Users eye tools for blocking rogue e-mail transmissions

31.01.2005
Von Jaikumar Vijayan

Concerns about insider abuse of corporate information are spawning a market for security tools that can inspect outbound network traffic for unauthorized uses of data such as customer account numbers, health records and intellectual property.

And last week, San Francisco-based Vontu Inc. added a new twist when it announced upgraded software that not only monitors communications for leaks of confidential data but also blocks e-mail messages containing such information from leaving corporate networks.

Like rival products, Vontu 4.0 uses a combination of exact data matching, contextual analysis and predefined policies to alert administrators when protected information is illegally transmitted via e-mail, instant messages, news lists or chat rooms. The tools store copies of suspect messages for further analysis.

But simply monitoring e-mail and saving messages with questionable content doesn"t stop those messages from being sent. So Vontu 4.0 also has the ability to redirect or quarantine suspicious e-mail. "We"ve always had the point of view that the market will go from monitoring products to blocking products," said Michael Wolfe, Vontu"s vice president of engineering.

A West Coast-based financial services firm has started implementing the blocking function on outbound e-mail messages, said the company"s chief security officer, who requested anonymity.

"The capability of seeing what is happening is useful," he said. "But we"re looking ahead to being able to actually interdict these messages before they get out."

Being able to stop messages that violate corporate data policies could be useful in a regulated industry such as health care, said Sharon Finney, information security administrator at DeKalb Medical Center in Lithonia, Ga.

The hospital is using software from Englewood, Colo.-based Vericept Corp. to make sure that protected health information isn"t being illegally transmitted out of its networks. The technology flags roughly 15,000 "events" every day, according to Finney.

But whether blocking tools really work will depend on the accuracy with which such technologies can identify rogue messages while allowing legitimate e-mail traffic to pass through unhindered, Finney said. "Finding that balance is crucial," she noted.

Perpetual Entertainment, a San Francisco-based developer of multiplayer online games, uses network monitoring technology from Tablus Inc. in San Mateo, Calif., to protect its source code from being stolen, as happened to one of its gaming rivals.

Adding a blocking function, while useful, would also mean dedicating workers to look at blocked messages, said Mark Rizzo, Perpetual"s vice president of technology. "If you block something that"s supposed to go out and you don"t know about it, you"re going to have some pretty unhappy customers," he said.

Vericept CEO Terry Larrew said his company plans to add support for quarantining suspicious traffic later this year.

But vendors of data monitoring tools must ensure that their products don"t end up like intrusion-detection tools, which fell out of favor with users because of their tendency to generate very large volumes of alerts, said Trent Henry, an analyst at Burton Group in Midvale, Utah.

"False positives aren"t a very big issue when you"re only monitoring," he said. "But there"s going to be a dramatically higher concern (with blocking)."