In the aftermath of the Wikileaks fiasco, enterprises are wondering what the breach of so many sensitive documents means, and if such an event could ever happen to them. One of the technologies vendors and solution providers are feverishly pushing as the answer is Data Leak Prevention (DLP) technology.
According to IDC, while sensitive information leaks were seen as the second greatest threat to enterprise security, only 31.4 percent of organizations had adopted DLP. At the time of the study, which was December 2009, only 14.5 percent of organizations had plans to purchase DLP. It's probably a good hunch, considering what has become public on the Operation Aurora attacks and the more recent Wikileaks phenomenon, that many enterprises are giving DLP a much closer look today.
MORE ABOUT DLP
- Security analyst to DLP vendors: Watch your language
- Unmasking DLP: The data security survival guide
- 3 ways pen testing helps DLP (and 2 ways it doesn't)
- Solving the DLP puzzle: 5 technologies that will help
DLP is widely marketed as the way to stop confidential information from sliding out the door on notebooks, smartphones, iPods, portable storage, and many other devices. Or, as US Army intelligence analyst Private First Class Bradley Manning is alleged to have done: copy and walk away with reportedly 250,000 files designated (at the least) as classified -- on a writable CD labeled as Lady Gaga music -- from the Secret Internet Protocol Router Network (SIPRNet). SIPRNet is run by the US Department of Defense and the U.S. Department of State.
Would having DLP in place had prevented that leak? Analysts are doubtful. DLP technology is very good at protecting specific types of information, but not protecting all of the information generated and managed by an organization. "In this case, the content taken appears to have been a mass amount of information that Manning had legitimate access to," says Rich Mogull, founder and analyst at the research firm Securosis. "DLP is not good at stopping this sort of incident, where a broad amount of data is taken."
Experts also agreed that while DLP has its place in the enterprise, it would provide no definitive protection against similar attacks from trusted insiders. "There is no 100 percent solution to stop a motivated insider from stealing information," says Mike Rothman, president and analyst at Securosis.
Also read The 2011 Executive Guide to DLP, a 4pp PDF that clearly spells out the foundations of data loss prevention [CSO Insider registration required]
It's useful to pause and define what we mean by DLP. According to Mogull, DLP, at a minimum, identifies, monitors and protects data in motion, at rest and in use through deep content analysis. The tools identify the content, monitor its usage and builds defenses around it. "There's also an emerging class of DLP that I call DLP Lite. These are single channel solutions that only look at either the end point, or the network," he says.
For the most part, experts agree, whether considering full-blown DLP or DLP Lite, the technology excels at stopping specific kinds of data from leaking when it shouldn't -- credit card data, engineering plans and details, health care forms. "For enterprises, compared to a government situation like Manning's case, you can certainly do more to protect more data," says Mogull.
But, experts caution, DLP can't prevent many types of attacks on data from being successful. "There is a rumor that WikiLeaks has a trove of information on one of the major US banks. While we're not sure what type of information it is, or how it is stored, if that information is reams of e-mails with free flowing conversations, DLP is not necessarily going to pick up on and stop that kind of breach," Mogull explains.
That's why it remains important that enterprises, in their own efforts to protect data leaks, not place too large an emphasis on DLP technology, and that DLP be used as an additional layer of defense to supplement other important defenses such as access control, encryption, segmentation, security event monitoring, among others. Most importantly, enterprises need to understand what information it is they want to most protect, and how that information normally flows throughout their organization.
"They need to understand the context of the data they use and want to protect - the why and how it traverses their network - as part of the normal course of using that data," says Nick Selby managing director at security consultancy Trident Risk Management. "For DLP to work in the limited way it's intended, organizations must know what normal looks like before they have any hope at stopping abnormal activity."