Wednesday, December 07, 2011

Understand Data Loss Prevention System for Deployment

First of all, note that DLP is about risk reduction, not threat elimination. Before beginning a deployment it is important to know what kinds of policies can be defined and what enforcement options are available. Later, a proper workflow needs to be in place to handle policy violations. While human resources and legal teams are rarely involved in a virus infection, they may be intimately involved when an employee tries to send a customer list to a competitor. Setting up a good baseline early (knowing what data needs protection, the capabilities of the tools in place to protect it, and the workflow for handling incidents) will make the DLP implementation in any organization considerably easier. The short write-up below will help Security Council members understand what DLP is and what industry best practices different organizations have adopted for DLP implementation.
Organizations' data protection efforts are now shifting toward internal users (vendors and employees), whereas earlier they focused on external threats. The figure commonly quoted is that around 80% of reported breaches are caused by insiders, accidentally or intentionally, and only 20% by external attackers. Hence companies now want to make the right investment decisions and protect against potential breaches caused by their own employees. There are many avenues by which confidential data or proprietary secrets can leave an organization via the Internet:

• Email
• Webmail
• HTTP (message boards, blogs and other websites)
• Instant Messaging
• Peer-to-peer sites and sessions
• FTP

Current firewalls and other network security solutions do not include data loss prevention capabilities to secure data in motion. Missing are such important controls as content scanning, blocking of communications containing sensitive data, and encryption. While companies have attempted to address the data loss problem through corporate policies and employee education, without appropriate controls in place employees can (either through ignorance or malicious disregard) still leak confidential company information.


If we categorize all the avenues available to employees today to electronically expose sensitive data, the scope of the data loss problem is an order of magnitude greater than that of protecting against threats from outsiders. Consider the extent of the effort required to cover all the loss vectors an organization may encounter:

• Data in motion – Any data that is moving through the network to the outside via the Internet.
(Solutions provided by: Websense, Symantec and CA)
• Data at rest – Data that resides in file systems, databases and other storage.
(Solutions provided by: IronPort, CA, Vontu)
• Data at the endpoint – Data on the endpoints of the network (e.g. data on USB devices, external drives, MP3 players, laptops and other highly mobile devices).
(Solutions provided by: Digital Guardian, Sophos)

There are two different types of content-aware DLP solutions available:

1. Single-channel solutions – Focus on one data loss channel we want to address, such as email or Web.
2. Enterprise DLP solutions – Involve lengthy implementations and big budgets. They can also be very disruptive to the organization, but deliver much broader coverage.

DLP products ship with hundreds of pre-defined policies. Websense's PortAuthority product boasts over 140 pre-defined templates for major regulatory statutes. These policies contain rules for everything from identifying social security numbers to checking compliance with US regulatory laws; the most popular ones cover HIPAA, Sarbanes-Oxley, GLBA, etc. In addition, vendors are willing to create custom policies based on customer requirements and the business model of a particular customer.

Default policies can be fine-tuned to suit our needs, and matching gets even more accurate when context is taken into account. For example, if a payroll employee is observed viewing someone else's remuneration package, this is normal behaviour and can be ignored. However, if the same event originates from another department, the DLP system should raise a flag and the event should be escalated.

One key point to note in writing a signature is the trade-off between false positives and false negatives. Some vendors call these wide and narrow rules. If matching is done at a broad scope, it can result in a high number of false positives; on the other hand, if we keep the rules too narrow we run the risk of missing a true positive. This is a business decision an organization should make based on the sensitivity level of the content versus the resources allocated for remediation. After all, customers do not want to end up drowning in alerts, as has happened with IDS.
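To make the wide-versus-narrow trade-off and the role of context concrete, here is a small content-aware matcher written for this write-up (it is an added illustration, not code from any DLP vendor or from the original post). It applies a wide social security number rule and a narrow one to a handful of constructed messages, downgrades hits from departments that are expected to handle SSNs, and counts the resulting true positives, false positives and false negatives. The sample traffic, the SSN-shaped values and the EXPECTED_HANDLERS table are all assumptions made up for the example; the narrow rule uses the publicly documented SSA allocation constraints (area not 000, 666 or 900-999, group not 00, serial not 0000).

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Event:
    department: str
    channel: str
    body: str
    contains_ssn: bool  # ground-truth label for the constructed sample


@dataclass
class Finding:
    rule_set: str
    excerpt: str
    severity: str  # "ignore" (expected handler) or "escalate"


# Wide rule: any nine digits in 3-2-4 grouping, dashes optional.
# Catches an SSN typed without separators, but also ticket and invoice numbers.
WIDE_SSN = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")

# Narrow rule: dashed SSN plus the SSA allocation constraints
# (area not 000, 666 or 900-999; group not 00; serial not 0000).
# Far fewer false positives, but misses an SSN typed without dashes.
NARROW_SSN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

RULES = {"wide": WIDE_SSN, "narrow": NARROW_SSN}

# Context: (department, channel) pairs that are expected to carry SSNs.
# Assumption made for this example; a real deployment would pull this from HR/AD.
EXPECTED_HANDLERS = {("payroll", "email"), ("hr", "email")}

# Constructed sample traffic; every SSN-looking value here is made up.
SAMPLES = [
    Event("payroll", "email", "Attached: remuneration for employee 123-45-6789", True),
    Event("marketing", "webmail", "Call me at 123-45-6789 about the launch", True),
    Event("finance", "ftp", "export row: 219099999,Smith,Engineering", True),  # SSN without dashes
    Event("engineering", "http", "Ticket ref 987654321 closed", False),        # ticket number
    Event("sales", "im", "invoice 000-12-3456 is overdue", False),            # invalid area 000
]


def evaluate(event: Event, rule_set: str) -> List[Finding]:
    """Apply one rule set to an event; downgrade matches from expected handlers."""
    pattern = RULES[rule_set]
    expected = (event.department, event.channel) in EXPECTED_HANDLERS
    return [
        Finding(rule_set, m.group(0), "ignore" if expected else "escalate")
        for m in pattern.finditer(event.body)
    ]


def score(rule_set: str, events: List[Event] = SAMPLES) -> Dict[str, int]:
    """Count true positives, false positives and false negatives over labelled events."""
    tp = fp = fn = 0
    for ev in events:
        hit = bool(evaluate(ev, rule_set))
        if hit and ev.contains_ssn:
            tp += 1
        elif hit:
            fp += 1
        elif ev.contains_ssn:
            fn += 1
    return {"tp": tp, "fp": fp, "fn": fn}


if __name__ == "__main__":
    for name in RULES:
        print(name, score(name))
    for ev in SAMPLES:
        for f in evaluate(ev, "narrow"):
            print(f"{ev.department}/{ev.channel}: {f.excerpt} -> {f.severity}")
```

On this sample the wide rule finds all three real SSNs but also flags the ticket and invoice numbers, while the narrow rule has no false positives but misses the undashed SSN in the FTP export. Neither outcome is "right"; which one an organization accepts depends on how sensitive the data is and how many analysts are available to work the queue, which is exactly the business decision described above. The context table turns the payroll hit into an ignorable event and leaves the marketing hit to be escalated.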

While making a DLP investment, I would advise that the following points be considered.

1. Ensure Effective, Comprehensive Coverage:
Overall, a DLP solution must be able to effectively and comprehensively detect attempted policy violations. This includes:
• Multi-protocol monitoring and prevention
• Content-level analysis of all major file and attachment types
• Selective blocking and/or quarantining of messages
• Automatic enforcement of corporate encryption policies.

2. Make the Solution Unobtrusive:
The next important aspect of a DLP solution is that it is non-intrusive. Overcoming the challenge of maintaining effective communications while ensuring management and control of customer and other sensitive information requires both well-thought-out policies and processes for monitoring communications content.

3. Workflow, Administration and Reporting Capabilities:
To help keep total cost of ownership low, the selected product should be simple and fast to implement within the organization's infrastructure, leveraging plug-and-play capabilities to minimize integration requirements. Robust reporting capabilities allow policy officers to readily access information to:
• Analyze and improve the organization’s DLP capabilities
• Automatically deliver decision-making information in a timely manner
• Easily generate instant reports for executives.

4. Combination of Network/Endpoint and Heterogeneous.