DLP and protection of engineering data from plagiarism
This time we would like to talk about a somewhat extraordinary way to protect electronic engineering data from unauthorized commercial use by third parties, or shortly - plagiarism.
A small preamble: the leakage and plagiarism of development is indeed a very topical issue for engineering organizations.
For many customers, an important criterion is that the company has completed projects that have been agreed by all authorities and are in operation. The entire long and complex project cycle has already passed these solutions, and the corresponding electronic engineering documentation is in regular use. The value of such assets practically does not decrease with time, because the agreed engineering solutions can be adapted for new projects. Such data, we will further call engineering data of paramount importance.
The design bureaus widely use digital prototype technology and information modeling, which "lead to one denominator" engineering data. The integration of engineering sections using specialized software CAD / CAE / CAM / BIM-environments allows various narrow specialists to work together on projects and quickly build joint solutions.
')
But, of course, all these advantages bring with them one big minus - the human factor. First of all, engineering companies are at risk of leakage of project information, because their own employees know better than anyone else about the value of certain developments.
Regulated data exchange in “medium” and “heavy” design environments has a high degree of security, but the project life cycle does not allow to avoid the transfer of information beyond the perimeter. Outsourcing, data exchange with contractors, participation in tenders, coordination in various instances - all these processes are as unavoidable as they are unsafe.
Data is transmitted by standard methods (by mail, network resources, via removable media), which creates sufficient conditions for accidental or intentional leakage. Of course, the DLP systems (from Data Leakage Prevention - data leakage prevention) have long been successfully controlled by these channels, but the problem is that almost no one actually does the prevention.
Strictly speaking, leakage prevention is possible in two cases:
Now let me turn to history itself: a company engaged in the design and construction of high-rise buildings and complexes began to receive from partners information that design documentation appeared in various tenders, completely copying its designs. It was obvious that someone from the staff "merges" projects to competitors, and they subsequently give them up for their own at competitions.
Technically, the introductory were as follows: the company's engineers work in the integrated information space of CAD solutions and use the means of automated engineering project management: coordination, borrowing, staging. In addition to the electronic archive there is an archive with paper copies. The organization has a DLP solution that controls SMTP (S) -, IMAP / POP3- and HTTP (S) traffic, as well as running applications, removable media and peripheral devices.
According to DLP reports, engineering documentation went through several conditionally suspicious routes - to mailboxes on public mail services. However, these addresses were completely faceless and could belong to anyone. The company also wanted to find out who specifically poured the documentation, and most importantly - to catch competitors in the act.
We were faced with a rather difficult task: it was necessary to identify an unscrupulous competitor, to prove the fact of plagiarism, and the client company must be protected from possible risks in a collision with such plagiarism in the tender.
Especially for this, a simple, but as it turned out, an effective course was invented. We created a technology called data reconstruction, which allows you to modify or delete the transmitted information (or part of it) before sending it to the recipient.
To use the technology in the company it was necessary to hold a number of events. At the first stage, we determined which data are most at risk of plagiarism at the moment. These were projects that are at the stage of competitive procedures, engineering data of paramount importance.
The second step was the compilation of a list of employees with access to engineering developments that competitors could copy and use for their own purposes. These employees formed a circle of persons “under suspicion”, i.e. a group to which the system automatically applies more stringent security policies.
At the third stage, a circle of susceptible recipients was formed. And, finally, the most likely critical channels through which the protected information could be transmitted were identified.
As a result, a chain of high-risk areas is formed:
Persons under suspicion → Engineering data of paramount importance → Critical communication channels → Recipients
At the intersection of these areas and is a combination of those cases where the risk of leakage and subsequent plagiarism increases many times. In these cases, the DLP system reconstructed the data.
The DLP system automatically fixes cases at the intersection of these areas and replaces the source data with a modified version.
In principle, the technology can be implemented in several ways:
Disclaimer: do not try this at home! The introduction of technology should be carried out with the involvement of professional engineers and require coordination with management.
The first procedure - essentially a “pseudo-electronic signature” can be used to prove that the data used by competitors are plagiarized by your company's development.
