About a year and a half ago, Mark Jackson, the information security officer at San Rafael, Calif.-based Westamerica...
Bank, began researching data loss prevention products for the regional community bank. His search began after a Department of Financial Institutions auditor recommended the technology as a way for Westamerica Bank to manage insider threats.
The system needs to be malleable enough to adjust its ID of data to the business.
director, managed services group, Verdasys Inc.
In September 2011, Jackson began a phased roll out of Websense, Inc.'s Triton Enterprise, a three-in-one security product for email, Web and data that provides data loss prevention (DLP) coverage on the network and the endpoint. Jackson oversees the security of Westamerica Bank's production and the Internet at the office headquarters. DLP technology helps Jackson monitor certain risky employee behavior.
The product needs someone to focus on it, Jackson said, although he believes the time required is not about maintenance, but learning about threats and the full capabilities of the product.
"I don't even use it to its fullest abilities," Jackson said, adding that he wished he had someone to help him monitor the technology and use its full array of features. When Jackson first installed the system, he went through the pre-defined policies, tweaking them and adding new ones to fit Westamerica Bank's needs. He is always keeping an eye on the system, updating policies and adding new machines to the network.
Jackson isn't alone. Experts said companies that deploy DLP technology need to take a hands-on approach with the software, deploying the technologies methodologically and ensuring policies are practical. Sound knowledge of the environment is needed as well as the company's risk tolerance and the threats that are unique to the organization. CISOs need to be proactive with DLP from the beginning, said John Kindervag, a principal analyst for security and risk professionals at Cambridge, Mass.-based Forrester Research Inc.
"A machine doesn't have intuition," Kindervag said. "You have to tell the device what to look for."
DLP is a technology of many names, versions and opinions. As more vendors jump into the DLP game, companies considering the technology must assess what model and company is right for their environment. DLP, also known as data leak prevention, data loss prevention, extrusion prevention, content filtering or information loss prevention, is a group of information security tools put in place to stop users from sending sensitive or critical information outside of the corporate network.
The technology has been around for nearly a decade. Although in many ways it is still an adolescent technology, it has matured, becoming more efficient and helpful, but customer attitudes toward the technology still need to evolve, Kindervag said. In Rethinking DLP: Introducing The Forrester DLP Maturity Grid, Kindervag said security professionals need to think of DLP as an ongoing process and not just a product. The report was issued by Forrester in January 2012 and updated in September 2012.
Analysts said early DLP products were intended to be a cure-all solution to make companies compliant with industry rules but ended up revealing poor business practices. Rick Holland, a senior analyst for security and risk professionals at Forrester, said early adopters quickly discovered sensitive information was located in more places on the company network than expected. IT personnel did not know who was responsible for what data, which eroded the efficiency of the DLP solution. The chaos, Holland said, was a result of companies trying to do too much with DLP too fast.
Kindervag said companies run into issues with DLP when they do not define the necessary process and policies before their deployment.
Kindervag promotes the five stages of DLP maturity: data discovery, data classification, data consolidation, DLP policy design and DLP policy enforcement. These five categories can help customers identify a more effective DLP process. By using the Forrester maturity grid, CISOs can evaluate how well their company is using the DLP tool, or how well developed a vendor's DLP plan is.
Kindervag also recommended that security professionals inventory and classify sensitive information before deploying a DLP solution. Then they can begin catering a DLP tool to their company's needs by defining what information must be protected and what business user actions must be blocked.
Many DLP packages come with pre-defined policies that try to catch obvious sensitive information such as Social Security numbers, credit card numbers and driver's license numbers. Pre-defined policies also help customers comply with HIPAA, HITECH and other federal and state government mandates.
Kindervag said that using these pre-defined policies can help find information that is easier to identify, but it also leads to many false positives. He said the best practice for vendors creating these policies is to somehow integrate data classification in and evaluate what information would be toxic to a particular industry.
"Each organization has their information that is important to them," Kindervag said.
Vendors agreed that pre-defined policies, or out-of-the box features, can be very limited. Mike Parrella, director of the managed services group at Verdasys Inc. in Waltham, Mass., said these policies help companies realize the magnitude of the data loss problem, but they only catch the low-hanging fruit.
"I think I see change in how companies do [use DLP policies] now," Parrella said. "They tried to do out-of-the-box and it failed."
In turn, vendors must provide customers with the flexibility their individual needs will require.
"The system needs to be malleable enough to adjust its ID of data to the business," Parrella said.
Darrin Mourer, a systems engineer at Verdasys, said that many pre-defined policies are rudimentary and meant to serve as examples for the user. Mourer is writing a book about DLP, which he hopes will be published in the first half of 2013. He said his mission with the book is to lay out a common understanding of DLP -- what it is, how it came about, why it is needed, how to put it in place and how to put processes in place to support it -- so CISOs and DLP providers can better advocate for it.
