Network Security

From the July 2007 issue of Communications News

Bank secures from the inside out

Approach augments existing perimeter solutions by intelligently monitoring employee desktops.

By 2003, Jim Brockett, chief information officer at Washington Trust Bank, had seen one too many news stories about security breaches in the banking industry. He knew that a single significant incident of internal fraud, in which critical customer information was compromised, could seriously damage the bank’s brand and reputation.

Like most in the banking industry, Washington Trust had spent a significant amount of time and money protecting its network from external threats. The bank had strong perimeter-based security in place, including firewalls, proxy servers and traditional rules-based systems. For a long time it had addressed the insider threat with password administration best practices, network monitoring and intrusion detection. It had yet to adequately address, however, the threat posed by individuals inside the organization who already held legitimate systems access.

"Although we have confidence in our employees," says Brockett, "we do not want our bank to lead the next newspaper headline about stolen customer data. We needed a better solution to help enforce our computer and systems usage policies.

"With reliable and proven network-based security solutions in place, we wanted to take a closer look at the desktop to enforce policies at the individual employee level," he explains. "The policies of most concern were those that prohibit the transport of customer information, such as Social Security numbers, account numbers, credit card numbers, user names, PINs and passwords."

Around the time Brockett was exploring these issues, he was approached by NextSentry, a company offering an artificial-intelligence product already in use by the government to monitor Internet relay chat (IRC) rooms for suspicious behavior such as potential threats to national security, child exploitation and drug trafficking. While traditional security activities and resources had been focused on strengthening the perimeter, NextSentry was proposing a significant strategic shift toward securing the desktop.

NextSentry’s approach would augment the bank’s existing perimeter solutions by intelligently monitoring the desktops of all employees. Desktop monitoring also would help the bank watch for policy violations and prevent employees from accidentally or maliciously distributing private data or intellectual property to the outside world.

This was the bank’s first attempt at policy enforcement and monitoring of end-user activity on the desktop, aimed at a broad array of channels through which an insider could move data out: e-mail, instant messaging, file transfer, Web posting and printing, as well as removable storage media such as USB devices or CDs.

three policy components
"We seriously considered only the NextSentry solution because, unlike competing network-based solutions, it operated at the desktop level where incidents and violations could be caught before damage was done," states Brockett.

Although this application is only one component of a much larger IT risk-management program, the bank considers the ActiveSentry solution to be one of the three major policy-enforcement components of its overall security program. These are: employee training and education, which ensures staff understand what the policies are and what the company expects; network access controls, which enforce policy for network devices; and ActiveSentry, which enforces policy for individual users.

The ActiveSentry solution was rolled out to a range of operational groups at the bank, and included everyone from branch tellers to loan services employees to commercial loan personnel. Desktop locations within the operational population were randomly chosen. Rollout to desktops was done remotely, using a remote-install component included in ActiveSentry, plus an internal software-updating tool that was already in use at the bank.

Because the ActiveSentry technology was new at the time, there were a few kinks to work out. Although the product did not require dramatic changes to the bank’s network, NextSentry had to make some configuration changes in the software to enable it to integrate with the bank’s existing systems. Examples include getting it to operate effectively with Washington Trust’s terminal emulation software and e-mail, and adjusting the bank’s browser configuration.

Initially, the bank limited the number of monitoring filters it deployed. This let Washington Trust get the tool up and running faster, and it allowed a risk-based approach to selecting which desktop activities to monitor.

"Spending the time up front to figure out what to monitor was worth it," explains Brockett, "and I suggest others deploying similar solutions do the same, including limiting what you monitor on your first rollout, and phasing in more filtering as you go.

"You’ll want to start with four or five critical high-risk monitoring filters that are important for your specific organization," he suggests. "That said, the copying and pasting of critical information from trusted applications to non-trusted applications would be an area to start with, as is tracking keyed or pasted information being put into Web site forms or payment systems.

"Also, using the tool to limit or remove an individual’s ability to place critical information on removable storage media is important," Brockett says. "Once you determine your initial monitoring filters, you should move forward with complete desktop implementation. You can then add filters as specific threats arise and as you have time."
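The filters Brockett recommends starting with, copy/paste from trusted to untrusted applications and data keyed or pasted into Web forms, and the data types he named earlier (Social Security numbers, account and card numbers) both come down to content inspection of what is about to leave a trusted application. The following is an added example, not NextSentry’s code or Washington Trust’s configuration, of how such a filter can classify a clipboard payload and apply a trusted/untrusted application policy. The application names, the trusted set and the sample clipboard text are constructed for illustration. PINs and passwords have no fixed format and are not matched here, which is one reason a filter like this is paired with policy and training rather than relied on alone.

```python
"""Added example: a content-inspection filter of the kind the article describes.
Not NextSentry's code; application names, the trust list and the sample text
are constructed for illustration."""
import re
from dataclasses import dataclass, field

# Assumed trust classification of desktop applications (hypothetical names).
# Customer data normally lives in these; data leaving them is what we watch.
TRUSTED_APPS = {"core_banking_emulator", "loan_origination"}

# 13-19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US Social Security number in its written 3-2-4 form.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; screens out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject area/group/serial values the SSA never issues."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def find_card_numbers(text: str) -> list[str]:
    """Return Luhn-valid card-like numbers found in text, digits only."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str) -> list[str]:
    """Return SSN-formatted strings that pass the issuance rules."""
    return [m.group() for m in SSN_RE.finditer(text) if valid_ssn(*m.groups())]


@dataclass
class Verdict:
    action: str                       # "allow", "alert" or "block"
    reasons: list[str] = field(default_factory=list)


def evaluate_transfer(text: str, source_app: str, dest_app: str) -> Verdict:
    """Apply the trusted-to-untrusted policy to one paste or keyed entry.

    - Data entering a trusted application is normal work: allow.
    - Sensitive identifiers leaving a trusted application for an untrusted
      one (browser form, IM client, removable-media copy): block.
    - Sensitive identifiers keyed or pasted into an untrusted destination
      from elsewhere: alert, so the risk coordinator can review it.
    """
    if dest_app in TRUSTED_APPS:
        return Verdict("allow")
    # Log masked values only; the filter's own records must not become a leak.
    reasons = [f"SSN {s[:3]}-**-****" for s in find_ssns(text)]
    reasons += [f"card number ending {c[-4:]} (Luhn-valid)"
                for c in find_card_numbers(text)]
    if not reasons:
        return Verdict("allow")
    return Verdict("block" if source_app in TRUSTED_APPS else "alert", reasons)


# Constructed clipboard contents; 4111 1111 1111 1111 is the usual test card number.
SAMPLE_CLIPBOARD = ("Acct note: SSN 123-45-6789, card 4111 1111 1111 1111, "
                    "exp 12/09, ref 0-0-1")

if __name__ == "__main__":
    for src, dst in [("core_banking_emulator", "web_browser"),
                     ("notepad", "web_browser"),
                     ("web_browser", "core_banking_emulator")]:
        v = evaluate_transfer(SAMPLE_CLIPBOARD, src, dst)
        print(f"{src} -> {dst}: {v.action} {v.reasons}")
```

The Luhn check and the SSN issuance rules are what keep a filter like this from flagging every 16-digit reference number or every 3-2-4 string; without them the false-positive rate makes the block action unusable, which is exactly why Brockett advises starting with a handful of filters and tuning before widening the rollout.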

ActiveSentry’s agents operate transparently to the user, with no icons or system-tray presence. Brockett and his team did not find it necessary to alert bank personnel to the application’s presence.

"We do not want the user community to know exactly what it is that we are monitoring or how it works," he explains. "Too much information in that regard can compromise some critical elements of your monitoring program. We do, however, make it very clear in our policies that the bank has the right to monitor all of its computing devices and user activity."

Educating bank employees has become a significant means of enforcing policies and security practices. Washington Trust has a computer/systems usage policy, an Internet usage policy and an e-mail usage policy. To enforce them, the bank has operational risk coordinators who represent each major department in the organization.

Despite these precautions, a 60-day test using ActiveSentry made some troubling discoveries. Through the solution’s data capture, the bank found a fair amount of suspicious Internet activity. Situations identified as potentially risky included:

  • users having proprietary bank applications and potentially risky Internet sites open simultaneously;
  • individuals putting their own sensitive data (e.g., account numbers, debit card numbers) at risk, showing how easily private information could be disclosed; and
  • employees using secure Web chat, prohibited by bank policy, through Web sites with built-in chat capabilities.

"I have no doubt that the solution provided us with a deeper view of desktop activity than we’ve ever seen before," Brockett says. "We can now greatly enhance compliance requirements and more fully enforce our information security policies. The loss potential from an information security compromise could be immeasurable. You just can’t calculate loss of reputation and trust."

For more information from NextSentry:
www.rsleads.com/707cn-250