This is the second write-up about something covered extensively at RSA last week. DLP is one of those security terms you hear about, especially now, with all the exposed information being reported. Who has DLP? What is DLP? Why does it matter?
DLP, or Data Loss Prevention, is a buzzword. (Protection is sometimes used in place of prevention.) C-Level managers (CTO, CSO, CIO, CEO, etc.) know this term well, and because of that, IT administrators all over the world have researched it at least once. Price-wise, it’s cost effective in some cases, and in other cases it can cover an entire fiscal budget, depending on the IT shop’s size.
DLP does three things. It tries to protect against mistakes, guarding against unintentional data leaks made by people inside the company. DLP also watches for intentional leaks made by people who want to take information for personal gain. Lastly, DLP covers data loss from external attack, someone cracking a database for example. Overall, DLP is an enforcer; it enforces policy within the company and attempts to ensure compliance.
It is important to note that most DLP vendors offer pre-configured policy maps that locate and define sensitive information for you. However, for granular policy, it is up to the system administrator to create the policies and to monitor them.
DLP comes in two formats. Network DLP can watch out for employee mistakes and policy violations. (Latterly covering IM, Web, FTP, P2P, and basic TCP.) This type of DLP will also include protection for storage-centric shops like file shares and databases. (Think Microsoft SharePoint, Lotus Notes, Exchange, etc.)
DLP for Endpoints is where you see the often hyped iPod spy, or the employee who will move sensitive information to an iPod to take home and work on it later. Laptops and USB drives are also included with Endpoint DLP. (CD burning is also covered here by many vendors.)
Often DLP is combined in an appliance, so you will get Network and Endpoint protection in the same package. When I was at RSA, DLP was being demonstrated on the floor. Symantec had a huge floor presence, and Vontu was giving talks about the need for DLP. Vontu is a recent acquisition by Symantec; they bought the DLP startup some time ago, and added it to their security base. From what was overheard at RSA, they were doing quite well.
Nearly every DLP product will offer great logging and GUI reporting for the administrator. Vontu is a great example of this; I saw some of the dashboards at the show, and they do offer tons of information. While I did not get a briefing from Vontu, I hung around the booth long enough to notice something else.
Most of the people watching the demonstrations were mid-level administrators, and some C-Levels. I spoke to them (off the record) afterwards. Most of them had the same fear; they did not want to end up on the eleven o’clock news.
I think DLP is a decent growing technology, but I also think that there is room to grow. I’m not alone in this. Other executives and experts think so too.
“DLP is a tool,” said Craig Shumard, CISO for CIGNA Corp, “It's one of a number of things you can use to help control the insider threat. But it's not the whole solution.” Craig was talking to Dark Reading at the time, and he along with several others agreed. DLP is one layer of security. One part of an overall security plan. Rich Mogull, founder of Securosis, told Dark Reading, “DLP is not going to stop all your leaks. That's not what it's about.”
Amir Lev, CTO at Commtouch, explained it to me best, “The DLP solutions can be relevant only against [protection from insiders]. The other two [intentional data leaks, and malicious attack] are impractical for the private sector,” he said. “Even government security agencies are not immunized against such threats and the private sector will have even more difficulty protecting against such threats, and definitely not against intentional leaks by insiders. As for malicious attacks and external data thefts, it is much more relevant to protect at the perimeter from outside penetrations. Once a site has been infected, preventing a data leakage is next to impossible.”
So is DLP not worth the effort? Quite the opposite; DLP is a great layer of protection. I noticed most of the people at RSA were looking at DLP as a silver bullet, something to prevent their company from becoming the next TJX or Hannaford.
So what are the options for DLP? Who offers it? Researching DLP will depend largely on your company. Both size and scope will factor into whom you ultimately select as your vendor. McAfee, Symantec, and Cisco have all recently bought DLP companies, adding them to their security lineup. There are other companies too. RSA, WebSense, Code Green, CommVault, and StoredIQ each offer a DLP product, and are just some of the eighty or so companies I came across during research.
The price point is tricky: how much do you want to pay? Some solutions I saw ranged from $12,000 to $75,000 in cost. Most vendors want you to contact them before you see a price. Cost should never play a huge role in picking out security, but it does factor in more often than not. So most companies pick what they can afford.
Using this buying method should be coupled with a layering approach to your security. Layering is important. No one security product or appliance will cover all the bases. Some products will come seriously close, but to date nothing can do it all.
There are alternatives. If you look at what DLP protects, you notice a pattern. In one way or another, a human (internal employee or external threat) ultimately causes the data loss. It’s been covered that protecting from outsiders is next to impossible, but internal loss is preventable. Mistakes are the leading cause of data exposure, and correcting this can lower the risk of exposure tremendously.
Making your employees aware of the potential threat data loss poses goes a long way to helping them avoid costly mistakes. To do this, you could invest in training. Many compliance measures (SOX, HIPAA, etc.) require companies to have an annual audit of some sort. When these audits show information risks, policy is set mandating that no sensitive information can be disclosed. (Policies that threaten termination are quite common.) DLP – used as a policy enforcer – helps with these mandates.
People are often aware that data policies exist, but they rarely know why. Since no one takes the time to explain why these data policies are in place, most employees ignore them. Another possible reason for data loss, as explained by Larry Detar of the EC-Council is, “The longer they work with the data, and the information around them, the more it becomes just their job. It becomes more about work than what the actual data is.”
Larry made that comment when explaining that most employees know the policies concerning protecting corporate information, but the more they see it, use it, and deal with it, the more it becomes simple work. People are natural workaholics, so taking a sales report, or earnings statement home to work on, is nothing new.
The EC-Council offers awareness training. The course is called Security 5; they aim the training at the end-user, or Mary in Marketing. They explain what most policies mean and why they are in place, covering topics such as how sensitive information is leaked out of a company and how to prevent it. (Apple’s iPods are used here as well as portable hard drives.) Think of it as Layman’s Hacking. Larry said that once people are aware of the security risks and understand the policies then, “Maybe, just maybe, they won’t try to get around them.”
The EC-Council is not the only training company; many other companies offer similar classes. EC-Council is just better known; they offer the Ethical Hacking training, if you are not familiar.
Best practice is to layer company security. So if not used as an alternative, training can be combined with DLP technology to offer two layers in an overall security approach.