Dark Reading is part of the Informa Tech Division of Informa PLC

12:30 PM
Brian White

What The TSA Teaches Us About IP Protection

Data loss prevention solutions are no longer effective. Today's security teams have to keep context and human data in mind, as the TSA does.

Every day, U.S. companies are targeted by foreign nations trying to steal their intellectual property (IP). But today’s spies aren’t trained outsiders; they’re folks working in accounting or programmers in the back office. In the modern world, espionage takes place online, using user accounts that have been compromised via phishing or even blackmail. News headlines scream about consumer passwords and customer data that end up in hackers’ hands in data breaches. But source code, product road maps, and customer lists are being stolen behind the scenes as well.  

Data loss prevention (DLP) tools are the usual answer to this problem. But because they match static rules against content and have no notion of context, DLP on its own is no longer effective. A rule can't tell whether a given transfer is an acceptable part of someone's job or the start of an exfiltration. For example, when a business uses DLP to hold potentially malicious outbound email in transit, users are frustrated by delays caused by false positives, such as a legitimate email with a large compressed attachment being stopped because the rule keys on size or file type rather than on who is sending what to whom. When security tools become too cumbersome, people route around them, and a tool that is routed around protects nothing.

Let’s compare DLP solutions, which scan hundreds of gigabytes of a business’s data per hour, to the Transportation Security Administration (TSA), whose agents screened 449 million travelers nationwide during the first five months of 2016. Having previously served as Counselor of the Office of the Deputy Secretary at the Department of Homeland Security, I know firsthand that TSA agents at airport security checkpoints are a main line of defense for keeping contraband and terrorists off airplanes. Agents look at scanner images for the outlines of guns, knives, and other banned items. (The TSA Instagram account shows a fascinating array of prohibited items that passengers have tried to take onto planes.)

Agents also check the passenger’s ticket and passport or driver’s license. But they know little about a person’s behavior and have no visibility into a traveler’s patterns. This forces the TSA to treat all passengers the same, against a list of static rules, much as DLP does. And because agents lack context about each passenger, just as DLP lacks context about each transfer, the result is many false positives: passengers flagged for extra screening solely because of their appearance, or because they packed liquids over the 3.4-ounce (100 ml) limit, with no allowance for items needed for health reasons.

It’s equally important for airports to watch for the threat from within, with deep context rather than a static rule set. TSA agents and airport employees pose a risk of their own because their jobs grant them privileged access. A recent lapse in airport security illustrates the cost of relying on rote rules instead of situational context: workers at John F. Kennedy International Airport were caught on security cameras entering restricted areas without proper TSA authorization, according to CBS News. The airport clearly needs to tighten access so that employees can reach only the areas their jobs require. Key-card entry points should be provisioned so that a badge opens a door only for people who are expected, in their normal workday, to be inside that perimeter. This principle of least privilege minimizes insider risk and discourages the normalization of deviance.

Whether at an airport or in the enterprise, how does an organization spot a problem person once he is already on the “inside”? It needs to analyze data sources that deliver rich context: the seemingly unimportant pieces of information about individual behavior, sentiment, and relationships that together provide situational awareness about a malicious actor.

Fortunately for businesses, network traffic carries indicators that can signal such intent. Whether we like it or not, we signal our intentions, and expose our risk as potential insiders, through the little things we do and our patterns of behavior. For example, before some employees give notice, they start copying information to thumb drives or uploading it to online services and outside email accounts, which shows up as bursts of email activity, much of it after work hours.

The key to stopping IP theft is a broad view of the organization, its employees, and normal business operations, and the ability to spot even minute discrepancies that don’t fit business as usual. One company I work with found that an employee had embedded sensitive information in a compressed file along with his vacation photos to avoid detection by the firm’s DLP software. The company caught him only after it added security analytics software on top of its existing DLP. Another company discovered that some of its employees were being blackmailed in exchange for inside information. DLP products completely missed these cases.
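The indicators described in the two paragraphs above (after-hours bursts of outbound mail to outside accounts, and an archive that a content rule never looked inside) can be made concrete. The following is an added example, written for this edit and not code from the article, from RedOwl or from any DLP product: it runs one rule-only check and one per-user behavioural baseline over a constructed outbound-mail gateway log. The domain names, the thresholds, the 18:00 to 08:00 after-hours window and the three-sigma cut-off are all assumptions. The rule-only check is deliberately narrow (a body pattern and an attachment size) to mirror the article's point that a rule fires only on what it was written to recognise; real DLP products can unpack archives and fingerprint data, so the contrast is about missing context, not a missing parser.

```python
"""Added example (not from the article or RedOwl): a rule-only DLP check beside a
per-user behavioural baseline, both run over constructed outbound-mail gateway events."""
import re
import statistics
from collections import defaultdict
from datetime import date, datetime, time, timedelta

INTERNAL_DOMAIN = "example.com"                 # assumed enterprise mail domain
AFTER_HOURS_START, AFTER_HOURS_END = 18, 8      # assumed: 18:00-08:00 counts as after hours
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")   # one static content rule: SSN-shaped string
MAX_ATTACHMENT = 20 * 1024 * 1024               # one static size rule: 20 MB
TARGET_DAY = date(2016, 8, 6)                   # the day tested against each sender's baseline


def event(ts, sender, rcpt, attachment=None, size=0, body=""):
    return {"ts": ts, "sender": sender, "rcpt": rcpt,
            "attachment": attachment, "size": size, "body": body}


def constructed_log():
    """Constructed sample of outbound mail events (not real data)."""
    day0 = datetime(2016, 8, 1, 10, 0)
    ev = []
    for d in range(5):                          # five ordinary days of baseline traffic
        t = day0 + timedelta(days=d)
        ev.append(event(t, "alice@example.com", "partner@vendor.example", "q3_deck.pdf", 2_000_000))
        ev.append(event(t + timedelta(hours=3), "bob@example.com", "cust@client.example", "invoice.pdf", 150_000))
        ev.append(event(t + timedelta(hours=5), "alice@example.com", "bob@example.com", "notes.txt", 4_000))
    # Day 6, 19:00-21:00: alice mails nine small archives to a personal webmail address.
    night = datetime.combine(TARGET_DAY, time(19, 0))
    for i in range(9):
        ev.append(event(night + timedelta(minutes=15 * i), "alice@example.com",
                        "alice.home@webmail.example", f"photos_{i}.zip", 8_000_000))
    # Same day, daytime: mike sends a large but legitimate archive to a customer,
    # and bob's message body happens to contain an SSN-shaped string.
    noon = datetime.combine(TARGET_DAY, time(11, 0))
    ev.append(event(noon, "mike@example.com", "cust@client.example", "deliverable.zip", 45_000_000))
    ev.append(event(noon + timedelta(hours=1), "bob@example.com", "hr@client.example",
                    body="applicant 123-45-6789"))
    return ev


def static_rule_hits(events):
    """Rule-only inspection: fires on what it is configured to recognise in the
    body text, file name and size, and on nothing else."""
    hits = []
    for e in events:
        reasons = []
        if SSN_RE.search(e["body"]):
            reasons.append("ssn_pattern")
        if e["size"] > MAX_ATTACHMENT:
            reasons.append("oversize_attachment")
        if reasons:
            hits.append((e["sender"], e["attachment"], reasons))
    return hits


def is_external(e):
    return not e["rcpt"].endswith("@" + INTERNAL_DOMAIN)


def is_after_hours(ts):
    return ts.hour >= AFTER_HOURS_START or ts.hour < AFTER_HOURS_END


def behavioural_flags(events, target_day, z=3.0):
    """Per sender: daily count of external mail with attachments and how many of those
    were after hours. Flag a sender whose target_day deviates from their own history."""
    per_day = defaultdict(lambda: defaultdict(lambda: [0, 0]))   # sender -> day -> [total, after_hours]
    for e in events:
        if not (is_external(e) and e["attachment"]):
            continue
        counter = per_day[e["sender"]][e["ts"].date()]
        counter[0] += 1
        if is_after_hours(e["ts"]):
            counter[1] += 1
    flags = {}
    for sender, days in per_day.items():
        history = [v for d, v in days.items() if d < target_day]
        today = days.get(target_day)
        if today is None or len(history) < 3:
            continue                            # no baseline yet: this layer stays silent
        totals = [h[0] for h in history]
        mean, sd = statistics.mean(totals), statistics.pstdev(totals)
        reasons = []
        if today[0] > mean + z * max(sd, 1.0):  # floor of 1 so a flat history still has a band
            reasons.append("volume_spike")
        if today[1] > max(h[1] for h in history):
            reasons.append("after_hours")
        if reasons:
            flags[sender] = reasons
    return flags


def demo():
    ev = constructed_log()
    return static_rule_hits(ev), behavioural_flags(ev, TARGET_DAY)


if __name__ == "__main__":
    hits, flags = demo()
    print("static rule hits:", hits)      # mike's big archive and bob's SSN-shaped string; alice is absent
    print("behavioural flags:", flags)    # alice: volume spike plus after-hours burst
```

Run as a script, the two outputs sit side by side: the static rules stop a legitimate 45 MB deliverable and a message that merely contains an SSN-shaped string, and say nothing about nine 8 MB archives sent to a personal webmail address; the baseline flags that sender on both volume and time of day because the comparison is against her own history rather than a fixed threshold. A sender with fewer than three days of history is never flagged, which is the trade-off of this layer: it only sees deviations from a pattern it has already observed.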

What’s At Stake?

At least 70% of a company’s value is in its intangible assets, and the Intellectual Property Commission Report estimates that IP loss costs U.S. companies $300 billion a year or more. Yet organizations have no idea how much IP is being siphoned off, whether intentionally by thieves, spies, and disgruntled employees, or unintentionally by compromised insiders, misuse of outside file-sharing services, or careless use of social media. The risk of IP theft isn’t limited to source code and nation-state espionage; it is often information about pending merger and acquisition activity that could be used to trade stock ahead of a deal, or sensitive corporate information that would benefit a competitor.

Many companies rely on DLP to safeguard against IP loss and theft, but that technology is ineffective on its own because it is limited in scope. It needs accurate rules to generate accurate alerts, which means you have to know exactly what you’re looking for or it will be overlooked. People, however, are fallible and unpredictable, and human data is the hardest thing to secure in an organization. Content inspection technologies such as DLP often fail to consider unexpected events and the unpredictability of human behavior.

While airport security is a separate issue from IP theft at corporations, similar rules apply with regard to having appropriate protections in place to detect and stop threats. In both cases, context and human data are critical to spotting risks.

Brian White serves as the chief operating officer of RedOwl, an insider threat analytics firm focused on both information security and regulatory surveillance. Previously, Brian served as a principal at the Chertoff Group, a senior official at the Department of Homeland ...

User Rank: Ninja
9/19/2016 | 9:39:23 AM
Hacking attempts
Great article. I always take extra caution in maintaining my online privacy and security. I deploy a VPN server, PureVPN, to maintain my online integrity and to avoid any type of scams and phishy threats.
User Rank: Apprentice
8/12/2016 | 12:43:20 PM
Pretty Bad DLP Smear
It is pretty sad that the author is actually not really savvy as it relates to DLP capabilities. The author must be aware of the ability of many DLP systems to detect data based on content fingerprinting, especially the ability to detect multiple data values such as Last_name and SSN, or Last_name and Driver License, etc. GTB Technologies, as an example, can support more than 20 billion fields without network degradation. Such DLP policies would detect and prevent many breaches, including the ones mentioned in this article. Unfortunately the TSA and Homeland Security are using advisors that have no clue.

Uzi Yair
GTB Technologies.