Percept good at keeping things in
Leaks can be as bad as viruses

by Tony Kindelspire, Daily Times-Call Business Columnist
July 30, 2006

BOULDER — Corporate IT departments are forced to pay attention to what the outside world brings into their networks. Spam, viruses, worms, malware and other harmful intruders have proliferated to where it’s a never-ending battle to keep the bad stuff out.

But what about keeping the good stuff in? A Boulder company has found itself playing an important role in combating this other kind of security threat.

Percept Technology Labs is a 10-year-old testing company that has come out with the IT industry’s first written criteria regarding information leak prevention software and technologies. Whether the leaks are unintentional or malicious, it’s an issue of utmost concern — just ask the Department of Veterans Affairs.

In Indianapolis earlier this month, a backup tape containing 16,538 veterans’ legal cases was discovered missing. That follows the theft of a computer and disks from a VA employee in Washington who put the personal data of 26.5 million veterans at risk. Yet another breach was discovered at the VA’s Minneapolis headquarters.

“We’ve seen it increase from nothing a couple of years ago ... to one or two a month,” said Brian Cleveland, Percept’s president and CEO.

In fact, Percept discovered that since last year, more than 110 information leaks have been reported that affect about 54 million Americans. According to research conducted by the Ponemon Institute, each breach costs companies between $5 million and $14 million.

Recently, Percept was hired by Palo Alto, Calif.-based PortAuthority Technologies to examine its product — the PortAuthority MX — and compare it to other information leak prevention software on the market. Cleveland said it was likely Percept’s work for Microsoft, for which it had been testing a new kind of mouse, that led PortAuthority to hire his company.

“We’re getting more and more business like this, where a company will ask us to do comparative analyses of their product and some of their competitors’ products,” Cleveland said. “They want that independent verification.”

To see how PortAuthority MX and its PreciseID technology stacked up, Percept did some research and picked two appropriate competitors: IronMail S-10, made by CypherTrust, and Mail Security Gateway 8220, made by Symantec.

For a true comparison, Percept bought the three companies’ products right off the shelf. “We don’t allow them to cherry pick,” Cleveland said.

Sharon Besser, director of product for PortAuthority, said the 6-year-old company put its first information leak prevention product on the market in 2002. PortAuthority MX is in its fifth generation, and Besser said the growth of his company clearly reflects what’s being discussed at firms such as financial institutions, health-care providers and credit card companies.

“There are many solutions that prevent the bad guys from invading your network, and I think the companies are doing a pretty good job of keeping the bad guys out,” Besser said. “The focus needs to change from dealing with threats to dealing with data. We’ve seen a shift in the market in the past 12 months. Suddenly people understand the problem.”

There are many ways sensitive data can be extracted from a company — sometimes it’s simply accidental, but sometimes it’s intentional.

“A good example (of a malicious leak) would be taking a financial statement and dropping it into an image file, or a jpeg file,” said Cleveland.

Software such as PortAuthority MX must be able to recognize when this has occurred. Percept’s testing was comprehensive, encompassing nine different areas where breaches might occur, including:

False positives — Is the software blocking legitimate e-mails?

Record management — Is customer data being sent to a printer, or as an e-mail attachment, when it shouldn’t be?

Data flooding — Is sensitive information being buried somewhere inside a much larger file to hide it?

Hidden data — Someone seeking to sneak data out of a network may attempt to hide text by covering it with a picture, for example.

As it turns out, the software made by PortAuthority proved the best of the three Percept tested. But Cleveland said his company played no favorites, adding that Percept’s reputation as an independent lab is the lifeblood of the business.

Besser said the testing was a breakthrough in the growing information leak prevention industry.

“It’s the first test by an independent lab, but it’s also the first test using open criteria,” said Besser. “The industry had no criteria to measure effectiveness.”

He said the PortAuthority Web site now offers the testing criteria for download free of charge, and so far there have been more than 1,0000 downloads.

“We don’t sell the test but we sell the leak prevention solution,” said Bessler.

Cleveland said his 13-person company does about 80 percent of its testing on hardware and about 20 percent on software. Locally, its clients include Cornice, Seagate, Sun Microsystems and Spectra Logic, but overall about half the company’s customers are out of state.

Tony Kindelspire can be reached at 303-684-5291, or by e-mail at tkindelspire@times-call.com.

# # #