I read Dan Raywood’s SC article this week called “Criticisms made of lax attitudes to data loss prevention tools” and I totally agree with Michael Gabriel’s thoughts on companies’, and in some respects the InfoSec community’s, attitude to DLP technology.
The reason for my interest in this article is that I am in the process of deploying a DLP solution across EMEA, and so far I have been very impressed with how things are going and the benefit it can bring to the organisation. Before doing this project I did think DLP technology would be valuable to an organisation, and because I am a geek I love any excuse to mess about with new technology; however, I did have concerns about how effective it can be.
I still hold true to some of my original thoughts, and I don’t think DLP is right for everything. I think it is very dependent on the industry you are operating in, and the maturity and security posture of your organisation.
In the article Andrew Waite mentioned that the basics are essential, and unless you have them right you shouldn’t look at DLP. I agree that security basics are essential, and for many reasons companies still struggle with them (let’s not even talk about patching); however, I think DLP could actually help you build an improved case for securing budget for a security back-to-basics programme.
So when does DLP make sense, and what do you need to be aware of if you’re going to implement it?
DLP makes sense if you know what you want to protect. This might sound obvious or stupid, however many companies don’t really know what their critical business assets are. Some DLP systems can help you identify where this data lives, if you don’t know, via network and endpoint discovery. Obviously it’s not a miracle system, so you need to give it a clue: you can provide a sample of the data and let it use its signatures to find similar content, or you can use keywords, phrases and patterns.
So if you know what your data looks like, and even better if you know where it is, you can point your DLP solution at it. It will form extracts (fingerprints) of the data within the files, monitor specific network shares and folders, and then perform verification lookups in real time as data passes through its inspection points. This is where your policies and rules are important, and as also noted in the SC article, don’t expect it to be effective if you create them once and never look at them again: the business changes, and so do our processes, policies and rules.
We can then leverage (or build cases to invest in) other technologies to prevent the data from leaving the organisation in the first place. So monitor and alert on all network traffic, and prevent your critical information being lost externally via removable media, corporate email, webmail, social networking sites, forums, blogs and instant messaging. In my mind the primary reason for DLP is to help you protect and prevent the loss of what matters most to your organisation: its intellectual property, its key business assets. However, DLP can also help you with your Data Protection Act obligations, as well as the wonderful PCI DSS requirements, as you can define signatures and criteria for your DLP system to match against; some vendors even ship these as default policies.
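To make the two matching styles above concrete, here is a small added example (mine, written for this post; it is not any vendor’s implementation, and commercial products use their own, more elaborate algorithms). It fingerprints a set of protected documents by hashing overlapping five-word windows, so that an extract of one of them can be spotted in an outbound message without storing the content itself, and it pairs that with a PCI-style pattern match for card numbers, using a Luhn check to weed out random digit runs. The document texts and messages are constructed samples; 4111 1111 1111 1111 is a well-known test card number, not a real one.

```python
"""Toy DLP content matcher: document fingerprinting plus pattern matching.

Added illustration only (not from the original post, not a vendor product).
Sample documents, messages and card numbers below are constructed.
"""
import hashlib
import re

SHINGLE_SIZE = 5            # words per fingerprint window
MIN_MATCHING_SHINGLES = 3   # fewer common windows than this is treated as coincidence

WORD_RE = re.compile(r"[a-z0-9]+")
# 13-19 digits, optionally separated by spaces or hyphens, as cards are usually typed
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def tokens(text):
    """Normalise text so case, punctuation and spacing changes do not defeat matching."""
    return WORD_RE.findall(text.lower())


def shingles(text, k=SHINGLE_SIZE):
    """Hash every k-word window. Only hashes go into the index, never the content."""
    words = tokens(text)
    out = set()
    for i in range(len(words) - k + 1):
        window = " ".join(words[i:i + k])
        out.add(hashlib.sha256(window.encode()).hexdigest()[:16])
    return out


def build_fingerprint_index(documents):
    """documents: {name: text} for the files the business has told us to protect."""
    return {name: shingles(text) for name, text in documents.items()}


def match_fingerprints(index, message):
    """Return [(doc, common_shingles, share_of_message)] strongest first."""
    msg = shingles(message)
    if not msg:
        return []
    hits = []
    for name, doc_shingles in index.items():
        common = len(msg & doc_shingles)
        if common >= MIN_MATCHING_SHINGLES:
            hits.append((name, common, common / len(msg)))
    return sorted(hits, key=lambda h: h[1], reverse=True)


def luhn_valid(digits):
    """Luhn check-digit validation, which cuts false positives from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Candidate card numbers that are the right length and pass Luhn, separators stripped."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def scan_message(index, message):
    """What an inspection point does with one outbound message (email, web post, IM)."""
    return {"fingerprint_hits": match_fingerprints(index, message),
            "pans": find_pans(message)}


# Constructed sample data: not real documents, not real card numbers.
PROTECTED_DOCS = {
    "q3-roadmap.txt": ("Project Falcon will move the EMEA billing platform to the new "
                       "provider in Q3. The migration window is the last weekend of "
                       "September and customer notices go out two weeks before cutover."),
    "pricing-2011.txt": ("Enterprise list price rises eight percent from January; "
                         "partner discount tiers are unchanged."),
}
OUTBOUND_LEAK = ("FYI the migration window is the last weekend of September and customer "
                 "notices go out two weeks before cutover. Test account card: 4111 1111 1111 1111.")
OUTBOUND_CLEAN = "Lunch on Friday? The new place on the corner does a decent sandwich."

if __name__ == "__main__":
    index = build_fingerprint_index(PROTECTED_DOCS)
    for label, msg in (("leak", OUTBOUND_LEAK), ("clean", OUTBOUND_CLEAN)):
        print(label, scan_message(index, msg))
```

The pasted roadmap paragraph shares 14 of the leak message’s 22 five-word windows with q3-roadmap.txt, so it is flagged against that document and nothing else, while the clean message matches nothing. The card number is reported only after the Luhn check; a number such as 4111 1111 1111 1112 looks identical to the regex but is dropped, which is exactly the sort of tuning the policies-and-rules work above is about.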
So if by now you’re thinking it makes sense to you, and your company has a reasonable grasp of its assets, and hopefully its data flows, and you have convinced someone to release the purse strings, you install DLP and you’re done… right?
Of course things are not that simple (although it is a little simpler if you’re in the US, as we know there is no privacy 🙂 ). I am in the UK, but need to know about EU regulatory requirements, and as soon as you’re talking about monitoring and blocking you need to do a lot of preparatory work. So hopefully you have some policies in place, and worked with your legal and HR teams when you implemented email and web filtering technology; well, now is a good time to renew those friendships.
So what should you be thinking about before you go switching on your new shiny DLP technology? Below I have created a list. Some items may not be applicable to you and the country you are in, but it should at least provide a checkpoint and food for thought before you go off and monitor everyone, only to be shut down by HR and Legal when you try to give someone the boot for gross misconduct for violating company policy.
DLP points for consideration:
- Resilience in your solution
- Capacity in your solution (Powerful Tin, Pipes with Capacity, Geographical coverage)
- Acceptable Usage Policies (Covering the level of monitoring and prevention DLP will provide)
- Communication (Even though your policies cover it, have you communicated this to staff and updated the policies? The goal is to stop loss by having it not happen in the first place)
- Employee Consent (In some countries, Germany for example, employee consent is required when you are doing this kind of monitoring)
- Consent not given approach (When an employee does not give consent, how will you handle it? Prevent the use of business systems for personal use?)
- Data Protection Commissioner Approval (It is always worth having a DLP business process defined so you can share this with the DPC if questioned, however in some countries prior consent from the DPC is required)
- Workers Council Approval (In some countries workers councils have a lot of clout; it is essential to get their buy-in and approval)
- Labour Inspection (In Italy, for example, the labour authority needs to give consent for each office location where monitoring occurs; other countries may have something similar)
- Build and Test policies and rules (This is hopefully obvious. Build and test your DLP policies and rules, tweak as required, and use this as evidence to reassure the business on the uptake of your new solution)
- Ensure the data your policies are using for matching is accurate and up to date
- Ensure enough resource is available for daily review, monitoring and management
- Have a process defined for reviewing and escalating policy violations
DLP is a good tool with the right information, processes and people behind it. Like anything, understanding your business, your objectives and the proposed outcomes is essential to its success.