Time To Take Action Against Data Loss

They're out there, ready to snatch your company's most important data: organized cybercriminals, thieves looking to grab a wayward laptop, intruders using Web applications capable of extracting entire databases, malicious insiders hunting for ways to smuggle out valuable information. That's a lot of bad people, all eyeing your data.

Of course, you're complying with all the requirements designed to keep data safe--PCI, HIPAA, consumer privacy laws, whatever regulations affect your company. That makes sense since the IT Policy Compliance Group estimates that when the cost of data losses and spending on compliance are added up, companies at least break even, and at best stand to save up to 10 times as much as they spend on compliance (see "Why Compliance Pays").

Compliance and the risk reduction it entails is useful, but it doesn't do the whole job. You can't just blindly check off audit and compliance measures because they're included in a standard or law. For maximum savings and risk reduction, you have to actively protect your data with the appropriate measures for the threats specific to your environment.

There's no lack of tools available for mounting this defense. When we said we were doing a story on data security, more than 100 companies offered products. That makes sense, however, since just about everything in security ultimately is about data security. Certainly that's the case with traditional security measures like access control, encryption, and network monitoring. But it's the most recent crop of products focused on the threat of data leakage that we're zeroing in on. (See chart below for a full list of products considered.)

MY WHAT WENT WHERE?Data loss prevention goes by a lot of names: extrusion prevention, content filtering, information leak prevention, and data leak prevention among them. The basic tasks of identifying sensitive data, monitoring where it goes, auditing who has access to it, and restricting that access can happen anywhere on your network, including endpoints, databases, mobile devices, network gateways, and file stores. There's a unique set of products that will attempt to do these tasks at each of these locations. But with all the choices, where to begin?

As with most fulfilling journeys, this one begins with self-awareness. You have to determine your requirements and priorities. What policies and classifications does your data need? Does your environment handle health data, financial data, trade secrets, or other sensitive data? Most organizations deal with multiple types of sensitive data. Enumerating the classes of data and then deciding what type of controls should be in place to protect each is the crucial first step before any technical controls can be implemented.

What's Hot

Context awareness:This approach can decrease the number of false-positive alerts and enable faster incident resolution.
Audit logs:
Don't be afraid to use a DLP approach in audit mode only. Automatic blocking sounds right, but there are a lot of downsides, as intrusion-prevention systems have shown.

What's Not

Insider threat mitigation:The threat is very real, but tech solutions aren't.
Solution of the week:
Get your policies and data classification projects in order before worrying about the next greatest DLP tool.

One step in the process of identifying and classifying data is ensuring there are no surprises. While the Veterans Affairs employee whose laptop and external media containing millions of veterans' records were stolen last year was originally accused of taking it home without authorization, it was later revealed that he had approval. A sound policy prohibiting taking unencrypted sensitive data off-site, communicated and understood by all employees, might have prevented that situation from occurring.

When analyzing the various security technologies, it's important to remember that measures to protect data from one type of threat are often different from, and even countervailing to, those that protect it from a different type of threat. Consider the very possible scenario in which an encrypted drive's recovery keys are lost. This type of threat requires very different forms of protection (key escrow, backups) from the mechanisms required to protect the same drive from being exposed when used outside the corporate network (location-based management or time-outs on sessions to put the data back in an encrypted state).

Keep this in mind particularly when comparing DLP products that monitor activity on the network to identify and block the transfer of data with ones that run locally on endpoints. Network-based solutions are potentially more susceptible to an insider threat. An insider can slip data out via the network, using encryption or steganography (where data is embedded within another data format, such as text hidden within an image or sound file). Or he can plug in a USB key, copy files, and walk out with them, making it practically impossible for a network-based DLP product to detect the misdeeds. Endpoint DLP products have a better chance of stopping such activity. Still, an even somewhat paranoid but unskilled insider can use a cell phone or digital camera to photograph documents on the screen. No form of DLP can protect against that.

When DLP vendors are being honest, they'll readily admit they can't stop the serious and skilled insider from getting data out. Their real value is in finding employees who are accidentally leaking data, those who don't know it's against policy or who are taking dangerous shortcuts to get their jobs done. Of course, a malicious insider who's careless or uninformed would be detected as well.

While it seems counterintuitive, a monitoring-only approach without blocking capabilities--when applied correctly--can be more effective than a preventive solution. That's because often a blocking-capable solution is seen as the end of the process. After all, if a DLP solution is blocking leakage of the data, it's doing its job, right? It is, but that's not where the story should end. That's the beginning of the investigative process to find out what was being sent and to whom, as well as who was sending it. Was the data sent for legitimate business reasons but by someone who didn't follow correct procedures? Or was it someone sending out data in violation of company policies because they didn't know any better? Or was it someone with malicious intentions? Blocking may keep the data safe, but it won't answer those questions. With a monitoring-only solution, you have no illusions that your work is being done for you.

