My company is always looking for ways to save money. One maneuver -- outsourcing the development of a module of one of our software products -- almost cost us big time.
At issue: An offshore vendor might be stealing the company's source code.
Action plan: Quickly find a way to monitor the network, and then deploy an effective means of blocking USB ports.
We had chosen a provider in Southeast Asia, based not just on its extremely low cost but also on the quality of work we'd seen it deliver in the past, which was far superior to that of other low-cost, offshore locations. Recently, we decided to decrease the number of engineers working on the project, and the vendor ended up laying off one of the removed engineers. That laid-off engineer let us know that the vendor was using our source code to create a competing product. He either wouldn't or couldn't tell us many details, but he did say that our source code was being copied to USB drives to avoid detection and then being shared within the vendor company.
We had to act quickly to verify the accusation and stop the theft before all of our source code could be taken.
Our company policy is that vendors working in an R&D capacity must use hardware that we provide. That's a good first step, but my preference, naturally, would have been to use that hardware to implement precautions that would protect our intellectual property. Unfortunately, we don't do anything special with those laptops.
We also didn't have any monitoring equipment at this small office. Now that we badly needed to monitor its traffic, we decided to quietly reroute it to Singapore, a main hub for us where we had recently deployed data loss prevention (DLP) technology. Next, we surreptitiously deployed endpoint DLP agents to the PCs in the office of the suspect vendor. Now we had full visibility, both at the network layer and at the endpoint.
Block Those Drives
Within hours, we got a hit.
Two software engineers on the project were copying huge amounts of source code from their desktops (which shouldn't have been storing source code) to external USB drives.
We wanted to block that data and keep it off the USB drives. We looked at doing this via the BIOS, but that proved to be difficult. A technician would have to go to the site and configure the BIOS on all of the PCs in the vendor's office. Not only would that take a lot of time, but using BIOS to turn off the USB ports would also block legitimate items, such as USB mice, keyboards and cameras, and all of those would be needed.
Next we considered employing the DLP endpoint agent to block USB drives, but we already knew about a bug that prevents the agent from differentiating between a USB drive and a second hard drive installed in the laptop. Our DLP vendor is working on a fix for that problem, but we don't have it yet.
We also investigated the use of Microsoft Group Policy Objects, and that may work for the long term, but that fix wouldn't be quick enough to meet our present needs. The quick-and-dirty option that we settled on to block the use of external storage devices was to change a policy configuration in our endpoint antivirus software. No one had to travel to the site, and we weren't disabling devices such as mice, keyboards and cameras. Critically important, we have a policy set up that makes it impossible for users to disable antivirus protection.
Now that we feel more secure about what is happening at the office of the offshore vendor, we will work with our legal and human resources departments to investigate the source code leakage in more detail. That vendor might not work for us much longer. I will also be advocating that we restrict the use of USB drives on all corporate devices used to process sensitive information.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.