Dark Reading is part of the Informa Tech Division of Informa PLC
12:30 PM
Brian White

What The TSA Teaches Us About IP Protection

Data loss prevention solutions are no longer effective. Today's security teams have to keep context and human data in mind, as the TSA does.

Every day, U.S. companies are targeted by foreign nations trying to steal their intellectual property (IP). But today's spies aren't trained outsiders; they're insiders, someone in accounting or a programmer in the back office. Modern espionage happens online, through legitimate user accounts that have been compromised by phishing or even blackmail. Headlines focus on consumer passwords and customer records exposed in data breaches, but source code, product road maps, and customer lists are being stolen behind the scenes as well.

Data loss prevention (DLP) solutions are the usual answer to this problem. But because they match static rules against content and ignore context, DLP on its own isn't effective. The technology can't tell when it's legitimate for information to leave the enterprise and when the same transfer is theft or exfiltration. For example, when a business uses DLP to block suspicious outbound email in transit, users are delayed by false positives, such as a legitimate message with a large, compressed attachment being quarantined. When infosec tools become too cumbersome, people look for ways around them, and a control that is routinely bypassed protects nothing.

Let’s compare DLP solutions, which scan hundreds of gigabytes of a business’s data per hour, to the Transportation Security Administration (TSA), whose agents screened 449 million travelers nationwide during the first five months of 2016. Having previously served as Counselor of the Office of the Deputy Secretary at the Department of Homeland Security, I know firsthand that TSA agents in airport security checkpoints are a main line of defense for keeping contraband and terrorists off of airplanes. Agents look at scanner machines for outlines of guns, knives, and other banned items. (The TSA Instagram account shows a fascinating array of prohibited items that passengers have tried to take onto planes.)

Agents also check the passenger's boarding pass and passport or driver's license. But the agents know little about a person's behavior and have no visibility into a traveler's patterns. This forces the TSA to treat all passengers the same, based on a list of static rules, much like DLP solutions. Because agents lack full context about each passenger, just like DLP, the result is many false positives: passengers are flagged for extra screening based solely on their appearance, or because they've packed liquids over the 3.4-ounce (100 ml) limit, without accounting for items needed for health reasons, for example.

It's equally important for airports to monitor the threat from within, with deep context rather than a static set of rules. TSA agents and airport employees can also pose a risk because they're granted privileged access as part of their jobs. A recent lapse in airport security illustrates the risk of relying on rote rules instead of situational context. Workers at John F. Kennedy International Airport were caught on security cameras entering restricted areas without proper TSA authorization, according to CBS News. Clearly, the airport needs to tighten security so employees can access only the areas their jobs require. Key-card entry points should be provisioned so that only people expected, in their normal workday, to be inside a given perimeter can open its doors, and that access should be revoked when their role changes. This principle of least privilege minimizes insider risk and discourages the normalization of deviance.

Whether at an airport or in the enterprise, how can an organization spot a problem person once he is already on the “inside”? Organizations need to analyze data sources that truly deliver rich context -- that is, the seemingly unimportant pieces of information about individual human behavior, sentiment, and relationships to provide situational awareness about the malicious actor.

Fortunately for businesses, there are indicators in network and endpoint telemetry that can signal this. Whether we like it or not, we signal intentions and expose our risk as potential insiders through the little things we do and our patterns of behavior. For example, before some employees give notice, they start copying information to thumb drives or uploading it to online services and outside email accounts, which shows up as bursts of email and file activity, much of it after work hours.

The key to stopping IP theft is having a broad view of the organization, employees, and normal business operations, and being able to spot even the minutest discrepancies that don’t fit into the context of business as usual. One company I work with found that an employee embedded sensitive information into a compressed file along with his vacation photos to avoid detection by the firm’s DLP software. The company caught him only after it added security analytics software on top of its existing DLP. Another company discovered that some of its employees were being blackmailed in exchange for inside information. DLP products completely missed these cases.
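The two paragraphs above describe a behavioural baseline rather than a content rule: a user's after-hours sending jumping far above that user's own history, combined with archive attachments going to a personal webmail address. As an added example (not code from the article, RedOwl, or any DLP vendor), the Python below runs that logic over a constructed outbound-mail log. The log format, domain lists, thresholds and every sample record are assumptions made for illustration; a real gateway's export will differ.

```python
"""Behavioural baseline over outbound-mail log lines.

Added example, not code from the article, RedOwl or any DLP vendor. The log
format, field names, thresholds and every sample record below are
assumptions constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean

PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}   # assumed list
ARCHIVE_EXTS = (".zip", ".7z", ".rar", ".gz", ".tgz")
BUSINESS_HOURS = range(8, 18)                                  # 08:00-17:59 local

# Constructed sample log: timestamp|sender|recipient|attachment|bytes
# alice sends one late e-mail every day; bob never does until the last day,
# when six go out after 20:00, two of them archives to a webmail account.
SAMPLE_LOG = """\
2016-07-04T09:10:00|alice@corp.example|cfo@corp.example|q2.xlsx|52000
2016-07-04T19:05:00|alice@corp.example|cfo@corp.example|notes.txt|900
2016-07-05T10:00:00|alice@corp.example|client@partner.example|sow.docx|88000
2016-07-05T20:15:00|alice@corp.example|team@corp.example|agenda.txt|1200
2016-07-06T11:00:00|alice@corp.example|cfo@corp.example|q2-final.xlsx|54000
2016-07-06T18:40:00|alice@corp.example|team@corp.example|minutes.txt|2500
2016-07-07T09:45:00|alice@corp.example|client@partner.example|invoice.pdf|31000
2016-07-07T19:30:00|alice@corp.example|cfo@corp.example|followup.txt|700
2016-07-08T13:00:00|alice@corp.example|team@corp.example|roadmap.pptx|410000
2016-07-08T21:00:00|alice@corp.example|cfo@corp.example|late-note.txt|600
2016-07-04T09:30:00|bob@corp.example|qa@corp.example|build.log|12000
2016-07-05T10:20:00|bob@corp.example|qa@corp.example|build.log|12500
2016-07-06T09:05:00|bob@corp.example|dev@corp.example|patch.diff|4100
2016-07-07T11:30:00|bob@corp.example|dev@corp.example|review.txt|2000
2016-07-08T10:00:00|bob@corp.example|qa@corp.example|build.log|12200
2016-07-08T20:02:00|bob@corp.example|bob.home@gmail.com|vacation_photos.zip|734003200
2016-07-08T20:30:00|bob@corp.example|bob.home@gmail.com|misc.7z|120000000
2016-07-08T21:15:00|bob@corp.example|bob.home@gmail.com|todo.txt|800
2016-07-08T22:00:00|bob@corp.example|bob.home@gmail.com|links.txt|1500
2016-07-08T22:40:00|bob@corp.example|bob.home@gmail.com|contacts.csv|45000
2016-07-08T23:10:00|bob@corp.example|bob.home@gmail.com|notes.txt|3000
"""


def parse(log):
    """Turn the constructed pipe-delimited lines into event dicts."""
    events = []
    for line in log.strip().splitlines():
        ts, sender, rcpt, att, size = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "sender": sender,
                       "rcpt": rcpt, "att": att, "bytes": int(size)})
    return events


def after_hours_bursts(events, factor=3.0, floor=3):
    """Per sender, compare each day's after-hours send count with the mean of
    that sender's earlier days. Flag when count > max(floor, factor * mean).
    The floor keeps a quiet user's single late e-mail from tripping the ratio
    test (3 * 0 == 0); the first observed day has no baseline and is skipped."""
    per_day = defaultdict(dict)
    for ev in events:
        day = ev["ts"].date()
        per_day[ev["sender"]].setdefault(day, 0)
        if ev["ts"].hour not in BUSINESS_HOURS:
            per_day[ev["sender"]][day] += 1
    bursts = {}
    for sender, days in per_day.items():
        history = []
        for day in sorted(days):
            count = days[day]
            if history and count > max(floor, factor * mean(history)):
                bursts.setdefault(sender, []).append((day, count, mean(history)))
            history.append(count)
    return bursts


def archive_to_personal(events):
    """Archive attachments sent to webmail domains: the container trick the
    article describes (sensitive files zipped in with vacation photos)."""
    hits = []
    for ev in events:
        domain = ev["rcpt"].rsplit("@", 1)[-1].lower()
        if domain in PERSONAL_DOMAINS and ev["att"].lower().endswith(ARCHIVE_EXTS):
            hits.append(ev)
    return hits


def alerts(events):
    """One alert per flagged sender-day; severity rises when both signals
    coincide, since each is noisy on its own."""
    out = []
    archives = archive_to_personal(events)
    for sender, flagged in after_hours_bursts(events).items():
        for day, count, baseline in flagged:
            related = [a["att"] for a in archives
                       if a["sender"] == sender and a["ts"].date() == day]
            out.append({"sender": sender, "date": day.isoformat(),
                        "after_hours": count, "baseline": baseline,
                        "archives_to_personal": related,
                        "severity": "high" if related else "medium"})
    return out


if __name__ == "__main__":
    for alert in alerts(parse(SAMPLE_LOG)):
        print(alert)
```

Note what the content-only rule would have done here: a regex for Social Security numbers or a fingerprint of known documents sees nothing inside an encrypted or unfamiliar archive, while the baseline fires on the change in bob's behaviour regardless of what the archive contains. The thresholds (factor 3, floor 3) are illustrative; in practice they are tuned against a few weeks of a real gateway's history so that the alice pattern, a consistent late sender, stays quiet.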

What’s At Stake?

At least 70% of a company’s value is in its intangible assets, and the Intellectual Property Commission Report estimates that IP loss costs U.S. companies $300 billion a year or more. Yet organizations have no idea how much IP is being siphoned off, either intentionally by thieves, spies, and disgruntled employees, or unintentionally by compromised insiders or misuse of outside file-sharing services, or even careless use of social media. The risk of IP theft isn’t limited to source code and nation-state espionage; it can often be valuable information about pending mergers and acquisition activity that could be used to buy and sell stock before a deal, or sensitive corporate information that could benefit a competitor.

Many companies rely on DLP to safeguard against IP loss and theft, but that technology is ineffective on its own because it's limited in scope. It requires accurate rules to generate accurate alerts, which means you have to know exactly what you're looking for or it will be overlooked. However, people are fallible and unpredictable, and human data is the hardest thing to secure in an organization. Content inspection technologies such as DLP often fail to consider unexpected events and the unpredictability of human behavior.

While airport security is a separate issue from IP theft at corporations, similar rules apply with regard to having appropriate protections in place to detect and stop threats. In both cases, context and human data are critical to spotting risks.

Brian White serves as the chief operating officer of RedOwl, an insider threat analytics firm focused on both information security and regulatory surveillance. Previously, Brian served as a principal at the Chertoff Group, a senior official at the Department of Homeland ...
Comments
User Rank: Ninja
9/19/2016 | 9:39:23 AM
Hacking attempts
Great article. I always take extra caution in maintaining my online privacy and security. I deploy a VPN server, PureVPN, to maintain my online integrity and to avoid any type of scams and phishing threats.
User Rank: Apprentice
8/12/2016 | 12:43:20 PM
Pretty Bad DLP Smear
It is pretty sad that the author is actually not really savvy as it relates to DLP capabilities. The author must be aware of the ability of many DLP systems to detect data based on content fingerprinting, especially the ability to detect multiple data values such as Last_name and SSN or Last_name and Driver License, etc. GTB Technologies, as an example, can support more than 20 billion fields without network degradation. Such DLP policies would detect and prevent many breaches, including the ones mentioned in this article. Unfortunately the TSA and Homeland Security are using advisors that have no clue.

Uzi Yair
GTB Technologies.