GETTING STARTED
Long before contacting DLP vendors, set expectations and decide what content needs protection and how to protect it. Pull together a project team with representatives from major stakeholders including security, messaging, desktop management, networking, human resources and legal, and define protection goals, including content and enforcement actions. This is when you set expectations; educating project members on what's realistic with DLP can help avoid pitfalls that derail deployment.
These protection goals help determine required features. They'll establish needs for content analysis techniques, breadth of coverage (network/storage/endpoint), infrastructure integration, workflow, and enforcement requirements. You can decide if you need a full suite, dedicated DLP solution or just the DLP features of an existing product. Then, translate these requirements into an RFI or draft RFP and start contacting vendors.
Most organizations find that content analysis techniques, architecture, infrastructure integration and workflow are the top priorities in selecting a product.
CONTENT ANALYSIS
The most important characteristic of DLP solutions is content analysis. This allows the tools to dig into network traffic and files, unwrap layers (like a spreadsheet embedded in a PDF in a .zip file) and identify content based on policies. While every product uses different content analysis techniques, they tend to fall into a few categories that also use contextual information, such as sender/recipient, location and destination.
Content description techniques use regular expressions, keywords, lexicons and other patterns to identify content. They include rules/regular expressions for pattern matching, conceptual analysis involving pre-set combinations of words and rules to match a specific concept like insider trading, and pre-set categories such as personally identifiable information (PII), HIPAA and PCI.
Content registration techniques rely on content you provide the system that then becomes a policy. They include full or partial document matching using hashes of files to identify content; database fingerprinting by hashing live database content in combinations to identify matches; and statistical techniques that use a large repository of related content to identify consistencies and create policies.
All the leading products can combine different analysis techniques into a single policy to improve accuracy.
|
