Why / When / How To Implement DLP?

This Data Loss Prevention question was posed on the Security Basics mailing list.  I thought I would share it so that others who have not subscribed to this good list can find it and do so, and so that those with similar questions can see what I and others have said about it.

-----Original Message-----

Hi,

I would like to have your opinion about when/which organizations need a DLP solution? How does the need depend on an organization's work area, country, region or culture? How to implement the solution and handle the data classification and cooperate with data owners, business departments.

Regards

http://www.securityfocus.com/archive/105/518147/30/0/threaded

-----My Response-----


Considering DLP? Planning Is KEY!

Ericka Chickowski at DarkReading has posted an article about some of the myths and misconceptions around data loss prevention that have held back a lot of implementations that could have made productive use of the deep content inspection capabilities DLP offers.  It seems that most people who look to DLP either haven't clearly defined the problems they are looking to solve, haven't learned enough about the tools to know that data classification doesn't have to be a monumental effort, or think it will be so simple that you can purchase a small module, tick a few checkboxes, and you're done.  In reality, a solid DLP implementation is neither simple nor overly complex.  It just requires understanding your needs, appropriate budgeting, and good upfront implementation planning.  Failing to plan, as in most other efforts, is planning to fail.

“One of my pet peeves is a lot of people I meet say DLP is too hard, you can never do it, you’ve got to classify all of your data by hand before you can deploy DLP, or some garbage like that,” says panelist Rich Mogull, founder of analyst firm Securosis. “That’s not true; when you deploy properly you can get good results. The people I know who use DLP solutions don’t have those complaints. When you get out to the people who have actually used it, none of them will tell you it’s perfect — and, believe me, it never works as well as [the vendors] tell you it’s going to work — but they tend to give you an idea of how well it really does work.”

A few tips and considerations from me below:


Protecting Against Data Leaks

Wikileaks seems to have become a rather quiet issue.  Very little in the press lately, and not much discussion for such a high profile and potentially damaging experience.  In follow-up to “Could it Happen To You“, here are some thoughts on detecting data leakage, and protecting your sensitive data and intellectual property.

You will never completely eliminate the possibility that someone will leak documents to WikiLeaks or any other outside organization, and every organization, even those that operate legitimately and completely above board, has SOMETHING to hide.  From the competition, from enemies; everyone has intellectual property and those special trade secrets.  The opportunities and methods for extricating information in its various forms are just too diverse.  In order for any organization to function, individuals need to be able to access, copy, manipulate and print information.  There will always be a chance that an individual will intentionally or accidentally make that information available to an unauthorized audience or individual.  It could be as easy as adding the wrong email address on a CC list.  Auto-complete is notorious for making this example more common.

Eliminate Common Means

In incident response, an attacker typically needs 4 things in order to launch a successful attack.

  1. The opportunity to attack.  This is provided to insiders by having access to data, and by poor internal controls.
  2. The ability to attack.  This is provided by the tools and knowledge available to anyone.
  3. The motive to attack.  This could be monetary, moralistic, vengeful, accidental, etc.
  4. The means to complete the attack.  This is the physical or logical device used to move the data.


DLP – Success & Failure

Data Leak Prevention adoption is growing at an estimated 10% a year.  That is slower than DLP vendors anticipated, but still fast compared to many other security technologies.  The primary driver for adoption of this technology remains compliance, as is true for most security project funding.  Make sure that when you deploy it, you deploy it with the correct ruleset, a clear definition of what it is meant to accomplish, and consideration for "soft-mode" as an awareness tool.

Quite a few companies that have recently deployed DLP have pulled back on their deployments because of user and management backlash.  This indicates to me that there may have been a lack of planning, and the deployment did not adequately define success factors.  DLP was commonly deployed by these firms as an enforcement tool and not as an awareness tool at all.  When DLP is implemented as an enforcement tool, the controls are black and white, and generally very strict, running the risk of disrupting normal business processes.

The problem DLP is deployed to resolve is the leakage of data to unauthorized recipients.  Most data leaks are not caused by attackers bent on getting access to your corporate data.  The most common source of data leakage, accidental leaks, can be stopped.  To do so one must understand why these leaks occur, then how, and be prepared to accept that some of the responsibility for addressing them lies with IT itself.

Accidental leaks are not simply the result of negligent, stupid, or irresponsible users.  In many cases, leaks occur when authorized users of data choose an insecure means to store or transmit the data in the process of fulfilling a legitimate business process.  They’re doing their jobs the best way that they know how, with the tools that they have available.  Think about the Manager who needs to send her quarterly numbers to an external accounting firm.  She doesn’t have e-mail encryption capabilities or secure FTP at her disposal, and probably doesn’t understand the need for them during this seemingly innocent and quite common communication event.  She sends the confidential information as an attachment by e-mail, like always.  The communication is sent in the clear, across numerous unknown networks, subject to capture, manipulation and abuse.

DLP deployed with a hard rule enforcement policy may serve to exacerbate the problem.  The e-mail is detected and stopped, as designed, due to its sensitive contents.  The Manager wants to do a good job, and doesn't understand why the accounting firm is not receiving the time-sensitive email that she so diligently sent.  Perhaps she perceives that IT, who doesn't understand or care about her dilemma, has just put up another hurdle for her to get the required job done, so she tries Hotmail.  IT filters Hotmail, because it is a security and DLP risk.  She tries Instant Messenger, Facebook, RapidShare or whatever other distribution method she can think of.  Whose fault is it if the business doesn't provide a better way of doing what needs to get done in the course of a business day?

If DLP is deployed as an awareness tool, it can actually identify and help fix these broken processes.  Instead of blocking the original email, educate the user about why certain communication methods are dangerous when sending sensitive information.  Let the user know the dangers and impacts associated with these insecure communications.  Tell them about secure IT services that are provided for this specific purpose, or engage them to identify a specific need, to set in motion the needs analysis and requirements gathering needed for the provisioning or improvement of secure practices and services.  IT will become aware of dangerous practices within the organization for which they have not yet provided better alternatives. 

DLP deployed in “soft-mode” focuses on training and awareness for both IT and the user community.  It allows the identification and development of exceptions and logs the results of various communications so that improvements can be made in their handling.  It is incremental, non-judgmental and business friendly.  Over time, some DLP controls can and should be tightened and restricted, increasing enforcement, but soft-mode should remain a viable option for many types of standard communications.

DLP is about preventing data loss, not blocking the business from moving forward.  Take the opportunity to build an extended or permanent soft-mode period into your DLP project plans.  It can educate your users, getting them thinking about security, while at the same time educating your IT staff about how your business actually functions, getting them thinking about how to provision better, easier to use, and more secure services to the users that they serve.
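To make the soft-mode versus enforcement distinction above concrete, here is an added example (constructed for this page, not code from the post or from any DLP product).  It implements a single detector, payment card numbers validated with the Luhn check, and runs the same constructed messages through an "enforce" policy and a "soft" policy.  Both modes write the same audit record, so IT learns which business processes are moving sensitive data; only the user-facing action differs.  The recipient allowlist, the sample e-mails and the "secure file transfer service" wording in the coaching message are assumptions.

```python
"""Toy DLP content inspector with an enforcement mode and a soft (awareness)
mode.  Constructed example, not any vendor's product."""
import re
from dataclasses import dataclass, field

# Candidate card numbers: 13-16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check.  Filters out most non-card digit runs (order ids, tracking
    numbers) so the control does not cry wolf on every long number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return the normalised (digits-only) card numbers found in text."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


@dataclass
class Verdict:
    action: str          # "allow", "coach" (deliver + educate) or "block"
    findings: list
    message: str = ""


@dataclass
class DlpPolicy:
    mode: str                                   # "enforce" or "soft"
    approved_domains: frozenset = frozenset()   # exceptions developed over time
    audit_log: list = field(default_factory=list)

    def evaluate(self, email: dict) -> Verdict:
        findings = find_card_numbers(email["body"])
        if not findings:
            return Verdict("allow", [])
        recipient_domain = email["to"].rsplit("@", 1)[-1].lower()
        # Both modes record the event: the log is what tells IT which business
        # processes are moving sensitive data over the wrong channel.
        self.audit_log.append({
            "from": email["from"], "to": email["to"], "mode": self.mode,
            # Store masked values only; the audit trail must not become a leak itself.
            "masked": [d[:6] + "*" * (len(d) - 10) + d[-4:] for d in findings],
        })
        if recipient_domain in self.approved_domains:
            return Verdict("allow", findings, "recipient is an approved exception")
        if self.mode == "enforce":
            return Verdict("block", findings, "message blocked: contains payment card data")
        # Soft mode: deliver the message, but tell the user why this channel is
        # risky and point at the sanctioned alternative (hypothetical service name).
        return Verdict("coach", findings,
                       "This message contains payment card data. It was delivered, "
                       "but please use the secure file transfer service for this.")


# Constructed sample traffic, not real messages.  The card numbers are the
# well-known test numbers 4111 1111 1111 1111 and 4242 4242 4242 4242.
SAMPLE_EMAILS = [
    {"from": "manager@example.com", "to": "ap@accounting-firm.example",
     "body": "Q3 refunds: card 4111 1111 1111 1111 was charged twice, please reverse."},
    {"from": "manager@example.com", "to": "someone@webmail.example",
     "body": "FYI card 4242-4242-4242-4242 and 4111 1111 1111 1112 (typo?)"},
    {"from": "ops@example.com", "to": "vendor@example.net",
     "body": "Tracking number 1234 5678 9012 3456 shipped today."},
]


def run(mode: str, approved=frozenset({"accounting-firm.example"})) -> list:
    """Evaluate the sample traffic under one mode and return the actions taken."""
    policy = DlpPolicy(mode=mode, approved_domains=approved)
    return [policy.evaluate(e).action for e in SAMPLE_EMAILS]


if __name__ == "__main__":
    for mode in ("enforce", "soft"):
        print(mode, run(mode))
```

The third message shows why the Luhn step matters: a tracking number with sixteen digits is not a card number, and a rule that fires on it is exactly the kind of false positive that produces the user backlash described above.  The first message shows an exception in action: once IT has confirmed that the accounting firm is a legitimate recipient, the soft-mode log entries are what justify adding its domain to the allowlist.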

ISACA Mobile Devices DLP Study

ISACA, the international IT governance body, has released a study detailing the growing potential for mobile devices to pose a significant data leakage and loss threat.  Pointing to information leakage over wireless and poorly secured wired networks, the Securing Mobile Devices white paper is intended as a wake-up call for companies with unintentional configuration and capability backdoors that often lead to loss of confidential enterprise information and intellectual property.

Popular anti-virus company AVG’s corporate blog has suggested that the reason we are still discussing the same old security issues over and over, is that obvious data threats are still not properly managed.  Mobile devices are likely to be the target of a malware attack more so now than at any time in the past, and as employees carry and use them beyond the protection of their company’s network, the risk of attack and compromise is multiplied exponentially.

According to the Ponemon Institute’s Global 2009 Annual Study on the Cost of a Data Breach, 32% of all data breaches analyzed involved lost or stolen laptops or other mobile data-bearing devices.  While the average organizational cost of a data breach was $3.4 million US, all countries reported higher data breach costs with mobile incidents.  Ironically, many of the risks associated with mobile devices exist because of their biggest benefit: portability.  ISACA recommends a governance framework such as COBIT or Risk IT to help IT managers ensure that process and policy changes are implemented and understood and that appropriate levels of security are applied to prevent data loss.

DLP – Protecting What Matters Most

Data Loss Prevention (DLP) products exist to help organizations monitor and protect sensitive data.  This data could be customer information, credit card numbers, employees' personal information, project plans, intellectual property, trade secrets, whatever the crown jewels may be.  If this data were to be lost or stolen, it could create significant legal liability, financial loss and security risks, as well as reputational and regulatory hardships.  DLP keeps sensitive data from falling into the wrong hands.  NetworkWorld has a collection of excellent DLP articles for those concerned with the topic.  Find the related items at the end of this entry.

You can put in place all of the intermediary policies and risk-mitigating controls from perimeter to storage server that you can afford.  One thing about technical security controls is almost certain: a determined attacker will find a way to violate your strongest safeguards.  Filter web traffic and they resort to encryption and obfuscation.  Isolate sensitive systems from the Internet and they plug in a USB drive.  Disable USB support and they reboot with a CD.  Disable CD/DVD booting in CMOS and block the USB ports with super glue and they use a cellphone camera to snap a picture of sensitive material on screen.  Create a policy barring cameras and enforce it, and the attacker will reach for a pencil.  DLP is just shy of a silver bullet from my perspective in Incident Response.  It is a security control that, if implemented and managed correctly, protects the data from inappropriate exfiltration.


Lessons Learned From Data Theft

Interesting article posted up at Processor.  Carl Herberger of EvolveIP explains the layered approach to information security as bringing together several comprehensive policies and manual procedures with a variety of point security solutions, filtering systems, and monitoring strategies to protect IT resources and data.

As data loss prevention becomes increasingly important, it becomes more likely that a re-assessment and redeployment of security perimeter resources will occur. Implementation of DLP tools may boost the detection of data theft. Creating multiple layers can be useful not only in preventing theft but also in spotting it when it happens.

Processor