Code Green Plugs Data Leaks

Code Green Networks' DLP product is good with alerts, but requires help with prevention.

November 16, 2007

Network Computing

Few small and midsize enterprises can absorb both the financial and PR damage inflicted by serious breaches targeting sensitive data. And yet, they're often underprotected because data leak prevention products are, overall, simply too expensive. The three entries in our most recent DLP review ranged from $25,000 to $50,000—to start. So it's unfortunate that there's been a significant upswing in cybercrime after a steady five-year decline, according to the 2007 CSI Computer Crime and Security Survey. Insider abuse of network assets is the most prevalent attack, ahead even of viruses, with average losses of around $350,000.



Code Green Networks, which was launched by the founders of SonicWall, aims to tackle this problem. Code Green's newest offering, the CI-750 Content Inspection Appliance, is geared specifically for networks with 250 or fewer users and offers the same features and functionality as its higher-end products, starting at $10,000.

The CI-750 uses "fingerprints" to identify both structured data, such as social security or credit card numbers, and unstructured data like documents, files, source code and so on. Where many DLP products for smaller businesses rely on filtering for certain file types or provide only basic keyword or pattern matching, Code Green's technology creates hash values of the actual data to be protected and scans outgoing traffic for matches.

We found Code Green's fingerprinting technology accurate, and a built-in MTA (mail transfer agent) lets administrators quarantine SMTP traffic that contains sensitive information. However, without the help of third-party proxies, the appliance is blind to encrypted data, and it can't stop inter-network or Web-based traffic. This means the appliance represents only part of the actual cost of a robust DLP system.

Examining Fingerprints

The CI-750 can be deployed in a variety of ways. Included in our kit was a network tap device, which allowed us to passively monitor traffic flowing in and out of our WAN connection, and an MTA. Customers can route outgoing messages from their mail servers through the MTA for additional mail-filtering abilities; questionable e-mail can be held until approved by an administrator. Admins can also create policies to encrypt e-mail carrying sensitive information. This functionality is provided via Code Green's partnership with the Voltage Security Network, which offers e-mail encryption as a service.

After connecting the device to our network, we selected sources of data that the appliance should watch for. It has built-in functionality to fingerprint both structured (database) and unstructured (CIFS and uploaded file) data. For CIFS, setup was simply a matter of providing the server and share name, along with appropriate access credentials. The device is then set to regularly scan the share at user-defined intervals. CIFS scanning was trouble free and didn't cause performance issues on our Windows file server.

However, it's incumbent on IT to ensure that content to be fingerprinted gets placed into the appropriate CIFS share. This can be problematic. For example, our company relies heavily on private wiki pages for most of our internal information. Code Green's suggested workaround is to have a script that dumps the contents of our wikis to a CIFS share on a regular basis. Given the uptick in collaborative workspaces such as wikis in the business community, we'd like to see a fully automated way to get such data fingerprinted.

It would also make more sense if the device could use Web pages as sources directly, and support for other data stores, such as SVN, would also increase the out-of-the-box functionality of this appliance and eliminate the need for extra scripting. It should be noted, however, that many competing offerings, some substantially more expensive, don't even offer database integration.

After selecting data sources for fingerprinting, IT then defines which traffic to monitor and what actions should be taken when a leak is detected. We configured some very widely scoped rules and found that the CI-750 did an outstanding job of alerting us to data leaks occurring within e-mail, Web, IM, and even compressed archive transmissions. As an example, I included a two-sentence excerpt from a contract we had saved on one of our CIFS shares in an e-mail to a client. Moments later, I had an e-mail in my inbox stating that there had been a violation. The administrator interface on the appliance showed that an e-mail had been sent by me to our customer and displayed the full context of the e-mail to show the violation. The interface can also display past violations that may have been related.

Partly Prevention
While we were impressed with the accuracy of the fingerprinting, the appliance wasn't able to actually quarantine the message because it was sent via Web mail. Companies that want robust blocking of Web and network traffic will have to invest in a proxy device. The Code Green appliance can be configured as an ICAP server when connected to an ICAP proxy, such as those from Blue Coat Systems or Squid. When connected to the proxy, Code Green can block HTTP, HTTPS and FTP traffic. It can also decrypt traffic for inspection.

Laptops will also pose a problem for Code Green customers. The company offers an endpoint agent that controls the use of removable media such as flash drives and CDs. It can also enforce encryption of data saved to removable media, and the agent tracks the file names and types that are read from or stored on this media. However, laptops that are off the corporate network are also outside the policy controls of the Code Green appliance, meaning sensitive data can be sent via the Web or network protocols.

Another concern with DLP products in general is that if they store actual copies of sensitive data, they may themselves become a target of attack. This is not an issue with Code Green; the only information stored on the device is hash values.
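The fingerprinting approach the review describes (hash the protected content, keep only the hashes on the appliance, and catch even a short excerpt of a file in an outgoing message) as an added Python example; this is not Code Green's code, and the shingle size, the two-hit threshold and the sample contract text are constructed assumptions.

```python
"""Added example (not Code Green's code): fingerprint a protected document as
hashed word shingles and scan an outgoing message for matching shingles.
Only hash values are kept in the index, never the document text."""
import hashlib
import re

SHINGLE = 8  # words per shingle; constructed tuning value, not a vendor default


def _shingles(text, k=SHINGLE):
    """Yield overlapping k-word windows after normalising case and punctuation."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    for i in range(max(len(words) - k + 1, 0)):
        yield " ".join(words[i:i + k])


def _digest(shingle):
    return hashlib.sha256(shingle.encode()).hexdigest()[:16]


def fingerprint(text):
    """Return the set of shingle hashes for a protected file (the 'fingerprint')."""
    return {_digest(s) for s in _shingles(text)}


def scan(message, index, min_hits=2):
    """Count distinct protected shingles found in an outgoing message.
    Requiring min_hits hits avoids firing on a single common phrase."""
    hits = {s for s in _shingles(message) if _digest(s) in index}
    return {"hits": len(hits), "violation": len(hits) >= min_hits}


# Constructed sample: a "contract" on a CIFS share and two outgoing e-mails.
CONTRACT = ("This agreement is entered into between Pacific Swell Networks and the "
            "client for the provision of hosted voice services. The client agrees to "
            "pay the monthly service fee within thirty days of each invoice date. "
            "Either party may terminate this agreement with sixty days written notice.")
INDEX = fingerprint(CONTRACT)

LEAK = ("Hi, per our contract: the client agrees to pay the monthly service fee "
        "within thirty days of each invoice date. Either party may terminate "
        "this agreement with sixty days written notice. Thanks!")
CLEAN = "Hi, just confirming our call for Thursday at ten. Thanks!"

if __name__ == "__main__":
    print(scan(LEAK, INDEX))   # two-sentence excerpt is caught
    print(scan(CLEAN, INDEX))  # unrelated mail passes
```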

Low Touch
As you'd expect with such a product, we spent some time familiarizing ourselves with which filtering rules best matched our business needs, and invested several days in tweaking those rules. For instance, the CI-750 offers the ability to set up regular-expression filters. We tested the social security number filter and, unfortunately, found that the device reported a large number of false positives. That's because any string of nine digits triggered the alert system. When we decreased the alert level of this filter to notify us only if a large quantity of nine-digit numbers was detected in a single transmission, alerts dropped substantially.
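The false-positive problem above, worked through as an added Python example that is not Code Green's code: a bare nine-digit match is tightened with the SSA's structural rules for valid numbers and with the per-transmission count threshold the review settled on; the sample e-mails and the threshold values are constructed.

```python
"""Added example (not Code Green's code): an SSN filter that reduces the
false positives of a plain nine-digit regex by checking number structure
and alerting only when a threshold of plausible SSNs appears in one message."""
import re

# Nine digits with optional separators, not embedded in a longer digit run.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[-\s]?(\d{2})[-\s]?(\d{4})(?!\d)")


def plausible_ssn(area, group, serial):
    """SSA numbering rules: area is never 000, 666 or 900-999;
    group is never 00; serial is never 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def scan_ssn(text, threshold=1):
    """Return raw candidates, structurally plausible SSNs, and the alert decision.
    threshold plays the role of the 'large quantity in one transmission' setting."""
    cands = SSN_RE.findall(text)
    plausible = [c for c in cands if plausible_ssn(*c)]
    return {"candidates": len(cands), "plausible": len(plausible),
            "alert": len(plausible) >= threshold}


# Constructed samples: routine business mail vs. an employee-data export.
INVOICE_MAIL = ("Your order 123456789 shipped; tracking 900123456. "
                "Call 555 00 1234 with questions.")
EXPORT_MAIL = ("Employee list: 219-09-9999, 078-05-1120, 457-55-5462, "
               "123-45-6789, 321-54-9876")

if __name__ == "__main__":
    # A single structurally valid number still fires at threshold 1 ...
    print(scan_ssn(INVOICE_MAIL, threshold=1))
    # ... but raising the threshold keeps the routine mail quiet
    print(scan_ssn(INVOICE_MAIL, threshold=3))
    # while a bulk export is still caught.
    print(scan_ssn(EXPORT_MAIL, threshold=3))
```

The structural checks alone drop two of the three candidates in the routine mail, and the count threshold removes the remaining one without losing the bulk export.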

After this initial break-in phase, operation was completely hands-off. The device automatically scanned our CIFS shares daily and e-mailed us only for policy violations. The CI-750 has 250 GB of storage for data fingerprints, which allows the device to register approximately 20 million data elements, from Microsoft Office documents to image files to database tables.

Taylor Boyko is CTO and co-owner of Pacific Swell Networks, a VoIP specialist company. Write to him at [email protected]