Just as a DLP solution can't completely automate the hard work of locating and classifying all your data, it also can't handle the hard part of the cleanup: developing secure processes that help people do their jobs and educating users. The ultimate goal shouldn't be to stop all sensitive data from moving around the network, it should be to ensure that when sensitive data does move that it does so securely.

(click image for larger view)

HIPPER ENCRYPTION
Encryption is the mainstay of data protection. While conventional approaches are many and varied, enterprise digital rights management, also known as enterprise rights management, is encryption's younger, hipper sibling, and is an attempt to address some of the usability concerns of pure encryption while maintaining data security. EDRM's goal is to enable the usual workflow of documents in a business, while keeping data secure. For example, Marketing writes up a new product announcement, Engineering reviews it and improves the technical accuracy (we can dream, can't we?), Marketing makes the changes sound pretty, and maybe it goes to Legal or Financial for a final look over before it's distributed. With conventional encryption, the document would have to be decrypted prior to each review and re-encrypted after each review. EDRM automates that process so that the encryption steps are handled transparently by agents or the document editing software on a client's machine. The document is loaded with a set of permissions that define the different access rights each individual has to it, and those permissions stay enforced even as the file itself is sent to many places in the environment.GROWING PAINS
As new communication channels become increasingly popular, DLP solutions must stay in sync. Consider blogs and wikis: In a recent survey, MarketIQ found that only 5% of 600 respondents reported being concerned with applying content security measures to blogs and wikis. This may be partially because blogs and wikis are less widely deployed than, say, e-mail, but that can't entirely account for the lack of interest. More likely it's because organizations don't realize how much sensitive content these new conduits contain and the technical solutions are less adept at protecting them. Code Green Networks' CI-750 Content Inspection Appliance demonstrates this point when scanning a wiki required writing custom code to integrate wiki content into the fingerprint database.

Future Watch

MICRO INTEGRATION
Data loss prevention vendors will continue to add multiple DLP approaches to their existing products like Reconnex did earlier this year when it expanded its network-based offering with an endpoint product. Fewer products will target just one area, like the network, discovery, endpoints, or databases, as capabilities are added across the board.

MACRO INTEGRATION
With pure DLP solutions being snapped up by the big boys in security and IT (Cisco Systems, McAfee, Symantec, and RSA all have made purchases in the last year), there will be fewer standalone products and more integration of DLP functionality into management, security monitoring, and other products. Look for McAfee and Symantec to do this with their all-in-one endpoint security software.

AUTOMATION CLAIMS
Just as with intrusion-detection systems, the pain of classifying, tuning, and managing will encourage vendors to claim that their products are "automatic" and require no tuning. While there are some limited types of data that this may apply to, in general, this will turn out to be even less true for DLP products than network monitoring software. After all, the data in a specific environment is much more likely to be unique than the protocols running on the network.

Another painful reality that can hit DLP deployments is the issue of false positives. While some technologies are less prone to them than others, most products come preloaded with the ability to recognize certain types of structured data like Social Security numbers and credit cards. Unfortunately, Social Security numbers are very commonly going to show up randomly. Any random nine-digit number will be a potentially valid SSN about three out of four times since, unlike credit cards, they don't contain a checksum. Additionally, the more aggressive the technology is about trying to identify fragments of protected content, the more likely it will trigger on nonprotected content.

In the intrusion-detection world, there are two different and separable purposes for monitoring the network. The first is for extremely accurate alerts that indicate a problem right now and will set off your pager in the middle of the night. The second is a more forensics-based approach that assumes there's a problem with one particular endpoint or individual and gathers as much information as possible. (For more information on what a complete forensic toolkit and attitude looks like, see "Forensics: New Options For The Enterprise".)

The first purpose requires a very low false-positive rate (in the case of active DLP products, this equates to wanting a low false-positive rate so that legitimate communications aren't mistakenly blocked), while the second requires a very low false-negative rate. To illustrate the value of the second, consider Gary Min, the DuPont employee who was recently sentenced for stealing trade secrets from his former employer (see "Former DuPont Scientist Sentenced For Trade Secret Theft" ). That's a perfect example of how forensic data and good audit logs work. Standard exit procedures in a company for someone with access to sensitive data should include an audit of what documents they've been accessing. In this particular case, Min's excessive access was so obvious that it prompted DuPont to contact the FBI.

When deploying DLP solutions, both alerting and forensic approaches matter, but each is geared toward a different problem. Whether you use one product or more than one, make sure you're able to solve each problem independently.