Simon Says – Musings of a Technology CTO

This week, datalossdb.org reported the first major suspected PII breach of the year, reported by George Russel, Superintendant of the Eugene School District of Oregon. You can find the full story on the KVAL news site.

Apparently some suspicious activity was noticed on one of their internal servers, which was subsequently shut down and isolated before being analyzed. The server in question had PII related to around 2,500 individuals, but was connected to other servers containing records of 13,000 former employees of the school district, and around 13,000 vendors. Total possible exploit of around 26,000 records.

While the school district is to be praised for its responsiveness in notifying people of the possible breach, interestingly what stands out from their reports is effective forensic analysis on the issue really could have helped them understand the exact nature of the breach.

The press reports on this issue indicate that there’s no evidence any personal information was exposed, but simply, because they are not sure, they have to err on the side of the worst-case situation (as most laws require) and tell everyone. From the school districts public release:

“Although unlikely, it is possible that the individuals responsible may have accessed names, addresses, dates of birth, Social Security numbers, tax identification numbers and direct-deposit bank account information for current and former staff members,”

How different the situation would be if, for example, they had a Mcafee Network DLP Monitor box quietly monitoring PII based traffic? If they could have determined exactly if, or how much PII had leaked out, we might not be hearing about this story at all – it might have been a simple Zombie attack, with no leak of PII whatsoever (ie, a non-event).

We often think about DLP only in terms of the “prevention” part – this is probably partly due to the way McAfee, our peers and the analysts in this space encourage us to think that the only value in “Data Leakage Prevention” products is in that, active mode.

Personally, I think that we forget the incredible value solutions which provide historical forensic capabilities give us after the “suspected breach” has occurred.

If you’re not ready to push the red button on active prevention, or if your business processes simply don’t yet allow for it, you could at least be in the powerful position of having full knowledge of the movement of sensitive information around your network. That could mean the difference between a quick cleanup of a machine, and a full blown regulatory investigation, public disclosure and fines.

It’s a common discussion in the data protection group whether we should rebadge the McAfee DLP Monitor appliance with some Forensic moniker.