DLP Decisions Should Be Based on Requirements

Saturday, September 18, 2010

Rahul Neel Mani


Mahendra Negi, COO & CFO of Trend Micro, has been acknowledged as one of the top Internet analysts in Japan. In a freewheeling discussion, he touches upon various issues that concern the information security industry.

Q: Do you think that information security should be centralised or that parts of it should be managed centrally?

A: This is a topic where we struggle to reach a consensus. The discussion is especially important to us as we are more sensitive to this issue, because as a security vendor, we cannot afford to have a security breach.

As we transition towards the knowledge industry, I think decentralisation is almost inevitable. The line between employees and contractors, outsourcing and vendors will eventually blur and there will be more telecommuting, global organisations. This trend is being driven by business requirements, and you can't say no to that.

That's when we need to figure out what the security risks involved are and how we are going to address them.

Q: There is a lot of buzz around deploying DLP. What is your experience on this?

A: I think there are two kinds of users. One user thinks of compliance. They feel if they do not have a DLP solution then the compliance auditors will point it out. The other user thinks about his enterprise risk and data loss; for example, a small outsourcing company like a chip design company which gets the requirements from a major customer.

If it’s only a 50-employee company, it will be disastrous if an employee leaks critical information to a competitor. The company may even have to shut down. However, since it is a 50-employee firm, the management doesn't bother despite the issue being very critical to them.

At the other extreme, from my perspective, 75 percent compliance is good. I tell our auditors: it’s not a painting competition where I have to stand first; I'm fine if I pass, for that I'm willing to cut some corners. So in my mind I do this calculation: frequency of occurrence of an event and the impact of that event.

Look, if that event occurs every 50 years but has large impact as compared to an event that happens every day but has no impact, are you going to do something about that?

However, for certain events, I will have to self-insure. For example, if I have to store data for 10 years and I store it only for eight since nobody asked for it. And then one day somebody asks for it, I am done! I may even lose hundreds or thousands of dollars in compliance in addition to other hassles. And such events happen once in five years.

It should be a decision based on requirements.
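The frequency-times-impact calculation described in this answer, worked through as an added example (not code from the interview or from Trend Micro). The three scenarios, the dollar figures, the control's cost and its 80 percent reduction are all constructed assumptions; the point is the decision rule, which tells the rare, high-impact leak apart from the small retention gap the speaker chooses to self-insure.

```python
"""Added example: frequency x impact risk arithmetic behind a
requirements-based DLP decision. All dollar figures, the 'dlp' control
and the scenarios are constructed assumptions, not data from the page."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float    # expected frequency of the event
    impact_per_event: float   # loss per occurrence in dollars (constructed)

    def annual_expected_loss(self) -> float:
        """Frequency of occurrence times impact of the event."""
        return self.events_per_year * self.impact_per_event


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float        # yearly cost of running the control (constructed)
    reduction: float          # fraction of expected loss the control removes


def decide(scenario: Scenario, control: Control) -> str:
    """'mitigate' when the control saves more expected loss than it costs,
    otherwise 'self-insure' (accept the risk and budget for the loss)."""
    saved = scenario.annual_expected_loss() * control.reduction
    return "mitigate" if saved > control.annual_cost else "self-insure"


# Constructed scenarios mirroring the three cases discussed in the answer.
SCENARIOS = [
    # once every 50 years, large impact
    Scenario("leak of customer design data", 1 / 50, 5_000_000),
    # every day, no impact
    Scenario("noisy daily event", 365, 0),
    # once in five years, a few thousand dollars of compliance cost
    Scenario("retention shortfall found by auditor", 1 / 5, 5_000),
]

# Hypothetical DLP deployment: assumed cost and effectiveness.
DLP = Control("dlp", annual_cost=20_000, reduction=0.8)


def rank_by_expected_loss(scenarios):
    """Order scenarios by annual expected loss, highest first."""
    return sorted(scenarios, key=lambda s: s.annual_expected_loss(), reverse=True)


def decisions(scenarios, control):
    """Map each scenario name to the mitigate/self-insure decision."""
    return {s.name: decide(s, control) for s in scenarios}


if __name__ == "__main__":
    for s in rank_by_expected_loss(SCENARIOS):
        ale = s.annual_expected_loss()
        print(f"{s.name:40s} expected loss/yr ${ale:>10,.0f} -> {decide(s, DLP)}")
```

Running the block ranks the 50-year leak first despite its rarity, because its expected annual loss (100,000 under the assumed figures) dwarfs the others; the same arithmetic marks the five-yearly retention gap as something to self-insure rather than spend a control budget on.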

Q: You're based out of Japan, but travel to India quite often. So what are the trends that you see in India vis-a-vis Japan, in terms of security, awareness and types of threats?

A: Japan is a small country but with a higher level of security awareness. We wouldn't have the same frequency of security events as India, but use of IT in India is more innovative because there are many constraints in India.

Indian businesses have to work around such constraints and so in some ways that is a challenge they face but that is also what the hackers will exploit. I think the big difference is that evolution in India is much faster.

Q: Security is a process: absolute security is a myth and will always be. We now see more sophisticated SQL and blended attacks. The cycle of hackers exploiting loopholes and solution providers creating solutions to counter them - will this keep going on or is there any other solution?

A: We have to follow the hackers, because for us to cover all possibilities is too expensive. Assume you have to break into a house with 20 windows: if we make it completely bulletproof and you walk in through the door, isn't all that protection a waste? We would have to figure out that you have entered and react to it fast.

One interesting development is the new detection rate coming from third party vendors. We considered detection as the only metric, but the other metric is time to retaliate. 99 percent detection is nothing if you take 6 months to protect. So time-to-protect, from the first time the threat was analysed, is critical to ensure a comprehensive solution.

Q: What are the different kinds of attacks we may observe three years down the line?

A: Three years down the line when we recruit employees mid-career, especially if they are from big organisations, would we ask about the strategy document? One of the major realities of this business is you can't have strategy documents of all kinds; hence, an investment that makes an organisation agile is a good investment. Vectors might change, technology might change, so we have to evolve, otherwise we might be out of business.

Hackers are always one step ahead because they are the ones who will exploit usability. In my view, an unconnected computer is safest. Dial up is better than broadband, which is better than wireless but people are driven by usability.

That's why there's the need for cloud. The CFO wouldn't care what name we give it; he is driven by the cost whereas some people are driven by its usability. So if usability is driving cloud adoption, then security needs to catch up because hackers will exploit usability.

So what we need are "invisible bodyguards". If you wanted to go to Chandni Chowk (in Delhi) for a stroll but due to the high crime rate in Delhi, the invisible bodyguard warns you not to and you heed his warning, then you are safe.

However, if you're flanked by bodyguards, it'll take the fun away. Hence, if we made security very hard to use, then people won't use the Internet. We want to make it as unobtrusive as possible, giving freedom to users.

Q: Where do you see the shift from the host-based platforms heading to?

A: If you shift from the host, you have to go to the cloud, there's nothing in between, and from our experience we have been arguing for a number of years on this. Our concept was that enterprises need to block the threat from coming in rather than detect it.

Ten years ago we identified that most threats came from email, and today 90 percent malware comes from the Web. Ultimately, it may be that the host may become irrelevant, because if everything moves to the cloud at some point of time, the device is just an access tool.

Q: What is your opinion on white listing?

A: White listing and black listing are solutions but neither of them is a silver bullet. White listing is a major task; even vendors such as Microsoft don't digitally sign. You can't rely on this completely. What if the white list got compromised? What if someone did not digitally sign their file; there are so many updates being delivered every day. So white listing is a good option but not a silver bullet. Same is the case with black listing.

Our objective is to provide security that fits. If you are a very disciplined organisation then this can work, but for a decentralised organisation it’s tough. If your white listing and black listing did not work, you need to have a hybrid model. As the volume of files to be scanned is large, you also can't depend on some regular blocking update.

Q: Enterprises are focusing on virtualisation. One of the things enterprises do is that they create images to replicate things fast. Could this practice compromise the security of the organisation?

A: We have specific solutions to address this. The other issue is that the virtual machine is on the move, because we're not just talking about anti-malware. The customer wants to protect his content, but he doesn't care about what name you give it, because it's all the same from his point of view.

In a virtual machine, when the servers move, the policy addressing the physical server isn't relevant because what you want to address has already moved, and you can't keep changing firewall policies. The beauty of virtualisation is that it is based on the peaks and troughs of resource allocation. So we need to address such issues and how security moves with the virtual machine.

The other issue is that if there are 200 machines in the server, are you going to scan 200 times? This will put such a strain on the resource of the enterprise that the whole purpose of virtualisation will go for a toss. So we have to address all these issues, which is how we are doing with VMware.

As a CFO, I had the same challenges: some virtualisation is a slam dunk for me, and some worries me, as there is sensitive customer data. I worry about security; if your sales presentation gets corrupted then you are in a problem. So I worry about security.

The vendor must explain how these concerns are being addressed; this is what we are doing with VMware. When VMware goes to customers, we have all the solutions to the problems mentioned.

As virtualisation gets prevalent, new issues will come up. But these would be a combination of the ones we are already addressing: the resource utilisation issue, the management of virtual images as they move around, the updating, and so on. In our current product line, we have special security tools for virtual environments.

In the enterprise desktop scanner, the new version is virtualisation aware.

The problem today is that if your end point environment is partially virtualised, what do you do with your security solution? No one wants to deal with it. The IT manager wants to manage everything with one tool. If you use the existing tool, you'll immediately run into resource problems in the virtual environment because each virtual machine will be treated as an end point.

Even though it will theoretically work, in practice it'll destroy the virtualisation effort. So our new products are virtualisation aware. As soon as they detect that your machine is partially virtual, the virtual machine will be covered by the other tool that removes the resource problem.

Cross-posted from CTO Forum
