I've seen the technology in action. Some companies clearly pass their press releases through it.
Brit infosec firm lets hackers think they've stolen something
Security strategies generally concentrate on keeping the bad guys out, but British security outfit ClearSwift has stumbled upon another approach: if the bad guys get in, let them out with something. But scrub it clean on the way out the door. ClearSwift is the latest home for content-screening technologies first developed in …
COMMENTS
-
Thursday 14th August 2014 01:50 GMT asdf
sounds nice on paper
>The redaction happens as a result of policies that describe data forbidden to go beyond the firewall.
Bet it's fun keeping those policies up to date. Bet it's also fun dealing with sales or marketing or even legal if any false positives (or even true positives) are triggered on their documents going out to customers, etc.
-
Thursday 14th August 2014 19:18 GMT GuyAtClearswift
Re: sounds nice on paper
So the corporate policy should be not to allow the user to send encrypted - but to enable encryption at the corporate level. You can readily detect and block encrypted content. Having corporate encryption also ensures that should the organization be asked to produce email (and attachments) for legal reasons, they don't get caught out not being able to un-encrypt it.
-
Thursday 14th August 2014 06:11 GMT Khaptain
Questions
How exactly does the firewall know when an internal machine has been hacked? The hacker might be simply emailing/ftping/telneting/wputting data to an external address just as someone might be doing this as part of their normal job?
Where exactly does this device/software sit, between the router and the firewall or between the firewall and the LAN?
I presume that the internal client machines need some kind of client; what happens when that client is switched off, or do they encrypt all of their in-house data in advance and the client "simply" unencrypts on the fly?
The article is very vague as to what is really going on.
-
Thursday 14th August 2014 15:19 GMT h4rm0ny
Re: Questions
It doesn't need to know if the machine has been hacked or if some employee is deliberately trying to email out data (for example). It just knows that matching data should never leave. E.g. it could scan for patterns that match credit card numbers or national insurance numbers, or if the file has certain metadata attached to it.
This is quite interesting. I'm now envisaging an intruder trying to modify the data on the inside so that they can extract it without triggering the rules. Zipping them up would be the obvious thing to do, I would assume.
-
Thursday 14th August 2014 09:47 GMT auburnman
Honeypot
If you're accepting that bad guys will get in the door and walk out with something, why not have your servers littered with useless files called LOGINS.txt and ADMIN_ID_LIST.xls? Fill them with crap data that looks like real logins, and rig a red alert klaxon to ring whenever these are accessed?
-
Thursday 14th August 2014 10:58 GMT Phil O'Sophical
"contains nothing of use."
Sounds like a missed opportunity. Why not use steganography methods to put a unique watermark or other identifier into the data at the same time as the useful stuff is being taken out. Then when it appears on someone's website or social media page somewhere they can trace back to the culprit?
-
Thursday 14th August 2014 13:52 GMT Anonymous Coward
Headed for the door?
I think the magic must be in how they identify the data that is 'headed for the door'.
My first thoughts were musings on how to spoof the exit door so the software doesn't see it as an exit.
But then I realized that wouldn't be nearly as much fun as tricking the software into seeing *everything* as an exit door! <evil grin /> Heh. They'll shut that software off so fast its left bits will continue to twirl about!
-
Thursday 14th August 2014 19:18 GMT GuyAtClearswift
Re: Headed for the door?
We can apply this to internal traffic as well... but it is done on purpose. Bringing Data Loss Prevention inside the organization is now a way to further reduce risk. The key thing about Adaptive Redaction is that the communication goes through - even if some of the information has been removed. So the person at the other end isn't left waiting for something that has been quarantined and left for good.
-
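An added example, not Clearswift's code or anything from the article, of the mechanism the thread is discussing: h4rm0ny's point that the filter only needs to match data that should never leave (card numbers, National Insurance numbers), Guy's point that the message still goes through with the matched data stripped rather than being quarantined, and h4rm0ny's observation that zipping is the obvious evasion, so zip attachments are unpacked and scanned. A Luhn check is applied to candidate card numbers so that every 16-digit order reference is not a false positive (asdf's worry). The patterns, replacement markers and sample attachment are simplified and constructed for this example.

```python
import io
import re
import zipfile

# Constructed, simplified patterns for this example, not Clearswift's own policy rules.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")  # 13-16 digits, optional separators
NINO_RE = re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b")    # UK National Insurance number shape

def luhn_ok(digits):
    # Luhn checksum: a numeric run that fails it is not a card, which cuts false positives.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def redact_text(text):
    # Strip matching data in place; everything else in the message still goes through.
    hits = []
    def card(m):
        if not luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            return m.group(0)  # numeric but not a card number: leave it alone
        hits.append("card")
        return "[REDACTED CARD]"
    def nino(m):
        hits.append("nino")
        return "[REDACTED NINO]"
    return NINO_RE.sub(nino, CARD_RE.sub(card, text)), hits

def redact_zip(blob):
    # Zipping is the obvious evasion, so text members are unpacked, scanned and repacked.
    hits, out = [], io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(blob)) as zin, zipfile.ZipFile(out, "w") as zout:
        for info in zin.infolist():
            data = zin.read(info)
            try:
                clean, h = redact_text(data.decode("utf-8"))
            except UnicodeDecodeError:
                clean, h = data, []  # non-text member: passed through unchanged (assumption)
            zout.writestr(info.filename, clean)
            hits += h
    return out.getvalue(), hits

def make_zip(members):
    # Build a constructed sample attachment for the demonstration.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, text in members.items():
            z.writestr(name, text)
    return buf.getvalue()
```

Binary members are passed through untouched here purely to keep the example short; a real policy would have to decide what to do with content it cannot inspect.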