or very high level of concern.
    Source: 2004 Ernst & Young Global Information Security Survey

  • 50% of security executives surveyed cited financial fraud involving information systems as a high or very high level of concern.
    Source: 2004 Ernst & Young Global Information Security Survey

  • 44% of respondents acknowledged managing third party information sharing as a top concern for privacy compliance.
    Source: 2004 Deloitte Global Security Survey

Technology
Name: Dr. Lidror Troyansky
Title: Chief Scientist
Likes to be called: Lidor
Company: PortAuthority Technologies


Serving as chief scientist, Dr. Lidror Troyansky has been instrumental in developing the fingerprinting technology that enables PortAuthority’s proprietary PreciseID Technology. The technology innovation he led serves as the backbone to the company’s innovative products and solutions.
 
PortAuthority is the industry's most reliable, accurate and precise solution for monitoring and preventing information leaks. PortAuthority's PreciseID fingerprinting technology enables accurate content identification for information leak prevention. PreciseID technology generates an "information fingerprint": a faithful mathematical representation of the information in documents, messages or data fields of a database that facilitates extremely fast and accurate identification of the sensitive data and its metadata.

With over 20 patents pending, only PreciseID technology protects data, not just databases and documents. Unlike simple hash or exact matching, PreciseID technology's advanced algorithms use granular data matching techniques and are therefore resilient to data manipulation. PreciseID technology is optimized for real-time applications and is secure against reverse engineering of sensitive content. PreciseID technology is data-format independent and requires no modification or tagging of the original data.

Some content filtering solutions support such techniques as keywords and regular expressions; however, they generate 30-40% false positives, making them ineffective and unacceptable for monitoring and, especially, for preventing information leaks.

PortAuthority's PreciseID technology delivers the industry's highest accuracy with the lowest false positives and false negatives. Enterprises can easily integrate PortAuthority with their existing content filtering solutions to preserve their investment while gaining the best-of-breed information leak prevention to ensure regulatory and corporate compliance.

With this technology, PortAuthority has developed tools that organizations can easily and effectively implement to monitor outbound company information. As a result of this advancement, PortAuthority customers have confidence that their internal data is secure, both for customer privacy and intellectual property concerns. With 70% of security incidents causing losses to enterprises involving trusted insiders, according to Gartner research, this tool has helped customers save substantial amounts of money in data leaks and recovery costs.
 
Dr. Troyansky’s approach of using mathematics to enhance the technology of these products can be seen as an innovative and unique method to ensure low false positives and accurate detection tools. The IT community can learn from his interdisciplinary philosophy and analytical approach to solving a key problem in the security industry.
 
Following is content from a white paper written by Dr. Troyansky outlining how PreciseID technology works and what PortAuthority is doing to change the face of Information Leak Prevention and information security.

 

Information Identification: Critical Requirements for Effective Data Security
By Dr. Lidror Troyansky
Chief Scientist
PortAuthority Technologies

With the recent wave of security breaches in the news, executives are realizing that despite their best efforts, information leaks can affect organizations of all sizes and in any industry. Few organizations have found themselves immune to the insider threat: employees who expose sensitive information whether intentionally or accidentally. In the normal course of doing business, employees need the ability to communicate sensitive information with other employees, customers, partners, and other parties while maintaining data security.

The high cost of failing to prevent these information leaks is causing companies to reexamine how they defend themselves against potentially disastrous consequences. Even so, most companies expose themselves to significant financial and legal liability because they cannot reliably and accurately identify sensitive content in transit.

The Importance of Accuracy

Information leaks occur, either accidentally or maliciously, because most firms have not guarded themselves against insider threats. This gap exists primarily because firms lack an efficient means to correctly recognize when a message containing sensitive content is headed to an unauthorized recipient. Therefore, a robust way to reliably and accurately identify information in real-time is a critical requirement for any solution that enforces distribution policies on sensitive content.

Without a high degree of accuracy, a content monitoring system will overwhelm the IT staff with an insurmountable burden of false positives. Even worse, any policy-based enforcement system plagued by false positives will interrupt business communications with wrongly blocked messages. These false positives disrupt the normal flow of business and hinder productivity. While some solution providers offer policy enforcement platforms, simply blocking messages is not enough. The real challenge lies in identifying whether a message containing sensitive information is being sent to an inappropriate recipient, and then enforcing the appropriate security policy.

The Difficulty in Identification
Identifying sensitive content in transit is particularly difficult because:

  • Sensitive information like contracts, employee offers, financial filings, and product specifications is often modified from an original document into derivations or excerpts.

  • Multiple copies of sensitive information typically exist. Attempts to secure a particular file are thwarted by the reality that employees have access to identical or similar information elsewhere on the network.

  • Sensitive information can be kept in multiple unstructured file formats or structured databases with different versions and compatibility.

  • Fragments of sensitive content, such as credit card numbers, account numbers, customer records, and phone numbers, can be easily cut and pasted into other documents and messages, or simply posted to web sites.

  • Sensitive content can be communicated through a variety of channels, including e-mail, web-mail, instant messaging, FTP, fax and P2P applications.

To handle the variety of sensitive information, organizations need a set of classification and identification technologies that are flexible and robust enough to identify both structured content (such as records in a database) and unstructured content (such as MS-Word files, financial spreadsheets and Adobe PDF documents), as well as fragments and derivatives of either. These classification and identification technologies must work in real-time or they risk rendering communication media ineffective. Finally, these identification algorithms must account for the context of the content to accurately and correctly recognize which messages must be handled by which policies. Without a complete set of classification and identification technologies, real-time policy enforcement cannot be applied with a high degree of precision and accuracy.

PortAuthority helps organizations enforce their security policies by identifying any type of sensitive information (not just a specific file name) and classifying its content. PortAuthority uses several identification and classification methods which can identify document content and classify it in real-time.

Limitations of Naïve Classification: Keywords and Key Phrases
Simple methods of classification, such as keywords or key phrases, provide a first level of defense. Keywords or key phrases work on the assumption that the confidential content exists in its entirety and that classification holds for the entire document. The graphic below outlines three levels of classification that categorize sensitive content:

Unfortunately, such classification techniques typically cause high levels of false positives and false negatives. Examples of these false positives and false negatives include:

  • Misleading words. Using the word “confidential” causes false positives for any disclaimer of the type: “The content of this message may be confidential.” In this case, any message containing that disclaimer is automatically flagged for review.

  • Word manipulation. If the keyword “black arrow” is used to designate confidential files for a particular project, it can easily be replaced with “yellow ribbon” and allow sensitive content or excerpts thereof to be released.

  • Misinterpretation of words. Keywords may exist in another context with an innocent meaning. The name of a food company that is a candidate for M&A can appear in a simple recipe. A tax shelter can also be a resort location.

While infosecurity users have been forced to accept the burden of false positives from monitoring solutions that use keywords and phrases, highly accurate identification is a requirement for moving from monitoring to real-time enforcement.

Advanced Classification: Machine Learning
More advanced methods for classification are based on machine learning. With machine learning, the system can learn to classify information using a limited set of previously classified information. System administrators need to provide the system two or more sets of information items, such as 1,000 “secret” information items and 1,000 “public” information items. The system extracts features or “tokens” that characterize the two sets and provides a function that allows discriminating new information items.

If a machine-learning solution is properly implemented, then the number of false positives and false negatives can be acceptable. Machine-learning solutions are often useful for spam detection and message sorting for e-mail response in customer-relationship management applications. Two fundamental drawbacks limit the effectiveness of machine learning solutions for Information Leak Prevention:

  • Training Time: Because administrators typically devote substantial time and effort to “teach” the system, the actual cost of machine learning can be high. Many machine-learning applications have not matured past proof of concept and into full adoption because of the extensive training time involved.

  • Lack of Ownership and Proper Resolution: Advanced classification using machine learning does not outline clear responsibility for who updates information and resolves issues when they arise. For information leak prevention to work, information assets must have an owner, authorized senders, and authorized recipients. This lack of ownership often causes too many combinations and too many classes for a machine-learning solution to handle. Classification methods provide a first step toward visibility into information leaks. However, they are ineffective when it comes to enforcement, because of the precision required when messages are blocked or quarantined.

To provide safe communication of sensitive information in real business processes, simple classification methods should be supplemented by accurate and robust identification capabilities that permit policy enforcement with a high degree of granularity.

A Robust Combination of Information Identification & Classification Technique
PortAuthority is the industry’s first and only real-time enforcement solution based on ultra-precise information fingerprinting technology that is used to identify information beyond any doubt. PortAuthority’s PreciseID technology identifies content in the same way that a person can be identified with his or her unique fingerprint. PortAuthority’s sophisticated and unparalleled PreciseID technology uses a combination of 27 patent-pending identification algorithms to quickly and accurately identify sensitive content.

PortAuthority’s unique set of identification techniques operates similarly to how a police forensics investigator uses a combination of methods with various levels of accuracy to identify a suspect. A general description like “the suspect has brown hair” gives a relatively coarse level of identification. Adding details like “white male,” “six feet tall,” and “has a mustache” gives a more precise identification of an individual. Finally, with a fingerprint, a set of fingerprints, or DNA evidence a forensics investigator can identify the clearest, most reliable match.

Like the forensics analogy, PortAuthority delivers unparalleled identification capabilities with multiple levels of granularity. The most powerful techniques based on contextual filters include PortAuthority’s revolutionary and patent-pending information PreciseID techniques.

Three Types of Identification Techniques
PortAuthority achieves unprecedented accuracy and reliability by using a combination of state-of-the-art approaches, including global, token-based, and contextual techniques, in addition to the PreciseID technology, creating an advanced set of identification and classification capabilities.

PortAuthority’s main identification techniques include:

1. Global Filters
Global (“Class 1”) filters provide capabilities for basic monitoring and enforcement.
Global filters can be categorized into three types:

File Type Filter

  • Allows implementing a policy based on file type. An example is: “block .mp3 and .mpeg” or “convert MS-Word to PDF.”

  • Recognizes file type based on its content, not its extension, so it cannot be circumvented by renaming the extension, such as from .doc to .jpg.

  • Recognizes nested compressed files recursively.
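The content-based, recursive file type check described above, as an added example (not PortAuthority's code). The magic-byte table, the depth and size limits, the blocked-type set and the sample archive are assumptions; the sample is constructed in memory.

```python
import io
import zipfile

# Leading "magic" bytes for a few formats (a small illustrative table).
MAGIC = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy MS Office (.doc/.xls)
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"ID3", "mp3"),
    (b"MZ", "exe"),
]
MAX_DEPTH = 5                # assumed limit on archive nesting
MAX_MEMBER_BYTES = 50 << 20  # assumed per-member limit (decompression bombs)


def sniff(data: bytes) -> str:
    """Classify by content; the file name is never consulted."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def inspect(name: str, data: bytes, depth: int = 0):
    """Return [(path, detected_type)] for a file and everything nested in it."""
    kind = sniff(data)
    if kind != "zip":
        return [(name, kind)]
    if depth >= MAX_DEPTH:
        return [(name, "zip-too-deep")]
    found = [(name, kind)]
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                if info.is_dir():
                    continue
                path = f"{name}!{info.filename}"
                if info.file_size > MAX_MEMBER_BYTES:
                    found.append((path, "too-large"))
                    continue
                found.extend(inspect(path, archive.read(info), depth + 1))
    except (zipfile.BadZipFile, RuntimeError):  # corrupt or encrypted archive
        found.append((name, "unreadable-zip"))
    return found


def policy_hits(name: str, data: bytes, blocked):
    """Paths whose detected type is in the blocked set."""
    return [path for path, kind in inspect(name, data) if kind in blocked]


def build_sample() -> bytes:
    """Constructed input: an OLE2 file renamed .jpg inside a nested zip."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("holiday.jpg", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 64)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("photos.zip", inner.getvalue())
        z.writestr("notes.txt", b"ID3\x03\x00 constructed mp3 header")
    return outer.getvalue()


if __name__ == "__main__":
    for path, kind in inspect("upload.zip", build_sample()):
        print(f"{kind:8} {path}")
```

A policy built on this should treat `unreadable-zip`, `too-large` and `zip-too-deep` as results in their own right, since content that cannot be inspected cannot be cleared.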

File-Based Binary Signature

  • Assigns a number to a file that is a unique function of its content, thereby providing unique identification of any file, with a very high resolution. Small changes in the file completely change the signature.

  • Provides very fast, but totally non-robust filtering.

Text-based Binary Signature

  • Assigns a number (hash) to a file that is a unique function of its textual content. Provides very fast identification.

  • Offers a little more robustness than the file-based binary signature. (It is robust to changes in the file metadata).

  • Allows monitoring the integrity of the content.

Solutions using global classification provide basic monitoring and thus have a low rate of accuracy. They usually provide basic enforcement like blocking .exe or .src files. However, simple manipulations, such as changing one word and putting data into a .zip file or other company-allowed file format, easily thwart this type of monitoring and enforcement.

2. Token-Based Filters
Token-based filters (“Class 2”) provide another layer of protection and basic classification capabilities. Token-based approaches like e-mail filtering monitor content based on keywords, numbers, or patterns. Token-based filters are typically grouped into two types:

Pattern Recognition

  • Uses regular expressions to identify numbers and strings in certain common formats like credit card numbers (xxxx-xxxx-xxxx-xxxx) or Social Security numbers (xxx-xx-xxxx).

  • Uses an advanced form of pattern recognition that contains special logic and flexible settings to mitigate false positives.

  • Pattern validation: e.g., credit card numbers are checked against the Luhn formula to determine their validity. Potential Social Security numbers are checked to see whether they were issued by the SSA (Social Security Administration). This validation scheme greatly reduces the false-positive rate.

  • Heuristics: proximity of terms is used to mitigate false positives.

  • Supplies a number of default patterns and template policies for pattern recognition.

Keyword and Key Phrase

  • Allows detection of an unlimited number of numbers, keywords, and phrases. Enables policy application based on pre-defined dictionaries for HIPAA and Gramm-Leach-Bliley Act (GLBA) compliance.

  • Contains “threshold policies” that apply a policy based on the accumulated number of words and numbers that were found, such as a message that contains more than five account numbers or more than 10 references to Social Security numbers.
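The pattern recognition, validation, proximity and threshold steps listed above, combined in one added example (not PortAuthority's code). The 16-digit card pattern, the context-term list, the 40-character window and the sample message are assumptions; the more-than-five threshold follows the text.

```python
import re

# Candidate card numbers: 16 digits, optionally grouped in fours by one
# consistent separator (space or hyphen).
CARD_RE = re.compile(r"\b\d{4}([ -]?)\d{4}\1\d{4}\1\d{4}\b")
CONTEXT_TERMS = ("card", "visa", "mastercard", "expires", "cvv")  # assumed list
PROXIMITY_CHARS = 40                                              # assumed window

# Constructed sample message: one real-looking card number with context,
# one order reference that only looks like a card, one Luhn-valid tracking code.
SAMPLE = (
    "Please charge my Visa card 4111-1111-1111-1111, expires 09/07. "
    "Order ref 1234-5678-9012-3456. "
    "Shipment tracking code 5555555555554444 was scanned at the depot."
)


def luhn_valid(number: str) -> bool:
    """Luhn check: double every second digit from the right, sum, mod 10."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return bool(digits) and total % 10 == 0


def find_card_numbers(text: str, require_context: bool = False):
    """Return digit strings that match the pattern and pass validation."""
    hits = []
    lowered = text.lower()
    for m in CARD_RE.finditer(text):
        if not luhn_valid(m.group(0)):
            continue  # pattern matched, validation failed: not a card number
        if require_context:
            start = max(0, m.start() - PROXIMITY_CHARS)
            window = lowered[start:m.end() + PROXIMITY_CHARS]
            if not any(term in window for term in CONTEXT_TERMS):
                continue  # valid checksum but nothing nearby suggests a card
        hits.append(re.sub(r"\D", "", m.group(0)))
    return hits


def threshold_policy(text: str, max_cards: int = 5) -> str:
    """Threshold policy: act only when more than max_cards distinct numbers appear."""
    distinct = set(find_card_numbers(text))
    return "quarantine" if len(distinct) > max_cards else "allow"


if __name__ == "__main__":
    print(find_card_numbers(SAMPLE))
    print(find_card_numbers(SAMPLE, require_context=True))
    print(threshold_policy(SAMPLE))
```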

Token-based filters offer good visibility into the magnitude and nature of information distribution when deployed in monitoring mode. However, these Class 2 filters often do not provide the granularity or resolution required for true leak prevention and data integrity, and therefore produce a high rate of false positives and false negatives.

False alarms occur because these techniques cannot put commonly occurring words like “sensitive” and “confidential” in context. The rate of false alarms can limit token-based approaches’ reliability, because administrators may become conditioned to ignore alerts. False negatives occur simply because sensitive or confidential information does not contain the necessary patterns and keywords. To improve the accuracy of Class 2 filters, PortAuthority’s patent-pending pattern recognition algorithms add context awareness and business logic to identified patterns, dramatically reducing false positives and negatives.

3. Contextual Filters
In addition to global and token-based techniques, PortAuthority uses a state-of-the-art contextual and linguistic approach, which marries comprehensive monitoring with sophisticated enforcement. PortAuthority combines multiple contextual identification algorithms, including records management, textual fingerprinting, matrix fingerprinting, graphics and CAD fingerprinting, and templates/ignored sections, to deliver accurate and reliable results. Information fingerprints are described in detail in the following section.

An effective Information Leak Prevention solution must address contextual (“Class 3”) filters. Each contextual filter is optimized to detect certain types of information, achieving extremely accurate information identification with top performance. These contextual filters can be organized into five major categories:

Records Management Filter

  • Allows the application of Boolean logic to various fields within an individual record. For example, this allows PortAuthority to quarantine the message if both a customer’s account number and date of birth are found in a single message or to encrypt the e-mail if the person’s name and the corresponding Social Security number appear in the same message.

  • Greatly reduces false positives and false negatives by applying multiple criteria within a record.

  • Applies intrinsic logic to detect instances that are more likely to result in damaging information leakage.

The PortAuthority platform’s records management filter allows sophisticated rules to be set up against records organized in tables as seen in the diagram below. For example, a rule stating that information from no more than three rows may be sent in a single communication would stop an e-mail containing the account numbers 177355142, 123233486, and 342923776.

Similarly, another rule might state that if more than two fields (columns) from a single record are sent in a message, that message should be quarantined. In this example, the PortAuthority platform would quarantine a message containing L. Chen, Account Number 288377464 and DOB 7/2/79. The ability to detect multiple fields from a single record or multiple records within a single message greatly improves the ability to intercept truly suspicious messages.
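The two record rules above, as an added example (not PortAuthority's code). The table is a constructed stand-in for the missing diagram: the account numbers and the L. Chen record come from the text, every other value is made up, and `ROW_LIMIT` is an assumption set so that the three-account message in the text is stopped.

```python
import re

# Constructed stand-in for the protected table.
RECORDS = [
    {"name": "L. Chen",   "account": "288377464", "dob": "7/2/79"},
    {"name": "A. Rivera", "account": "177355142", "dob": "3/14/65"},
    {"name": "M. Okafor", "account": "123233486", "dob": "11/30/71"},
    {"name": "S. Novak",  "account": "342923776", "dob": "5/9/82"},
]
FIELD_LIMIT = 2  # quarantine when more than two fields of one record appear
ROW_LIMIT = 3    # assumed: stop a message that touches this many records


def _canon(text: str) -> str:
    """Lowercase and collapse whitespace so layout changes do not hide a value."""
    return re.sub(r"\s+", " ", text).strip().lower()


def matched_fields(message: str, records=RECORDS):
    """Map record index -> set of field names whose value appears in the message."""
    text = _canon(message)
    hits = {}
    for idx, record in enumerate(records):
        found = set()
        for field, value in record.items():
            # Lookarounds keep '288377464' from matching inside a longer
            # number and '7/2/79' from matching inside '17/2/79'.
            pattern = r"(?<![\w/])" + re.escape(_canon(value)) + r"(?![\w/])"
            if re.search(pattern, text):
                found.add(field)
        if found:
            hits[idx] = found
    return hits


def evaluate(message: str, records=RECORDS) -> str:
    """Apply the per-record field rule first, then the row-count rule."""
    hits = matched_fields(message, records)
    if any(len(fields) > FIELD_LIMIT for fields in hits.values()):
        return "quarantine"
    if len(hits) >= ROW_LIMIT:
        return "block"
    return "allow"


if __name__ == "__main__":
    for msg in (
        "Accounts to reconcile: 177355142, 123233486, and 342923776.",
        "Customer L. Chen, Account Number 288377464 and DOB 7/2/79",
        "L. Chen asked about account 288377464.",
    ):
        print(evaluate(msg), "<-", msg)
```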

Textual Fingerprint

  • Allows extremely robust identification of content, including fragments or derivatives.

  • The PortAuthority platform is resilient to all types of data manipulation attempts, such as cutting and pasting, reformatting, and retyping.

  • Converts unstructured text into a series of mathematical representations known as “information fingerprints.”

  • Is based on a unidirectional process, which means that original content cannot be reverse engineered from a fingerprint. 

Matrix Fingerprint

  • Converts content from a tabular or spreadsheet format into a series of mathematical representations, while capturing its many idiosyncrasies.

  • Is resistant to manipulation of content by applying certain proportionality checks against the content to ensure accurate identification of protected content. For example, it detects spreadsheets converted from dollars to euros.

  • Utilizes a vectored-representation of the data that captures the original content’s many idiosyncrasies.

  • Is based on a unidirectional process, which means that original content cannot be reverse engineered from a fingerprint.

CAD/CAM Fingerprint

  • Utilizes an approach that interprets the value associated with a diagram despite changes in its physical appearance like rotation or inversion.

  • Is resilient to “reasonable” changes in the drawing. The PortAuthority platform’s CAD/CAM fingerprint filter solves this hard problem.

  • Is based on a unidirectional process, meaning original content cannot be reverse engineered from a fingerprint.

Template/Boilerplate Fingerprint

  • Improves the accuracy of detection by accounting for false similarity and screens out commonly recurring text in similar documents, including boiler plates, disclaimers, template descriptions, forms, and contract terms.

  • PortAuthority is the only solution that employs sophisticated filters to account for templated content.

  • This technique dramatically reduces the false positives associated with basic identification techniques, which often stumble over templated content.

Information Fingerprints
Information fingerprints are highly optimized, mathematical representations of sensitive content that allow for extremely reliable and accurate identification of information. Just as human fingerprints include different elements that can be used to identify a person with great accuracy, information files can be treated with the same concept.

PortAuthority’s proprietary PreciseID technology delivers robust, contextual information identification. Using a unidirectional process, PortAuthority examines the content of documents or raw data and extracts a set of mathematical descriptors or “information fingerprints”. These fingerprints are compact and faithfully describe the underlying content. By assigning unique identities to each information asset, PortAuthority’s PreciseID technology can track information in motion with great precision. Original content cannot be recreated or reverse engineered from PortAuthority’s PreciseID information fingerprint.

The power of PortAuthority’s PreciseID techniques is its ability to detect sensitive information despite manipulation, reformatting, or other modification. Fingerprints enable the protection of whole or partial documents, antecedents, and derivative versions of the protected information, as well as snippets of the protected information whether cut and pasted or retyped.

Explaining PortAuthority PreciseID Technology
PortAuthority’s PreciseID process works through a series of automated processes to create a fingerprint library and checks messages for sensitive content in real time. The system uses a compact and faithful numerical representation of the information, and supports multiple types of fingerprints for various information objects and business needs. PortAuthority also offers a relevant measure of similarity from the business perspective to ascertain the uniqueness of content.

Robust information identification is based on two main elements:

  • The compact and faithful mathematical representation of information.

  • A similarity measure that reflects the relevant similarity of the information items, using representations.

With PortAuthority PreciseID, fingerprinting occurs in two processes: an automated process to extract fingerprints from originating content and a real-time process to match communications against known fingerprints. The diagram below outlines the steps at a high level.

Based on a specific time interval, PortAuthority PreciseID creates fingerprints using the following automated process:

  • Parsing: The textual (alpha-numeric) content of the information item is first extracted. The extraction is conducted from about 300 different formats, which make the encapsulation and format essentially transparent.

  • Normalization: The text is then “canonized” (or brought to a standard form) and preprocessed. Information that does not contribute to the identification process is removed, such as disclaimers, boiler plates, and some frequently used words. The canonized, pre-processed text is then transformed to the numerical domain using multiple hash functions, so there is a unique number for each segment of text. The length and structure of the segments and the overlap between the segments are carefully optimized, using PortAuthority’s PreciseID technique. This set of numbers comprises a redundant representation of all the segments.

  • Encoding: To promote efficiency and security, a representative subset is thereafter selected from the redundant set, using a carefully tuned dilution scheme, which facilitates fast, robust, efficient and accurate identification. This representative set is referred to as the primal textual fingerprint of information.

  • Storage: If time and storage are not a problem, one could simply store the information and compare two items using a standard comparison program. This, however, is not practical when there is a need to monitor intensive digital traffic and to decide whether the content of a certain message was taken from any of millions of confidential documents. In this case, a compact and faithful numerical representation of the information—a fingerprint—is required.

Fingerprinting an organization’s confidential information is simplified with the PortAuthority PreciseID file-system agent and user interface. The user can start by targeting directories with sensitive or confidential information and assigning the required policies to these directories. The file-system agent then recursively fingerprints all the information in these directories and stores the fingerprints together with the corresponding policies in a secure database. Fingerprinting a very large file system can take days, but the process is automatic, and enforcement is operative from the start.

From that point, the information is protected. All monitored traffic is compared with the stored fingerprints, and once a match is found, the corresponding policy (block, quarantine, encrypt, audit, or notify) is applied. The policy is assigned to information, not individual files. Even if a section is retyped from a protected document with some spelling errors and formatting changes, the system will detect and identify the breach. PortAuthority provides several default values and can be easily tuned to various types of users’ requirements.

Real-Time Fingerprint Matching
Whenever PortAuthority receives a message from a messaging server or application, the PreciseID fingerprinting engine creates a real-time fingerprint of that message and its associated attachments and stores it in memory. That real-time fingerprint is compared against the database of known fingerprints to identify any full or partial matches. Because the PreciseID algorithms are optimized for real-time performance, matching occurs in sub-second time in the same way anti-virus or anti-spam systems work, with no noticeable impact on messaging performance.

To provide real-time accurate detection and identification, PortAuthority has developed algorithms that allow fast comparison of the fingerprints of the analyzed traffic with fingerprints of multiple-millions of documents and to apply a context-sensitive similarity measure with adaptive thresholds. The similarity measure can detect, for example, a cut from a confidential document that was edited and then embedded in another large document, and can eliminate false positives that stem from non-relevant similarity.
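The normalize, hash, dilute, store and match flow described above, as an added example. It is not PreciseID, whose algorithms the page does not disclose: it substitutes a standard technique (hashed overlapping word segments thinned by keeping the minimum hash of each window, known as winnowing). The segment length, window size, match threshold, stopword list and all sample texts are assumptions.

```python
import hashlib
import re

STOPWORDS = frozenset(
    "a an and are as at be by for in is it of on or that the this to was will with".split()
)
K = 3         # words per segment (assumed)
W = 4         # segments per selection window (assumed)
MIN_HITS = 3  # shared fingerprint values needed to report a match (assumed)

# Constructed sample texts.
DOC = (
    "Project Falcon acquisition memo. The board approved an offer of 42 dollars per "
    "share for Northwind Foods, subject to regulatory review. Closing is expected in "
    "the third quarter. Integration planning begins next month under the finance team, "
    "and no public announcement will be made before the signing date."
)
REFORMATTED = DOC.upper().replace(". ", ".\n\n   ")  # same words, new layout
LEAK = (  # retyped excerpt with a typo, embedded in an unrelated message
    "hey, fyi before our call tomorrow:\n\n"
    "  the board approved an offer of 42 dollars per share for\n"
    "  NORTHWIND FOODS -- subject to regulatory review; closing is\n"
    "  expected in the third quater. Integration planning begins next month\n\n"
    "keep it quiet, talk soon"
)
MENU = "Lunch menu for Friday: tomato soup, grilled cheese and apple pie. Northwind Foods delivers at noon."


def normalize(text):
    """Canonize: lowercase, drop punctuation and layout, drop frequent words."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return [w for w in words if w not in STOPWORDS]


def segment_hashes(tokens):
    """One 64-bit number per overlapping K-word segment (the redundant set)."""
    hashes = []
    for i in range(len(tokens) - K + 1):
        segment = " ".join(tokens[i:i + K]).encode()
        hashes.append(int.from_bytes(hashlib.sha256(segment).digest()[:8], "big"))
    return hashes


def fingerprint(text):
    """Dilution: keep the minimum hash of every window of W consecutive segments."""
    hashes = segment_hashes(normalize(text))
    if not hashes:
        return frozenset()
    last = max(1, len(hashes) - W + 1)
    return frozenset(min(hashes[i:i + W]) for i in range(last))


def exact_signature(text):
    """Whole-content hash, for contrast: any change gives a different value."""
    return hashlib.sha256(text.encode()).hexdigest()


def match(message, library, min_hits=MIN_HITS):
    """Return (name, policy, hits) for each stored fingerprint the message overlaps."""
    probe = fingerprint(message)
    results = []
    for name, (stored, policy) in library.items():
        hits = len(probe & stored)
        if hits >= min_hits:
            results.append((name, policy, hits))
    return results


# Only fingerprints and policies are stored, not the document text.
LIBRARY = {"falcon-memo": (fingerprint(DOC), "quarantine")}

if __name__ == "__main__":
    print("same fingerprint after reformatting:", fingerprint(REFORMATTED) == fingerprint(DOC))
    print("same exact signature:", exact_signature(REFORMATTED) == exact_signature(DOC))
    print("leak:", match(LEAK, LIBRARY))
    print("menu:", match(MENU, LIBRARY))
```

In this construction a stored value can still be confirmed by hashing a guessed segment, so the fingerprint library itself needs access control.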

PortAuthority’s PreciseID real-time fingerprint matching capabilities are agnostic to the communication channel being monitored. A PortAuthority agent can be installed on any monitored communication channel, where it extracts fingerprints and other relevant information from the traffic in the channel and sends them for analysis. The agent then applies any relevant policy based on the results of the analysis.

How Are Contextual Identification Techniques Superior?
Contextual identification techniques provide significant advantages over less granular identification methods. While they can complement these earlier approaches, contextual identification techniques offer several key benefits:

  • Significantly more accurate than global and token-based approaches alone.

  • Extremely fast identification of sensitive content from millions of items indexed in a fingerprint library.

  • Resilient to cut-and-paste attacks.

  • Agnostic to the communication channel.

  • Not file-specific, so the information itself is protected.

  • Ability to identify information regardless of the format, encapsulation, and possible edits or changes to text.

The Next Step—Effective Policy Enforcement
Enterprises and financial organizations, as well as military and government agencies, are required to control and monitor the communications of sensitive information to protect customer data, confidential information and trade secrets. Unauthorized disclosure of this sensitive information can be prevented with robust information identification technology.

Less granular forms of information identification, such as detecting the binary signatures of files, can be rendered ineffective by any small change in a protected file. Robust information identification can identify the information, regardless of the format and reasonable edit changes. These highly reliable and accurate information identification techniques are necessary to establish visibility into the magnitude and frequency of incidents. While some solutions provide detailed reporting and audit trails on leakage incidents, they typically do not prevent the actual transmissions of sensitive content. Simply monitoring for sensitive information in transit is insufficient.

Real-time policy enforcement is the other critical component of a complete Information Leak Prevention solution. Real-time policy enforcement requires a high degree of granularity to enforce information leak prevention policies on real business processes.

PortAuthority’s advanced technology for robust information identification permits truly effective Information Leak Prevention. The system’s ability to assign identity to each information asset and to track information in motion is extremely powerful. In particular, PortAuthority’s combination of techniques provides the high granularity required to enforce information distribution policies for real business processes.

PortAuthority can mirror specific internal policies to prevent unintended information leakage. For example, a rule may specify that document X, written by user Y, can only be sent by user Y or Z and only to recipients within the finance department. In addition, PortAuthority is resilient enough to handle the normal modification of sensitive information. Administrators can easily define exactly who can send exactly what to whom under which circumstances in PortAuthority.

Real-life business processes often require information to be edited, cut and pasted, or altered in some way, but the distribution of that information still needs to be controlled. Ultimately, business-oriented policy enforcement should identify information regardless of the format and edit changes, and then apply the appropriate policies. Information Leak Prevention solutions must support, not hinder, existing business processes and should be transparent to users.

Methodological Aspect: P3, Prioritizing Information Identification Efforts
Many organizations grapple with how to address their Information Leak Prevention issues. PortAuthority Technologies uses the P3 methodology for prioritizing information identification efforts. The P3 methodology consists of:

  • Principal

Identify the principal business information in your organization. This 1% to 5% of information is the most proprietary and critical. Owners should know the exact whereabouts of principal information and what controls are in place to prevent its loss. Firms must fingerprint this critical information, assign information owners, and establish policies for the information.

  • Pareto

Next, determine which 20% of the business information represents 80% of the value. Pareto represents the middle layer of information. This commonly used information typically resides in a few major data sources. This class of sensitive information should also be fingerprinted with specific owners designated and specific distribution policies outlined.

  • Progressive

Finally, identify the lower-priority information assets that should be protected. Progressive information is often protected in phases, in which certain types of information assets are added in stages.

Organizations that need to protect private customer information, confidential corporate documents or proprietary plans rely on PortAuthority Technologies to proactively identify and stop leaks before they occur. PortAuthority Technologies’ early leadership in defining and providing solutions for the Information Leak Prevention (ILP) market is reflected in strong customer traction and rapid growth.

PortAuthority Technologies takes pride in the level of trust we have developed with our clients as well as their high degree of customer satisfaction. Global 2000 companies across the financial services, life sciences, government and technology industries have chosen PortAuthority to prevent breaches of sensitive information and to achieve compliance with privacy regulations like Gramm-Leach-Bliley, HIPAA, CA SB 1386/CC 1798, and PIPEDA.

As the issue of information leak prevention continues to remain at the forefront of corporate consciousness and a necessary investment in industries where customer data or company information must be protected on all sides, Dr. Troyansky is committed to ongoing advances and innovation with PortAuthority products and technology.

Serving as chief scientist, Dr. Lidror Troyansky contributes his unique expertise to the development of PortAuthority Technologies’ ultra-precise fingerprinting technology. He is a published algorithms specialist with extensive experience in the fields of computational learning, pattern recognition and signal processing. Before joining PortAuthority Technologies, Troyansky had led a variety of computer security projects. He received a Bachelor’s degree in Mathematics and Physics from Tel-Aviv University (Cum Laude), a Master’s degree in Physics from the Weizmann Institute of Science (Cum Laude) and a Ph.D. in Computer Science from the Hebrew University of Jerusalem, where he received the Sir Charles Clore fellowship for academic distinction.

Dr. Troyansky is a well-known visionary for his work as an algorithms specialist with extensive experience in the fields of computational learning, pattern recognition and signal processing. He is a co-author of an important work regarding computational complexity, which was published in “Nature”, with a follow-up report in the N.Y. Times science section, and has held a variety of leadership roles and led a number of computer security projects throughout his career as a distinguished scientist.

As PortAuthority Technologies’ Chief Scientist, Dr. Troyansky has been instrumental in developing the fingerprinting technology that enables PortAuthority’s proprietary PreciseID™ Technology. The technology innovation he led serves as the backbone to the company’s innovative products and solutions.

PortAuthority Technologies
2445 Faber Place, Suite 100
Palo Alto CA 94303-3347 USA
Tel: 1-650-739-0100

Copyright © 2006 Silicon Valley Communications - All rights reserved.
