Proofpoint: Security, Compliance and the Cloud

56 posts categorized "Social Media"

March 02, 2011

Litigation Project Management and eDiscovery Event this Week in NY Features Proofpoint Presenters

Those of you who are litigators or legal IT professionals based on the East Coast (and I know there are a few of you out there) may be interested in this Thomson Reuters event, Litigation Project Management for In-House Counsel, being held tomorrow (March 3, 2011) at the Westin Times Square in New York City.

Our director of eDiscovery solutions, Robert Cruz, and Proofpoint customer Steven Heller, head of IT for legal firm Graubard-Miller, will be participating, presenting a workshop on "Controlling the Costs of Data Identification and Collection."

More details and registration info on this event here -- http://westlegaledcenter.com/program_guide/course_detail.jsf?courseId=33705658 -- including the day's agenda.

Those of you who can't attend the NY event, but are interested in legal IT issues and eDiscovery in particular, might want to register for our live web seminar next week:

Robert Cruz and Rami Habal (our director of product management and expert on all things DLP) will be on hand to talk about the many dimensions of social media risk and how you can apply today's security technologies (including cloud-based security solutions) to address these issues.

To register, visit this link: "Social Media Risks in the Enterprise: Mitigating Data Loss, Compliance and Discovery Dangers."

February 22, 2011

Gartner Analyst: eDiscovery Requests for Social Networking Content "Coming Up Frequently"

Tip 'o' the blog to our resident eDiscovery expert, Robert Cruz, who pointed out an interesting Gartner press release from last week — see "Gartner Says by Year-End 2013, Half of All Companies Will Have Been Asked to Produce Material from Social Media Websites for E-Discovery" — that had slipped by me.

Gartner's announcement references a recent piece of Gartner research, authored by analyst Debra Logan, and published during December of 2010.

Not sure why they're just getting around to promoting that report now, but it's an interesting piece (Gartner subscribers can access a full copy of Social Media Governance: An Ounce of Prevention at http://www.gartner.com/resId=1498916). Many of the most interesting points in the full document are actually made in the press release. These include:

  1. Social media content isn't special when it comes to eDiscovery: Says analyst Debra Logan, "Social media content is like all other content that is created by companies and individuals and is subject to the same rules, laws and customs." So, just as with email, companies will need to be able to quickly discover and produce social media content in response to legal or regulatory discovery requests.

    "In e-discovery, there is no difference between social media and electronic or even paper artifacts. The phrase to remember is 'if it exists, it is discoverable'," says Logan.

  2. Keep social media policies simple and consistent: On the topic of policies, Logan suggests that, "Policymakers need to keep policies simple when it comes to what should and should not be done online. A good rule of thumb is that whatever the company code of conduct is for in-person encounters, and whatever the rules are for general good behavior and common sense, apply in the online world as well."

    Additionally, Logan notes that the "legal landscape" around social media remains in flux due to "overlapping, conflicting and contradictory laws and regulations." Because there is no clear guidance, "the safest option is to have a consistent policy and apply it consistently."

  3. In the absence of technology controls, banning access might be appropriate: Says Logan, "If... a technology creates content that cannot be captured for archival purposes and that archive is required by law, then the organization must tell employees... not to use the technology, even unofficially." Gartner's press release also notes that Gartner estimates that, by the end of 2012, 50% of companies will attempt to block access to some or all social networking sites.

    Proofpoint's own research on this subject (see page 13 of our Outbound Email and Data Loss Prevention in Today's Enterprise, 2010 report) shows that roughly half of large enterprises already have policies that prohibit the use of popular social networking sites such as Facebook (53% ban by policy), YouTube (53% ban by policy) and Twitter (49% ban by policy), whether or not they actually attempt to block access to such sites.


Of course, the problem with banning or blocking employee access to social media sites is that one is sacrificing the many benefits of social media in favor of security and compliance. As a result, many employees will attempt to "work around" such blocks and restrictions.  Over time, such situations won't be sustainable.

But the good news is that the technology to monitor, enforce compliance rules and retain/archive social media content actually exists today and is getting easier and less costly to deploy.

We'll be discussing this topic in detail in our upcoming (March 9, 2011) live web seminar, "Social Media Risks in the Enterprise: Mitigating Data Loss, Compliance and Discovery Dangers." To register, click the preceding link.

February 17, 2011

Let's Blog About Security Blogging: Notes from RSA Security Bloggers Meetup

[Image: Alan Shimel and Rich Mogull at the Security Bloggers Awards 2011]

One of my favorite parts of RSA is the now traditional Security Bloggers Meetup, organized by the fine folks at the Security Bloggers Network.

