PLUGGING THE LEAKS
Proven approaches for securing corporate email

During a typical week, Procter & Gamble Co.’s corporate email systems receive more than 60,000 customer inquiries, according to former company Chief Information Officer Steve David. “All those messages made us a prime target for email, spam, phishing and other threats,” says David, now an advisor to Boston Consulting Group, during a recent CIO Summit hosted by Ziff Davis Media Inc. “Throw in compliance regulations, and managing email becomes quite a challenge for today’s corporations.”

Indeed, email clients such as Microsoft Corp.’s Outlook and IBM Corp.’s Notes have received multiple facelifts over the last decade, but remain susceptible to security breaches and Internet scams. The first battle was on the virus front. There, many inbound content control solutions now strive to protect against viruses, spam, malware, phishing, denial of service (DoS) and directory harvesting attacks. More recently, companies seek to control and filter outbound messages, thereby mitigating the risk of confidential information leaking into public view. Progressive organizations now monitor all outgoing mail from Exchange Server and Notes. But that’s not a complete solution. Organizations must also keep close tabs on Web-based email systems, such as Google Inc.’s Gmail, Hotmail, Yahoo! Inc. Mail, America Online Inc.’s AOL Mail and Lycos webmail. Success depends on monitoring all outbound protocols, from webmail and URL filtering to FTP and GDrive.

When organizations start to monitor outbound messages, managers become aware of the types of content that leave the organization. They find their user population falls into two groups: good people doing bad things, and bad people doing bad things. Examples of good people doing bad things include accidentally entering the wrong person’s email address, not encrypting confidential information, and sending big files to a Gmail account so they can work at home.
The IT manager’s worst nightmare is bad people doing bad things, unseen by IT. Think of Gmail, with its two gigabytes of storage, used as a virtual hard drive to store corporate confidential data, for example. So how does the savvy IT manager deal with this? Read on.

Lingering Risks

Even if a corporation blocks all of these mainstream webmail sites, there are thousands of other Web-based email systems that can undermine corporate compliance. Just about every hosting facility offers email accounts with a Web-based email interface. Unfortunately, it’s impossible for IT to stop an employee from accessing Web-based mail without locking them out of all Internet access. Moreover, blocking all Web use is impractical in today’s digital world.

The challenges don’t end there. Ever-increasing compliance mandates encompass not only Web-based email but also blogs, message boards and FTP-based activity. Unlike the neatly structured data residing in relational databases, outbound content (especially messages) has no pre-defined structure and can be sent from anywhere to anyone. According to the Association for Information and Image Management (AIIM International), 90% of the information that organizations must manage is unstructured [1].

How can CIOs address these challenges while maintaining compliance with the latest regulatory mandates? To date, many CIOs have addressed these problems with various point solutions: multiple, non-integrated products that each address only one specific need. Anti-spam and anti-virus programs are good examples of point solutions. This approach is beginning to fail because monitoring, supporting and maintaining multiple point solutions is unwieldy and cost-prohibitive.
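The two sections above make the point that outbound monitoring has to cover every channel (webmail, hosted email accounts, FTP), not just the corporate SMTP gateway. The following Python script is an added illustration, not code from this paper or from Proofpoint, of what that monitoring looks like when applied to an export of proxy and firewall logs: it flags large POST uploads to webmail hosts, FTP transfers to destinations outside an approved list, and users whose total upload volume for a day crosses a threshold. The log field layout, the host lists, the thresholds and the sample log lines are all constructed for this example.

```python
"""Outbound upload detection over proxy and firewall logs (added example; not Proofpoint code).

Log layout (constructed for this example, one record per line):
  <iso-time> <src-ip> <user> <method> <dest-host> <path-or-port> <status> <bytes-out>
where <method> is an HTTP method for proxy records and "FTP" for firewall FTP records.
"""
from collections import defaultdict

WEBMAIL_HOSTS = {"mail.google.com", "mail.yahoo.com", "hotmail.com", "mail.aol.com"}
APPROVED_FTP_HOSTS = {"ftp.partner.example"}       # assumed sanctioned destinations
POST_ALERT_BYTES = 5 * 1024 * 1024                 # single upload to a webmail host
FTP_ALERT_BYTES = 1 * 1024 * 1024                  # single FTP transfer to an unapproved host
DAILY_ALERT_BYTES = 50 * 1024 * 1024               # per-user upload total per day

# Constructed sample log: one user mails a large attachment to webmail, then
# pushes an even larger file to a low-cost hosting account over FTP.
SAMPLE_LOG = """\
2008-02-13T09:01:10Z 10.1.2.3 jdoe GET www.example.org / 200 512
2008-02-13T10:15:02Z 10.1.2.3 jdoe POST mail.google.com /mail/ 200 10485760
2008-02-13T10:40:31Z 10.1.2.9 asmith POST mail.yahoo.com /compose 200 204800
2008-02-13T11:02:44Z 10.1.2.3 jdoe FTP ftp.cheaphost.example 21 226 119537664
2008-02-13T11:30:00Z 10.1.2.7 bwong FTP ftp.partner.example 21 226 20971520
"""


def parse_line(line):
    """Split one constructed log record into a dict of typed fields."""
    ts, src, user, method, host, target, status, nbytes = line.split()
    return {"ts": ts, "day": ts[:10], "src": src, "user": user, "method": method,
            "host": host, "target": target, "status": int(status), "bytes": int(nbytes)}


def classify(rec):
    """Name the risky channel a record represents, or None for ordinary traffic."""
    if rec["method"] == "POST" and rec["host"] in WEBMAIL_HOSTS:
        return "webmail_upload"
    if rec["method"] == "FTP" and rec["host"] not in APPROVED_FTP_HOSTS:
        return "ftp_unapproved"
    return None


def detect(log_text):
    """Return alert tuples of the form (user, kind, host_or_day, bytes)."""
    alerts = []
    daily = defaultdict(int)            # (user, day) -> bytes uploaded
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        # Every upload-style record counts toward the user's daily total,
        # whether or not the destination is itself suspicious.
        if rec["method"] in ("POST", "PUT", "FTP"):
            daily[(rec["user"], rec["day"])] += rec["bytes"]
        kind = classify(rec)
        if kind == "webmail_upload" and rec["bytes"] >= POST_ALERT_BYTES:
            alerts.append((rec["user"], kind, rec["host"], rec["bytes"]))
        elif kind == "ftp_unapproved" and rec["bytes"] >= FTP_ALERT_BYTES:
            alerts.append((rec["user"], kind, rec["host"], rec["bytes"]))
    for (user, day), total in sorted(daily.items()):
        if total >= DAILY_ALERT_BYTES:
            alerts.append((user, "daily_volume", day, total))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The host lists are the weak point of this approach, as the text notes: thousands of hosting providers offer their own webmail, so the per-user daily volume rule is the one that catches destinations nobody has listed yet. Keying the same aggregation on source address instead of user also surfaces devices that upload on their own, like the MRI machines described later in this paper.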
Just as IT defends against blended inbound attacks, the IT staff must use a blended approach to ensure outbound content compliance. These safeguards provide not only real-time analysis but real-time action, checking that no virus or malware is inadvertently included and that neither the message nor its attachments contain confidential or proprietary information. Disclosing that confidential information has accidentally left the premises can inflict immeasurable damage on the corporate reputation. In one example, a financial institution in the United Kingdom does no ROI analysis when purchasing security tools; corporate leaders believe any security breach would be so detrimental to their brand that a price tag cannot be put on it.

The challenge is to stop confidential information from leaving the enterprise in the first place. The first step is to acknowledge the risk of security breaches. Toward that end, companies need a single integrated solution from a single vendor that provides:

• Real-time monitoring of all messages, whether inbound or outbound
• Automatic preventive measures: instead of simply reporting the violation, the solution should prevent, whenever possible, the violation from happening in the first place
• The ability to scan attachments, from Excel spreadsheets to AutoCAD drawings
• A robust action definition: IT should deal differently with outbound viruses than with offensive or non-compliant information
• Easy-to-create content policies: ideally the line-of-business manager should determine what is non-compliant and be able to define and administer policies (and remediate violations) themselves

Webmail

With Google giving its email users over two and a half gigabytes of space for free, and Yahoo! and Microsoft MSN Hotmail providing one gigabyte and 250 megabytes for free, webmail is becoming a big, free virtual drive that is available anywhere, at any time.

[1] http://www.aiim.org/documents/currentstateofimc.pdf
A gigabyte is more than sufficient to hold much of the confidential and proprietary information of large multinational corporations, and with high-speed Internet available at many hotspots and just about every hotel, as well as at the office, it takes only a few minutes to transfer corporate data to Web-based email. For instance, we took a 10 megabyte CAD drawing, made it an attachment and mailed it to ourselves using Google’s Gmail. The transfer took less than a minute on our busy corporate network. All the Web-based email vendors do have limits on their attachments, ranging from 10 megabytes to 20 megabytes. So what’s the savvy corporate spy to do when they need to transfer files larger than 20 megabytes? Well, for $7.95 a month, one can have one’s own domain at a hosting facility with 10 gigabytes of disk space. Now files far larger than 20 megabytes can be transferred in a matter of minutes. We were able to get an account and have an FTP destination in less than an hour, and then transferred a 114 megabyte file in less than 12 minutes on our busy corporate network.

Web Sites

Corporations must also fight the war of unsanctioned and negative Web sites. Take your company domain and add the word “sucks”; if a site comes up, then you know there are some very disgruntled employees or customers out there. State Farm Insurance is a good example: type in http://www.statefarmsucks.com/ and see what comes up. Also, notice that the site does follow the rules of the Communications Decency Act (CDA), Title V of the United States’ Telecommunications Act of 1996, and does provide a proper disclaimer. For a corporation to confront such a site is bad, but when employees update the site during working hours using company resources, well, that truly adds insult to injury.

Blogs

Besides Web-based email, corporations are now scrutinizing blogs, and with good reason. They are growing at an exponential rate.
Blog search engines Technorati and BlogPulse alone index 22 and 20 million blogs, respectively, and both are probably off by about 25 percent. If you count Web juggernaut MySpace pages as blogs (many do), the numbers skyrocket to new levels. There are many well-documented cases of blog postings damaging a business’s reputation and negatively impacting business. But there are additional risks related to blogs. Blogs and message boards are yet another avenue for a company’s confidential information, valuable intellectual property or private employee/customer data to be inappropriately exposed. Very similar to the webmail problem, blog and message board postings from company insiders can exit the enterprise via the HTTP protocol. So a comprehensive data leak prevention policy must embrace not only email, but also the outbound Web channel.

What Is at Stake with Enterprise Messaging Security?

Everything from jobs to a company’s reputation: the very livelihood of the organization and its ability to compete. One important factor to consider is that the United States is moving to a knowledge economy. Indeed, the information contained within documents amounts to about $3.3 trillion annually, representing a third of the total U.S. gross domestic product, according to estimates by BrightPlanet Corporation of Sioux Falls, South Dakota [3].

Outbound email and content compliance is top of mind for IT decision makers, according to research by Proofpoint and Forrester Consulting of Cambridge, Mass. Working on behalf of Proofpoint, Forrester surveyed 332 email decision makers at U.S. enterprises with more than 1,000 employees. More than a third of companies (36.1%) employ staff to read or otherwise analyze outbound email, while 40% of companies with more than 20,000 employees do this. Alarmingly, companies estimated that almost 1 in 4 outgoing emails (24.7%) contains content that poses a legal, financial or regulatory risk.
The most common form of such “non-compliant” email contains confidential or proprietary business information. When asked about Web-based email, 70% of companies are “very concerned” or “concerned” about Web-based email (e.g., Hotmail, Gmail, etc.) as a conduit for exposure of confidential information. Regulators are not taking this lightly, with more than 10% (10.5%) of companies having been ordered by a court or regulatory body to produce employee email in the past 12 months.

What are the most common forms of inappropriate content or non-compliant email? The Proofpoint survey broke it down as detailed in the accompanying diagram.

Although formal policy training would appear to be a natural first step to address email security, just a little over half of organizations (53.9%) had conducted formal training on email security policies in the past 12 months. Large organizations (those with more than 20,000 employees) were more likely to have conducted such training sessions (68% reported doing so). Only 43.7% of organizations formally trained employees about external regulations that apply to that organization’s use of email. Again, large organizations are more likely to have conducted such training (62% reported doing so). Although training is a necessary component for compliance and, more importantly, for protecting corporate knowledge assets, an automated, proactive solution is what IT needs and demands. The solution must be highly flexible and enforce role-based policies.
[Figure: What’s At Stake. Survey breakdown of inappropriate or non-compliant email. Categories: adult, obscene or potentially offensive content; confidential or proprietary business information about your organization; valuable intellectual property or trade secrets which should not leave the organization; personal healthcare, financial or identity data which may violate privacy and data protection regulations; don’t know. Values shown in the chart: 14.5%, 34.9%, 10.2%, 10.5%, 29.8%.]

Despite the possible danger posed by blogs, other companies are officially embracing them as a way to get their message across. Several employees from Macromedia, the San Francisco company known for such products as Shockwave and Flash, created blogs a few months ago as a way to communicate with customers about a product launch. Microsoft alone has about 150 employees who maintain personal blogs. Ensuring that blog postings are appropriate and do not contain confidential or otherwise prohibited information is a growing area of concern for companies, regardless of their official policies on employee use of blogs and online message boards.

Other Outbound Protocols

Public companies have always been concerned about insider information leaving their premises, be it financial statements, earnings reports or staff changes. Today there are so many ways for information to leave the enterprise that it is a daunting task for most IT leaders. Back-up tapes have been in the news recently; a U.S.-based bank lost a back-up tape. The news made it to the CEO within minutes of the realization that the tape was missing. The CEO stopped everything he was doing and put the entire organization on alert to find the tape. After a week of searching, the tape was found in a dumpster. It turned out the tape had accidentally been marked as a scratch tape ready for disposal. This CEO understood the severe ramifications of missing data without actually knowing whether it had fallen into the wrong hands.

[3] http://www.brightplanet.com/pdf/documentsValue.pdf
Organization leaders may not be aware of how much information is leaving the enterprise. A hospital recently realized that its MRI machines were sending patient results and record information via FTP to an archive system. The hospital never asked for this feature, nor did they turn the feature on; the machine was designed to do this automatically. To make matters worse, the information being sent was not encrypted and was available for all to see in clear text format. Without outbound monitoring of ALL protocols, the hospital would never have known it was violating HIPAA regulations.

What You Should Do

Here are some initial best practices for managing content in and out of the enterprise.

1. Understand the hidden risk. Organizations must first realize there is a risk and how to mitigate it.
2. Deploy technology to monitor and proactively address content security breaches. One can’t control what one is unaware of, and it is downright impossible to manually monitor all communications. Once IT leaders know what the loopholes are, they need to stop the violations before they occur.
3. Set policies. Role-based security is the best way to go, but this requires a complete and well-defined directory structure.
4. Educate. Most policy violations and content security breaches are inadvertent (the result of “good people doing bad things”) and can be prevented, in part, by consistent and constant education.
5. Communicate. It is imperative that IT not only communicate with users when they are alerted to possible violations but also with HR, legal and C-level executives, to be sure they have a complete, in-depth understanding of all proprietary and confidential information.

The Cost of Non-Compliance

The days of placing all confidential information in the corporate safe are gone. The world is digital, and protecting an organization’s confidential information is a challenge at best.
Besides the obvious business need to safeguard their proprietary information from competitors, news organizations, financial institutions and the general public, there are very serious penalties for disclosure of certain types of private, sensitive and confidential information. The following are some highlights of the regulations enacted to protect against the disclosure of personal information.

• The Health Insurance Portability and Accountability Act of 1996 (HIPAA) specifies rules for U.S. organizations involved in healthcare. Among the many rules HIPAA defines are technical safeguards for maintaining patient privacy via Protected Health Information (PHI). HIPAA details the implementation of policies and the control of access to PHI. It also specifies that PHI must be sent over networks in secure (encrypted) form and establishes reporting procedures for incidents. Non-compliance with the Security Rule requirements may carry criminal penalties of up to $250,000 in fines and jail time of up to 10 years.
  - A good example of a possible HIPAA violation that could have been avoided with outbound content compliance involves Eli Lilly. An employee emailed the users of Medi-messenger, an email service that reminded subscribers to take their medications, to announce the termination of the service. Because of a human error, the message disclosed the names and email addresses of all the service subscribers in the “To:” line.
• The Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLBA), provides rules for U.S. financial institutions that record consumers’ personal financial information. The emphasis is on protecting customers’ nonpublic information, such as account, social security and credit card numbers, from loss, unauthorized access or misuse. Violations carry severe penalties in fines and prison terms of up to five years for individuals.
  - The Federal Trade Commission has charged two mortgage companies with violating the agency’s Gramm-Leach-Bliley Safeguards Rule by not having reasonable protections for customers’ sensitive personal and financial information. An administrative action was filed against Nationwide Mortgage Group, Inc. and Sunbelt Lending Services, Inc. for failing to implement safeguards to protect their customers’ names, social security numbers, credit histories, bank account numbers, income tax returns and other sensitive financial information.
• The Sarbanes-Oxley Act of 2002 (SOX) specifies rules for U.S. public companies that regulate the public disclosure of sensitive information, as well as other aspects of good business practice. SOX aims to put the responsibility on CEOs and CFOs, who must certify that their companies’ financial reports are complete and do not contain any inaccurate or misleading statements. SOX almost encourages employees to report violations by providing protection against retaliation for an employee who reports what he or she reasonably believes to be fraudulent activity. Section 404 is the key IT component of SOX and directly addresses outbound content compliance, requiring organizations to closely monitor any disclosure of sensitive information and to detect such events in real time or near real time. Non-compliance may lead to fines of up to $5 million for individuals and up to $25 million for entities, and prison sentences of up to 20 years.
  - One Cisco employee accidentally sent the company’s final quarterly results to everyone in the firm before they were released. In order to stay compliant, Cisco had to immediately publish its financials ahead of its release date.

About Proofpoint, Inc.
Proofpoint provides messaging security solutions for large enterprises to stop spam, protect against email viruses, ensure that outbound messages comply with both corporate policies and external regulations, and prevent leaks of confidential information via email and other network protocols. The company’s flagship products, the Proofpoint Messaging Security Gateway™ and Proofpoint Protection Server®, provide future-proof messaging security using Proofpoint MLX™ technology, an advanced machine learning system developed by Proofpoint scientists and engineers.

Proofpoint Solutions for Outbound Data Privacy Protection, Content Security and Regulatory Compliance

Proofpoint’s software and appliance-based messaging security solutions defend against all types of inbound and outbound message-borne threats. Proofpoint provides a variety of modular defenses for protecting enterprises against the threats described in this report.

Enforcing Acceptable Use Policies

Proofpoint Content Compliance™ makes it easy to define and enforce corporate acceptable use policies for message content and attachments. A convenient point-and-click interface simplifies the process of defining complex logical rules related to file types, message size and message content. Proofpoint’s content compliance features can be used to identify and prevent a wide variety of inbound and outbound policy violations, including offensive language, harassment, file sharing, acceptable attachment types and much more. Non-compliant messages can be acted on with a wide variety of options, including quarantine, reroute, reject, annotate and other actions.

Preventing Leaks of Confidential and Proprietary Information

As email has become the most important communication channel in today’s enterprise, email systems have become the main repository for sensitive, confidential and mission-critical information.
The optional Proofpoint Digital Asset Security™ module keeps valuable corporate assets and confidential information from leaking outside your organization via email (and other network protocols). Powerful MLX machine learning technology analyzes and classifies your confidential documents and then continuously monitors for that information in the outbound message stream, stopping content security breaches before they happen.

Protecting Private Data and Compliance with Data Protection Regulations

The Proofpoint Regulatory Compliance™ module helps enforce best practices for protecting private data about customers and employees and helps protect your organization from liabilities associated with data protection regulations such as HIPAA and GLBA. Pre-defined rules automatically scan for non-public information, including protected health information and personal financial information, and act on non-compliant communications, rejecting or encrypting messages as appropriate. Proofpoint’s Dynamic Update Service™ ensures that your compliance dictionaries and rules are always up to date.

Multi-Protocol Content Monitoring and Filtering

Proofpoint’s advanced content security features can optionally be extended to protect additional message streams, including Web-based email, blog postings, message board postings and other HTTP- or FTP-based activity. The Proofpoint Network Content Sentry™ is a separate appliance that inspects all outbound network traffic in real time, monitoring for confidential information, private customer or employee data (including private healthcare, financial or identity information) and other sensitive content that may leak outside the enterprise. When such breaches are detected, the Proofpoint Network Content Sentry actively alerts managers (such as compliance officers) so appropriate actions can be taken. The Network Content Sentry appliance can be administered from the same easy-to-use, centralized, Web-based console used to manage SMTP email policies.
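The rule-and-action model described in the product sections above, the requirements list near the beginning of the paper (scan attachments, act differently per category, let policy owners define rules) and the “To:” line disclosure under HIPAA can all be illustrated with one short policy check. The Python below is an added example, not Proofpoint’s code and not the product’s actual rules: it parses a MIME message, scans the body and any text attachments for Social Security number patterns, Luhn-valid card numbers and a small confidential-terms dictionary, counts external recipients visible in To:/Cc:, and maps each finding to an action. The pattern list, action table, internal domain, recipient threshold and sample message are constructed for the demonstration; binary attachment formats such as Excel or AutoCAD would first need a format-specific text extractor, which is not shown.

```python
"""Outbound message policy check (added example; not Proofpoint code).

Parses a MIME message, scans body and text attachments, and decides an action.
All rule tables, thresholds and the sample message are constructed for this demo.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses

# Category -> action (constructed table; in practice the line-of-business owner
# defines these mappings, as the requirements list recommends).
ACTIONS = {
    "recipient_exposure": "quarantine",  # hold for a human: the fix is a re-send via Bcc
    "confidential": "quarantine",
    "phi_pii": "encrypt",                # deliver, but only over an encrypted channel
    "offensive": "annotate",             # deliver with a policy notice attached
}
# Most to least severe; a message with several findings gets the strictest action.
SEVERITY = ["reject", "quarantine", "encrypt", "annotate", "deliver"]

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")       # candidates; confirmed by Luhn below
CONFIDENTIAL_TERMS = ("confidential", "internal only", "do not distribute")
OFFENSIVE_TERMS = ("offensive-term-placeholder",)      # constructed stand-in dictionary
INTERNAL_DOMAIN = "example.com"                        # assumed internal domain
MAX_VISIBLE_EXTERNAL = 10                              # assumed To:/Cc: exposure threshold


def luhn_ok(digits):
    """Return True if a digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                    # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_violations(text):
    """Return the set of policy categories found in one piece of text."""
    found = set()
    if SSN_RE.search(text):
        found.add("phi_pii")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            found.add("phi_pii")
    lower = text.lower()
    if any(t in lower for t in CONFIDENTIAL_TERMS):
        found.add("confidential")
    if any(t in lower for t in OFFENSIVE_TERMS):
        found.add("offensive")
    return found


def external_recipients(msg):
    """Addresses visible in To:/Cc: that are outside the internal domain."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr for _, addr in pairs
            if addr and not addr.lower().endswith("@" + INTERNAL_DOMAIN)]


def evaluate(raw_message):
    """Scan a raw RFC 822 message; return (action, sorted list of categories)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    categories = set()
    for part in msg.walk():
        # Only text/* parts are scanned here; binary formats (Excel, AutoCAD)
        # would first go through a format-specific text extractor.
        if part.get_content_maintype() == "text":
            categories |= find_violations(part.get_content())
    if len(external_recipients(msg)) > MAX_VISIBLE_EXTERNAL:
        categories.add("recipient_exposure")
    actions = [ACTIONS[c] for c in categories]
    action = min(actions, key=SEVERITY.index) if actions else "deliver"
    return action, sorted(categories)


def build_message(to_addrs, body, attachment_csv=None):
    """Construct a sample message (test data for this example, not a real notice)."""
    msg = EmailMessage()
    msg["From"] = "notices@example.com"
    msg["To"] = ", ".join(to_addrs)
    msg["Subject"] = "Sample"
    msg.set_content(body)
    if attachment_csv is not None:
        msg.add_attachment(attachment_csv, subtype="csv", filename="export.csv")
    return msg.as_string()


# Constructed message resembling the mass-notice mistake described under HIPAA:
# twelve external subscribers exposed in To:, a confidential marker in the body,
# and a card number (a well-known test number) in an attached export.
SAMPLE_NOTICE = build_message(
    [f"subscriber{i}@mail.example.net" for i in range(12)],
    "The reminder service ends next month. INTERNAL ONLY draft attached.",
    "name,card\nPat,4111 1111 1111 1111\n",
)

if __name__ == "__main__":
    print(evaluate(SAMPLE_NOTICE))
```

The check runs in the gateway path, so its verdict is an action rather than a report, which is the distinction the requirements list draws between preventing a violation and merely logging it. The Luhn test keeps the card rule from firing on every 16-digit number, and the recipient rule only counts addresses outside the internal domain, so an all-hands internal message is not held.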
Company at a Glance

Proofpoint, Inc.

U.S. Headquarters
Proofpoint, Inc.
10201 Torre Ave., Suite 100
Cupertino, CA 95014
408.517.4710
info@proofpoint.com

Executive Management
Eric Hahn, Founder & Chairman
Gary Steele, Chief Executive Officer

Strategic Focus
Proofpoint is the leading provider of enterprise-class messaging security solutions that protect organizations from the threats and risks of both inbound and outbound email and other messaging streams.

Web Site
www.proofpoint.com

Key Products
Proofpoint Content Compliance
Proofpoint Digital Asset Security
Proofpoint Messaging Security Gateway P-Series
Proofpoint Messaging Security Gateway X-Series
Proofpoint Network Content Sentry
Proofpoint Protection Server
Proofpoint Regulatory Compliance
Proofpoint Secure Messaging
Proofpoint Spam Detection
Proofpoint Virus Protection
Proofpoint Zero-Hour Anti-Virus