The second, together with the detection of plagiarism, makes it impossible to use engineering solutions. Therefore, here you need to have a certain confidence that the changes will not affect an important business process.
For example, a specialist who is not employed in a project sends personal information to a recipient who is not one of the contractors of the project. Sometimes the condition of such modifications should be their invisibility to the external user.
In other situations, you can notify the recipient about the unsuitability of data by automatically inserting special warnings into files.
In our case, the company chose the second option and used simple and visually imperceptible rotation of some objects (for example, several buildings in the neighborhood project) or removal of communications in the construction objects on the drawings.
Three months later, at one of the contests, the customer was face to face with a competitor, who submitted a package of documents and drawings that were visually indistinguishable from those submitted by the company itself. This is where our method played. First, the data submitted by a competitor was unsuitable for implementation, and the documentation was withdrawn from the competition. Secondly, the company was able to prove the fact of plagiarism, and competitors suffered serious damage; reputation in this area is an important asset.
The investigation showed that the modified data fell to the company to a competitor from a leading engineer who was not involved in the project of the competition, but had access to it. The employee was fired.
The data reconstruction method can be very effective in the early stages of the implementation of a DLP solution when it is still building security policies that are able to maintain a balance between convenience and security, impact on business processes and the protection of sensitive data. Depending on the scope of activities and design technologies, the method may have different implementations. It is particularly relevant for engineering industries: industrial and precision engineering, aircraft manufacturing, chemical production, electronics development, etc.
The method is quite simple and allows you to solve a number of problems, leveling the negative effects of a leak, even if it happens. However, we must remember that it is not the final point in the project. The result of the implementation should be a set of organizational and technical measures suitable for a specific customer.
I thank Solar-Alex for help in preparing the article.
A small preamble: the leakage and plagiarism of development is indeed a very topical issue for engineering organizations.
For many customers, an important criterion is that the company has completed projects that have been agreed by all authorities and are in operation. The entire long and complex project cycle has already passed these solutions, and the corresponding electronic engineering documentation is in regular use. The value of such assets practically does not decrease with time, because the agreed engineering solutions can be adapted for new projects. Such data, we will further call engineering data of paramount importance.
The design bureaus widely use digital prototype technology and information modeling, which "lead to one denominator" engineering data. The integration of engineering sections using specialized software CAD / CAE / CAM / BIM-environments allows various narrow specialists to work together on projects and quickly build joint solutions.
')
But, of course, all these advantages bring with them one big minus - the human factor. First of all, engineering companies are at risk of leakage of project information, because their own employees know better than anyone else about the value of certain developments.
Regulated data exchange in “medium” and “heavy” design environments has a high degree of security, but the project life cycle does not allow to avoid the transfer of information beyond the perimeter. Outsourcing, data exchange with contractors, participation in tenders, coordination in various instances - all these processes are as unavoidable as they are unsafe.
Data is transmitted by standard methods (by mail, network resources, via removable media), which creates sufficient conditions for accidental or intentional leakage. Of course, the DLP systems (from Data Leakage Prevention - data leakage prevention) have long been successfully controlled by these channels, but the problem is that almost no one actually does the prevention.
Strictly speaking, leakage prevention is possible in two cases:
- The company puts the DLP-system "in the gap", and every suspicious action is blocked until the test is safe. Provides a high level of security of valuable information, but slows down all the processes in the company so much that sometimes a business loses on this “side effect” more than it would lose from information leakage. For example, in the case of false positives, a letter that is directed outward will “hang” and wait until the security officer allows sending.
- The DLP system generates profiles of the standard behavior of employees, in order to be able to detect anomalies. This is a more complicated path, which, firstly, not all vendors can provide from a technological point of view; secondly, not every customer is willing to pay for deep analytics.
Now let me turn to history itself: a company engaged in the design and construction of high-rise buildings and complexes began to receive from partners information that design documentation appeared in various tenders, completely copying its designs. It was obvious that someone from the staff "merges" projects to competitors, and they subsequently give them up for their own at competitions.
