You Can't Buy DLP

Monday, June 13, 2011

Boris Sverdlik



We have all seen vendor presentations that tell us their product is “King of DLP” and that buying it will make you compliant with HIPAA, SOX, PCI, GLB, etc. Well, for the most part they are lying to you.

Data Loss/Leakage Prevention is not something you buy off the shelf. I'm amazed that most organizations still think that locking down USB ports prevents data loss; it doesn't.


In order to implement a data loss solution, you must take a holistic approach to identify the problem, the threat vectors and your vulnerabilities. You must understand where your sensitive data lives within your organization.

This can’t be done with a tool, regardless of how good the vendors claim it is. Data Loss Prevention is a program, and just like any other program it has prerequisites.

They say they can identify all your sensitive information. Well, how exactly are they going to do that when sensitive data should be encrypted? Let’s look at some of the things they can’t do:

  • Prevent hard copies from walking out the door
  • Prevent usage of common data hiding techniques
  • Prevent usage of mobile scanner software
  • Prevent backup medium from walking away
  • Ensure compliance to disposal policy

Get where I’m going with this??? Data Loss Prevention is a program that requires a risk-based approach to implementation. It’s not something that a vendor can magically fix.

The steps in implementing DLP are fairly simple to seasoned security professionals. Information classification is your first step to preventing loss. If you don’t know what data your organization considers sensitive, then you are in the wrong field.

Information classification is a fairly straightforward process without any grey areas. It should also be the basis for any of your security policies and procedures. Without information classification in place, your policies are just fluff.

Steps to implementing Information Classification:

  • Meet with the business lines to learn processes
  • Identify information according to sensitivity (if the information shows up in the Journal, will I suffer financial, strategic, regulatory or reputational loss?)
  • Identify current control sets to protect information
  • Implement processes around those control sets

Next up is protecting sensitive information. How do I prevent information from going public you ask? Well, you can’t. People will always be your number one risk.

You need to apply controls that lower the risk, but there is no magic box that you plug in and you’re all set. Some of the things you can do just require common sense.

  • If your business doesn’t require social media presence, turn it off. Content filtering done right can limit a good chunk of disclosure.
  • Implement mail filtering solutions that use terms which your business identifies as sensitive
  • Implement administrative controls such as “enforceable” end user agreements
  • Remove unfettered “keys to the kingdom” from admins and support staff
  • Apply encryption to sensitive data where possible
  • Implement printer controls for shared printers
  • Implement clean desk policy
  • Implement physical controls in extremely sensitive areas
  • Stop using sensitive data in development
  • The list goes on and on
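As an added illustration of the mail and content filtering items above (this is example code written for this page, not code from the post or from any vendor), the sketch below inspects an outbound message the way a term-based filter would: the sensitive terms are whatever the business lines produced during classification, pattern checks with a Luhn test catch card numbers regardless of wording, and an attachment that looks encrypted is reported as uninspectable and held for a human rather than silently passed, which is exactly the limitation the post raises about encrypted data. The term lists, the three sample messages and the opaque attachment blob are all constructed sample values.

```python
import hashlib
import math
import re
from collections import Counter
from dataclasses import dataclass

# Terms each business line flagged as sensitive during the classification
# exercise. Constructed sample values: a real list is the output of the
# meetings with the business lines, not a vendor's default dictionary.
SENSITIVE_TERMS = {
    "restricted": ["project bluebird", "merger term sheet"],
    "confidential": ["salary band", "customer list"],
}

# Pattern checks for data the business handles regardless of wording:
# 13-16 digit card-number-shaped strings (validated with Luhn below)
# and US SSN-shaped strings.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Attachments at least this long with this much entropy per byte are, in
# practice, encrypted or compressed: the filter cannot see inside them.
ENTROPY_MIN_BYTES = 256
ENTROPY_THRESHOLD = 7.5

# The most severe finding decides what happens to the message.
SEVERITY = {"restricted": 3, "uninspectable": 2, "confidential": 1}
VERDICTS = {3: "block", 2: "hold", 1: "flag", 0: "allow"}


@dataclass
class Finding:
    rule: str   # which check fired
    label: str  # classification label, or "uninspectable"
    where: str  # subject, body, or attachment name


def luhn_ok(number: str) -> bool:
    """Luhn checksum: separates card-number-shaped strings from random digits."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; random or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_opaque(data: bytes) -> bool:
    return len(data) >= ENTROPY_MIN_BYTES and shannon_entropy(data) > ENTROPY_THRESHOLD


def inspect_message(subject: str, body: str, attachments: dict) -> list:
    """Run the term and pattern checks over every part the filter can read."""
    findings = []
    parts = [("subject", subject), ("body", body)]
    for name, data in attachments.items():
        if looks_opaque(data):
            # Report what cannot be inspected instead of quietly passing it.
            findings.append(Finding("high-entropy attachment", "uninspectable", name))
            continue
        parts.append((name, data.decode("utf-8", errors="ignore")))
    for where, text in parts:
        lowered = text.lower()
        for label, terms in SENSITIVE_TERMS.items():
            for term in terms:
                if term in lowered:
                    findings.append(Finding("term:" + term, label, where))
        for m in CARD_RE.finditer(text):
            if luhn_ok(m.group()):
                findings.append(Finding("card number", "restricted", where))
        if SSN_RE.search(text):
            findings.append(Finding("ssn", "restricted", where))
    return findings


def verdict(findings: list) -> str:
    worst = max((SEVERITY[f.label] for f in findings), default=0)
    return VERDICTS[worst]


# Constructed sample traffic. The opaque blob stands in for an encrypted
# archive; it is built from hashes so the example is deterministic offline.
OPAQUE_BLOB = b"".join(
    hashlib.sha256(b"constructed-sample-%d" % i).digest() for i in range(64)
)
SAMPLE_MESSAGES = {
    "quarterly-figures": dict(subject="Q2 numbers", body="Attached are the regional figures.",
                              attachments={"q2.csv": b"region,revenue\nemea,12.4\namer,9.8\n"}),
    "leaky-reply": dict(subject="re: onboarding",
                        body="Her salary band is L5; card on file is 4111 1111 1111 1111.",
                        attachments={}),
    "encrypted-archive": dict(subject="files you asked for", body="see attached",
                              attachments={"stuff.7z": OPAQUE_BLOB}),
}

if __name__ == "__main__":
    for name, msg in SAMPLE_MESSAGES.items():
        found = inspect_message(**msg)
        print(name, "->", verdict(found), [f.rule + "@" + f.where for f in found])
```

The point of the "hold" verdict is the one the post makes: the filter only knows what it was told is sensitive and can only read what is in the clear, so the business-supplied term list and the handling of opaque attachments are program decisions, not something the box ships with.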

Instead of wasting your money on “scareware”, bring in security consultants who know what they’re doing. They can identify the real threats and help you develop your DLP Program.

Cross-posted from Jaded Security

Stephan Fix
Isn't DLP really just a 'buzz-phrase' to help with marketing? What is the real difference between Information Security and Data Loss Prevention? I'm sure one could argue that Information Security is a much broader topic, but the focus of the "IT Guy" charged with Infosec responsibilities is DLP. I agree with you completely - there is no magic pill. And, for anyone that purchased the DLP product that solved all of their problems, I have some land available in Florida ...

Johnny Wong
You rightly mention DLP is a PROGRAM, not a solution. A program's outcomes/objectives can be met by one or many solutions.

I think Data Classification itself should be classified as a program; because this is something that should not be taken lightly.

And I think enterprises should start small, take baby steps. Identify a business unit that handles sensitive data, for example, HR. Start from there and determine the kind of data it handles, what classification, the "in use, in store, in transit" data states, understand the end-to-end flow of data, consider areas or choke points where data seems the most vulnerable... and so on.

It is good we have like-minded folks here :)
Boris Sverdlik
Thanks for reading guys..
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
