Most companies have reasonable  perimeter security – i.e. a firewall and IDS (intrusion detection system) or IPS (intrusion prevention system).   Although  security people often view an IPS as the next generation of IDS; it’s important to distinguish between the roles of detection and prevention. Detection helps you understand what kind of attacks are being mounted (or potentially COULD be mounted on the network, and prevention (an IPS) is an access control security countermeasure – a way of keeping the bad guys off your network.
However, in my experience,  the same companies with well-managed firewall/IPS don’t have the foggiest notion of what’s leaving their network or what’s happening inside the network.
There is nothing like collecting data and validating the effectiveness of your security countermeasures.
This is why we need network surveillance.

internal network surveillance is a capability for monitoring transactions inside the network between servers and clients) at 3 layers – network sessions, applications, and data contained inside client/server application transactions (Oracle, DB2, MSSQL, MySQL, HTTP, FTP RPC etc…). Internal Network surveillance has a series of additional benefts (as described in RIchard Bejtlich‘s excellent book – Extrusion Detection):

• Creating defensible networks with pervasive awareness  (most firms don’t even know what’s going on in their network – a client of ours was surprised to discover that almost 40 percent of their outgoing network traffic was Google mail – more than the corporate Microsoft Exchange traffic)
• Defending against malicious sites, browser exploits, Trojans and worms. In many cases, AUP (acceptable usage violations) such as employees browsing kiddy porn sites, file sharing sites with Web access like Rapid Share,  indicate hightened levels of vulnerability to Trojans and password theft.  Many people tend to use their corporate password on private sites
• Help implement effective L3 network access  control
• Respond to internal attacks – without relying upon preconceived notions of where the attacker is coming from
• Detect variances with user access polices i.e. users who have elevated privileges or use of generic usernames with group privileges

How should you collect data?
We do data collection in a Business Threat Modeling task with human intelligence (individual or group interviews with TOP Mapping ) and electronic intelligence gathering (network surveillance).  We like Fidelis XPS for network surveillance.   XPS is an extrusion prevention appliance that attaches to the network on a tap or a span port. XPS detects internal security violations at all 3 levels – network session, application and data content.
How do you take the data and validate the effectiveness of your security countermeasures?
The results of the data collected in the human interrogation and network surveillance are plugged directly into a Business Threat modeling calculative risk model (based on the popular PTA – Practical Threat analysis tool). A customer can quickly the impact of threats on the board:

1. What  are the data types (Word, PDF, Autocad…) and volume of extrusion on the network ?
2. Who is sending sensitive information out of the company?
3. What network protocols have the most extrusion events?
4. What US/EU privacy regulations are being violated?
5. What is the economic value of assets at risk ?
6. What is the implementation and operational cost of security countermeasures (people, process and technology) to detect data loss and internal security violations (such as a DBA abusing privileges to access entire contents of company employee directory and send to her private gmail account)