Mourer also said that companies tracking Social Security numbers, credit card numbers or medical ID numbers using DLP often lead to many false positives because the number patterns the DLP system will look for occur in many other places such as online catalogs, website codes and internal product numbers.
According to Mourer, the vendor response to false positives was to build policies around a company's specific data. The question quickly becomes one about how a vendor gets access to all the information needed to create policies and how to monitor the network to ensure they are being enforced. Companies must be able to have in-house experts to oversee this process, Mourer said, or companies should work with a vendor that will manage the whole DLP service for them.
"It's not a tool that can operate independently; it requires care," Mourer said.
Setting up, customizing DLP policies
Jackson set up DLP for Westamerica Bank by using pre-defined policies and adjusting them to the company's needs. San Diego-based Websense offers more than 1,700 pre-defined policies in its DLP service. When Westamerica Bank began using Triton for DLP, Jackson went through these policies and decided which ones the company would use.
The DLP set up wizard begins by asking users questions such as the location and industry of the organization. These answers help the wizard auto-populate regulatory policies. Administrators can then tweak these regulatory policies and begin developing their own security policies. The framework includes thresholds for data access, data movement and data use. Policies can be applied to large and small amounts of information, specific workgroups, departments, locations or individuals.
On the production side, which handles customer information, Jackson uses DLP to monitor employee printing. Jackson has the system set up so if someone prints a significant amount over the course of a few days, he will be notified so he can speak to the employee and ensure no confidential or client information is being printed out.
Jackson also has policies set up in Triton that prevent employees from taking information out of the company environment via a Universal Serial Bus (USB). If an employee puts a document on a USB, once they remove it from the machine the information becomes encrypted, and it will only be able to be opened on another Websense-secured machine. The system alerts Jackson when the use occurs, as it does with excessive printing.
On the Internet side, Jackson's use of DLP is different, since machines connected to the Internet do not have client information on them. To make sure it stays that way, the DLP product is set up to periodically sweep the network for any client information. To test this feature, Jackson put client information on the computer of the bank's vice president. The DLP technology successfully found the information and alerted Jackson of it, so he is confident that it will find any future cases.
Websense's DLP solution allows users to choose who they want to alert. If desired, the person committing the infraction can be notified.
"We don't want to alert people. We don't want to scare them and make them think they're doing something wrong," Jackson said. Instead, he prefers to receive all system alerts. If he deems a particular violation overt or concerning, he will speak directly to the employee involved.
Jackson's only issue with the system is that only one administrator can be logged in to Websense at once. If there could be more than one person logged in, he said it would help with monitoring the system. Jackson said Websense is working on addressing that restriction.
As he researched DLP technology, Jackson evaluated three vendors based on two important criteria: First, Jackson looked for a vendor that would be willing to work with the older equipment at some Westamerica Bank locations. Westamerica has over 90 offices and 2 trust offices in Northern and Central California.
"We needed someone who was going to adapt to our environment," Jackson said. His second requirement was a company that was known in the business, was doing the work now, and would develop it further in the future. Price was also a consideration, but became less of a factor because Websense fulfilled the first two requirements.
Jackson acknowledged that it's hard to measure the returns on implementing a DLP policy, however, he said that not having to worry about employees printing out customer information or taking files out of the company increases productivity.
"We don't always get a return on it. We won't get a financial return, but we do get a productivity return," Jackson said.
DLP as an embedded feature
Forrester's Kindervag and Holland said the future of DLP lies in it being built into other technologies.
For Kindervag, this means that "DLP is not a product space anymore, but a feature that can be embedded into a product."
Some companies have begun integrating DLP into other products. A notable example is the impending Microsoft Exchange Server 2013, which will allow administrators to set policies for messages that filter email as it flows through the server. In many ways, it will work similar to an add-on DLP service: it comes with templates that help organizations with compliance and allows administrators to build their own policies.
"Your company can lose data through multiple transport channels -- email, Web traffic and instant messaging (IM) -- so you must proactively protect each channel. … Forrester believes it is very difficult for a single product to protect all channels, and therefore DLP will quickly evolve (if it hasn't already) from a product to a function embedded into multiple (and perhaps all) security products," Kindervag said.
DLP vendors are quick to point out ways in which the built-in DLP could fail. Parrella, at Verdasys, said installing security and forgetting it would be a mistake.
"There needs to be a consideration of where risk visibility is found and where risk mitigation should be done," Parrella said. Risks can be found on the endpoint, the network, servers and other technologies.
"You must monitor where the risk shows itself," Parrella said. He added that the introduction of DLP to Microsoft Outlook seems like a good idea, but it lacks several security capabilities: It does not encrypt data, protect email attachments, include a forensic log for chain of custody or integrate with anything.
Dig Deeper on Secure software development