Decoy Documents May Soon Defend Against Data Loss
A new approach to data loss prevention: Bogus files that alert organizations to unauthorized access.
What if your company's confidential documents could alert you to access by unauthorized users? One startup company is working on technology to accomplish this through decoy documents that set security alarm bells ringing when they are accessed by unsuspecting thieves.
Salvatore Stolfo, a computer science professor at Columbia University's Intrusion Detection Systems Lab, has developed document decoy technology and is bringing it to market as a software product through a startup company called Allure Security Technologies. The company is the culmination of over five years of university research into ways to reduce the "insider threat" -- that is, data loss due to the actions of an organization's own employees.
The idea behind the decoy technology is simple: The software automatically generates decoy documents that contain false information, and plants them on computers throughout an organization. These documents are "beaconized" with the capability to report back to a control server, alerting administrators if anyone attempts to open or copy them. Real documents can also be beaconized so that they can be tracked and send out an alert if they find themselves outside certain IP address ranges. A management platform allows administrators to configure the system and set policies for when alarms are raised. For example, beaconized documents can be configured to call home if they are moved outside the corporate network perimeter, causing an alert email to be sent to security staff.
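The control-server side of that design can be sketched as a small policy evaluator. The following is an added example written for this article, not Allure's software or the Columbia lab's code: it assumes each beaconized document carries an identifier that the callback reports along with the action, user and source address, and it assumes a registry that marks which identifiers are decoys and which are real, tracked documents. The document ids, paths, IP ranges and events are constructed sample data.

```python
"""Policy evaluation for beacon callbacks from decoy and tracked documents.

Added example modelling the control server described in the article (assumed
design, not the vendor's implementation). A decoy has no legitimate readers, so
any open or copy is an alert; a real, tracked document alerts only when its
beacon calls home from outside the configured corporate address ranges.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DocumentRecord:
    doc_id: str      # identifier embedded in the document's beacon (assumed)
    path: str        # where the document was planted or lives
    is_decoy: bool   # True for generated decoys, False for real tracked files


@dataclass(frozen=True)
class BeaconEvent:
    doc_id: str      # identifier reported by the beacon
    action: str      # "open" or "copy"
    source_ip: str   # address the beacon called home from
    user: str        # account name reported with the callback


@dataclass(frozen=True)
class Alert:
    severity: str
    doc_id: str
    reason: str


# Constructed policy: the corporate perimeter that tracked documents may not leave.
CORPORATE_RANGES = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed registry of beaconized documents (ids and paths are sample values).
REGISTRY: Dict[str, DocumentRecord] = {
    "d-0001": DocumentRecord("d-0001", r"\\fileserver\finance\pricing_draft.xlsx", is_decoy=True),
    "r-0002": DocumentRecord("r-0002", r"\\fileserver\legal\patent_application.docx", is_decoy=False),
}


def inside_perimeter(ip: str) -> bool:
    """True when the address falls in one of the configured corporate ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


def evaluate(event: BeaconEvent, registry: Dict[str, DocumentRecord] = REGISTRY) -> Optional[Alert]:
    """Apply the alerting policy to one callback; None means no alarm."""
    record = registry.get(event.doc_id)
    if record is None:
        # A callback we never issued: worth a look, but not proof of theft.
        return Alert("medium", event.doc_id, "beacon from unregistered document id")
    if record.is_decoy:
        # Decoys contain false information and are tagged for staff; nobody should open them.
        return Alert("high", event.doc_id,
                     f"decoy {record.path} accessed ({event.action}) by {event.user} from {event.source_ip}")
    if not inside_perimeter(event.source_ip):
        # A real document calling home from outside the perimeter.
        return Alert("high", event.doc_id,
                     f"tracked document {record.path} {event.action} from {event.source_ip} by {event.user}")
    return None


def process(events: List[BeaconEvent]) -> List[Alert]:
    """Run the policy over a batch of callbacks and keep only the alarms."""
    return [alert for alert in (evaluate(e) for e in events) if alert is not None]


# Constructed callbacks covering each branch of the policy.
SAMPLE_EVENTS = [
    BeaconEvent("r-0002", "open", "10.20.30.40", "alice"),   # real file, inside: no alarm
    BeaconEvent("d-0001", "open", "10.20.30.41", "bob"),     # decoy opened: alarm
    BeaconEvent("r-0002", "copy", "203.0.113.7", "carol"),   # real file outside perimeter: alarm
    BeaconEvent("x-9999", "open", "10.1.1.1", "dave"),       # unknown beacon id: review
]

if __name__ == "__main__":
    for alert in process(SAMPLE_EVENTS):
        print(alert.severity.upper(), alert.doc_id, alert.reason)
```

The order of the checks matters: a decoy is flagged even when opened from inside the network, because the article's point is that decoys have no legitimate readers, whereas a real document is judged only by where its beacon calls from.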
Traditional data loss prevention solutions are typically designed to block the unauthorized transmission or copying of documents that contain confidential information. In contrast, decoy documents are created so that they appear to contain sensitive or confidential data. When unauthorized users seeking that type of information come across the decoys and try to open them, they will trip the alarm. The method is intended to provide protection against malicious employees who are intentionally seeking unauthorized access to sensitive information, as well as non-malicious employees who may be tempted to ignore security rules by emailing or taking documents home for reasons of convenience.
The decoy system also provides protection against outside hackers who break into the network to steal information, Stolfo says. "If an attacker breaks in and steals your data, in normal circumstances they win at a very low cost to themselves. We force the attacker to consider whether the data they are stealing is actually real or if it has been poisoned with misinformation, and if it is being tracked. We want to force attackers to work much harder, so they decide to go elsewhere," explains Stolfo.
To be effective, a data loss prevention program based around document decoys must have the following attributes, Stolfo says:
- Conspicuous: The documents need to be placed in folders that a malicious employee or hacker is likely to come across.
- Enticing: The content of the decoys must appear to be valuable -- e.g., patent applications, pricing information, etc.
- Non-interfering: The decoys must be easily identifiable to legitimate users, with some tagging mechanism so that the data they contain doesn't get used accidentally.
Allure's software is designed to generate form-based as well as free-form decoy documents. Stolfo says the decoys can incorporate corporate logos and other themes, and the software generates "believable names" and other data to populate forms. For free-form text documents, the software generates original source material by manipulating and obfuscating other texts.
Regarding the issue of how many decoys are needed to create an effective defense, Stolfo says that the answer depends on the organization, but adds that his software offers suggestions on how many decoys should be created and how to place them. In some circumstances, as few as twenty decoy documents could protect 100,000 genuine files, he says.
Stolfo claims that Allure's technology should be available as a security product later this year, aimed at small and medium-sized businesses as well as larger enterprise customers. He says the company is also talking to several security software companies about licensing the decoy technology.
Paul Rubens is an award-winning technology journalist who has been covering IT security for over 20 years. He has written for leading international publications including The Economist, The Times, The Financial Times, The Guardian, the BBC, and Computing.