Educause Security Discussion mailing list archives

Re: Identity Finder


From: Richard A MacLaughlin <ramaclau () VALDOSTA EDU>
Date: Tue, 5 Jan 2010 10:41:11 -0500

This might actually be in response to a message I sent the listserv right
before the Christmas break.  I still have to look through all the responses
I got because there was a lot of useful information.

Richard A. MacLaughlin
Information Security
Valdosta State University
Phone:  (229) 333-5974
Fax    :  (229) 245-4349


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Felecia Vlahos
Sent: Saturday, December 19, 2009 7:15 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Identity Finder

Randy,

We are using the free find_ssn at San Diego State University in
conjunction with commercial RSA DLP (previously Tablus Content Sentinel).
We did a detailed analysis of several products in 2008 and RSA DLP came
out slightly better than Identity Finder.  We tested multiple platforms,
deployment methods (i.e. enterprise versus each system), software
dependencies, file types, and SSN configurations.  VT Spider was an
amazing product for free, great work!   We had an "up and coming" product,
Safe Vantage Deep Scout, that was good but not as full featured as the
other commercial products.

The RSA DLP campus license was ridiculous (like $300,000 ridiculous), so
we bought 2500 clients and we are passing them around to each area to scan
sections at a time of our campus.  In the meantime we have advised the
entire campus to use find_ssn to immediately locate and remove legacy SSN
data.  We're making better progress with the free product than the
commercial (mostly due to reduced staffing in this budget crisis). We have
DLP RSA locked in with maintenance for the next two years and then we plan
to review updates to products, including Safe Vantage.

I'll share the report with anyone interested. If anyone does a likewise
detailed analysis, I'd appreciate a copy as I lost my staff that did the
original work.

Another plug for VT Spider: we use it as a double check on incidents and
in every case it found all the data, even WordPerfect files, and SSNs
broken across columns in Excel.  Worst false positives were in geology
(latitudes and longitudes).

Thanks,
Felecia Vlahos
San Diego State University
fvlahos () mail sdsu edu


On Fri, 18 Dec 2009 06:37:24 -0800, randy marchany <marchany () vt edu> wrote:

We wrote one of the freeware tools (Find_SSN, Find_CCN) and use
IdentityFinder as well. IdentityFinder has the ability to be run on
remote machines and some of our dept admins like that feature. The
other tools don't have that ability. IdentityFinder does NOT run on
Unix systems and since most of our database servers run on Unix/Linux
systems, IdentityFinder doesn't help us there. The Windows version is
excellent but I'm disappointed in the Mac version. Someone else
mentioned the Mac version is a work in progress and I would agree with
that assessment. It's still a very good product. Our Find_SSN/CCN tool
runs on all platforms (Mac, Windows, Linux/Unix).

As far as false positives go, our tool is the best at reducing the
number of false positives. The biggest complaint you will get from
your users is "do I have to look at ALL of those files to see if
there's sensitive data?". The answer is a) yes b) move all of those
files into a folder and encrypt it and look for it later. All of the
tools including ours will generate false positives. The key is having
a sensitive data policy or standard in place. This will help you with
users who don't want to look through all of them.

The other problem with these tools is that none of them play well with
Outlook/Exchange .pst files which is probably where most of the
sensitive data would be found in email attachments. I believe
IdentityFinder requires you to log into Exchange first and that's
their hook into .pst type files. My info may be dated but I believe
it's still correct.

This is the biggest issue with upper mgt.

I would suggest building a test folder with regular files, Microsoft
Office files (.xls, .doc, Project, Visio, etc.), PDF files, .pst
files, binaries, and a small database table, and run all of the tools
against that folder and see the results. The advantages of the
commercial tools include the report format (auditors will like it) but
the freeware tools will simply generate a list of hyperlinks that
point to the files in question.

Randy Marchany
VA Tech IT Security Office