Each year, a growing number of bloggers from the field of IT security get together to meet, greet, exchange ideas, have a cocktail and acknowledge the "best of the best" in the annual "Social Security Awards." That's Alan Shimel (of the excellent AShimmy blog) and Rich Mogull (analyst at Securosis) presenting this year's awards.

Somehow, yours truly wound up presenting the award for "Single Best Security Blog Post of the Year" which was a new category this year.

[Image: preview of the "How to be an Information Security Thought Leader" video]

Anyway, the winner in that category was Chris Eng's excellent video "How to be an Information Security Thought Leader," which has to be one of the most awesome uses of the (very odd) Xtranormal online video creator I've yet seen. Unfortunately I can't seem to embed the video here in the blog, so you'll have to follow the link (or click the preview image at left).

Believe me, it's well worth checking out...

In addition to being an impromptu award presenter, I also met some great new contacts (that I hope to feature here as guest bloggers on occasion) and caught up with friends like our pal Richi Jennings (who had an excellent post yesterday at Computerworld about the aftermath of attacks on security firm HBGary).

My thanks again to the organizers and sponsors of this year's event for a great time! 

February 16, 2011

Live Webinar: Social Media Risks in the Enterprise - Mitigating Data Loss, Compliance and Discovery Dangers

Our live web seminar series continues on Wednesday, March 9th at 11 AM Pacific Time, 2 PM Eastern Time, with "Social Media Risks in the Enterprise: Mitigating Data Loss, Compliance and Discovery Dangers."

We post about social media risks, policies and trends fairly regularly here (see the social media category), and our annual research on data loss issues shows that social media channels (including Facebook, LinkedIn, Twitter and other sites) are increasingly the source of data breaches (see this post for a video overview of our 2010 findings).

In response, about half of organizations simply prohibit access to popular social media sites. But over the long term, that approach will be less effective as social media becomes more and more ingrained into how companies do business. So our feeling is that companies need to address social media risks in the same way that most of them address email security risks—via a combination of policy and technology.

In addition to data loss and compliance issues, one very new area of concern is the archiving, retention and discovery of social media content. In many cases, social media communications such as corporate tweets, Facebook posts/messages, etc. can be considered business records and could be subject to the same sorts of discovery rules as corporate emails.  (See this recent CIO article for an interesting overview and introduction to this topic, "Why Your Records Retention Policy Should Include Social Media").

Our upcoming webinar will have both Robert Cruz, our director of eDiscovery solutions, and Rami Habal, our director of product management and expert on all things DLP, on hand to talk about the many dimensions of social media risk and how you can apply today's security technologies (including cloud-based security solutions) to address these issues.

To register, visit this link: "Social Media Risks in the Enterprise: Mitigating Data Loss, Compliance and Discovery Dangers."

January 13, 2011

Top Ten Privacy Predictions 2011: Follow-up and Links from Yesterday's Live Web Seminar

Thanks to the hundreds of you that tuned in for our first live web seminar of the new year, "2011 Predictions: Top 10 Privacy Issues" where co-presenter Ken Liao and I looked into the crystal ball to expose the cultural, policy, technology and regulatory trends that will dominate privacy discussions this year! My thanks especially for all of the great questions and feedback on the seminar.

If you missed it, or if you'd like to refer back to the web seminar, it's now available as a replay. For those of you who registered for the live event, a direct link to the replay file has been sent to you via email, as usual.

In our presentation, Ken and I shared quite a few links to various privacy-related resources that I promised to share with you here as clickable links, so here they are, by prediction:

Intro: Why Privacy Matters Today

Privacyrights.org's running list of data breaches can be found here:
http://www.privacyrights.org/data-breach

Proofpoint's 2010 research on data loss events was referenced multiple times during the presentation. You can download a copy of our full report, Outbound Email and Data Loss Prevention in Today's Enterprise, 2010 here:
http://www.proofpoint.com/outbound

Prediction 1: Mobility & Location-based Info Becomes a Major Concern

[Image: Proofpoint Top Ten Privacy Webinar 2011, Slide 1]

We had a little extra comedy in yesterday's webinar as our slide on this first prediction had mysteriously disappeared. Click the image at left to see the slide we had intended to display!

Predictions 2-4: At Least One Major Social Media Site Will Experience a Serious Breach, Evolution of Social Media Policies, More Organizations will Formalize Acceptable Use Policies

The data/charts in these slides on social media data loss events, social media/web services that large organizations prohibit access to, and acceptable use policy adoption are all from the aforementioned Proofpoint research at http://www.proofpoint.com/outbound.

