Information Security News mailing list archives

Nailing the Company Spies


From: InfoSec News <isn () C4I ORG>
Date: Sun, 4 Mar 2001 04:41:47 -0600

http://www.wired.com/news/business/0,1367,41968,00.html

by Jeffrey Benner
2:00 a.m. Mar. 1, 2001 PST

The end of the Cold War hit defense contractors such as Raytheon where
it hurts. In 1999, while commercial tech companies wallowed in cash,
Raytheon's profits were down 50 percent over the previous year, and
its stock price plummeted from $75 to $25.

Something had to be done. Raytheon decided to follow the money and put
its military technology experts to work figuring out how to cash in on
the tech boom. Last summer, it rolled out its first IT product, a
revolutionary network security program called SilentRunner. The
program, designed to "answer the insider threat," is powerful enough
to be used by the government's investigation agencies, yet it is for
sale on the commercial market.

According to SilentRunner's slick brochure, enemies lurk within the
corporate environment and they must be stopped.

"We know that 84 percent of your network threats can be expected to
come from inside your organization.... This least intrusive of all
detection systems will guard the integrity of your network against
abuses from unauthorized employees, former employees, hackers or
terrorists and competitors."

The program is a sophisticated information-gathering and analysis tool
that makes traditional keyword "sniffers" obsolete. It captures all
the information on a network, in any code or human language, and
translates it into easily decipherable three-dimensional diagrams of
network behavior.

Never heard of SilentRunner? The scores of companies and government
agencies using the program to keep tabs on their agents and employees
like it that way. Organizations using SilentRunner have adopted a
top-secret attitude about the product to match its military-strength
intelligence-gathering capabilities.

Until December 2000, when security services provider TruSecure
revealed it had purchased the "lite" version of the program, not one
organization, public or private, had admitted to buying SilentRunner.
On Feb. 1, the computer forensic division of consulting firm Deloitte
& Touche became the second to say it uses the program.

Both companies provide security services to client companies. No
organization has admitted to using SilentRunner to monitor its own
employees. Why all the secrecy? Opinions vary.

"What could be interpreted by the fact that a corporation is using SR
is admission that there's a problem. That's really where the secrecy
comes from," said Paul Gentile, vice president of business development
for Raytheon's information-assurance division.

TruSecure spokeswoman Susan Lee said the company's clients -- it
provides constant monitoring to nearly 400 companies -- have asked not
to be identified for fear hackers will be tempted to infiltrate
SilentRunner-protected networks just for sport.

But keeping SilentRunner under wraps has an added bonus. It allows
companies using the program to avoid scrutiny from groups concerned
about the erosion of privacy in the workplace.

The courts have established that so long as companies make clear to
their employees what sort of communication is company property, they
can legally monitor their networks with programs such as SilentRunner.
The law does not require employers to give details on monitoring --
such as the technology that would be used -- in order to do so
legally.

But privacy vs. security battles are still raging over gray areas such
as free e-mail accounts and password-protected private websites
accessed from work. In one recent case -- Konop vs. Hawaiian Airlines
-- the Ninth Circuit Court of Appeals ruled in favor of a pilot who
claimed his employer had accessed his website in violation of the
federal Wiretap Act.

Even Raytheon admits that a program as powerful as SilentRunner gives
employers the ability to step over the line.

"We train for legal uses," Gentile said. "What we cannot control is
abuse after licensing. It's like if we were Smith and Wesson, and you
bought a gun. We demonstrate appropriate uses, but we don't really
have any control over what they do after that."

What companies can do with SilentRunner is see everything going over
their network, from a panoramic view down to a detailed profile of
precisely what an individual worker is up to on the Net. What's more,
workers won't know if they are being watched.

"SilentRunner is completely undetectable to end users, and it captures
everything," said Kris Haworth, manager of the Deloitte & Touche
computer forensics lab in San Francisco.

Companies that suspect fraud inside their own organization can hire
the lab to investigate.

"On an individual user, we can see what you're e-mailing, where you
are surfing, if you send anything to be printed, collaborate with
anyone on a Word document, access or change the database -- basically
everything you're doing on the network," she said.

Although the program gives broad access, lab analysts are careful to
only scrutinize information pertinent to the case at hand, she said.

SilentRunner's "collector" recognizes over 1,400 different protocols.
It can detect and analyze Web pages, e-mail, digital video and sound
files, spreadsheets, Word documents, FTP, instant messages, passwords
-- you name it.

"The product is pretty incredible," said Dave Capuano, TruSecure's VP
of product management. "It can collect any traffic on the network.
We've seen it collect at 195,000 packets per second. That's about
twice as fast as traditional collectors. It can get all the data on a
250-terminal network in about 20 minutes."

For TruSecure's needs -- it generally uses SilentRunner to locate the
most valuable parts of a client's network -- the program actually
captures too much information, Capuano said.

"As a service provider, I don't want to collect e-mail information" on
a client, he said, citing liability concerns. "If their tool is going
to succeed in the market, they'll have to create some filters for it."

Unlike the FBI's Carnivore and commercially available "sniffer"
programs that search for keywords, SilentRunner uses algorithms to
analyze data 25 different ways. It assesses data at the "packet" or
binary level, clustering similar patterns of ones and zeroes.

This grouping mechanism allows the program to diagram conversations on
specific topics going on among members of a network. For example, a
cabal spending a lot of time e-mailing one another about inside
trading information would light up the screen. Messages passing
outside the usual channels of information would stick out as well --
for example, from an R&D lab to an out-of-network e-mail account.

SilentRunner presents the results of data analysis in
three-dimensional diagrams, which, reportedly, any lay person can
easily decipher. "You can actually 'see' an attack on the network,"
Haworth said.

Functioning at a binary level affords SilentRunner some extraordinary
capabilities, according to Raytheon. For example, given a writing
sample, the program can identify other documents written by the same
author, so long as both are written in the same language or code.

"An e-mail could be fed to the system as a template, and then it would
cluster others like it," said Christopher Scott, a chief architect of
the software. "It's like a DNA sample of someone's writing."

The program analyzes text of any language with equal acuity, he said.
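One way to make the "writing DNA" idea concrete is character n-gram stylometry, which is what the added Python below does: it builds a character-trigram frequency profile of a template e-mail and ranks candidate messages by cosine similarity to it. This is an example for this page, not SilentRunner's algorithm (the article does not describe it), and the template and candidate e-mails are constructed. Character n-grams need no tokeniser or dictionary, which is one reason such a profile behaves the same on any language; with samples this short the scores only illustrate the mechanism, and real attribution needs far more text per author than a single e-mail.

```python
"""Character n-gram stylometry (added example, not SilentRunner's algorithm).

Profiles a template message by character-trigram frequencies and clusters
candidate messages whose profile is close to it. Messages are constructed.
"""
import math
import re
from collections import Counter

TEMPLATE = "hey -- pls send me the numbers asap... thx!! ttyl"

# Constructed candidates: msg_a is in the template's style; the others are not.
CANDIDATES = {
    "msg_a": "hey -- pls send the draft asap... thx!! ttyl",
    "msg_b": "Dear Ms. Stone, please find attached the quarterly figures "
             "for your review. Kind regards, Robert.",
    "msg_c": "Per our conversation, the revised budget is attached. Regards, Robert.",
}


def profile(text, n=3):
    """Relative frequency of each character n-gram after case and whitespace folding."""
    t = re.sub(r"\s+", " ", text.lower()).strip()
    grams = Counter(t[i:i + n] for i in range(len(t) - n + 1))
    total = sum(grams.values())
    return {g: c / total for g, c in grams.items()} if total else {}


def cosine(p, q):
    """Cosine similarity of two sparse frequency profiles (0.0 when either is empty)."""
    num = sum(p[g] * q[g] for g in p.keys() & q.keys())
    den = (math.sqrt(sum(v * v for v in p.values()))
           * math.sqrt(sum(v * v for v in q.values())))
    return num / den if den else 0.0


def rank_by_similarity(template, candidates, n=3):
    """(score, name) pairs, best match first."""
    tp = profile(template, n)
    return sorted(((cosine(tp, profile(txt, n)), name)
                   for name, txt in candidates.items()), reverse=True)


def cluster_like(template, candidates, threshold=0.5, n=3):
    """Names of candidates at least `threshold` similar to the template.
    The threshold is an assumed cut-off for this illustration."""
    return [name for score, name in rank_by_similarity(template, candidates, n)
            if score >= threshold]


if __name__ == "__main__":
    for score, name in rank_by_similarity(TEMPLATE, CANDIDATES):
        print(f"{name}: {score:.2f}")
    print("clustered with template:", cluster_like(TEMPLATE, CANDIDATES))
```

Only msg_a clusters with the template; msg_b and msg_c resemble each other (shared sign-off) far more than they resemble it, which is the grouping behaviour the quote describes. Note that the profile is trivially gamed by an author who changes register, so a high score is evidence, not proof, of common authorship.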

According to Gentile, in addition to unnamed government agencies,
buyers thus far include financial houses worried about insider
trading, drug companies with valuable intellectual property to
protect, banks with accounts to secure, and health care organizations
with confidential medical records stored online.

Raytheon (RTN.A) has sold 140 copies of SilentRunner for a total of
$8.4 million. The top-of-the-line edition costs $65,000. A less
powerful version goes for $25,000. The average customer gets one
license, but one government agency bought 50.

Does the "internal threat" demand this new level of technology and
vigilance?

Security experts say it does. Omni Consulting surveyed 3,180 businesses
worldwide and used the data to estimate that worldwide corporate losses
due to insecure networks jumped from $4.3 billion in 1999 to $11.6
billion in 2000.

While crackers get the bulk of media attention, Omni manager Frank
Bernhard attributed the dramatic losses to the sharp increase in
telecommuting and "employee transience" -- the tendency of workers to
change jobs frequently, often taking valuable information with them.
And, with the rise of the knowledge-based economy, information has
become a larger portion of assets.

"The loss is happening so quickly because more and more value is
knowledge-based, and information is portable," Bernhard said.
"Employee mobility is one of the single biggest threats to an
organization's security. Due to telecommuting, people are working on
less secure networks."

Omni measured a 19 percent increase in telecommuting in 2000 over 1999
alone. It also found a 44 percent increase in corporate spending on
network security in 2000 over the year before, with 62 percent of that
spent on securing networks from internal threats.

In 1999, Raytheon took action against some of its own employees it
suspected of compromising company information. Some of them learned
the hard way that talking about one's employer "privately," and even
anonymously, can be risky.

In February of that year, Raytheon sued 21 "John Does" for $25,000 in
damages due to criticisms of the company made on Internet message
boards. Raytheon said it suspected current and former employees were
responsible for the anonymous postings, accusing them of revealing
confidential information. The company successfully subpoenaed Yahoo to
find out who made the comments, then abruptly dropped the suit. At
least four of the 21, including one VP, resigned after being
identified.

International Data Corporation estimates the worldwide corporate
market for network monitoring and filtering products will rise from
$62 million in 1999 to $561 million in 2004. At a presentation to
investors on Feb. 7, Raytheon set a revenue target for its IT security
division -- of which SilentRunner is the centerpiece -- at $250
million by 2005.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".