Data Loss Prevention – What the DLP Companies Don’t Tell You

I’ve written on this subject before and have seen a great deal being written but mostly from DLP companies who give you their view into the topic.  Data Loss Prevention (DLP) tools are great solutions. They detect what’s flowing out of your virtual boundaries examining sex, drugs, rock & roll, intellectual property (IP), personally identifiable information (PII) and most anything you wish across any and all internet protocols. They can crawl your local area network searching unstructured data sources (Word, Excel, PowerPoint, Acrobat, text files, etc.) for credit card information, social security numbers, pornography, salary information and termination lists. DLP can be the greatest thing since sliced bread if and only if you have a plan in place long before you deploy any solution.

Most security engineers and even many CISOs get that glazed over look in their eyes when they hear of all the wonderful things that a DLP solution can do. Plug it in and the problems just go away. What you are not told during the sales pitch is the Pandora’s Box you not only are about to open but completely unhinge. What you really need to understand is how deep does the business want you to go?

If you go too deep meaning if you detect too many sensitive things too soon or at all, you may find yourself in an uncomfortable position since you have not prepared the chain of command and the business for what you will find. Personal experience tells me that you will not be seen as the savior you fashion yourself to be, but potentially an enemy of the state. The bodies you discover may eventually lead to your own undoing. Here are some tips on ensuring the proper depth and the structure you need to have in place prior to and during a DLP solution rollout:

1.             Determine the risk appetite of the company. Let them know that you are going to enable all filters for 1 week across all protocols and share this information only with senior members of Legal, Compliance, Privacy, HR, Internal Audit and the CIO.

a.       Have the vendors run the solution for 1 week prior to purchase (try before you buy).

b.      Compare results

c.       Examine false positives

d.      Brace them for what they may find. (I have found pornography, white supremacist activity, the buying and selling of AK47s, unsavory videos, credit cards flowing with impunity outside of the company along side of intellectual property, salary information, malware, adulterous activity, plots within plots within plans to subvert something or someone, social security numbers and corporate business plans, businesses being run off corporate servers; you get the idea.

2.             Establish policies ahead of the time to expand your coverage – (ensure you have air cover).

a.       These policies must be created with Legal, Compliance, Privacy, HR and the CIO.

b.      What are the corporate policies in place today supporting DLP?

                                                               i.      Is there an expectation of privacy for your users (employees, vendors, contractors) when using your assets?

                                                             ii.      Is HR prepared to sanction your users when data is discovered leaking?

1.       What data does HR and Legal care about – what is their risk appetite?

2.       Does your have the forensic resources to perform investigations in support of HR and Legal’s desired sanctions?

3.             Get your awareness plan updated and prepare to re-execute based upon your new and existing policies.

a.       Ensure you have procedures in place to execute the policies

b.      Determine what and how you will investigate based upon business requirements (risk appetite)

c.       What is the communication plan to your user community on the deployment and use of these tools and their understanding of corporate policy and associated sanctions?

4.             Ensure your data classification policies and procedures are up to date and plan to communicate these.

a.       Determine how you will consolidate the 20 copies you find of the same file containing intellectual property.

b.      Determine where you will store the reduce number of copies.

c.       Determine who owns the information.

d.      Determine access rules and rights.

e.      Determine any regulatory requirements over the discovered information including potential eDiscovery / Legal Hold issues.

f.        What data governance requirements and structure should you have in place to ensure success?

5.             Determine if the company wants to announce the use of such tools as deterrence or if they want to hide their usage (there are companies who believe that it is big brother to announce usage and not big brother by using them without announcement (go figure)).

6.             Make sure all participating organizations know their roles and responsibilities – they will most likely need to define this but HR will need to determine what level of sanctions they may wish to employ;

a.       Legal will need to determine what they want to investigate and what they do not (they will also need to determine if they are going to disclose a discovered breach);

b.      Compliance, Privacy, IT and Security will need to determine the impact to their controls (or lack thereof) creating a punch list of countermeasures and finding out why the ones they have deployed are not working – and what the impact is to your regulatory, statutory and standards-based compliance programs;

c.       Internal Audit will need to be informed since they may be asked how they have missed this over the years and they will then refocus their efforts. 

d.      Ensure you have solid investigations protocols, procedures including chain of custody and rules of evidence (and actually a team (whether insourced or outsourced) at the ready.

7.             Be prepared to present a well defined governance model for this whole process or enhance the one you already have. Ensure you know how you will pursue who you will pursue without violating any internal codes, statutes or regulations.

8.             Be prepared to potentially throttle back on the depth of your discoveries. Sometimes the real truth is not desired. Sometimes a ‘defined’ level of due diligence is required.

9.             Establish a protocol for how you will handle the information that is found; where it will be stored; if it will be destroyed; and who has the authority to do so.

10.         Get ready to field questions such as:

a.       Are you trying to get me fired?

                                                               i.      This question should only occur if you have not included all he appropriate parties in the process

b.      How could you allow this to happen? Doesn’t our existing infrastructure prevent this type of activity? Why don’t our employees adhere to our policies?

c.       How long has this been going on?

                                                               i.      Why are we just finding out about this now?

d.      Who has access to this information?

e.      Who have you told about this?

f.        Why did you deploy this and did I sign off on this?

g.       What is our liability?

h.      What are our competitors doing?

11.         What technologies do you have in place that could be used to solve some of the problems?

a.       What content filters are enabled first and across what protocols?

b.      What tools do you have that are not fully deployed with all features and functionality?

c.       Will data merely be discovered leaking or will it be prevented from leaking and who will make these decisions?

d.      If I have encryption in place, will my DLP solution be able to interrogate encrypted data to validate it as fitting corporate policy for transmission? Do I want to? If I have this capability, will it be for all encryption solutions?

e.      What solutions do you have in place today to allow for the secure sending of information to appropriate recipients?

f.        What new solutions will you need once DLP is put in place and data is prevented from flowing?

g.       What end-point solutions will you need in addition to DLP to prevent the flow of sensitive data from the boundaries of your organization?

h.      What use cases do you foresee for the sending of sensitive data outside the boundaries of your?

i.         How is it done now?

j.        Will this data fully integrate with a Security Information Event Management solution (assuming one is deployed)?

                                                               i.      How will false positives be determined?

                                                             ii.      How will this fit into existing incident response and handling procedures?

                                                            iii.      Who in the SOC/NOC can and/or should see this information?

k.       NOTE: Make sure your chosen DLP solution has pre-defined filters for all required categories

l.         Do you have a digital rights management (DRM) solution or content management solution deployed?

                                                               i.      Do you want it to integrate with a DLP solution?

                                                             ii.      Is crawling the LAN something you wish to do to discover the location of sensitive data? 

                                                            iii.      What do you do when you find multiple copies of the same data in multiple locations?

                                                           iv.      How do you determine data owners (if not in place already)?

                                                             v.      Do you consolidate the copies of data?

                                                           vi.      Do you move the data into a DRM or content management solution and if so when?

Summary

Successful implementation of DLP solutions it is not as simple as just implementing a tool. I recommend a phased approach and plan that moves you to the proper level of DLP as required. Experience tells us that to successfully deploy a DLP solution, you must have the business, HR and Legal fully aligned with the program and agrees to the need for it based upon the defined risk.

Jeff Bardin

Treadstone 71 – www.treadstone71.com –