Technically, the introductory were as follows: the company's engineers work in the integrated information space of CAD solutions and use the means of automated engineering project management: coordination, borrowing, staging. In addition to the electronic archive there is an archive with paper copies. The organization has a DLP solution that controls SMTP (S) -, IMAP / POP3- and HTTP (S) traffic, as well as running applications, removable media and peripheral devices.
According to DLP reports, engineering documentation went through several conditionally suspicious routes - to mailboxes on public mail services. However, these addresses were completely faceless and could belong to anyone. The company also wanted to find out who specifically poured the documentation, and most importantly - to catch competitors in the act.
We were faced with a rather difficult task: it was necessary to identify an unscrupulous competitor, to prove the fact of plagiarism, and the client company must be protected from possible risks in a collision with such plagiarism in the tender.
Especially for this, a simple, but as it turned out, an effective course was invented. We created a technology called data reconstruction, which allows you to modify or delete the transmitted information (or part of it) before sending it to the recipient.
How it works
To use the technology in the company it was necessary to hold a number of events. At the first stage, we determined which data are most at risk of plagiarism at the moment. These were projects that are at the stage of competitive procedures, engineering data of paramount importance.
The second step was the compilation of a list of employees with access to engineering developments that competitors could copy and use for their own purposes. These employees formed a circle of persons “under suspicion”, i.e. a group to which the system automatically applies more stringent security policies.
At the third stage, a circle of susceptible recipients was formed. And, finally, the most likely critical channels through which the protected information could be transmitted were identified.
As a result, a chain of high-risk areas is formed:
Persons under suspicion → Engineering data of paramount importance → Critical communication channels → Recipients
At the intersection of these areas and is a combination of those cases where the risk of leakage and subsequent plagiarism increases many times. In these cases, the DLP system reconstructed the data.
The DLP system automatically fixes cases at the intersection of these areas and replaces the source data with a modified version.
In principle, the technology can be implemented in several ways:
- adding characteristic features (drawing objects, parts, renaming individual elements) without deforming the original data;
- partial data transformation (replacement, deletion);
- partial data transformation (replacement, deletion) plus the addition of warnings that the recipient is accepting invalid (modified) data.
Disclaimer: do not try this at home! The introduction of technology should be carried out with the involvement of professional engineers and require coordination with management.
The first procedure - essentially a “pseudo-electronic signature” can be used to prove that the data used by competitors are plagiarized by your company's development.
The second, together with the detection of plagiarism, makes it impossible to use engineering solutions. Therefore, here you need to have a certain confidence that the changes will not affect an important business process.
For example, a specialist who is not employed in a project sends personal information to a recipient who is not one of the contractors of the project. Sometimes the condition of such modifications should be their invisibility to the external user.
In other situations, you can notify the recipient about the unsuitability of data by automatically inserting special warnings into files.
Effect
In our case, the company chose the second option and used simple and visually imperceptible rotation of some objects (for example, several buildings in the neighborhood project) or removal of communications in the construction objects on the drawings.
Three months later, at one of the contests, the customer was face to face with a competitor, who submitted a package of documents and drawings that were visually indistinguishable from those submitted by the company itself. This is where our method played. First, the data submitted by a competitor was unsuitable for implementation, and the documentation was withdrawn from the competition. Secondly, the company was able to prove the fact of plagiarism, and competitors suffered serious damage; reputation in this area is an important asset.
The investigation showed that the modified data fell to the company to a competitor from a leading engineer who was not involved in the project of the competition, but had access to it. The employee was fired.
Conclusion
The data reconstruction method can be very effective in the early stages of the implementation of a DLP solution when it is still building security policies that are able to maintain a balance between convenience and security, impact on business processes and the protection of sensitive data. Depending on the scope of activities and design technologies, the method may have different implementations. It is particularly relevant for engineering industries: industrial and precision engineering, aircraft manufacturing, chemical production, electronics development, etc.
The method is quite simple and allows you to solve a number of problems, leveling the negative effects of a leak, even if it happens. However, we must remember that it is not the final point in the project. The result of the implementation should be a set of organizational and technical measures suitable for a specific customer.
I thank Solar-Alex for help in preparing the article.
Source: https://habr.com/ru/post/313012/
All Articles