ENTERPRISE INFORMATION PROTECTION


Protection of Classified Information

As the latest release of hundreds of thousands of classified USDOS documents by the website Wikileaks proves, a single privileged user can have the power to cause incalculable damage to missions reliant on the secure access and use of classified content.  Unfortunately, these incidents continue to expose and exploit the fundamental inability of infrastructure-dependent security models to prevent leaks.  Instead, securing classified information from rogue insiders requires an autonomous, integrated solution with surveillance, detection, prevention, and deterrence capabilities to ensure authorized users cannot mishandle information regardless of status. 

Digital Guardian is ideally designed to secure classified information from insider threats.  It is an infrastructure-agnostic security system that works equally in physical or virtual environments to monitor and control file, application, and system operations independent of user clearance.  Digital Guardian’s advanced security platform is designed and proven to address insider threats while supporting “need-to-know”, “need-to-share”, or “share-to-win” entitlement requirements at global scales. 

As a low-level endpoint sensor, Digital Guardian agents operate simultaneously in kernel and user-modes for precise situational and threat awareness.  Agents autonomously confirm potential threats defined by policy – and determine the correct enforcement response – using on-board logic relating user identity, security clearance, file categorization, and event risk.  Digital Guardian’s continuous event logging provides highly tamper-resistant forensic records to support IA/CND and LE/CI requirements, including:

  • Disk inventory and file disposition
  • User, file, application, network, and system activity
  • Proof and disputation of intent  
  • Chain-of-custody

The insider threat can be effectively neutralized by continuously monitoring and enforcing five policy-based security layers:  file access; file encryption; file operation; file movement; and deterrence: 

File access:  Once network access has been granted, the first security level to control insider threats is restricting individual file access.  As there may be a mix of classified information and/or users with varying clearance within the same environment, Digital Guardian is able to:

  • Identify users and dynamically associate usage rights based on clearance
  • Classify files at rest, in use, or in motion by content or contextual attributes, and apply individual (“TS”) or nested (“TS” & “SCI”) classification tags to enforce need-to-know access
  • Persist classification tagging from parent to descendent files
  • Enforce individual access policies for each classification type
  • Enforce logical segregation for Organizational Conflict of Interest (OCI) restrictions

File encryption:  Digital Guardian agents autonomously encrypt files by policy, and automatically determine decryption rights on both a user-by-user and file-by-file basis without requiring end-user intervention or a separate PKI infrastructure.  Digital Guardian combines AES-256 cryptography (FIPS 140-2 certified) with a patented key management system to:

  • Transparently encrypt/decrypt files via removable media, email, or network transfers among authorized users on machines where a certified Digital Guardian agent is operating
  • Password encrypt files for use on machines without a Digital Guardian agent
  • Encrypt files at rest, or dynamically when they are saved (Save/Save As), copied to removable media or to local or network drives, emailed, uploaded over the network, etc.
  • Prevent unauthorized access to classified information if spilled to unclassified networks, or in the event of machine compromise on or off a classified network

File operation: Even when a user is authorized to decrypt a classified document, what that user may then do with the file or its content must still be controlled.  Digital Guardian enforces thousands of file restriction policies out of the box; when applied through Digital Guardian’s tagging mechanism these controls can be made permanent, or held until a change in file status is confirmed.  Common operations Digital Guardian policies can monitor and control include:  Open; Save/Save As; Delete; Copy/Paste; Print Screen; Export; and Send commands.

File movement:  If all other actions are authorized, it is still possible to prohibit the unauthorized movement of classified information for which no policy exception has been granted.  Digital Guardian prevents data spills through the following egress channels:

  • Removable media (USB, CD/DVD, MP3 players, etc.)
  • Email (web or internal)
  • Network upload (including SSL, HTTPS, or SSH protocols)
  • Network transfer (all protocols and ports)
  • Printing (local or network)

Deterrence:  Finally, the most effective defense against insider threats is to make users aware before they act that unauthorized behavior will be logged and immediately flagged, if not prevented.  Digital Guardian is a highly tamper-resistant security platform capable of instantly detecting, alerting, preventing, and recording a single violation among hundreds of thousands of users, and supports investigations and prosecutions with evidentiary-quality event forensics.  Digital Guardian provides deterrent capabilities via multiple channels:

  • Digital Guardian can interact with users in real time if they exceed privilege or scope with policy-specific prompts to warn of an impending violation and its consequences; make them aware their actions are being recorded; and provide steps to remain compliant. 
  • Digital Guardian continuously captures user activity as sequenced, compressed, hashed, signed and encrypted log events, whether the host is online or offline; logs can then be securely retrieved from a host machine to a secure server from anywhere in the world over HTTP(S). 
  • The Digital Guardian agent cannot be disabled by normal administrators, and can self-protect if an attempt to tamper is detected. 
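The log format the deterrence section describes (sequenced, compressed, hashed and signed events) is what makes a record tamper-evident: a verifier can tell whether a record was edited, deleted, reordered or re-hashed without the agent's key. The following is an added illustration of that property, not Digital Guardian's own code or format; the event records, the field layout, and the HMAC-based signing key are assumptions (a real agent would sign with a per-agent asymmetric key), and transport encryption is left out.

```python
import hashlib, hmac, json, zlib

# Hypothetical agent signing key (assumption): a real agent would use a per-agent
# asymmetric key so the collector can verify without holding the secret.
SIGNING_KEY = b"example-agent-signing-key"
GENESIS = "0" * 64

# Constructed sample endpoint events, not real Digital Guardian output.
SAMPLE_EVENTS = [
    {"user": "alice", "op": "open", "file": "plan.docx", "tag": "TS"},
    {"user": "alice", "op": "copy", "file": "plan.docx", "dest": "E:\\"},
    {"user": "alice", "op": "print", "file": "plan.docx", "printer": "lobby"},
]

def _digest(seq, prev, payload):
    # The hash binds the sequence number and previous hash to the compressed payload.
    return hashlib.sha256(f"{seq}:{prev}:".encode() + payload).hexdigest()
def _mac(digest, key):
    return hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()

def build_chain(events, key=SIGNING_KEY):
    """Sequence, compress, hash-chain and sign each event; returns the log records."""
    records, prev = [], GENESIS
    for seq, event in enumerate(events):
        payload = zlib.compress(json.dumps(event, sort_keys=True).encode())
        digest = _digest(seq, prev, payload)
        records.append({"seq": seq, "prev": prev, "payload": payload,
                        "hash": digest, "mac": _mac(digest, key)})
        prev = digest
    return records

def verify_chain(records, key=SIGNING_KEY):
    """Return (True, None) if intact, else (False, seq) of the first bad record.
    Catches edited, re-hashed-without-key, deleted and reordered records."""
    prev = GENESIS
    for expected, rec in enumerate(records):
        if rec["seq"] != expected or rec["prev"] != prev:
            return False, expected
        digest = _digest(rec["seq"], rec["prev"], rec["payload"])
        if digest != rec["hash"] or not hmac.compare_digest(_mac(digest, key), rec["mac"]):
            return False, expected
        prev = digest
    return True, None

def decode_events(records):
    """Recover the original events from an intact chain."""
    return [json.loads(zlib.decompress(r["payload"])) for r in records]
def edit_record(records, seq, event):
    """Simulate one event being rewritten and re-hashed without the signing key."""
    out = [dict(r) for r in records]
    out[seq]["payload"] = zlib.compress(json.dumps(event, sort_keys=True).encode())
    out[seq]["hash"] = _digest(seq, out[seq]["prev"], out[seq]["payload"])
    return out
```

Note that removing records from the end of the chain is not caught by the chain alone; a collector needs the agent's last-seen sequence number or a periodic signed checkpoint to detect truncation.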

Other high-value functions

  • Continuous, rules-based logging of user, file, application, network, and system event forensics
  • Advanced analytics to prove intent and chain-of-custody
  • Data at rest discovery, disk inventory, and persistent file tagging/categorization
  • Automated data-at-rest, data-in-use, and data-in-motion encryption (AES 256-bit)
  • Removable media logging, control and encryption
  • Policy-based access control and usage entitlement of files by data categorization, user identity, and clearance 
  • Tactical, real-time awareness prompting when users exceed privilege or scope
  • Automated classified data spill detection and remediation (e.g. data moved from a classified to an unclassified network using removable media)
  • Organizational Conflict of Interest (OCI) detection, monitoring and control
  • Integrated Advanced Persistent Threat (APT) live memory forensics detects and protects classified information from targeted attacks

Architecture and scalability

  • Integrated software platform for insider threat monitoring, detection, deterrence, and prevention
  • Provides continuous, rules-based capture of system activity as sequenced, compressed, hashed, signed, and encrypted log events
  • Proven to scale beyond 500,000 agents reporting continuously to a single backend server
  • Multi-tier reporting supports tactical or centralized CND analysis, and restricted LE/CI access
  • Low load on network (50-200KB per user/per day of log data); communicates from anywhere in the world on any port over HTTP(S)
  • Tamper-resistant agent sources its own forensic data with kernel, user mode, and application layer visibility
  • Hardened agent with configurable stealth and tamper resistance
  • Data usage and movement monitoring and control addresses “share-to-win” requirements
  • Provides cross-domain data transfer assurance and accountability through monitoring and controlling transmit and receive points
  • User anomaly detection with statistical analytics and optimized OLTP data warehouse
  • Integrated, on-board AES 256-bit encryption for transparent or password-based file transfers; includes automated key management and recovery
  • FIPS 140-2 cryptography certification in-process
  • Infrastructure agnostic, operates in physical or virtual/VDI environments
  • Archived log data can be replayed for forensic, investigative or evidentiary purposes

O/S support (physical and virtual environments)

  • Windows XP, Vista, and 7 (32 and 64-bit versions); Server 2005/2008 (32 and 64-bit versions)
  • Linux distributions (kernel v2.6.1):  Red Hat, SUSE, Fedora, et al.

Virtual environments:  VM; VDI; Citrix; Terminal Servers

The Verdasys Difference

The risk to classified information posed by trusted users will be around as long as there are secrets, and its effect is amplified by the urgent need to support rapid and secure data sharing across global operations.  Wikileaks is but the latest reminder that insider threats remain the most difficult security risks to manage; doing so requires a special class of enforcement technology that deters and prevents compromise without impacting the mission.  Digital Guardian is currently the only scalable solution shown to prevent most types of insider threats, while also generating evidentiary-quality event logs to support investigations and prosecutions.   

Digital Guardian agents surveil and control classified information, independent of user clearance, with the ability to remain stealthy and/or tamper resistant at all times.  The agent identifies and compartmentalizes information at the moment of creation or discovery; transparently applies FIPS 140-2 certified encryption, usage controls, or tactical warnings to deter noncompliant use; and alerts central administrators to events of interest in real time from anywhere in the world. 

The Wikileaks use case, and those like it, can be largely secured by controlling the operating environment below where threatening behavior occurs.  Digital Guardian was specifically designed to meet the unique security and access requirements posed by insider threats with a dynamic, yet strictly controlled balance between trust, deterrence, and prevention.

Contact Verdasys
P.(781) 788-8180
F.(781) 788-8188
Info@Verdasys.com
© 2012 VERDASYS. ALL RIGHTS RESERVED. TERMS OF USE AND PRIVACY POLICY