Data loss prevention (DLP) tools—also known as data leakage prevention or content monitoring and filtering (CMF) tools—are intended to prevent inadvertent or intentional exposure of sensitive enterprise information. According to consultancy Gartner, they do this by identifying content, tracking activity and potentially blocking sensitive data from being moved. When Jack in accounting tries to e-mail customer records to his home PC—or perhaps copy the data to a USB drive—DLP software can warn Jack and/or stop the action.
Gartner, which says this market tripled from $50 million in 2006 to $150 million in 2007, offers the following functions as basic requirements for data loss prevention software:
Perform content-aware, deep packet inspection on network traffic, including e-mail and other protocols.
Track complete sessions—not individual packets—for analysis.
Use statistical and linguistic analysis techniques beyond simple keyword matching for detection (for example, advanced regular expressions, document fingerprinting or machine learning).
Detect, block or control the usage of (for example, saving, printing or forwarding) specific content based on established rules or policies.
Monitor network traffic for, at a minimum, e-mail traffic and other channels/protocols (HTTP, IM, FTP) and analyze across multiple channels, in a single product and using a single management interface.
Block, at a minimum, policy violations over e-mail.
The tools can be classified in three groups: Network-based tools, which sit at the edge of the network, monitor data flowing through the network and in some cases filter or block data movement; host-based tools, which require an agent to be installed on individual PCs and servers, monitor static data on these systems and, in some cases, block or control actions that users can take; and systems that combine both of these capabilities. Ultimately, Gartner says, tools will not only monitor but also block any channel on the network and hosts from which data can be stolen, including the network interface, within the operating system and between applications. This requires much deeper integration with servers and desktops. For instance, agents running on local hosts could stop someone from downloading sensitive data through a USB drive, printing it and walking out the door. While vendors have significant plans in this area, product offerings are unlikely to become available in 2007, Gartner says.
Gartner says its clients find host-based data loss prevention systems more difficult to manage and less sophisticated in detections. "If someone came onto the network with a laptop [that didn't have an agent installed on it], they could gain access to files, and you'd never have insight into that activity," says Rich Mogull, research VP at Gartner. He sees host-based capabilities as critical but believes a combination of both approaches is ideal. "You should have one management console for data discovery, data in motion, data in use and data on the endpoint system," he says.
Evaluating and Implementing Data Loss Prevention
Here are critical dos and don'ts for evaluating and using DLP tools, based on input from CSOs and analysts:
DO think about network requirements. Nearly every DLP product claims to support Gigabit Ethernet speeds without packet loss or significant latency, according to Gartner; however, the company says, few products can actually function at gigabit speeds in a production environment. Here's what Gartner says companies need in terms of relevant sustained bandwidth.
Large: 200M bps to 500M bps
Medium: 50M bps to 200M bps
Small: Less than 50M bps
When Scott Mackelprang, vice president of security and compliance at Digital Insight, implemented a tool from Tablus, he worked intimately with network administrators. "Tablus sends out agents across the network, so they were afraid we'd clobber it," he says. "I'd advise people to involve the network people up front so they can dissolve those concerns up front." He says Tablus controls the movement of agents in a way that protects the network.
DO figure out what you're trying to protect. Jon Oltsik, senior analyst at Enterprise Strategy Group, says, "It's important to start with some sort of requirement, some question you want answered." For instance, are you looking for access control violations, accidental data exposure issues or to reinforce policies? Are you mainly concerned with protecting private data, such as personally identifiable data, in order to comply with government regulations, or do you need to protect intellectual property that, if exposed, could damage your competitive advantage?
DO pilot DLP tools in your own environment before deciding which ones will work best for you, Oltsik says. "Everyone talks about how their detection is better than others, but there's no way to tell which one works better without running a few products side by side in your environment, on your data, with a couple of your rules." See which ones come up with the most alerts and which have the most false positives and negatives. "If you don't, you're really taking a risk, no matter how good the canned presentation is," Oltsik says.
DON'T buy a data loss prevention product to guard against malicious activity such as data theft. According to Gartner, the tools are actually better at helping companies identify bad security practices and accidental data leakage. As the technology evolves toward combination host- and network-based products, it will deal more directly with the problem of malicious attacks, Gartner says. But current systems will stop only the most basic of criminal activities.
For instance, network capabilities alone can't detect sensitive data that doesn't pass through one of the DLP network sensors, while host-based systems can't detect anything on a nonmanaged system, Gartner points out. "They'll stop the ill-informed, dumber bad guys, but not the ones who know the tools are in place," Mogull says.
DON'T get confused between USB blockers and DLP products that—through endpoint agents—enable you to prevent sensitive data from being copied onto USB devices. The original USB blockers lack content awareness, according to Gartner; that is, they block copying altogether, not just the copying of particular data. On the other hand, companies such as Centennial, Verdasys and Safend all offer products that make content-based decisions. For instance, they'll prohibit copying of files from certain servers, certain file types or files containing Social Security numbers.
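To make "content awareness" concrete, here is an added example (not from the original article and not any vendor's code) of the two detection techniques named in Gartner's requirements and in the USB discussion above: a structurally validated Social Security number pattern and document fingerprinting by hashed word shingles. The function names, the five-word shingle size, the 0.3 threshold and the sample data are assumptions made for illustration.

```python
import hashlib
import re

# Candidate SSNs: 3-2-4 digits with optional "-" or space separators.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")

def find_ssns(text):
    """Return SSN-shaped strings that pass the structural rules
    (area not 000, 666 or 9xx; group not 00; serial not 0000)."""
    hits = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        if area in ("000", "666") or area[0] == "9":
            continue
        if group == "00" or serial == "0000":
            continue
        hits.append(m.group(0))
    return hits

def shingles(text, k=5):
    """Hash every run of k consecutive words (lower-cased, punctuation dropped)."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
        for i in range(len(words) - k + 1)
    }

def fingerprint_overlap(protected, outbound, k=5):
    """Fraction of the protected document's shingles found in the outbound text."""
    ref = shingles(protected, k)
    return len(ref & shingles(outbound, k)) / len(ref) if ref else 0.0

def inspect(outbound, protected_docs, threshold=0.3):
    """Return findings only; the caller's policy decides whether to alert or block."""
    findings = [("ssn", s) for s in find_ssns(outbound)]
    for name, doc in protected_docs.items():
        score = fingerprint_overlap(doc, outbound)
        if score >= threshold:
            findings.append(("fingerprint", name, round(score, 2)))
    return findings

# Constructed sample data (hypothetical document and e-mail body).
PROTECTED = {"q3-pricing": "Confidential pricing for the third quarter: "
             "enterprise tier moves to a per seat model with volume "
             "discounts above five hundred seats."}
MAIL = ("fyi - the enterprise tier moves to a per seat model with volume "
        "discounts above five hundred seats. Customer SSN 123-45-6789, ticket 000-12-3456.")
```

The pasted excerpt omits the word "Confidential", so a keyword rule would miss it, while the fingerprint still matches; the ticket number is SSN-shaped but rejected by the structural check, which is the kind of false positive a pilot on your own data should surface.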
DON'T rush into blocking. More products are emerging that can block users from performing certain actions on sensitive data, such as copying, printing or e-mailing. However, users like Randy Barr, chief security officer at WebEx Communications, would prefer to be notified when users do something that's against security policy rather than stop them outright. That's because, when he deployed a network-based tool from Reconnex two years ago, he found that 80 percent of the violations occurred because employees were unaware of regulatory rules or company policy.
For instance, some employees were e-mailing files with sensitive data over the Web to their home computers when they wanted to work from home. And in one case, a vacationing employee revealed his user ID and password to a coworker over an instant messaging session so that the coworker could get some needed information on his personal drive. "It helps us identify violations so we can go in and do some quick awareness training," Barr says.
Barr is also concerned that blocking would hinder some employees from performing essential job tasks. "I don't want to hinder them—I want to audit what they're doing," he says. "I wanted a tool that would provide awareness to employees and also log an alert to me."
Besides, he says, blocking may actually encourage someone intent on criminal activity to find other means to transport data. "If they're really malicious, they may find other ways to take the data, like storing it on an iPhone, an iPod or a USB," he says. He has looked into tools that block copying data to external drives, but for now, he'd rather be alerted and have the tool tell the user it's against policy.
"Understanding network activity is the first step to knowing what to do to improve your overall security program," he says. "Going in blind and installing prevention at the desktop won't give you the visibility you want."
DO inform your employees they're being monitored. Not only does this let employees know what you're capable of doing, but it also teaches them what they need to do to protect sensitive data. After deploying a tool from Vericept, Sharon Finney, information security administrator at DeKalb Medical Center in DeKalb County, Ga., says the healthcare organization disclosed to employees that it fully monitors every piece of data that crosses the network, internally and externally, even requiring employees to sign a form saying they understand this.
DO make sure the tool has built-in capabilities to detect what is most important to you. When Finney went looking for a DLP tool four years ago, the main motivation was compliance with HIPAA, as well as monitoring employee Web use. "We allow some limited personal use of the Web, so we assumed a certain amount of risk in terms of what people posted to external Web sites or attached in their e-mail," she says. That's why Finney chose a tool that could monitor Web use and had built-in HIPAA rules.
DO consider data at rest. The main reason that Mackelprang decided to deploy Tablus was not to see sensitive data flowing over the network or outside the enterprise but what was sitting on people's desktops. "Such a large percent of data that gets exposed is on stolen laptops, when people didn't even know the data was on there," he says. "It's bad processes, not ill intent."
DO find a tool with lots of flexibility in terms of data handling. At DeKalb, Finney plans to start using the blocking capabilities of the Verdasys tool, but she also wants to use its self-compliance feature. When the tool flags sensitive data, it gives users options on actions they can take, like encrypting the data. "Some people think blocking is disruptive, but we allow users the ability to do what they think needs to be done with the information."
Mackelprang is also happy with the fact that Tablus allows him to quarantine data, encrypt it, quarantine and encrypt it or just alert him of a breach. "If you're just starting out, you might want it to just alert you for a while until you educate users to change their process, and then later, after they're sensitized, if there's a clear violation, you can crack down," he says. "It allows the tool to grow with maturity."
Mary Brandel is a freelance writer.