Why / When / How To Implement DLP?

This Data Loss Prevention question was posed on the Security Basics mailing list.  I thought I would share it so that others who have not subscribed to this good list can find it and do so, and so that those with similar questions can see what I and others have said about it.

-----Original Message-----


I would like to have your opinion about when/which organizations need a DLP solution? How does the need depend on the organization's work area, country, region or culture? How to implement the solution and handle the data classification and cooperate with data owners and business departments?



-----My Response-----

Continue reading

Considering DLP? Planning Is KEY!

Ericka Chickowski at DarkReading has posted an article about some of the myths and misconceptions around data loss prevention that have held back a lot of implementations that could have made productive use of the deep content inspection capabilities that DLP offers.  It seems that most people who look to DLP either haven't clearly defined the problems they are trying to solve, haven't learned enough about the tools to know that data classification doesn't have to be a monumental effort, or think it will be so simple that they can purchase a small module, tick a few checkboxes, and be done.  In reality, a solid DLP implementation is neither simple nor overly complex.  It just requires understanding your needs, appropriate budgeting, and good upfront implementation planning.  Failing to plan, as in most other efforts, is planning to fail.

“One of my pet peeves is a lot of people I meet say DLP is too hard, you can never do it, you’ve got to classify all of your data by hand before you can deploy DLP, or some garbage like that,” says panelist Rich Mogull, founder of analyst firm Securosis. “That’s not true; when you deploy properly you can get good results. The people I know who use DLP solutions don’t have those complaints. When you get out to the people who have actually used it, none of them will tell you it’s perfect — and, believe me, it never works as well as [the vendors] tell you it’s going to work — but they tend to give you an idea of how well it really does work.”

A few tips and considerations from me below:

Continue reading

Protecting Against Data Leaks

Wikileaks seems to have become a rather quiet issue.  Very little in the press lately, and not much discussion for such a high profile and potentially damaging experience.  In follow-up to “Could it Happen To You”, here are some thoughts on detecting data leakage, and protecting your sensitive data and intellectual property.

You will never completely eliminate the possibility that someone will leak documents to WikiLeaks or any other outside organization, and every organization, even one that operates legitimately and completely above board, has SOMETHING to hide.  Whether from the competition or from enemies, everyone has intellectual property and trade secrets to protect.  The opportunities and methods for extricating information in its various forms are just too diverse.  In order for any organization to function, individuals need to be able to access, copy, manipulate and print information.  There will always be a chance that an individual will intentionally or accidentally make that information available to an unauthorized audience or individual.  It could be as easy as adding the wrong email address to a CC list; auto-complete is notorious for making this example more common.

Eliminate Common Means

In incident response, an attacker typically needs 4 things in order to launch a successful attack.

  1. The opportunity to attack.  This is provided to insiders by having access to data, and poor internal controls.
  2. The ability to attack.  This is provided by the tools and knowledge available to anyone.
  3. The motive to attack.  This could be monetary, moralistic, vengeful, accidental, etc.
  4. The means to complete the attack.  This is the physical or logical device used to move the data.

Continue reading

WikiLeaks – Could It Happen To You?

For enterprise IT managers and security professionals, the on-going WikiLeaks disclosures underscore the information security gaps that exist even when common security controls are in use by large organizations.  It is not necessarily the controls themselves that are flawed, but more often the supporting processes and procedures that were quickly pulled together under pressure, and seldom if ever revisited or audited at a granular level for optimal performance and completeness.

This entire ordeal also serves to highlight the importance of adopting a “trust, but verify” approach to hiring practices and access control.  This means that you need to be just a little bit more paranoid regarding your practices, without distrusting your employees.  Remember that everyone that you hire is human, and that people will make mistakes if mistakes are possible.  They are (hopefully) hired due to their capabilities and experience, but what really separates them from the other candidates that showed up for an interview?  Were you able to validate their claims of reliability and trustworthiness?  Trust that they will exercise good judgement, work towards corporate betterment, but verify that each access to sensitive data or corporate intellectual property is properly justified.   Remove the temptation to go astray, and by all means, let them know that you verify.  Your intentions are to DISCOURAGE criminal or damaging behavior, not ENTRAP those who may err or fall prey to social engineering.

What controls should be in place?  That depends on the type and classification of the information that is at risk.  When it comes to client financial and personal information, it is clear that monitoring, notification and escalation controls are a requirement.  Take a lesson from PCI, even if you don’t adopt it formally.  The PCI DSS is simply basic computer security.  A quick review of the 12 main PCI requirements shows nothing revolutionary, and they offer a solid starting point for virtually any security compliance engagement. 

Continue reading

DLP – Success & Failure

Data Leak Prevention adoption is growing at an estimated 10% a year.  That is slower than DLP vendors anticipated, but still fast compared to many other security technologies.  The primary driver for adoption of this technology remains compliance, as is true with most security project funding.  Make sure that when you deploy it, you deploy it with the correct ruleset, a clear definition of what it is meant to accomplish, and consideration for “soft-mode” as an awareness tool.

Quite a few companies that have recently deployed DLP have pulled back on their deployments because of user and management backlash.  This indicates to me that there may have been a lack of planning, and the deployment did not adequately define success factors.  DLP was commonly deployed by these firms as an enforcement tool and not as an awareness tool at all.  When DLP is implemented as an enforcement tool, the controls are black and white, and generally very strict, running the risk of disrupting normal business processes.

The problem DLP is deployed to resolve is the leakage of data to unauthorized recipients.  Most data leaks are not caused by attackers bent on getting access to your corporate data.  The most common source of data leakage, accidental leaks, can be stopped.  To do so one must understand why these leaks occur, then how, and be prepared to accept that some of the responsibility for addressing them lies with IT itself.

Accidental leaks are not simply the result of negligent, stupid, or irresponsible users.  In many cases, leaks occur when authorized users of data choose an insecure means to store or transmit the data in the process of fulfilling a legitimate business process.  They’re doing their jobs the best way that they know how, with the tools that they have available.  Think about the Manager who needs to send her quarterly numbers to an external accounting firm.  She doesn’t have e-mail encryption capabilities or secure FTP at her disposal, and probably doesn’t understand the need for them during this seemingly innocent and quite common communication event.  She sends the confidential information as an attachment by e-mail, like always.  The communication is sent in the clear, across numerous unknown networks, subject to capture, manipulation and abuse.

DLP deployed with a hard rule enforcement policy may serve to exacerbate the problem.  The e-mail is detected and stopped, as designed, due to its sensitive contents.  The Manager wants to do a good job, and doesn't understand why the accounting firm is not receiving the time-sensitive email that she so diligently sent.  Perhaps she perceives that IT, who doesn't understand or care about her dilemma, has just put up another hurdle for her to get the required job done, so she tries Hotmail.  IT filters Hotmail, because it is a security and DLP risk.  She tries Instant Messenger, Facebook, RapidShare or whatever other distribution method she can think of.  Whose fault is it if the business doesn't provide a better way of doing what needs to get done in the course of a business day?

If DLP is deployed as an awareness tool, it can actually identify and help fix these broken processes.  Instead of blocking the original email, educate the user about why certain communication methods are dangerous when sending sensitive information.  Let the user know the dangers and impacts associated with these insecure communications.  Tell them about secure IT services that are provided for this specific purpose, or engage them to identify a specific need, to set in motion the needs analysis and requirements gathering needed for the provisioning or improvement of secure practices and services.  IT will become aware of dangerous practices within the organization for which they have not yet provided better alternatives. 

DLP deployed in “soft-mode” focuses on training and awareness for both IT and the user community.  It allows the identification and development of exceptions and logs the results of various communications so that improvements can be made in their handling.  It is incremental, non-judgmental and business friendly.  Over time, some DLP controls can and should be tightened and restricted, increasing enforcement, but soft-mode should remain a viable option for many types of standard communications.
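To make the soft-mode versus enforce-mode distinction concrete, here is an added example (not code from the original post or from any DLP vendor): a toy content-inspection policy that scans an outbound message for card numbers and a CONFIDENTIAL marker, then either blocks it (enforce) or delivers it while coaching the sender and logging the event for IT (soft-mode). It also shows the "identify exceptions" part of soft-mode through an approved partner domain. The sender, domains, approved-partner list and message text are all constructed for the example; the card number is the public Visa test PAN.

```python
"""Added example (not from the original post or any vendor product): a toy
DLP content-inspection policy contrasting "soft-mode" (deliver, log, coach)
with "enforce" mode (block).  Names, domains and message text are constructed;
the card number is the public Visa test PAN 4111 1111 1111 1111."""
import re
from dataclasses import dataclass, field

# Candidate primary account numbers: 13-19 digits with optional spaces/dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
MARKER_RE = re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE)

INTERNAL_DOMAIN = "corp.example"            # constructed
APPROVED_DOMAINS = {"accountants.example"}  # partner with an agreed secure channel (constructed)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return normalised (digits-only) PANs that pass the Luhn check."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


@dataclass
class Verdict:
    action: str                              # "allow", "allow-with-coaching" or "block"
    findings: list[str] = field(default_factory=list)
    user_message: str = ""                   # what the sender sees
    log_line: str = ""                       # what IT sees; never the sensitive values themselves


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def inspect(sender: str, recipients: list[str], subject: str, body: str, mode: str) -> Verdict:
    """Evaluate one outbound message. mode is "soft" or "enforce"."""
    findings = []
    if find_pans(body):
        findings.append("PAN")               # record the class of data, not the numbers
    if MARKER_RE.search(subject) or MARKER_RE.search(body):
        findings.append("CONFIDENTIAL marker")

    external = [r for r in recipients if _domain(r) != INTERNAL_DOMAIN]
    if not findings or not external:
        return Verdict("allow", findings, log_line=f"allow from={sender}")

    unapproved = [r for r in external if _domain(r) not in APPROVED_DOMAINS]
    if not unapproved:
        # A known, approved business process: deliver, but keep the event visible to IT.
        return Verdict("allow", findings,
                       log_line=f"allow-exception from={sender} to={','.join(external)} "
                                f"findings={'+'.join(findings)}")

    detail = f"from={sender} to={','.join(unapproved)} findings={'+'.join(findings)}"
    if mode == "enforce":
        return Verdict("block", findings,
                       user_message="Your message was blocked: it appears to contain "
                                    + " and ".join(findings) + ". Contact IT for a secure channel.",
                       log_line="block " + detail)
    # Soft-mode: deliver, explain the risk and the sanctioned alternative, and log it so IT
    # learns which business processes still lack a secure option.
    return Verdict("allow-with-coaching", findings,
                   user_message="Heads-up: this message appears to contain " + " and ".join(findings)
                                + " and is going to an external address in the clear. "
                                + "For sensitive data use the encrypted-mail or secure file transfer service.",
                   log_line="coach " + detail)


# Constructed sample: the quarterly-numbers scenario from the post.
SAMPLE_BODY = ("Hi, Q3 numbers attached. The card on file is 4111 1111 1111 1111. "
               "CONFIDENTIAL - do not forward.")

if __name__ == "__main__":
    for mode in ("soft", "enforce"):
        v = inspect("manager@corp.example", ["contact@hotmail.example"], "Q3 numbers", SAMPLE_BODY, mode)
        print(mode, "->", v.action, "|", v.log_line)
    v = inspect("manager@corp.example", ["cpa@accountants.example"], "Q3 numbers", SAMPLE_BODY, "enforce")
    print("approved partner ->", v.action, "|", v.log_line)
```

The point of the log line is that soft-mode produces the same record of the event as enforce mode, so the tightening of controls described in the post can be driven by what IT actually observed rather than by guesswork; the log deliberately names the class of data found rather than the values, so the DLP log does not itself become a second copy of the sensitive data.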

DLP is about preventing data loss, not blocking the business from moving forward.  Take the opportunity to build an extended or permanent soft-mode period into your DLP project plans.  It can educate your users, getting them thinking about security, while at the same time educating your IT staff about how your business actually functions, getting them thinking about how to provision better, easier to use, and more secure services to the users that they serve.