Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

ISO/IEC27000: Data Leakage Monitoring

by Megan Daudelin
June 20, 2016

Organizations today are leveraging collaboration tools to communicate and access information from virtually anywhere. Although collaboration tools help support mobility needs, many organizations fail at monitoring employee activity and other behaviors that can place assets and confidential data at risk for data leakage. This Assurance Report Card (ARC) will report on cloud-based service activity, instant messenger events, and other sources of data leakage within the enterprise.

Data loss can happen inadvertently through unencrypted and unmanaged devices being lost or stolen. Access to personal cloud-based accounts for file sharing, personal email, or corporate email can also be additional sources for data leakage. Monitoring data-in-transit across all network endpoints will assist organizations in identifying and preventing sources of data leakage. This ARC aligns with the data leakage and data-in-transit controls of the ISO/IEC 27002 framework, which can help to prevent data leakage and keep confidential data secure.

As more organizations continue to expand their workforce, many employees rely on personal cloud-based accounts, personal devices, and BYOD policies to support communication and mobility needs. This increase in productivity can allow for more corporate data to be stored outside of the network that security teams can’t monitor. Many employees will undermine security policies to access unauthorized websites, use instant messenger clients, and plug in unmanaged devices that could be vulnerable. Monitoring employee activity will alert organizations to any suspicious behavior or unauthorized applications being used to transfer files. The most effective way to prevent data leakage is to gain insight into how data is moving within a network. Knowing how data is being transferred will leave organizations adequately prepared to detect, respond, and prevent data breaches from occurring.

Policy statements included within this ARC provide a baseline organizations can use to determine how well data leakage policies are protecting corporate data. Systems are monitored for potential data leakage and communications from outside of the network. This information may include systems communicating with botnets, or other malicious activity that should be investigated further by the analyst. Additional policy statements will report on activity from cloud services, instant messenger, and peer-to-peer clients. Cloud services and instant messenger clients are frequently used by end users, and should be monitored closely to prevent data from leaving the network. Each policy statement can be customized to meet organizational requirements. Other policy statements report on systems containing sensitive data such as Social Security and credit card numbers. This information is highly targeted by both internal and external attackers for malicious purposes. Organizations should encrypt highly sensitive information to ensure that all confidential data remains secure.

This ARC is available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The ARC can be easily located in the Feed under the category Compliance. The ARC requirements are:

  • SecurityCenter 5.3.1
  • Nessus 6.6.2
  • LCE 4.8.0
  • PVS 4.4.1

Tenable SecurityCenter Continuous View (SecurityCenter CV) is the market-defining continuous network monitoring platform. Tenable Log Correlation Engine (LCE) performs automatic discovery of users, infrastructure, and vulnerabilities across more technologies than any other vendor including operating systems, network devices, hypervisors, databases, tablets, phones, web servers, and critical infrastructure. Tenable Passive Vulnerability Scanner (PVS) provides deep packet inspection to continuously discover and track users, applications, cloud infrastructure, trust relationships, and vulnerabilities. SecurityCenter CV is continuously updated with information about advanced threats and zero-day vulnerabilities, and new types of regulatory compliance configuration audits. Using SecurityCenter CV, the organization will obtain the most comprehensive and integrated view of its network devices and sources of potential data leakage.

ARC Policy Statements:

No data leakage has been detected: This policy statement displays the number of systems where data leakage has been detected compared to total systems on the network. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Any type of data leakage, either intentional or unintentional, can result in the exposure of confidential or private information. This policy statement will help to measure the effectiveness of security controls in place on the network. Systems with detected data leakage should be investigated immediately to minimize potential security risks.

No systems with data leakage events communicate outside the network: This policy statement displays the number of systems that have reported data leakage events and communicate outside the network to all systems with data leakage events. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Data leakage events from systems that are communicating outside the network could be indicative of an intrusion or other malicious activity. Such systems should be investigated immediately to ensure that the outside communication is not exfiltrating sensitive data from the network.

Systems reporting cloud-based activity within the last 7 days: This policy statement displays the number of systems reporting cloud-based activity within the last 7 days to total cloud activity detected. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Cloud activity may include internal users accessing services such as Dropbox, OneDrive, Office 365, and various cloud-based email services. Systems should be restricted from accessing cloud-based services, as this will increase the risk of data leakage.

No systems are reporting credit card leakage activity: This policy statement displays the number of systems reporting credit card leakage activity to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Systems reporting credit card leakage should be investigated immediately to determine the source of the leak. Credit card data is considered confidential information, and leakage of this information can be devastating for the organization.

No systems are reporting Social Security number leakage activity: This policy statement displays the number of systems reporting Social Security number leakage activity to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Systems reporting Social Security number leakage should be investigated immediately to determine the source of the leak. Social Security numbers are considered confidential information, and leakage of this information can be devastating for the organization.

Less than 5% of systems are detecting Instant Messenger clients: This policy statement displays the number of systems with Instant Messenger clients to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Instant Messenger (IM) clients provide the ability to transfer files in and out of the network. Although many organizations use IM clients for internal communications, all IM activity should be monitored for potential data leakage.

No systems are reporting Peer-to-Peer (P2P) activity: This policy statement displays the number of systems reporting sensitive data leakage activity to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. P2P clients can include activity from BitTorrents that can allow malware to propagate, and confidential data to be exfiltrated. Organizations should prevent the use of P2P clients from being installed on a network.