Data leak prevention (DLP) tools are extremely effective at reducing the risk of sensitive data ending up where it shouldn't, but, like any tool, they won't deliver good results if they aren't used properly. By avoiding a few common pitfalls, an organization can save time and money while better protecting itself.
Here are some key points to consider when implementing and using DLP tools:
- Set the right expectations -- One of the most common mistakes made in DLP deployments is failing to understand what the technology is capable of, and how to properly integrate it into business processes. DLP isn't magic, and different tools have different capabilities, especially regarding content analysis. None of them can completely protect all data from every conceivable
DLP is about risk reduction, not threat elimination. It's important to know what kinds of policies can be defined and what enforcement options are available before beginning a deployment. Later, the proper workflow needs to be in place to handle policy violations. While human resources and legal teams are rarely involved in a virus infection, they may be intimately involved when an employee tries to send a customer list to a competitor. Set a good baseline early; know what data needs protection, the capabilities of the tools in place to protect it, and the workflow for handling incidents.
- Start with small, well-defined policies -- DLP tools aren't necessarily prone to many false positives, but build a bad policy and an organization will either be swamped with bad results or overlook major losses. Start a deployment with a single, simple policy of limited scope in monitoring mode. Take time to tune the policy until the expected results materialize, and then expand the deployment by adding policies and enforcement actions.
- Use the right analysis technique for the right content -- I once talked to an organization that complained about all its DLP false positives, but it turned out it had used a less effective content-analysis technique than its DLP tool offered. By switching to a new technique (database fingerprinting), the organization reduced false positives to an acceptable level. Most of the time, false positives are real positives, but they denote content that poses no risk in that business context (for example, an employee using his or her personal credit card number on a website vs. abusing a customer's credit card number). Using the right content-analysis technique or adding context to a policy can reduce false positives, enabling more effective use of DLP tools.
- Clean up registered data before loading it into a policy -- Some policies protect registered data, such as a database or repository of documents. If the registered content is bad, though, scanning for it won't produce effective results. For databases, make sure to undergo some data cleansing to remove bad content (often test data) that can create false positives. For instance, one of my clients had '0' listed as an SSN in its database, causing every 0 in an email to trigger an alert. For unstructured documents, exclude letterhead or corporate footers that are common to every document. It doesn't take a lot of time, and it will materially improve the results.
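The two points above, choosing the right analysis technique and cleansing registered data first, can be shown side by side. The following is an added example written for this page, not code from the author or from any DLP product: it models a pattern-based detector and a simple fingerprint-based detector (one-way hashes of normalized registered values), runs both over constructed sample messages, and compares what each flags before and after the registered table is cleansed of placeholder values such as '0'. The row layout, the hashing scheme and the plausibility rules for SSNs are all assumptions made for the example.

```python
import hashlib
import re

# Constructed sample rows standing in for an exported customer table. The '0'
# and all-zero rows play the role of the test data the article warns about.
REGISTERED_ROWS = [
    {"customer": "A. Example", "ssn": "123-45-6789"},
    {"customer": "B. Example", "ssn": "987-65-4321"},
    {"customer": "test-account", "ssn": "0"},
    {"customer": "placeholder", "ssn": "000-00-0000"},
    {"customer": "C. Example", "ssn": "123456789"},  # same person as row 1, unformatted
]

# Constructed messages to scan. Only the first carries a registered value;
# the second is an employee's own number, the third contains a bare '0'.
MESSAGES = {
    "real_leak": "Hi, the customer's SSN is 123-45-6789, please update the account.",
    "personal": "My own SSN for the benefits form is 555-12-3456.",
    "harmless": "Order #0 shipped today, tracking 40012.",
}

SSN_PATTERN = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")   # anything shaped like an SSN
DIGIT_RUN = re.compile(r"\d[\d-]*\d|\d")              # candidate tokens for fingerprinting


def normalize(value):
    """Keep digits only so '123-45-6789' and '123456789' fingerprint identically."""
    return re.sub(r"\D", "", value)


def is_plausible_ssn(digits):
    """Reject placeholder and test values: wrong length, zero groups, one repeated digit."""
    if len(digits) != 9:
        return False
    if digits[:3] == "000" or digits[3:5] == "00" or digits[5:] == "0000":
        return False
    return len(set(digits)) > 1


def cleanse_registered(rows, field="ssn"):
    """Split rows into values worth registering and rows to send back to the data owner."""
    clean, rejected = set(), []
    for row in rows:
        digits = normalize(row[field])
        if is_plausible_ssn(digits):
            clean.add(digits)
        else:
            rejected.append(row)
    return clean, rejected


def fingerprint(values):
    """The policy stores one-way hashes of registered values, never the raw data."""
    return {hashlib.sha256(v.encode()).hexdigest() for v in values}


def scan_by_pattern(text):
    """Pattern technique: every SSN-shaped token is a hit, whoever it belongs to."""
    return [normalize(m) for m in SSN_PATTERN.findall(text)]


def scan_by_fingerprint(text, prints):
    """Fingerprint technique: a hit only if a token hashes to a registered value."""
    hits = []
    for token in DIGIT_RUN.findall(text):
        digits = normalize(token)
        if hashlib.sha256(digits.encode()).hexdigest() in prints:
            hits.append(digits)
    return hits


def strip_boilerplate(lines, boilerplate):
    """Drop letterhead/footer lines shared by every document before fingerprinting it."""
    return [line for line in lines if line.strip() not in boilerplate]


def compare_techniques():
    """Which messages each technique flags, before and after cleansing the registered data."""
    raw_prints = fingerprint(normalize(r["ssn"]) for r in REGISTERED_ROWS)
    clean_values, _ = cleanse_registered(REGISTERED_ROWS)
    clean_prints = fingerprint(clean_values)
    return {
        "pattern": sorted(k for k, t in MESSAGES.items() if scan_by_pattern(t)),
        "fingerprint_uncleaned": sorted(k for k, t in MESSAGES.items() if scan_by_fingerprint(t, raw_prints)),
        "fingerprint_cleaned": sorted(k for k, t in MESSAGES.items() if scan_by_fingerprint(t, clean_prints)),
    }


if __name__ == "__main__":
    for technique, flagged in compare_techniques().items():
        print(f"{technique:22s} -> {flagged}")
```

Run as a script, it shows the pattern detector flagging the employee's personal number, the uncleaned fingerprint set flagging the harmless order message because '0' was registered, and the cleansed fingerprint set flagging only the real leak. The rejected rows from `cleanse_registered` are the list to hand back to the database owner before the policy goes live.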
- Start with good directory integration (and clean directories) -- DLP policies are closely tied to users, groups and roles. It's important to make sure the DLP tool is properly integrated with the organization's directory structure, and use the function that exists in most DLP tools to tie users to their Dynamic Host Configuration Protocol (DHCP) addresses. Some organizations are sloppy with their directories, which may make tracking down an offending user (or applying policies to the right people) difficult. Review directories for bad data before integrating, and then test to make sure the integration works properly (you'd hate to fire an employee because IP addresses were transposed).
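To make the directory and DHCP point concrete, here is an added example, written for this page and not taken from the author or any DLP product. It parses a constructed DHCP lease log into lease intervals, checks a constructed directory export for the kinds of bad data that break attribution (accounts without groups, disabled accounts still mapped to a host, one hostname mapped to several users), and then resolves a DLP alert's source IP and timestamp to a single user, refusing to name anyone when the evidence is ambiguous. The log format, the directory fields and the assumed eight-hour lease lifetime are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed DHCP lease events: time, action, IP, MAC, hostname. A real
# deployment would read these from the DHCP server's own lease log.
DHCP_LOG = """
2008-08-01T08:00:00 LEASE 10.1.2.30 00:11:22:33:44:01 ws-alice
2008-08-01T09:30:00 LEASE 10.1.2.31 00:11:22:33:44:02 ws-bob
2008-08-01T12:00:00 RELEASE 10.1.2.30 00:11:22:33:44:01 ws-alice
2008-08-01T12:05:00 LEASE 10.1.2.30 00:11:22:33:44:03 ws-carol
"""

# Constructed directory export. The empty group list, the disabled account and
# the duplicated hostname are the sloppiness the article says to find first.
DIRECTORY = [
    {"hostname": "ws-alice", "user": "alice", "enabled": True, "groups": ["finance"]},
    {"hostname": "ws-bob", "user": "bob", "enabled": True, "groups": []},
    {"hostname": "ws-carol", "user": "carol", "enabled": True, "groups": ["sales"]},
    {"hostname": "ws-carol", "user": "dave", "enabled": True, "groups": ["sales"]},
    {"hostname": "ws-erin", "user": "erin", "enabled": False, "groups": ["hr"]},
]

LEASE_TTL = timedelta(hours=8)  # assumed lifetime for a lease with no RELEASE logged


def parse_leases(log):
    """Turn LEASE/RELEASE events into (start, end, ip, hostname) intervals."""
    open_leases, intervals = {}, []
    for line in log.strip().splitlines():
        ts, action, ip, _mac, host = line.split()
        when = datetime.fromisoformat(ts)
        if action == "LEASE":
            # A new lease on the same IP closes any earlier lease on it.
            if ip in open_leases:
                start, old_host = open_leases.pop(ip)
                intervals.append((start, when, ip, old_host))
            open_leases[ip] = (when, host)
        elif action == "RELEASE" and ip in open_leases:
            start, old_host = open_leases.pop(ip)
            intervals.append((start, when, ip, old_host))
    for ip, (start, host) in open_leases.items():
        intervals.append((start, start + LEASE_TTL, ip, host))
    return intervals


def check_directory(directory):
    """Flag entries a DLP integration could not act on correctly."""
    problems, by_host = [], {}
    for entry in directory:
        if not entry["groups"]:
            problems.append((entry["user"], "no group membership; group-based policies will not apply"))
        if not entry["enabled"]:
            problems.append((entry["user"], "account disabled but still mapped to a host"))
        by_host.setdefault(entry["hostname"], []).append(entry["user"])
    for host, users in by_host.items():
        if len(users) > 1:
            problems.append((host, f"hostname mapped to several users: {users}"))
    return problems


def attribute_alert(ip, when_iso, intervals, directory):
    """Map an alert's source IP at time `when_iso` to one user, or say why that is not possible."""
    when = datetime.fromisoformat(when_iso)
    hosts = {host for start, end, lease_ip, host in intervals
             if lease_ip == ip and start <= when < end}
    if not hosts:
        return None, "no lease covered this IP at the alert time"
    if len(hosts) > 1:
        return None, f"overlapping leases for {ip}: {sorted(hosts)}"
    host = hosts.pop()
    users = [e["user"] for e in directory if e["hostname"] == host and e["enabled"]]
    if len(users) != 1:
        return None, f"host {host} maps to {len(users)} enabled directory users"
    return users[0], "ok"


if __name__ == "__main__":
    for who, why in check_directory(DIRECTORY):
        print(f"directory problem: {who}: {why}")
    leases = parse_leases(DHCP_LOG)
    for ip, at in [("10.1.2.30", "2008-08-01T10:00:00"),
                   ("10.1.2.30", "2008-08-01T12:02:00"),
                   ("10.1.2.30", "2008-08-01T13:00:00")]:
        print(ip, at, "->", attribute_alert(ip, at, leases, DIRECTORY))
```

The same IP resolves to a user at 10:00, to nobody in the five-minute gap between release and reassignment, and to an explicit "two enabled users" refusal once the duplicated hostname is involved. Running `check_directory` before go-live, and a handful of known-answer lookups like these after, is the test the article asks for.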
- Work tightly with business units, don't just start enforcement -- Lastly, there's no guarantee that the effects of a DLP policy on business units will be fully understood. Work with the management of that unit, then deploy policies -- first in monitoring, and then in notification mode (meaning an employee is told when he or she has violated a policy, even if the action isn't blocked). Collect feedback to tune the policy to balance business needs and risk management.
DLP tools are a powerful way to protect sensitive content. While they are effective and efficient, failing to avoid the pitfalls mentioned above can alienate the business and lead to poor DLP results.
About the author:
Rich Mogull has more than 17 years' experience in information security, physical security, and risk management. Prior to founding independent information security consulting firm Securosis, Rich spent seven years at well-known research firm Gartner Inc., most recently as a vice president, where he advised thousands of clients, authored dozens of reports and was consistently rated as one of Gartner's top international speakers. He is one of the world's premier authorities on data security technologies and has covered issues ranging from vulnerabilities and threats, to risk management frameworks, to major application security.
This was first published in August 2008