Let’s face it, this is not your father’s Internet (or, for those of us who first went online in the late 90s, even Jon Postel’s Internet). As invaluable a tool as the Internet is, as empowering as having unlimited information instantly accessible is, and as enabling as virtually instant communication is, the Internet is full of bad things against which we must protect our employees. A solution that offers web filtering and/or web monitoring is a key part of a defense-in-depth approach to defending our users.
Before we talk about web monitoring software, we do need to cover three important components that you do not want to go without. Have these in place first.
Acceptable use policy
As part of a written information security policy, having an Acceptable Use Policy is critical. With it, your users will understand what is expected of them; what is appropriate, and what is not. Without it, you have no way to respond to infractions or other inappropriate activities, such as downloading copyrighted material or accessing adult content.
Make sure that users are informed that their access to the Internet is subject to monitoring. By informing them of this fact, you ensure that they are aware that the Acceptable Use Policy is being enforced, and that they understand what is a reasonable expectation of privacy. Consult with your human resources and legal departments to ensure that you comply with any existing corporate policies, and legal or contractual obligations.
An understanding of what you want to do
At first glance this may seem obvious, but I have seen many IT initiatives flounder at this point. You want to know what types of websites are considered appropriate, what types are not, and you need to make certain that you have a process in place for the business to request exceptions or changes to this. No matter what kind of solution you implement or policy(ies) you choose to enforce, you will run into sites that are either wrongly classified, or that are necessary to access even if they are appropriately classified. The business needs a way to request access, and IT needs a way to evaluate, improve, and make appropriate exceptions.
Web monitoring versus web filtering
When implementing a security solution for web-based threats, consider both your users and the path their traffic takes between them and the Internet. If the users are all in central locations and access the Internet through choke points, a web-based proxy or a solution that plugs inline (or leverages the firewall or Internet router) can protect users while they are on the corporate network. However, traveling users, or those who take their laptops home, may then find themselves accessing the Internet without the protections offered by your solution. In those cases, either deploying an agent-based solution, or requiring users to always connect using a VPN, will enable you to protect them even when they are out of the office.
Web monitoring solutions do just what the name implies: they monitor web access. They can log access, alert when a policy violation is detected, or even interdict access, but most are otherwise passive in nature. Web filtering solutions also do as their name implies: they filter content accessed from the web, scanning downloaded files for malware or content that violates policy, and examining HTML streams for malicious scripts or key words that violate policy. The two are not mutually exclusive. Many solutions can do both, monitoring content and filtering attachments to maximise the protection provided to users.
It is important to implement policies that enforce the Acceptable Use Policy and that, in the case of violations, inform users when the actions they take violate policy. Keep in mind that most of those violations will be inadvertent, so do not react to a violation report as if someone has committed a crime. Whether they clicked a link in an email, or picked the wrong link from search results, the purpose of implementing a web monitoring or web filtering solution is to protect our users and corporate data, not to punish users for their actions. However, since you may encounter users who intentionally and chronically violate policy, implement logging that clearly identifies the user and the violation, and engage human resources when these actions violate the written acceptable use policy.
Implementing multi-layer protection is an important part of a defence-in-depth strategy, and reduces risks to your users and to corporate information assets. A recent survey of SMBs by GFI found that almost two out of three businesses lacking a web filtering solution experienced a security incident from malware downloaded from the Internet. This should make clear to any SMB lacking a web security solution that getting one in place should be a priority.