Friday, October 24, 2003

What is Extrusion Detection?

Yesterday, reading a brief article by Robert Moskowitz, I noticed the term "extrusion detection":

"There's no sure way to track spying data that leaves your network. Perhaps the next big security tool will be outward-bound--extrusion-detection systems."

Searching the Web, I found Moskowitz mentioned the term four years ago, in this 29 Nov 99 article:

"What you need is a reversed IDT (intrusion-detection tool), and perhaps an EDT (extrusion-detection tool) that will perform automatic searches for your own metatags..."

However, Frank Knobbe has him beat, according to this 5 Nov 99 post, discussing SEC investigations of insider trading:

"...[T]his sounds more like an Extrusion Detection than Intrusion... There are packages available that scan inbound and outbound emails for certain key words/key phrases, and dump these emails in a bucket where analysts (humans) can read, evaluate, and approve or deny them. I guess this raises the question if email scanners should be considered Intrusion Detection tools..."

Although much more recent, Ronald DuFresne wrote a short paper which mentions "EDS" but doesn't say a whole lot. Fidelis sells "Extrusion Prevention Systems" "for organizations with valuable digital assets that are concerned about the theft of proprietary information... Fidelis DataSafe EPS is an extrusion prevention system that detects and prevents the unauthorized network transfer of designated sensitive or valuable information."

Bamm and I used extrusion detection techniques during Code Red. It was easier to watch outbound traffic from our infected boxes than it was to monitor inbound intrusion attempts.
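As an added illustration of the outbound-watching idea above (example code written for this page, not tooling from the original post), the script below flags an internal host that opens connections to many distinct external web servers within one minute, the egress pattern a worm such as Code Red produces when it scans for new victims. The 10.0.0.0/8 internal range, the fan-out threshold, and the log records are assumptions constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions (not from the original post): the internal address space and a
# per-minute fan-out threshold that a normal workstation rarely exceeds.
INTERNAL = ip_network("10.0.0.0/8")
FANOUT_THRESHOLD = 5

# Constructed sample of outbound connection records: "<time> <src> <dst> <dport>".
# 10.1.2.3 behaves like a worm victim (many new port-80 targets in one minute);
# 10.1.2.50 is an ordinary user browsing two sites.
SAMPLE_LOG = """\
2001-07-19T10:00:01 10.1.2.3 198.51.100.7 80
2001-07-19T10:00:01 10.1.2.3 203.0.113.9 80
2001-07-19T10:00:02 10.1.2.3 192.0.2.44 80
2001-07-19T10:00:02 10.1.2.3 198.51.100.201 80
2001-07-19T10:00:03 10.1.2.3 203.0.113.77 80
2001-07-19T10:00:03 10.1.2.3 192.0.2.130 80
2001-07-19T10:00:03 10.1.2.3 10.1.9.9 80
2001-07-19T10:00:05 10.1.2.50 198.51.100.7 80
2001-07-19T10:00:06 10.1.2.50 198.51.100.7 80
2001-07-19T10:00:09 10.1.2.50 203.0.113.9 443
"""

def parse_records(text):
    """Yield (minute, src, dst, dport) per well-formed line; skip malformed ones."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, dport = parts
        try:
            yield ts[:16], ip_address(src), ip_address(dst), int(dport)
        except ValueError:
            continue

def outbound_fanout(text, threshold=FANOUT_THRESHOLD):
    """Return {(src, dport): sorted external dsts} for internal sources that
    reached at least `threshold` distinct external hosts on one port in a minute."""
    seen = defaultdict(set)  # (minute, src, dport) -> external dsts
    for minute, src, dst, dport in parse_records(text):
        if src in INTERNAL and dst not in INTERNAL:  # only traffic leaving the network
            seen[(minute, str(src), dport)].add(str(dst))
    alerts = defaultdict(set)
    for (minute, src, dport), dsts in seen.items():
        if len(dsts) >= threshold:
            alerts[(src, dport)].update(dsts)
    return {key: sorted(dsts) for key, dsts in alerts.items()}

if __name__ == "__main__":
    for (src, dport), dsts in outbound_fanout(SAMPLE_LOG).items():
        print(f"possible worm egress: {src} -> {len(dsts)} external hosts on tcp/{dport}")
```

Feeding the same function real sensor output (one record per connection) is the only change needed to run it against live egress traffic.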