Security Manager's Journal: A deal that's too good to be true

My company is always looking for ways to save money. One maneuver -- outsourcing the development of a module of one of our software products -- almost cost us big time.

Trouble Ticket

At issue: An offshore vendor might be stealing the company's source code.

Action plan: Quickly find a way to monitor the network, and then deploy an effective means of blocking USB ports.

We had chosen a provider in Southeast Asia, based not just on its extremely low cost but also on the quality of work we'd seen it deliver in the past, which was far superior to that of other low-cost, offshore locations. Recently, we decided to decrease the number of engineers working on the project, and the vendor ended up laying off one of the removed engineers. That laid-off engineer let us know that the vendor was using our source code to create a competing product. He either wouldn't or couldn't tell us many details, but he did say that our source code was being copied to USB drives to avoid detection and then being shared within the vendor company.

We had to act quickly to verify the accusation and stop the theft before all of our source code could be taken.

Our company policy is that vendors working in an R&D capacity must use hardware that we provide. That's a good first step, but my preference, naturally, would have been to use that hardware to implement precautions that would protect our intellectual property. Unfortunately, we don't do anything special with those laptops.

We also didn't have any monitoring equipment at this small office. Now that we badly needed to monitor its traffic, we decided to quietly reroute it to Singapore, a main hub for us where we had recently deployed data loss prevention (DLP) technology. Next, we surreptitiously deployed endpoint DLP agents to the PCs in the office of the suspect vendor. Now we had full visibility, both at the network layer and at the endpoint.

Block Those Drives

Within hours, we got a hit.

Two software engineers on the project were copying huge amounts of source code from their desktops (which shouldn't have been storing source code) to external USB drives.

We wanted to block that copying and keep the source code off USB drives. We looked at doing this via the BIOS, but that proved to be difficult. A technician would have to go to the site and configure the BIOS on all of the PCs in the vendor's office. Not only would that take a lot of time, but using the BIOS to turn off the USB ports would also block legitimate devices, such as USB mice, keyboards and cameras, all of which would be needed.

Next we considered employing the DLP endpoint agent to block USB drives, but we already knew about a bug that prevents the agent from differentiating between a USB drive and a second hard drive installed in the laptop. Our DLP vendor is working on a fix for that problem, but we don't have it yet.

We also investigated the use of Microsoft Group Policy Objects, and that may work for the long term, but that fix wouldn't be quick enough to meet our present needs. The quick-and-dirty option that we settled on to block the use of external storage devices was to change a policy configuration in our endpoint antivirus software. No one had to travel to the site, and we weren't disabling devices such as mice, keyboards and cameras. Critically, we have a policy in place that makes it impossible for users to disable antivirus protection.
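The Group Policy route mentioned above as the longer-term fix comes down to a registry setting. The script below is an added example, not the column author's actual configuration: it writes the same values that the "Removable Storage Access" policy ("Removable Disks: Deny write access") writes, so drives become read-only while mice, keyboards and cameras keep working, then verifies the result. It assumes an elevated PowerShell session on a Windows endpoint with the Storage module's Get-Disk available.

```powershell
# Added example, not the column author's configuration.
# Makes removable disks read-only via the registry values behind the
# "Removable Disks: Deny write access" Group Policy setting. Run elevated.

$PolicyRoot     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Device class GUID the Removable Storage Access policy uses for removable disks.
$RemovableDisks = Join-Path $PolicyRoot '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'

function Set-RemovableDiskWriteBlock {
    param([bool]$Enabled = $true)
    if (-not (Test-Path $RemovableDisks)) {
        New-Item -Path $RemovableDisks -Force | Out-Null
    }
    # Deny_Write = 1 blocks writes only. Deny_Read is left alone so media can
    # still be read if legitimately needed; keyboards, mice and cameras are not
    # disk-class devices and are unaffected, unlike a BIOS-level USB shutdown.
    New-ItemProperty -Path $RemovableDisks -Name 'Deny_Write' -PropertyType DWord `
        -Value ([int]$Enabled) -Force | Out-Null
}

function Test-RemovableDiskWriteBlock {
    # $true when the write block is in force; usable as a compliance check.
    $p = Get-ItemProperty -Path $RemovableDisks -Name 'Deny_Write' -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.Deny_Write -eq 1)
}

function Get-AttachedUsbDisks {
    # Inventory of USB-attached disks for the investigation record.
    Get-Disk | Where-Object BusType -eq 'USB' |
        Select-Object Number, FriendlyName, SerialNumber,
            @{ n = 'SizeGB'; e = { [math]::Round($_.Size / 1GB, 1) } }
}

Set-RemovableDiskWriteBlock -Enabled $true
if (Test-RemovableDiskWriteBlock) {
    Write-Output 'Removable disk write block is in force for newly mounted drives.'
} else {
    Write-Warning 'Policy value not set; check that this session is elevated.'
}
Get-AttachedUsbDisks | Format-Table -AutoSize
```

Drives already mounted when the value is written may need to be reconnected before the block applies, and a local administrator can reverse a local registry edit, so for the long term the same setting belongs in a domain GPO that reapplies on every policy refresh.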

Now that we feel more secure about what is happening at the office of the offshore vendor, we will work with our legal and human resources departments to investigate the source code leakage in more detail. That vendor might not work for us much longer. I will also be advocating that we restrict the use of USB drives on all corporate devices used to process sensitive information.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at
