Ericka Chickowski at DarkReading has posted an article about some of the myths and misconceptions around data loss prevention (DLP) that have held back many implementations which could have made productive use of the deep content inspection capabilities DLP offers. It seems that most people who look at DLP have not clearly defined the problems they want to solve, have not learned enough about the tools to know that data classification does not have to be a monumental effort, or assume it will be so simple that they can purchase a small module, tick a few checkboxes, and be done. In reality, a solid DLP implementation is neither simple nor overly complex. It requires understanding your needs, appropriate budgeting, and good upfront implementation planning. Here, as in most other efforts, failing to plan is planning to fail.
“One of my pet peeves is a lot of people I meet say DLP is too hard, you can never do it, you’ve got to classify all of your data by hand before you can deploy DLP, or some garbage like that,” says panelist Rich Mogull, founder of analyst firm Securosis. “That’s not true; when you deploy properly you can get good results. The people I know who use DLP solutions don’t have those complaints. When you get out to the people who have actually used it, none of them will tell you it’s perfect — and, believe me, it never works as well as [the vendors] tell you it’s going to work — but they tend to give you an idea of how well it really does work.”
A few tips and considerations from me below:
- Define the problem you are seeking to solve. Break it down by platform and technology (e.g., email, FTP, HTTP) to aid in implementation planning.
- Purchase as much functionality as you need, but also look for a solution that can expand in both capability AND capacity.
- Consider budgeting for expansion modules in the near future. Your solution simply must be able to grow with you and with changes in the threat environment.
- Expect false positives, where items are misidentified, and seek out ways to carefully tune the solution.
- Expect to use, and budget for, expert advice and configuration time. Like an IDS, this is not going to be successful as a hands-off solution.
- Document clearly what your solution is intended to do, the systems it will integrate with, and how it will be monitored.
- Look for a solution that allows you to monitor passively for a period of time. This will greatly increase your ability to analyze and tweak your solution.
- Use the monitoring period to benchmark your environment. Get a better understanding of what actually goes on in your current environment.
- Invest in training for your staff. The initial outlay will be returned very quickly as expertise is developed and the learning curve is shortened.
- Manage the solution outputs, alerts and reports with well trained staff and solid processes and procedures.
- Let your users know that there is additional monitoring taking place before flipping the switch. This can aid in curbing bad behavior as well as being fair to your employees. Explain that it is intended to help capture errors in judgement, mistakes and policy missteps. Avoid making the users think it is ‘Big Brother’.
- Treat each alert as an error. Give your constituents the benefit of the doubt.
- Develop event and incident handling processes and procedures to deal with one-offs, blatant policy breaches, and repeat offences.
- Use your benchmark data to measure success, improvements, and areas of weakness.
- If your implementation was successful, plan for capacity and capability expansion. If not, examine the configuration or consider another platform.
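To illustrate the false-positive and passive-monitoring points above, here is an added example (written for this post, not code from the article or any DLP vendor): a naive card-number rule and a Luhn-tuned one are run in monitor mode over a few constructed messages, producing the benchmark counts you would compare before switching on enforcement. The messages, their labels and the rule definitions are my assumptions, and the card numbers are standard test PANs, not real accounts.

```python
import re

# Constructed sample outbound messages (not from the original post). The bool is the
# analyst's verdict on whether a real card number is present, the kind of ground
# truth gathered during a passive monitoring period. The PANs are standard test
# numbers, not real accounts.
SAMPLE_TRAFFIC = [
    ("Customer card on file: 4111 1111 1111 1111, exp 09/27", True),
    ("Refund approved for card 4532-0151-1283-0366", True),
    ("Order reference 1234567812345678 shipped today", False),
    ("Tracking number 9876543210123456 via carrier", False),
    ("Meeting moved to 3pm, see you there", False),
]

# 13 to 16 digits, optionally separated by spaces or dashes.
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: real card numbers pass it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def naive_rule(text: str) -> bool:
    """Flag any 13-16 digit run: cheap to write, noisy in practice."""
    return CARD_PATTERN.search(text) is not None

def tuned_rule(text: str) -> bool:
    """Flag only digit runs that also pass the Luhn checksum."""
    return any(luhn_ok(re.sub(r"[ -]", "", m.group(0)))
               for m in CARD_PATTERN.finditer(text))

def benchmark(traffic, rule) -> dict:
    """Passive mode: nothing is blocked, hits are only counted against the labels
    so the rule can be tuned before enforcement is switched on."""
    counts = {"alerts": 0, "true_positives": 0, "false_positives": 0, "missed": 0}
    for text, is_sensitive in traffic:
        flagged = rule(text)
        counts["alerts"] += flagged
        counts["true_positives"] += flagged and is_sensitive
        counts["false_positives"] += flagged and not is_sensitive
        counts["missed"] += is_sensitive and not flagged
    return counts
```

Running `benchmark(SAMPLE_TRAFFIC, naive_rule)` and `benchmark(SAMPLE_TRAFFIC, tuned_rule)` side by side shows the naive rule raising two false positives on order and tracking numbers that the Luhn check removes without losing a true hit; real traffic will also surface the opposite case, where a tuned rule misses something, which is exactly what the monitoring period is for.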
If you have already implemented a DLP solution, I’d be very interested in learning from your experiences.
- What worked for you?
- What problems did you encounter?
- How were they overcome?
- What additional features or improvements would you like to see in a DLP solution?
- What changes did you find in your users and their behaviors?
- Where will you take the solution from here?
If you are considering a DLP solution, what questions might you like to have answers about?