Prediction 5: Blended Threats Will Continue to Increase

For more on the VBMania outbreak and other recent blended threats, see my blog post about "Blended Threats Old and New." On the topic of spam's holiday vacation and subsequent return, see "Spam Volume Makes a Comeback After Holiday Hiatus."

Prediction 6: New, Stricter Privacy Regulations Will be Adopted Worldwide

Not mentioned in the slide, but here's a good article explaining the European reactions to privacy implications of Google Street View.

Prediction 7: Expect a US National Data Breach Notification Law

Here's the link to the Federal Trade Commission's report on Protecting Consumer Privacy. And here's information on the new White House "Enhancing Online Trust and Privacy" initiative.

Prediction 8: At Least One Enforcement Action Under Massachusetts 201 CMR 17

Here are links to the State of Massachusetts FAQ on 201 CMR 17 and an interesting ThreatPost article about a possible 201 CMR 17 test case in 2011.

Prediction 9: More Organizations Will Encrypt More Data

Find more product information about Proofpoint Encryption here. Also, http://www.proofpoint.com/outbound is referenced again (data on adoption of data loss prevention technologies).

Prediction 10: Increased Adoption of Secure/Managed File Transfer

The statistic about the level of concern around FTP as a source of data loss risk is, once again, from http://www.proofpoint.com/outbound. And visit this link for information on the Proofpoint Secure File Transfer solution.

Q&A Session

In my comments, I mentioned the recent email breach of personal information of all GSA personnel.

Thanks again to everyone who joined us for this web seminar. If you missed it and would like to see the replay, please visit:

 http://www.proofpoint.com/id/top10privacy/index.php?id=6



January 11, 2011

eDiscovery and Archiving 2011: New CEO Series Video and Top Ten Predictions

eDiscovery and archiving are top-of-mind at Proofpoint today as we issued our predictions about the top ten trends in eDiscovery for 2011. As part of that announcement, we've published a new CEO series video where Gary Steele discusses "Three Key Trends in Archiving and eDiscovery."

 

Check out the video and then read on after the jump for our top 10 eDiscovery trends for 2011 (see the "Click to Jump" button below...)


January 06, 2011

Even Spammers Need a Holiday? Sustained Drop in Email Spam Volume Continues for Some

[Chart: daily spam volume at Proofpoint spam traps, December 2010 to January 2011]

As reported by NetworkWorld (see "Spam volumes drop as Rustock, other botnets go quiet"), spam volumes have dropped recently and, thus far, there's no clear explanation as to the reason.

The chart at right (click for larger view) shows daily spam volume for some of Proofpoint's email "spam traps" over the past month. While there's a bit of a slowdown early in the month, the activity is pretty normal and exhibits the bursty behavior of spam campaigns that we typically see.

However, on Christmas Eve (December 24, 2010), spam volumes took a fairly precipitous drop, falling to a low level baseline that we've seen before. And since that time, elevated spam activity has not yet resumed. Normally, spam volumes fluctuate fairly rapidly between low and high activity periods with low level periods lasting for hours or not more than a day or two.

This isn't to say that spam has vanished. Looking at one of my many spam quarantines this morning (see screengrab at right - click for larger image), there's plenty of spam there, but it's interesting in that the bulk of it would seem to be pharmaceutical-related promotional spam. Not a lot of diversity of spam themes, no obvious phishing attacks and no virus-infected messages in this particular batch.

[Image: Proofpoint spam quarantine screengrab, January 2011]

As an aside, you can also see that Proofpoint has scored all of these messages (even foreign language messages) as "100" indicating that it's absolutely sure of their spammy nature.

Some are attributing this drop in spam to sudden inactivity (at least, email sending inactivity) of a couple of the botnets suspected to be the source of most spam email. 

Of course, there are many uses for the massive computing power and network access controlled by botnets and one wonders what those botnets are doing right now instead of sending spam.

While an extended holiday break from spam is a nice thing, it's no time to get complacent. As we've seen in recent months, new and aggressive attacks can break out at any time (revisit, for example, the "VBMania outbreak from September 2010") and cause serious problems.

Other commentators have noted that perhaps spammers are focusing more on social media rather than email. While I think it's true that there's an increased focus on fraudulent activity related to social networks, it's certainly not an "either/or" proposition for spammers. There's certainly no lack of profit to be generated via email-based scams (see my recent post on recent money mule prosecutions here in the US) and we expect that spam volumes will once again rise, likely using clever techniques to improve deliverability.

