A large consulting company with offices in Spain found that some of its sensitive information was leaking out to competitors, and they were losing business. They had an open policy for Internet use and didn't want to punish employees by imposing restricted access upon them because of a few possible malicious insiders. Since one of their requirements was to reduce the negative impact on employees, but still catch the insiders, they decided to implement the following strategy.
They used their ESM to monitor activity by having it look for suspicious events. Those users who created these suspicious events were added to a suspicious user active list. The company integrated the ESM with a content monitoring solution that was capable of actually displaying a document uploaded to the Internet, instant messaging content, and even e-mail content—but only if the user was part of the suspicious user active list. By using this dual-phase approach, they avoided wholesale content monitoring of their employees. And since the space required for content storage is significantly higher than for event storage, they also reduced storage space needs.
Initially they were watching for suspicious users based on which sites the user visited, where e-mail came from or went, and similar variables primarily associated with competitor sites. This proved to be of little use and, since marketers tend to read competitor Web sites, basically put everybody in the marketing department on the suspicious user active list. So they placed the marketing group on a white list, and configured the ESM to not consider these users suspicious. Still, watching Web sites proved to be of little use.
What the company discovered to be relevant was that unusually large files were being uploaded to sites on the Internet. This was typically being done around 8:00 AM on weekdays, a time when most of the employees—who did not come in until around 10:00 AM—were not in the office. This was outside the network's baseline utilization. While it was somewhat common for some employees to download large files such as ISO images of operating systems and software tools, it was not usual for them to upload large files to external sites.
Eventually, they traced these uploads to a single internal employee who was on the suspicious list. The large files turned out to be custom applications that the consulting firm was writing for a customer. The destination of the uploaded files didn't reveal any direct relationship to a competitor.
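The two-phase strategy described in this case, modelled as an added example that is not the book's own code nor the company's actual ESM configuration. It assumes a proxy-style event format, a 100 MB "unusually large" upload threshold, a 10:00 AM start of the working day, one constructed competitor domain and one constructed marketing user on the white list; all log lines are constructed. Phase one runs cheap event rules (the noisy competitor-site rule and the large off-hours upload rule that actually found the leak) and keeps a suspicious user active list, honouring the marketing white list; phase two gates expensive content capture on membership in that list.

```python
"""Two-phase insider-leak monitoring, modelled on the ESM strategy in the case study.

Phase 1: cheap event-level rules maintain a 'suspicious user' active list.
Phase 2: expensive content capture is enabled only for users on that list.
All names, thresholds and log lines below are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample events in a proxy-like key=value form (not from the book).
# 2006-07-10 is a Monday; 2006-07-15 is a Saturday.
RAW_EVENTS = """\
2006-07-10T08:05:12 user=jgarcia dir=upload bytes=734003200 dst=filehost.example
2006-07-10T09:15:44 user=lperez dir=upload bytes=2048 dst=competitor.example
2006-07-10T11:30:01 user=mruiz dir=download bytes=4294967296 dst=mirror.example
2006-07-11T08:02:33 user=jgarcia dir=upload bytes=512000000 dst=filehost.example
2006-07-12T14:20:00 user=adiaz dir=upload bytes=900000000 dst=drive.example
2006-07-15T08:10:00 user=tlopez dir=upload bytes=800000000 dst=filehost.example
"""

# Assumed tuning standing in for the company's own: a 100 MB upload is "unusually
# large", staff are normally in from 10:00 AM, and the marketing group is white-listed.
LARGE_UPLOAD_BYTES = 100 * 1024 * 1024
WORKDAY_START_HOUR = 10
COMPETITOR_SITES = {"competitor.example"}   # constructed competitor domain
WHITELISTED_USERS = {"lperez"}              # constructed marketing-group user


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    direction: str
    nbytes: int
    dst: str


def parse_event(line: str) -> Event:
    """Parse one 'timestamp key=value ...' record into an Event."""
    ts_text, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    return Event(datetime.fromisoformat(ts_text), kv["user"], kv["dir"],
                 int(kv["bytes"]), kv["dst"])


def is_off_hours(ts: datetime) -> bool:
    """Weekday traffic before the normal start of the working day."""
    return ts.weekday() < 5 and ts.hour < WORKDAY_START_HOUR


def competitor_site_rule(ev: Event) -> bool:
    """The company's first rule: any traffic to a known competitor site (noisy)."""
    return ev.dst in COMPETITOR_SITES


def large_offhours_upload_rule(ev: Event) -> bool:
    """The rule that found the leak: a large upload outside baseline working hours.
    Downloads (ISO images, tools) are deliberately ignored; only uploads count."""
    return (ev.direction == "upload" and ev.nbytes >= LARGE_UPLOAD_BYTES
            and is_off_hours(ev.ts))


RULES = {"competitor_site": competitor_site_rule,
         "large_offhours_upload": large_offhours_upload_rule}


def build_active_list(raw: str, whitelist=WHITELISTED_USERS) -> dict:
    """Phase 1: map each non-white-listed user to the set of rule names they triggered."""
    active = defaultdict(set)
    for line in raw.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.user in whitelist:
            continue  # marketing reads competitor sites as part of the job
        for name, rule in RULES.items():
            if rule(ev):
                active[ev.user].add(name)
    return dict(active)


def should_capture_content(user: str, active: dict) -> bool:
    """Phase 2 gate: the content monitor keeps a user's uploaded documents, IM and
    e-mail content only if that user is already on the suspicious-user active list."""
    return user in active


if __name__ == "__main__":
    active_list = build_active_list(RAW_EVENTS)
    for user, reasons in sorted(active_list.items()):
        print(f"{user}: {sorted(reasons)}")
    for user in ("jgarcia", "lperez", "mruiz"):
        mode = "capture content" if should_capture_content(user, active_list) else "events only"
        print(f"{user} -> {mode}")
```

Running it puts only `jgarcia` on the active list (two large weekday uploads at about 8:00 AM), so content capture is enabled for that one user and nobody else; passing an empty white list shows why the first rule was noisy, since `lperez` would then be listed purely for visiting a competitor site.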
Chapter 11 • Suspicious Activity—A Consulting Company in Spain