Is a DLP System a Fit For Your Organization?

Thursday, December 09, 2010

Robb Reck


Is DLP A Fit For Your Organization?

Take a moment to consider the most valuable assets your company has. Think about what you have that sets you apart from your competitors. Is it the cutting edge product you sell? Is it the high quality employees you employ? Is it the secret recipe for your delicious salsa? Is it your loyal client base? Go ahead and give it 30 seconds or so. I'll wait.

As you created that list of your most valuable assets, you've also created a rough list of those assets that are most worth defending. These are the things that, if you lost, would be severely damaging, if not fatal, to your organization.

If somewhere on that list of valuable assets you included your customer base, trade secrets, employees, or your products, then Data Loss Prevention (DLP) might be for you. Each of these assets can be compromised if the wrong data gets out of your company. If a list of your customers gets into the hands of a competitor it could mean a significant hit to your bottom line. Your secret recipe getting into the wrong hands could lead to copy-cat products, or it may end up on a blog and we'll have everyone making your product at home. Personnel data loss could lead to employees losing trust, or a loss of morale ("John down the hall is getting paid HOW MUCH?!"). If your source code gets into the wrong hands, or the specifications for that widget you build are leaked, your product isn't going to be worth the price tag you've attached to it.

Data Loss Prevention (DLP) solutions are centered around the idea of identifying what data needs protecting, how that data should be allowed to move, and then ensuring those rules are followed. DLP technologies have the ability to work with data sitting at rest on your servers, in use on a system in your organization, or in motion as the data are sent out via the web, removable media, or printer.

The most important step to a successful DLP program is determining what data your company needs to protect. For large organizations this is a big job and can seem overwhelming. Fortunately, quality DLP products have tools to assist you in this discovery phase. You can identify particular servers or folder locations that are considered sensitive, and the DLP solution will learn those files and protect them. Or you can give the DLP system a set of rules and the system will crawl your network and find where all the sensitive information is saved.

Once you have determined what constitutes sensitive information in your company, it's time to start watching how that sensitive information is moving around. DLP solutions come with a monitoring feature that will watch for sensitive data as it's bounced around your network and, most tellingly, as it exits your network. This type of monitoring is going to uncover all kinds of ugly truths. If you're not using a DLP solution to prevent it, your payroll/HR department is probably emailing out payroll and employee information. Your developers are probably emailing around source code. Your accountants are probably emailing out financials. Odds are they are not doing this maliciously. They have simply found the path of least resistance, and since nobody has complained before, why wouldn't they?

The unfortunate truth: the only people who really know how much they need DLP are the people who already have it. The monitoring provided by DLP not only tells us what data is leaving our network, but also what data continues to reside on the network.

Thanks to our monitoring, we now know that more sensitive information leaves our organization than we thought possible. On the bright side, we know who is doing the sending, what kind of data is being sent, and where the data is going. With that knowledge we can create high quality standards that address how data should be shared and transmitted in our environment. Instead of one-size-fits-all standards created for companies across multiple industries, we have the ability to create standards that directly address the kind of sensitive information we deal with, the kind of applications we support, and the business realities we face.

DLP standards should specifically detail what data may be transmitted out of the company, by whom, by what means and to what destinations. Standards do not need to specify the technology used. They lay out the rules the business wants to enforce, which can be done through any number of technical means.

We now have (1) determined what constitutes sensitive information in our organization, (2) better knowledge of where data is on our network, (3) better metrics on how that data is being sent (the who, how, and where), and (4) crafted high quality standards that directly address our company's reality. All of this value is delivered without DLP ever having blocked a thing.

Next we want to convert those DLP standards into rules on the DLP device itself. I won't get into detail on this process, as it will vary depending on the DLP solution you choose. But getting the rules properly entered and appropriately configured is essential. You may want to get the assistance of the vendor or a consultant either for the configuration, or to check over your work after you're done.

An important step before we turn on all these rules and start blocking is to set all the blocking rules in a monitor or alert mode. One of the worst things we can do for the health of a DLP project is start blocking user activity before the system is properly tuned. If the first thing leadership hears about our new DLP solution is how it stopped a major deal from closing, we're going to have a very tough time ever getting real leadership buy-in for the technology.

That's why, before we go live, we will spend a significant amount of time in monitor mode seeing what the rules WOULD do if they were actually turned on. By watching what would have happened we can look for false-positive patterns and figure out how to allow those exceptions through the system without turning off the DLP protections overall.

A filter preventing the posting of social security numbers to the web is probably a good idea if we are an organization that holds sensitive customer or patient information. But if our payroll system requires that HR enter employees' SSNs as a part of the on-boarding or benefits enrollment processes, that DLP rule could cause business interruption. We can identify this issue and allow an exception for posting SSNs to that site. By finding this type of issue during a monitoring phase we avoid a work disruption and the bad press that goes along with it.
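To make the discovery, monitor-then-block and exception steps concrete, here is an added example (not from the original post or any DLP product) of a minimal rule engine run over constructed outbound events: one SSN rule runs in monitor mode and reports what it would have blocked, the same rule blocks in enforce mode, and an approved exception lets HR post to the payroll site. The SSN pattern, exception list, user names and destinations are assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Hypothetical SSN rule (not any product's own): ddd-dd-dddd, skipping values
# the SSA never assigns (area 000, 666, 900-999; group 00; serial 0000).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Constructed exception list: (user, destination) pairs the business approved
# for this rule, e.g. HR posting SSNs to the payroll enrollment site.
SSN_EXCEPTIONS = {("hr", "payroll.example-vendor.test")}

@dataclass
class Event:
    user: str
    channel: str        # web, email, usb, print
    destination: str
    content: str

def find_ssns(text: str) -> list[str]:
    """Discovery step: return the SSN-looking strings in a piece of content."""
    return SSN_RE.findall(text)

def evaluate(event: Event, mode: str) -> str:
    """Apply the SSN rule to one outbound event. In "monitor" mode a hit is
    recorded as "would_block" and nothing is stopped; in "enforce" mode the
    same hit becomes "block". Approved (user, destination) pairs get "exception"."""
    if not find_ssns(event.content):
        return "allow"
    if (event.user, event.destination) in SSN_EXCEPTIONS:
        return "exception"
    return "would_block" if mode == "monitor" else "block"

def run(events: list[Event], mode: str) -> list[tuple[str, str, str]]:
    """Evaluate a batch; returns (user, destination, decision) per event."""
    return [(e.user, e.destination, evaluate(e, mode)) for e in events]

def exception_candidates(events: list[Event]) -> Counter:
    """Tuning aid for the monitor phase: count would-be blocks per (user,
    destination) so recurring legitimate flows can be reviewed for an exception."""
    return Counter((u, d) for u, d, dec in run(events, "monitor") if dec == "would_block")

# Constructed sample traffic, not real data.
SAMPLE_EVENTS = [
    Event("hr", "web", "payroll.example-vendor.test", "new hire SSN 123-45-6789"),
    Event("hr", "email", "mail.example.test", "fyi, her SSN is 321-54-9876"),
    Event("dev", "email", "mail.example.test", "merged the widget branch"),
    Event("sales", "web", "crm.example.test", "ref 000-12-3456 is a ticket id"),
]
```

Running `run(SAMPLE_EVENTS, "monitor")` shows the payroll post as an exception and the HR email as a would-be block, which is exactly the kind of flow to review before switching the rule to enforce.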

When we have completed the monitoring phase, it's time to flip the switch and start blocking inappropriate information. This stage contains a new set of benefits to the organization. Most obviously, we are improving security by preventing sensitive data from exiting the organization inappropriately. But we also receive assurance and compliance.

Assurance means that not only are we secure, but we can provide evidence to back it up. DLP provides assurance because we can look into the data that's been transmitted and confirm that the things that are getting through are what we allow. We can generate reports that we can hand to IT, HR, Legal, or Audit that show all of the types of data we are blocking from exiting the network.

Compliance is a primary driver in many organizations, and will often provide the funding for DLP projects. Several of the security standards require ongoing monitoring of traffic that travels across our networks. DLP can provide that insight, and meet many compliance requirements.

While DLP systems are a relatively new addition to the overall IT landscape, there are mature, well-proven solutions available now. DLP can move a company from assuming they know where their data is, and that it's being used appropriately, to a place where they know exactly where their sensitive data is, who is using it, and where they are sending it. Any company that has valuable data should look long and hard into whether a DLP solution might be right for them.

Cross-posted from Enterprise InfoSec Blog from Robb Reck.
