Most data loss prevention (DLP) tools offer a variety of alerting options, including email alerts, events generated within a central management console and a choice of whether to notify end users of potential violations. Some can also send administrators a text message over SMS, or generate a traditional Syslog event for a log management or security information and event management (SIEM) system. In addition to alerting, some DLP tools can act as a simple incident workflow system or integrate with a more robust ticketing system for change management or monitoring.
Preventive actions differ widely in feature sets and capabilities. For network DLP, it's important to determine where preventive actions should take place, what kinds of traffic and data are being monitored, and how granular administrators can be when tuning the prevention rule sets. Most DLP tools can monitor and block mail and Web protocols (e.g., SMTP, HTTP), and some can also integrate with wireless networks.
For example, some organizations will place a DLP sensor near a perimeter Web gateway or proxy, with the focus on HTTP-based traffic. Most organizations also want to ensure that sensitive data is not leaving the network via email, so mail servers and relays are good choices for monitoring. Ensure that any data loss prevention product under consideration allows simple setup and monitoring for these critical traffic types, and that its sensors can either block traffic directly or integrate with relays and proxies to block traffic carrying sensitive data that violates security policy.
The most common means of doing this for Web traffic is the Internet Content Adaptation Protocol (ICAP), so make sure any products under evaluation support it. For host-based DLP, prevention usually means blocking access to data by specific users or applications. On the host side, however, a DLP agent will need to parse and evaluate many more document and file types and applications, including image writers, print drivers and programs such as those for rendering Adobe PDF files. One important feature to evaluate is how a DLP agent behaves when mobile users' laptops (and potentially handheld mobile devices such as smartphones) are not connected to the protected network and cannot reach the management server.
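To make the network-sensor discussion concrete, here is an added example (not code from the article or from any DLP vendor) of the decision a sensor makes when a mail relay or an ICAP-capable proxy hands it a message or request body: find candidate card numbers and SSNs, validate the card numbers with the Luhn check so random digit runs don't trip the policy, escalate to alert or block according to per-type thresholds, emit a Syslog-style event, and return the rejection the enforcing relay or proxy would send. The pattern names, the thresholds in `POLICY`, the event format and the sample message text are all assumptions made for this example.

```python
"""Toy content-inspection policy for a network DLP sensor (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Candidate primary account numbers: 13-19 digits, optionally split by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in dashed form, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Assumed policy: number of validated matches of each type that triggers each action.
POLICY = {
    "pan": {"alert": 1, "block": 1},   # any real card number is blocked outright
    "ssn": {"alert": 1, "block": 3},   # one SSN is alerted, three or more are blocked
}


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that separates real card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep BIN and last four so the alert is actionable without re-leaking the PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Verdict:
    channel: str                                    # "smtp" or "http"
    action: str = "allow"                           # allow | alert | block
    findings: dict = field(default_factory=dict)    # data type -> list of masked values

    def syslog_event(self, sensor: str = "dlp-sensor-1") -> str:
        """Single-line event suitable for forwarding to a SIEM (format is an assumption)."""
        counts = " ".join(f"{k}={len(v)}" for k, v in sorted(self.findings.items()))
        return f"{sensor} dlp action={self.action} channel={self.channel} {counts}".rstrip()


def inspect(body: str, channel: str) -> Verdict:
    """Scan one message or request body and decide what the sensor should do."""
    v = Verdict(channel=channel)
    pans = []
    for m in PAN_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):   # Luhn filters false positives
            pans.append(mask(digits))
    if pans:
        v.findings["pan"] = pans
    ssns = [s[:3] + "-**-****" for s in SSN_RE.findall(body)]
    if ssns:
        v.findings["ssn"] = ssns
    for kind, hits in v.findings.items():       # escalate; block always wins over alert
        if len(hits) >= POLICY[kind]["block"]:
            v.action = "block"
        elif len(hits) >= POLICY[kind]["alert"] and v.action != "block":
            v.action = "alert"
    return v


def reject_response(v: Verdict) -> Optional[str]:
    """What the enforcing relay or proxy returns for a blocked transaction."""
    if v.action != "block":
        return None   # SMTP 250 / ICAP 204 path: traffic passes through unchanged
    if v.channel == "smtp":
        return "550 5.7.1 Message rejected by data loss prevention policy"
    return "HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n\r\nBlocked by DLP policy\r\n"


# Constructed sample inputs; the card number is the well-known Visa test number, not a real card.
SAMPLE_EMAIL = (
    "Hi, here is the card for the booking: 4111 1111 1111 1111, exp 12/29.\n"
    "Order ref 4111111111111112 (looks like a card but fails Luhn).\n"
)
SAMPLE_WEB = "name=Jane&ssn=123-45-6789&notes=no+card"

if __name__ == "__main__":
    for body, channel in ((SAMPLE_EMAIL, "smtp"), (SAMPLE_WEB, "http")):
        verdict = inspect(body, channel)
        print(verdict.syslog_event())
        print(reject_response(verdict))
```

Note the two decisions a real sensor makes that the example keeps separate: whether a match is genuine (the Luhn check drops the second digit run in the email) and what to do about it (the SSN in the web request is only alerted, because the assumed policy reserves blocking for three or more). Products that offer quarantine would divert the transaction at the block step rather than rejecting it outright.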
Many products also include a quarantine option, which holds any violating file or data until an administrator investigates and releases it. Some DLP tools can also attach network traffic captures and other logs as supporting evidence, acting more as a full-featured forensics platform than as a simple monitoring, blocking and alerting system. Because these features vary widely from one product to another, evaluate your needs in light of the current and planned response and forensics practices within your organization when considering them.
Read more on the selection of DLP products in our guide.
About the author
Dave Shackleford is founder and principal consultant with Voodoo Security; a SANS analyst, instructor and course author; as well as a GIAC technical director. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering. He is a VMware vExpert, has extensive experience designing and configuring secure virtualized infrastructures, and is the lead author of the SANS Virtualization Security Fundamentals course. He has previously worked as chief security officer for Configuresoft; chief technology officer for the Center for Internet Security; and security architect, analyst and manager for several Fortune 500 companies. Additionally, Dave is the co-author of Hands-On Information Security from Course Technology.