DLP deployments: Understanding your options
This Security School is a free multimedia learning guide designed to help you understand and address the strategic and tactical implications of this topic.
Despite all of the security technologies -- compliance to government and industry regulations, and employee awareness training – it's impossible to save workers from themselves. As they access, use and share their data they often make mistakes that can cause serious data breaches. They'll email confidential files to their systems at home; they’ll inadvertently save unencrypted, regulated data on the network somewhere; and they’ll make tons of other mistakes every day that place confidential data at risk, or use it in ways that violates security policy.
DLP is just a tool; it just tells you where your areas of risk are.
regional information security officer, Providence Health & Services
Johnny Matamoros, information security manager at Freeman Decorating Co., based in Dallas Texas, knows these challenges. The IT team at Freeman Decorating took the right steps to better secure data. They separated their network into segments, including the portion that handled credit card data, and they provided ways for workers to encrypt email. But they didn’t have an effective way to spot potential data leaks as they happened, Matamoros explained.
"We did not have an effective solution, or process in place, to consistently monitor, identify, alert and report on when specific data types enter or leave the organization. In our case, the [pressing] data type was credit card information," Matamoros said.
To quickly identify such incidents, Matamoros deployed McAfee Data Loss Prevention (DLP). But that deployment, while a success, wasn't without its own set of hurdles and lessons learned. And while many organizations that have deployed DLP technology report a certain amount of success in limiting data loss, it's not always easy getting to that point.
To gain an understanding of the most common lessons learned from real-world DLP installations, we've interviewed a number of experts who are either deeply familiar with the DLP market, or security managers who've successfully implemented DLP. Here’s the advice they had to share:
Your own data governance maturity matters as much, if not more, than the technology. In fact, Rich Mogull, analyst and CEO at the Phoenix-based IT security market research firm Securosis, said the technology, which most often works as expected, isn't the number one inhibitor to successful DLP technology deployments: "If DLP implementations are going to work, you have to be mature as an organization about your data. Organizations have to have a good sense of where their data is and how to protect it. And starting from the beginning and identifying the data that is important to protect and where it resides is difficult, and it's a lot of work," Mogull said.
DLP technology deployments: Going too far, too fast
Another common theme among failed deployments is going too far, too fast with the data screened and controlled by DLP. "You’ll run into a significant false-positive issue if you do so," said Scott Crawford, research director at Enterprise Management Associates.
"There are potential issues when it comes to how much data you are collecting, and how much of that data is relevant? And what is your false-positive hit-rate looking like? You need to plan to allocate resources to tune your deployment," Crawford explained.
"Initially, go for the quick wins. Take a high-level view of your environment by turning on a group of rules, but don't worry about enforcing those policies. You just use it as a way of finding, at a high level, where as much stuff is as you can. Consider it a risk assessment to find your biggest problem areas," Mogull said.
Crawford agreed with aiming for digestible, quick wins. "That will include data with a high structure and high recognizability. These will provide the easiest hits with the fewest false-positives," Crawford added. That typically means starting with account data that conforms to specific format such as account numbers, Social Security numbers, credit card data and similarly structured information. Where it starts to get a little fuzzy is in unstructured data, like intellectual property, that requires its own attention, and that is where classification becomes more important," Crawford said.
Failure to plan for ongoing system response and tuning
As you start looking for data, you need to be prepared to be potentially deluged with the amount of data, varying types of data, sources of data transmissions, as well as the content of the data itself, Matamoros explained. "[Preparing for] the content of the data is not to be taken lightly, as you never know what you may capture. In addition, you really should be clear on the type of data you want to monitor and the action you want performed when the data is seen by the DLP," he added. "Even with proper data types identified, be prepared to spend some time tuning for false positives based on your individual organization," Matamoros said.
DLP is a technological "solution." A few years ago, Renton, Washington-based hospital and health care services provider Providence Health & Services set out to ensure confidential data such as patient, employee and partner-sensitive information wasn't being transmitted insecurely, said Charles Lee, regional information security officer at Providence. But it's not just the ability to detect confidential data potentially leaking on the network that turns out to be the real, long-term win, Lee explained. "DLP is just a tool; it just tells you where your areas of risks are," he said. "The real win, in my opinion, is the opportunity it creates to bring awareness and training to your users," he added.
According to Lee, as Providence has steadily improved its DLP implementation, every time a user triggers a DLP event, it's a training opportunity. "They get coached and trained on proper ways of handling information. There are also opportunities to improve bad, unsecured business processes that are discovered," he said. "DLP is not a deploy-and-forget technology, it can actually provide opportunities to improve employee and business security workflow," he said.
Not running proof-of-concept deployment
To get started on the right foot, Freeman Decorating's Matamoros suggested starting with a manageable proof-of-concept.
"It's very important to get buy-in from management and agreement of not only which capture filters to enable, but also what actions to take and who to contact, should you see any filters triggered. In addition, you should properly identify a network location that will provide the data you are interested in monitoring," he said. "Once you begin monitoring, be prepared for the results. This could be overwhelming, initially," he said.
About the author:
George V. Hulme writes about security and technology from his home in Minneapolis. You can also find him tweeting about those topics on Twitter at @georgevhulme.