
eContent Intelligence™: An Organizational Perspective

Author: Yiannis Vassiliades
Article Posted On: Wed Mar 26 2008

Introduction

Business in the 21st century has become more complex as the Internet enables immediate access to information. Organizations are learning to use new IT systems to remain competitive, improve operational efficiency, handle risk assessment better, and serve their markets and customers faster. To maximize these benefits, corporations must be willing to “open their borders”: bring in value-add partners and outsourcing services, optimize their business process flows and share their data effectively.

While global commerce is transforming itself, so is IT security. A paradigm shift has occurred: security systems can no longer protect the enterprise only at its network perimeter, because the perimeter has become dynamic through federated architectures, VPN connections and mobile technology. IT security solutions are therefore evolving to safeguard critical assets and data, both at rest and in transit, wherever they sit. Given the sensitivity of the data shared among interested parties, government regulations such as SOX, HIPAA and GLBA, and industry standards and best-practice frameworks such as ISO 17799, PCI DSS and ITIL, have emerged to enforce and guide safe ways of conducting electronic business.

Compounding the complexity of electronic business is the increased sophistication of cyber threats, which, unlike a few years ago, are now targeted attacks by financially motivated criminals or state-sponsored espionage. The average cost per cyber incident in 2007 more than doubled compared to 2006, reaching $350,000 (CSI Survey 2007, www.gocsi.org).


Definition – eContent Intelligence (eCI)

eContent Intelligence (eCI) enables organizations to gain insight into how information flows by examining the ways data enter, leave or traverse their network. It helps answer important questions such as “What was communicated?”, “Who sent it?”, “Who was the recipient?” and “When did it happen?” Whether performing an enterprise audit, a departmental assessment or targeted monitoring, quick answers to these questions are imperative to minimize exposure from non-compliant users and leakage of sensitive information. Yet most existing security solutions are not capable of performing in-depth analysis of network data. There is a stark difference between eContent Intelligence and deep packet inspection security tools (like some firewalls) or content filtering (like Data Leakage Prevention): eCI is designed to return actionable information to the enterprise rather than actively interfering with data flows. By analyzing all network content instead of looking for specific data streams, eCI systems gain a broader perspective on user communication patterns and session flows. This knowledge can be used by organizations not only for investigative work but also to review the effectiveness of existing policy.

This paper examines the challenges, benefits and eCI best practice techniques of effectively harvesting actionable information as it relates to organizations of all sizes.


You Can’t Manage what You don’t Know

2007 is the first year in which financial losses from cyber crime were attributed more to financial fraud than to virus infections (CSI Survey 2007, www.gocsi.org). IT security departments and incident response teams cope every day with the systemic challenge of turning raw data into actionable information. Each implemented product generates event logs that someone must have the knowledge and time to review. The same security professionals are also involved in internal and regulatory audits, where they must ensure end-user adherence to regulatory and company policies. For example, emailing unencrypted personal information, such as Social Security or credit card numbers, violates employee privacy. Yet policy infractions like this happen regularly, mostly out of end-user neglect rather than malicious intent. The wide use of decentralized productivity applications, such as MS Word and MS Excel, empowers end-users to generate unmanaged content, which becomes a further exposure for the organization if these tools are used inappropriately. This raises a challenge every Chief Information Security Officer faces: how do you secure corporate data and end-users without affecting their productivity?

To cope with the risk of uncertainty, security professionals have adopted the motto “trust, but verify.” But how do you verify that your data leakage prevention system actually stopped your customer list from leaving your network?

To regain control of their networks, businesses must extend their governance objectives around “people, process and technology” with internal policies that include end-user education and the implementation of appropriate technology and services that can provide actionable information.


eCI Benefits

IT security teams must have the right solutions in place to minimize cyber threats, but they must also be proactive in determining the organization’s risk posture. By becoming cognizant of how content moves around their networks they can:
  • Reduce security exposure: In the first half of 2007, of the top 50 security risks, 65% were designed to steal personally identifiable information (Symantec Threat Report, 1H 2007). Are firewall rules adequate? Is proprietary content encrypted? In what ways is content getting past current controls?
  • Minimize the risk of failing an audit: Proactive assessments expose violations and plug security holes before an auditor finds them. Regular testing with policy violation alerts provides the means to correct both security controls and user behavior.
  • Understand how employees are using company data: A better understanding of how network and system resources are used can inform changes to existing architectures, such as assigning more resources to a particular system to accommodate end-user demand.
  • Perform targeted investigations and mitigate damages: A system that can capture and analyze content crossing the network can be used in a targeted way when there is probable cause to monitor a specific suspect or group. To mitigate potential damages, the ability to rapidly assess the level of exposure and risk is critical.


eCI Process - What should be included?

    To provide intelligence on content-rich communications effectively (emails with attachments, video and picture downloads, online chat, documents sent and received through web mail), the right solution must capture this data while it is in motion, on its way into and out of the enterprise network. This is not a simple task: close attention must be paid to data volumes and to the location of monitoring in order to provide maximum visibility. Additionally, network and system architectures change to meet enterprise operational demands, which in turn may introduce new security exposures. In such dynamic environments, security systems must adapt and evolve with the rest of the enterprise.

    1. Monitor & Collect
    Clearly, this is the first and fundamental step in establishing the means to see data in motion. Depending on the purpose of the monitoring, it is important to consider the best network location(s) from which to collect, network data speeds, traffic loads, and how long captured data must be retained.

    For example, for a general-purpose security audit, data should be captured from various places in the enterprise network (see Appendix A: Technical Considerations) to gain a better understanding of how users are adhering to set policies. For a targeted investigation, by contrast, the system can be set up at the same collection points to capture only the target’s traffic (for example by filtering on the suspect’s IP address), ignoring everyone else’s traffic for the purpose of the investigation.

    Another requirement of monitoring is real-time capability. eCI systems are designed to be passive: they introduce no traffic on the monitored network and cannot block any communication. Instead, they generate real-time alerts or automatically pass instructions to enforcement points such as firewalls, routers or policy management systems.

    2. Analyze
    It is preferable for the eCI system to perform much of the required analysis as it captures data rather than after the fact. Although this puts a strain on collection performance, it saves a great deal of time in post-collection analysis. It also lets the system raise real-time alerts on policy violations and other triggers the user deems important, so the user can quickly ascertain what is happening instead of waiting (often hours) for reports to be generated. For example, real-time alerts and automatic reports can be triggered during session reconstruction of email (such as SMTP), web traffic (such as HTTP) and attachments (regardless of file type: PDF, DOC, ZIP, etc.), facilitating quick identification of conditions of interest such as pornographic or other inappropriate content, access to restricted content, and so on.

    Analysis can also be performed on offline content. Instead of processing a real-time network feed, the eCI system analyzes previously collected data, either from its own archives or from a capture made by another tool, such as tcpdump (www.tcpdump.org). This capability can be used for historical analysis of a target communication type, or forensically, to establish probable cause for a particular action.

    3. Correlate
    Correlation is a very important component of the eCI process and a powerful differentiating feature, because solutions capable of correlation help the user quickly discern other pertinent information surrounding an object of interest. For example, identifying an email that violates a security policy because it contains an attachment with inappropriate content or company-proprietary data would prompt the investigator to dig deeper into what else the email’s author was doing around the time it was sent, and historically. The system must answer this kind of inquisitive question very fast and, in this case, provide information about other emails sent and received, websites visited, chat sessions, and so on, that could paint a better picture of the end-user’s intentions.

    The correlation process may additionally involve data from other systems. While eCI products are designed to look at network content, other systems correlate event data from log files. With some integration work these two competencies can come together to provide a more complete picture of network activity, by supplying intelligence on the network content that generated an event within a logging system. For example, a spam filter is triggered at the same time as an antivirus alert. These two events can be correlated automatically by a Security Information and Event Management (SIEM) product, but one component is missing: the actual sessions that triggered those events. Knowing that an end-user visited a website and clicked on a picture, or opened an email attachment that downloaded a virus used to send a spam storm, augmented with intelligence on the end-user’s other online activities, leads to a determination of whether the end-user’s actions were malicious or inadvertent.

    4. Report
    Without intuitive reporting, any system’s usefulness is immediately very limited. eCI serves several purposes, and each dictates what reporting must provide.
  • Audits. Reporting provides proof, a paper trail, of policy infractions and an assessment of the company’s risk posture.
  • Investigations. Reporting presents evidence to establish probable cause.
  • Ongoing monitoring. Regular reporting gives statistical information and trend analysis indicating the level of policy adherence over time.

    In any of the above cases, eCI systems must effectively display information derived from hundreds (or thousands) of simultaneous sessions: emails, IM chats, web traffic, etc. While reports should be available within the system’s graphical user interface, it is also necessary to provide flexible external reporting that can be shared with other individuals or systems. Some common report types are:
  • Statistical graphical and tabular reports describing particular content flows for management
  • Business Intelligence – Integration to a reporting tool (Cognos, Crystal Reports, etc.) for custom data manipulation and correlation with other data points
  • Export function in .csv or XML formats for easy manipulation outside of the eCI system
  • Print capability
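    As an added illustration of the Analyze, Correlate and Report steps above (example code written for this page, not code from the paper or from Chronicle Solutions), the Python script below runs a policy check over a few constructed, already-reassembled SMTP and HTTP sessions, correlates a violating email with the same host’s other sessions in a time window, and emits a CSV report of the kind listed above. The session records, user names, addresses, timestamps and the Social Security and credit-card patterns are all assumptions; a real eCI sensor would feed reassembled sessions in from the Monitor & Collect step. The credit-card check applies a Luhn checksum so that arbitrary 16-digit strings do not raise alerts.

```python
"""Added example: analyze -> correlate -> report over constructed sessions.
Not vendor code. Sessions, names, addresses and patterns are assumptions."""
import csv
import io
import re
from datetime import datetime, timedelta
from email import message_from_bytes, policy

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")          # US SSN, dashed form
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")        # 13-16 digits, space/dash allowed

T0 = datetime(2008, 3, 26, 9, 0, 0)
# Constructed sample: what a passive sensor would hand over after session
# reconstruction. Only request heads / DATA payloads are kept for brevity.
SESSIONS = [
    {"ts": T0, "src": "10.1.2.3", "proto": "http",
     "payload": b"GET /export/customers.csv HTTP/1.1\r\nHost: crm.example.internal\r\n\r\n"},
    {"ts": T0 + timedelta(minutes=4), "src": "10.1.2.3", "proto": "smtp",
     "payload": (b"From: alice@example.com\r\nTo: buyer@partner-mail.example\r\n"
                 b"Date: Wed, 26 Mar 2008 09:04:00 -0400\r\nSubject: list\r\n"
                 b"MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n"
                 b"--b1\r\nContent-Type: text/plain\r\n\r\nAs discussed.\r\n"
                 b"--b1\r\nContent-Type: text/csv\r\n"
                 b"Content-Disposition: attachment; filename=\"customers.csv\"\r\n\r\n"
                 b"name,ssn,card\r\nJ Doe,123-45-6789,4111 1111 1111 1111\r\n"
                 b"--b1--\r\n")},
    {"ts": T0 + timedelta(minutes=6), "src": "10.1.2.3", "proto": "http",
     "payload": b"GET / HTTP/1.1\r\nHost: webmail.example.net\r\n\r\n"},
    {"ts": T0 + timedelta(hours=3), "src": "10.1.2.9", "proto": "smtp",
     "payload": (b"From: bob@example.com\r\nTo: carol@example.com\r\n"
                 b"Date: Wed, 26 Mar 2008 12:00:00 -0400\r\nSubject: lunch\r\n\r\nNoon?\r\n")},
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def analyze_smtp(payload: bytes) -> dict:
    """Answer who/to whom/when, and scan every MIME part (body and attachments)."""
    msg = message_from_bytes(payload, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        text = part.get_payload(decode=True).decode("utf-8", "replace")
        ssns = SSN_RE.findall(text)
        cards = [c for c in CARD_RE.findall(text) if luhn_ok(re.sub(r"[ -]", "", c))]
        if ssns or cards:
            findings.append({"part": part.get_filename() or "(body)",
                             "ssn": len(ssns), "card": len(cards)})
    return {"who": str(msg["From"]), "to": str(msg["To"]),
            "when": str(msg["Date"]), "findings": findings}


def describe(session: dict) -> str:
    """One-line summary of a session for the correlation context column."""
    if session["proto"] == "http":
        head = session["payload"].split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
        lines = head.split("\r\n")
        method, path = lines[0].split()[:2]
        host = next((l.split(":", 1)[1].strip() for l in lines[1:]
                     if l.lower().startswith("host:")), "?")
        return f"http {method} {host}{path}"
    info = analyze_smtp(session["payload"])
    return f"smtp {info['who']} -> {info['to']}"


def correlate(alert: dict, sessions: list, window=timedelta(minutes=15)) -> list:
    """Other sessions from the same source host within +/- window of the alert."""
    return [s for s in sessions if s is not alert and s["src"] == alert["src"]
            and abs(s["ts"] - alert["ts"]) <= window]


def run(sessions=SESSIONS) -> list:
    """Analyze every SMTP session; build an alert record with correlated context."""
    alerts = []
    for s in sessions:
        if s["proto"] != "smtp":
            continue
        info = analyze_smtp(s["payload"])
        if info["findings"]:
            alerts.append({
                "ts": s["ts"].isoformat(), "src": s["src"],
                "from": info["who"], "to": info["to"],
                "parts": ";".join(f"{f['part']}:ssn={f['ssn']},card={f['card']}"
                                  for f in info["findings"]),
                "context": " | ".join(describe(c) for c in correlate(s, sessions)),
            })
    return alerts


def to_csv(alerts: list) -> str:
    """Export for use outside the eCI system (the .csv export mentioned above)."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["ts", "src", "from", "to", "parts", "context"])
    w.writeheader()
    w.writerows(alerts)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(run()))
```

    Run as-is, the script flags the one email whose attachment carries an SSN and a valid card number, and its context column shows that the same host pulled customers.csv from the CRM export just before sending it and then opened web mail: exactly the surrounding activity the Correlate step says an investigator wants at hand.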


Summary

    Organizations must share their data effectively with supply chain and customer relationship management systems, in order to minimize time to market and serve clients faster. Technology innovation has enabled more immediate access to information, but unchecked it also introduces unmanaged risk. Enterprises of all sizes must have clear objectives and policies surrounding data sharing as well as mechanisms to ensure their data is used in the manner for which it was intended.

    eContent Intelligence enables organizations to analyze content as it flows through the network. This complex but very important capability is paramount for performing a complete risk assessment, security audit or targeted investigation. Along with other assessment and auditing technologies, analysis of content data flows provides the insight required to establish appropriate policies and procedures, and to ensure those policies are effective.

    Appendix A. Technical Considerations – Network Architecture and Data Storage

    Data Capturing Techniques
    There are two ways for an eCI product to monitor network traffic:
    1. Network switch SPAN/mirror port
    The switch is configured to copy traffic sent or received on selected ports (or VLANs) to the monitoring port. Note that a SPAN port can be oversubscribed: when the mirrored traffic exceeds the monitoring port’s bandwidth the switch silently drops packets, so a SPAN session covering a busy full-duplex link should be sized accordingly.

    2. Network tap
    A tap is a device inserted in-line on a link that copies the traffic on that link to one or more monitor ports. Taps normally present each direction (ingress and egress) separately, which matters for the storage considerations below. Both methods are passive from the monitored network’s point of view and do not introduce additional traffic, unlike a network scanner. However, correct placement of any network-based solution is imperative to prevent erroneous results. There are three areas of the network most commonly monitored:

    Common Network Capture Points
    1. Gateway
    This is the organization’s perimeter boundary. Network monitoring at this location exposes all communications that enter or leave the organization’s internal network from and to the Internet. It provides information on data leakage (over the network). Note, that many large enterprise architectures have several gateway points for load balancing and to prevent a single point of failure.
  • Traffic Types
    The most prevalent examples of such traffic are email (SMTP), web (HTTP, HTTPS) and VPN (IPsec, SSL/HTTPS), although in some cases TELNET and FTP are also used. Note that for HTTPS and VPN sessions a passive sensor sees only endpoints, timing and volume, not content, unless it is placed behind a proxy or VPN concentrator that terminates the encryption.
  • Traffic Speeds
    Traditionally, network speeds at this location range from T1 to multiple T3 lines (1.5 Mbps to multiples of 45 Mbps).
  • Typical Security Technology
    Gateway points are protected by firewalls, gateway antivirus and antispam, intrusion prevention systems and other “edge” devices

    2. Network Core
    The network core is the backbone of the organization’s network and is designed to transfer internal data quickly between local branches and departments. Content monitoring at this location is difficult due to the very high data rates.
  • Traffic Types
    There is a much richer mix of protocol types compared to the Gateway, many of which can be proprietary. Typical internal protocols are SMB/CIFS, VoIP, NetBIOS, MAPI, IM, routing protocols, ERP related protocols, FTP, TELNET and other remote access protocols, etc.
  • Traffic Speeds
    The standard has become 1Gbps, but 10Gbps network cores are starting to be implemented
  • Typical Security Technology
    Internal firewalls, router access lists, intrusion prevention systems, etc.

    3. Local network segment/Department
    Local networks connect a whole building, a floor, or the computers in a room (server room, development lab, etc.) This is the point closest to the end-user and normally used for targeted monitoring of a suspect
  • Traffic Types
    The traffic mix is very similar to what is found in the network core, plus wireless protocols such as 802.11a/b/g/n with WEP, WPA, etc.
  • Traffic Speeds
    The range is 10Mbps – 1Gbps.
  • Typical Security Technology
    Internal firewalls, endpoint security systems, intrusion detection/prevention systems

    Data and Storage Considerations
    Another very important consideration when monitoring and analyzing content-rich communications is the amount of disk space required to store the data. FTP transfers and downloads, email attachments, streaming video, etc. can be very large. No two networks are alike, but most exhibit similar behaviors; for example, employees are commonly most active online in the morning and over lunch. Nevertheless, benchmarking actual traffic patterns is highly recommended to approximate storage requirements. The main factors to consider are:
  • Network location where monitoring occurs
  • Duration of data capture
  • Duration of data kept in storage
  • Monitoring full duplex data streams, egress or ingress only
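    As an added example (written for this page; not the paper’s or Chronicle’s code) that ties the offline analysis mentioned under Analyze to the storage factors just listed, the Python below reads a libpcap file of the kind tcpdump -w produces, groups IPv4/TCP segments into flows, reassembles each direction by sequence number (tolerating out-of-order arrival and discarding retransmissions), classifies egress versus ingress against an assumed internal prefix, and turns the observed direction split plus an assumed link rate and utilisation into a rough storage figure. The capture is constructed in memory from a short SMTP exchange; the addresses, the 10.0.0.0/8 internal range and the sizing parameters are assumptions, and the direction-share heuristic is this example’s own, not a method the paper describes.

```python
"""Added example: offline pcap ingestion, TCP flow reassembly and a storage
estimate. Not vendor code; addresses, ranges and rates are assumptions."""
import ipaddress
import struct
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")     # assumed internal address range

# Constructed SMTP exchange: client 10.1.2.3 -> external MX 203.0.113.25.
CLIENT = [b"EHLO laptop.example.com\r\n",
          b"MAIL FROM:<alice@example.com>\r\n",
          b"RCPT TO:<buyer@partner-mail.example>\r\n"]
GREETING = b"220 mx.partner-mail.example ESMTP\r\n"


def _frame(src, dst, sport, dport, seq, payload: bytes) -> bytes:
    """Ethernet/IPv4/TCP frame with zeroed checksums (a parser does not need them)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return eth + ip + tcp


def build_pcap(frames, t0=1206536400) -> bytes:
    """Little-endian libpcap: 24-byte global header, 16-byte record headers, linktype 1."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", t0 + i, 0, len(f), len(f)) + f
    return out


def sample_capture() -> bytes:
    """Greeting, EHLO, RCPT (arrives early), MAIL, MAIL again (retransmission)."""
    seqs = [2000]
    for p in CLIENT[:-1]:
        seqs.append(seqs[-1] + len(p))
    c = [_frame("10.1.2.3", "203.0.113.25", 50000, 25, seqs[i], CLIENT[i]) for i in range(3)]
    s = _frame("203.0.113.25", "10.1.2.3", 25, 50000, 1000, GREETING)
    return build_pcap([s, c[0], c[2], c[1], c[1]])


def read_pcap(data: bytes):
    """Yield (timestamp, frame) records; both magic byte orders are accepted."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a libpcap file")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != 1:
        raise ValueError("only Ethernet (linktype 1) captures handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, caplen, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + caplen]
        off += caplen


def decode(frame: bytes):
    """(src, dst, sport, dport, seq, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    src = str(ipaddress.ip_address(frame[26:30]))
    dst = str(ipaddress.ip_address(frame[30:34]))
    tcp = frame[14 + ihl:14 + total_len]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    doff = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, seq, tcp[doff:]


def reassemble(data: bytes) -> dict:
    """Per flow: bytes for each direction, ordered by seq, first copy of a seq wins."""
    segs = defaultdict(lambda: {"egress": {}, "ingress": {}, "internal": {}})
    for _, frame in read_pcap(data):
        d = decode(frame)
        if d is None or not d[5]:
            continue
        src, dst, sport, dport, seq, payload = d
        key = tuple(sorted([(src, sport), (dst, dport)]))   # same key both ways
        s_in = ipaddress.ip_address(src) in INTERNAL
        d_in = ipaddress.ip_address(dst) in INTERNAL
        direction = "egress" if s_in and not d_in else "ingress" if d_in and not s_in else "internal"
        segs[key][direction].setdefault(seq, payload)       # drop retransmission
    return {k: {d: b"".join(p for _, p in sorted(parts.items())) for d, parts in dirs.items()}
            for k, dirs in segs.items()}


def storage_estimate(data: bytes, link_bps: float, utilisation: float,
                     days: float, full_duplex: bool) -> dict:
    """Assumed heuristic: link rate x utilisation x retention, scaled by the
    observed share of the direction kept when only one direction is stored."""
    streams = reassemble(data)
    egress = sum(len(s["egress"]) for s in streams.values())
    ingress = sum(len(s["ingress"]) for s in streams.values())
    share = 1.0 if full_duplex else max(egress, ingress) / max(egress + ingress, 1)
    per_day = link_bps / 8 * utilisation * 86400 * share
    return {"egress_bytes": egress, "ingress_bytes": ingress,
            "gb_per_day": per_day / 1e9, "gb_total": per_day * days / 1e9}


if __name__ == "__main__":
    cap = sample_capture()
    for key, dirs in reassemble(cap).items():
        print(key, {d: len(b) for d, b in dirs.items()})
    print(storage_estimate(cap, 45e6, 0.3, 30, full_duplex=False))
```

    Seeing the direction split directly in the reassembled flows is the practical point of the fourth factor above: a tap hands the sensor two half-duplex streams, and recording only the egress side (the one that matters for data leakage) can cut storage substantially, but it also discards the server responses an investigator later needs to prove what was acknowledged.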

    About the Author

    Yiannis Vassiliades, Vice President, Product Management for Chronicle Solutions, is a long-term industry veteran with 15 years of experience in product management, marketing and business development. His experience in the IT industry ranges from virtualization to security risk management and contingency planning. Having held product management leadership positions at both entrepreneurial companies like Fortisphere and industry leaders like CA, IBM, Raytheon and SilentRunner, Yiannis has robust experience within the large enterprise as well as with strategic IT deployments. Having been one of the pioneers of network content forensics and monitoring, Yiannis is pleased to share some of his insights within this paper.

    About Chronicle Solutions

    Chronicle Solutions® was founded for the express purpose of addressing some of the challenges and risks associated with online content. Today, Chronicle is the leading provider of eContent intelligence solutions that help Law Enforcement, Government, Enterprise Security and Consulting professionals address key efforts ranging from Rapid Risk Assessments and Suspect Driven Investigations to long term Online Behavioral Intelligence.

    Online behaviour and electronic communications are generally recognized as being “out of control”. Organisations have recognized this problem and have been deploying “blocking and tackling” technologies for many years to attempt to minimise access to inappropriate sites and content. eDiscovery tools have also been developed to find the dreaded “smoking gun” email. Firewalls have been extensively deployed. Compliance and data leakage prevention systems have been installed to manage potential policy breaches.

    While all of these technologies are important and have reduced the risks, online problems continue to escalate. It is agreed that no one technology represents a “silver bullet”. Chronicle has developed a complementary set of solutions that help with today’s online challenges.

    Concerns ranging from cyber crime and child protection to insider threat, data leakage and digital espionage all have one thing in common: understanding what is occurring within online content and communications. It is for this reason Chronicle’s solutions are deployed as a means to catch online evil-doers, audit and assess internal issues such as adherence to policy as well as monitor key communications and resources. Essentially, with visibility comes insight which in-turn facilitates control.

    With headquarters in the London (UK) and New York metropolitan (US) areas, sales offices in Washington (US), New York (US) and London (UK), and representation in Canada, Mexico, Brazil, Germany, France, Switzerland, Austria and Russia, our company is well placed to fulfill its mission.

    To learn more about Chronicle Solutions please visit: www.chroniclesolutions.com or call us at 1-866-475-1984