Another thing to keep in mind is that different organizations have very different spam profiles and, while some are seeing volume drops, others are just as vexed as ever by spam. We regularly see very targeted attacks directed at certain domains or email recipients associated with a given domain. It's also likely that spammers and scammers are continuing to focus on compromising private data through hacks in order to gather the addresses and personal data required to launch more effective, targeted campaigns.

December 31, 2010

Wishing You a Happy, Safe and Secure New Year... and a Quick Look Back at 2010

On this eve of the new year, I wanted to take a moment to thank all of our customers, partners, friends and fans -- on behalf of everyone here at Proofpoint -- for yet another terrific year! We couldn't have done it without your support.

It was a year of great milestones for Proofpoint, including being named once again to the "Leaders" quadrant in Gartner's 2010 Magic Quadrant for Secure Email Gateways, reaching our seventh consecutive year of record revenue, launching new versions of our SaaS email security, data loss prevention and email archiving solutions, publishing our seventh-annual survey on email/social media data loss prevention risks, a new look and feel for our brand and much more.

We're looking forward to another great year in 2011 and wish you a happy, successful and safe new year!

A couple of good 2010 IT security year in review articles caught my eye this week that are worth checking out:

eSecurity Planet has a roundup of key security events for the year in "IT Security 2010: The Year in Review," and on the other side of the pond, the UK's IT Pro has an extensive overview in "Security: Year in review 2010".

See you in 2011!

December 22, 2010

Put Social Media Policies on Your List of New Year's Security and Privacy Resolutions

Over at Baseline magazine this week, writer Nick Wreden has a good article on "Social Media Policy Development," summarizing that organizations need to develop firmly written, clearly communicated policies around all types of electronic communications, including those conducted via social media channels.

This is still a sometimes-overlooked area of policy development and, if your organization hasn't yet communicated specific policies around keeping confidential (or regulated) information secure over social media channels, I'd suggest you put this on your "to do" list for the new year.

Nick quotes our oft-cited statistics about data loss and social media in large enterprises, noting that our 2009 research found that "34 percent reported that a loss of sensitive information had affected business. The same study found that 13 percent had investigated troublesome Twitter usage, and 15 percent had disciplined employees for unauthorized posting of videos on YouTube and similar sites."

Note that these numbers increased in 2010 (and you can get a copy of our latest report, "Outbound Email and Data Loss Prevention in Today's Enterprise, 2010," at http://www.proofpoint.com/outbound). Our report also shows that, while acceptable use policies for email are almost universally adopted, there are still a substantial number of organizations that do not yet have formal policies in place around the use of social media sites (including blogs, message boards, social networks, short message services like Twitter and media sharing sites like YouTube).

As I always suggest when considering acceptable use policies for email, when creating these sorts of policies for social media, I'd encourage organizations to focus on the data loss and compliance risks associated with social media sites, not just the "time wasted" aspects of same.

Keep in mind that the cost of a single low-performing employee (who, for example, spends too much time at work engaged in non-work-related social media) is completely bounded by that employee's salary (and such problems are fairly easily addressed). However, a single data loss/breach incident can cost hundreds of thousands or even millions of dollars in remediation costs, potential fines, brand damage and lost business.

The article over at Baseline has some other good suggestions around social media policy development and some real-world examples of what enterprises such as EMC, Xerox and Mel-O-Cream are doing to address the risks associated with social media.

Note also that I'll be touching on this topic a bit in our next live web seminar (January 12th), "Top 10 Privacy Issues for 2011." Do join me! You can register here: http://www.proofpoint.com/id/top10privacy/index.php

December 14, 2010

Live Web Seminar: Top 10 Privacy Issues for 2011

Hard to believe another year has almost come to a close... Proofpoint's live web seminar series will kick off another terrific year of programming on Wednesday, January 12th, 2011 with:

2011 Predictions: Top 10 Privacy Issues »

I'll be making one of my occasional webinar appearances, discussing the top policy, technology and regulatory trends that will dominate privacy discussions in the coming year with our resident email security and data loss prevention expert, Ken Liao.

In addition to our top 10 privacy predictions for 2010, we'll also be sharing some actionable advice about what organizations should do today, to better protect sensitive information in the coming year.

As regular readers of this blog know, data loss risks are generally on the upswing and your customers and business partners are more concerned than ever about how you handle their private data. I'm sure this will be a lively presentation — touching on diverse topics including social media, email, encryption regulations, acceptable use policies and a lot more — and as always, we'll answer your questions during the live Q&A period. 

Register here (and, as usual, all registered attendees will receive a link to the webinar replay).

I hope you'll join me... In the meantime, have a happy and safe holiday season!

©2012 Proofpoint, Inc.