Security Manager's Journal: Did DLP tool prevent an assault?
A data loss prevention tool flags keywords that lead to the discovery of a possible conspiracy to commit a crime.
The plain view doctrine allows law enforcement officials to seize, without a search warrant, evidence or contraband perceptible during a lawful observation. As an example, if a police officer who is exercising a warrant to search a house for illegal weapons sees drugs on the kitchen counter, in plain sight, then the officer can confiscate the illegal drugs and charges could be filed, even though the search was for weapons.
DLP monitor instigates an investigation that uncovers what seems to be an employee's plan to attack his wife's lover.Action plan: Bring the evidence to HR and Legal and go from there.
I mention this doctrine because it intersects to a certain extent with a company policy that states that employees have no expectation of privacy when using company computers and networks. We are basically saying that we will judge anything on them as being in plain view.
This policy is what allows my analysts to monitor network activity for security breaches and other illegal activity. Naturally, we are mostly interested in detecting attempts to leak any sensitive company information. To that end, we have indexed a fairly small set of key documents for our data loss prevention (DLP) tool to look for. But we also look for certain number sequences and keywords suggesting credit card numbers, Social Security numbers or other personally identifiable information, and we look for keywords that might indicate illegal activity such as downloading child pornography. That's because we don't want to be surprised someday with a search warrant that could disrupt our business and result in some bad press for us. It's better to be on top of such things and alert law enforcement anytime we come across anything suspicious.
And sometimes we do find something. The other day, one of my analysts sent me data he was investigating that suggested someone in the company might be involved with child pornography. Our DLP monitor had flagged some traffic containing keywords that we had included in the rules we use to turn up anything that might be related to such activity. Soon enough, we found out that this wasn't a child pornography case, but something else that we needed to bring to the attention of law enforcement.
The analyst had uncovered an instant-messaging chat between one of our employees and someone from outside the company. The chat rather baldly outlined a conspiracy between the two men to assault a third man that our employee suspected was having an affair with his wife. In that conversation, our employee discussed a plan to use his wife's cellphone to text the man and persuade him to visit a park for what he thought would be a meeting with the employee's wife. At the appointed time and place, the two conspirators would attack him.
The discussion was incredibly detailed and incriminating: They talked about the type of weapon that would be best for the attack, their alibis and even the best way to wash blood off clothing and hands.
I printed out a transcript, along with information about the employee, and met with our legal department and human resources. HR's impulse was to give the employee the benefit of doubt, but our general counsel, concerned that we could be charged with negligence if an assault occurred, disagreed and said we needed to contact law enforcement immediately. I then told the employee's manager to confiscate his laptop until the matter is resolved.
I checked in the other day to find out what is happening and learned that the police investigation is ongoing and that HR has put the employee on administrative leave. There is still a chance that the entire thing was a hoax, but the incident nonetheless provides further justification for our investment in DLP.
All in all, though, I'd be happier with other sorts of justification for such a valuable initiative.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at email@example.com.
Join in the discussions about security! Computerworld.com/blogs/security
Read more about security in Computerworld's Security Topic Center.