Security Manager's Journal: Did DLP tool prevent an assault?

A data loss prevention tool flags keywords that lead to the discovery of a possible conspiracy to commit a crime.

By Mathias Thurman, Computerworld |  Security, Data Loss Prevention, DLP

The plain view doctrine allows law enforcement officials to seize, without a search warrant, evidence or contraband perceptible during a lawful observation. As an example, if a police officer who is exercising a warrant to search a house for illegal weapons sees drugs on the kitchen counter, in plain sight, then the officer can confiscate the illegal drugs and charges could be filed, even though the search was for weapons.

Trouble Ticket

DLP monitor instigates an investigation that uncovers what seems to be an employee's plan to attack his wife's lover.Action plan: Bring the evidence to HR and Legal and go from there.

I mention this doctrine because it intersects to a certain extent with a company policy that states that employees have no expectation of privacy when using company computers and networks. We are basically saying that we will judge anything on them as being in plain view.

This policy is what allows my analysts to monitor network activity for security breaches and other illegal activity. Naturally, we are mostly interested in detecting attempts to leak any sensitive company information. To that end, we have indexed a fairly small set of key documents for our data loss prevention (DLP) tool to look for. But we also look for certain number sequences and keywords suggesting credit card numbers, Social Security numbers or other personally identifiable information, and we look for keywords that might indicate illegal activity such as downloading child pornography. That's because we don't want to be surprised someday with a search warrant that could disrupt our business and result in some bad press for us. It's better to be on top of such things and alert law enforcement anytime we come across anything suspicious.

And sometimes we do find something. The other day, one of my analysts sent me data he was investigating that suggested someone in the company might be involved with child pornography. Our DLP monitor had flagged some traffic containing keywords that we had included in the rules we use to turn up anything that might be related to such activity. Soon enough, we found out that this wasn't a child pornography case, but something else that we needed to bring to the attention of law enforcement.

Originally published on Computerworld |  Click here to read the original story.
Join us:






Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Ask a Question