Data Loss Management: Tools and Practices

As you saw in Chapter 10, your company’s operations management strategy outlines the implementation of the tools and techniques needed for the everyday maintenance of your social media activities. These social media activities should be in accordance with your corporate policies, which are also discussed in Chapter 6. Monitoring compliance with internal policies and with regulatory requirements is a daily tactical activity. The three principal methods for data loss protection involve a combination of alerting systems, usage trend tracking, and log file archives.

Alerting Systems

As much as possible, monitoring systems should involve automatic processes that scan the content of the information that is published online, including data posted by employees, and send alerts to designated managers when company-defined keywords or phrases appear. Some alerting systems, such as the freely available Google Alerts, send notifications only after a mention is posted online. For data posted by the general public, this kind of after-the-fact notification is the best that can be done, as you obviously cannot monitor and prevent the publication of that data before it is posted on the Web.

However, in the case of employees using company-provided equipment, systems should be implemented that alert the employee and those monitoring employees when certain keywords or phrases appear, or when employees attempt to access blocked sites. For example, if you use a web filter such as Websense, when an employee goes to a site blocked by company policy, he or she will get a message saying the site is blocked. Or if the employee sends an e-mail with the term “SSN” for social security number, the filter on the e-mail gateway would block it. These keywords and phrases may pertain to any data that is deemed to be sensitive, including intellectual property, trademarks, and possibly brand mentions. For instance, if a customer sends an e-mail to your help desk with customer-sensitive information such as an account number or social security number, the employee might reply to the e-mail and inadvertently send out that confidential customer information. That would violate most regulatory requirements. An alert should prevent the employee from sending out that e-mail. Such alerts serve to remind employees about potential breaches of agreed-upon corporate policies. Alerts are the first line of defense in data loss protection, acting as an immediate reminder of potential danger or misuse.
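The help-desk reply scenario above can be expressed as a small outbound check. This is an added example, not code from the book or from any product it names; the keyword list, the function names and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string

# Company-defined keywords: constructed sample policy, not from the book.
KEYWORDS = ("ssn", "social security number", "account number")

# US SSN shape; rejects area 000/666/9xx, group 00 and serial 0000 to cut
# false positives on arbitrary nine-digit strings.
SSN_RE = re.compile(
    r"\b(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b")


def redact(value):
    """Keep only the last four digits so the alert itself leaks nothing."""
    return "***-**-" + re.sub(r"\D", "", value)[-4:]


def scan_outbound(raw_message):
    """Return (verdict, reasons) for one outbound plain-text message."""
    body = message_from_string(raw_message).get_payload()
    reasons = []
    for number, line in enumerate(body.splitlines(), 1):
        # Quoted lines are the customer's original text carried in a reply.
        quoted = line.lstrip().startswith(">")
        where = "quoted reply text" if quoted else "new text"
        for match in SSN_RE.finditer(line):
            reasons.append(f"line {number} ({where}): SSN pattern {redact(match.group())}")
        for keyword in KEYWORDS:
            if re.search(r"\b" + re.escape(keyword) + r"\b", line, re.IGNORECASE):
                reasons.append(f"line {number} ({where}): keyword '{keyword}'")
    return ("block" if reasons else "allow"), reasons


# Constructed sample: a help-desk reply that quotes the customer's message.
SAMPLE_REPLY = """\
From: agent@example.com
To: customer@example.net
Subject: Re: locked account

Thanks, we have reset your password.

> Hi, my account is locked.
> My SSN is 123-45-6789 if you need it.
"""

if __name__ == "__main__":
    verdict, reasons = scan_outbound(SAMPLE_REPLY)
    print(verdict, *reasons, sep="\n  ")
```

The reasons name the line and whether it was quoted text, so the employee can see that the sensitive value came from the customer's original message, and the value is redacted before it reaches whoever receives the alert.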

Usage Trend Tracking

In addition to alerts, data should be tracked for patterns related to social media websites, third-party applications, and keywords and phrases. By establishing an acceptable baseline as a benchmark, statistically significant deviations can be identified at the individual user level and rectified.

Usage trends also highlight how different departments and groups of employees use these sites and services, which should reflect their job responsibilities. For instance, it would be expected that communications-related staff, including roles related to Marketing, PR, and Advertising, would have higher usage rates for social media. These patterns should also reflect marketing campaigns and communication initiatives, including activity related to mainstream media reporting of company news. You may also want to track inappropriate access to websites. Usage trend data can serve to identify information leakage by helping determine where the volume of transactions and conversations is occurring.
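The baseline idea from the two paragraphs above, as an added example that is not from the book or from any monitoring product: each user is compared with his or her own history, and users with too little history are compared with their department instead. The threshold, the minimum history length, the names and the sample counts are all assumptions.

```python
from statistics import mean, stdev

Z_THRESHOLD = 3.0  # assumed cut-off for a "statistically significant" deviation
MIN_DAYS = 5       # assumed minimum history before a user gets a personal baseline


def flag_deviations(history, today):
    """history: {(dept, user): [daily counts]}; today: {(dept, user): count}.

    Returns [(user, count, z_score, baseline_scope)] for unusually high usage.
    """
    dept_samples = {}
    for (dept, _user), counts in history.items():
        dept_samples.setdefault(dept, []).extend(counts)
    flagged = []
    for (dept, user), count in sorted(today.items()):
        own = history.get((dept, user), [])
        # New or rarely seen users are judged against their department.
        if len(own) >= MIN_DAYS:
            samples, scope = own, "user"
        else:
            samples, scope = dept_samples.get(dept, []), "department"
        if len(samples) < 2:  # stdev needs two points; surface it, don't guess
            flagged.append((user, count, None, "no baseline"))
            continue
        # Floor sigma at 1.0 so a perfectly flat history cannot divide by zero.
        z = (count - mean(samples)) / max(stdev(samples), 1.0)
        if z > Z_THRESHOLD:
            flagged.append((user, count, round(z, 1), scope))
    return flagged


# Constructed sample data: daily requests to social media sites per user.
HISTORY = {
    ("marketing", "ana"): [120, 135, 110, 128, 140, 125, 131],
    ("marketing", "raj"): [90, 105, 98, 110, 95, 102, 99],
    ("finance", "lee"): [4, 6, 3, 5, 7, 4, 5],
    ("finance", "kim"): [2, 3, 5, 4, 3, 2, 4],
}
TODAY = {
    ("marketing", "ana"): 138, ("marketing", "raj"): 101,
    ("finance", "lee"): 96, ("finance", "kim"): 4,
    ("finance", "new_hire"): 60,
}

if __name__ == "__main__":
    for row in flag_deviations(HISTORY, TODAY):
        print(row)
```

In the sample, 138 requests from a Marketing user is normal while 96 from a Finance user is flagged, which is the department effect the text describes.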

In order to actually track this information, you have to have a software solution in place to track all activity proactively. We have mentioned several data loss prevention solutions already. For example, if you install the Specter Pro monitoring solution, you can track all employee activity, as shown in Figure 15-1.

Figure 15-1 Tracking employee usage and monitoring activity

Log File Archives

Log files may be easily overlooked in daily operations, but they are critically important in terms of compliance with auditing and regulatory requirements. Records of transactions, conversations, and social media activity must be logged and archived to facilitate the identification of how problems and breaches occurred. Log files can also be tied to alerting systems, which notify key personnel when certain types of predefined activities occur; for instance, you may want to log all failed login attempts to social media sites that you block, track all blog posts from within the company, track all IM conversations in social media forums from within the company, log all visits to social media sites, log the amount of time spent on social media sites, look at key search terms being used by employees, and track all software that might be downloaded and installed on company-owned resources. Finally, log files can be mined for data relating to longer-term trends that may not be picked up by more tactical tracking mechanisms and real-time dashboards, such as what content sites employees are visiting most, what search terms are being used to find social media content, and what employees may be doing that breaks company policy regarding social media usage.

When logging, the ideal is to store logs on a protected system that cannot be easily accessed or easily modified. There are a number of logging applications such as EventTracker, LogLogic, Splunk, and LogRhythm. These tools can log just about all network activity, including posts to social media websites. New logging services such as Actiance’s Socialite software as a service and Q1 Labs QRadar target specific social media activity. Socialite’s key features include the following:

- Identity management: Establishing a single corporate identity and tracking users across multiple social media platforms

- Data leak prevention: Preventing sensitive data from leaving the company, either maliciously or inadvertently

- Granular application control: Enabling access to Facebook, but not access to chat or allowing the downloading and installing of any applications in the gaming category

- Moderator control: For Facebook, LinkedIn, and Twitter, controlling content that must be preapproved by a corporate communications officer or other third party

- Activity control: Managing access to features, such as who can read, like, comment upon, or access nearly a hundred features

- Log conversation and content: Capturing all posts, messages, and commentary made to Facebook, LinkedIn, and Twitter in context, including exporting to an archive of choice for eDiscovery
