Information security has many faces and comes with a lot of bells and whistles. We have the SIEMs, the IDSs and IPSs, and of course the DLPs.
As some of you may know, DLP (Data Loss Prevention) is a mechanism for controlling the flow of information within an enterprise's information system. The main objective of a DLP system is to prevent confidential information from being transmitted outside that system. Such transfers, usually called leaks, can be either intentional or unintentional.
Practice shows that most known leaks (about three quarters) are not caused by malicious intent but by mistakes, carelessness or negligence on the part of employees. The rest are attributed to malicious actors and users of the information system. Malicious insiders will, understandably, try to get around DLP controls. Whether they succeed depends on many factors: no DLP can guarantee that nothing gets out, but the risk can be greatly reduced. DLP is needed because organizations hold a lot of data whose unauthorized removal could cause them significant damage.
The size of that damage cannot always be measured or foreseen in advance. In most cases, though, listing even the basic consequences is enough to appreciate the danger a leak poses.
For example: publication of secret information, or of copies of original documents, in the press or by other "inconvenient" parties; the cost of PR and of the remediation needed to fix the problems the leak caused; loss of trust and the departure of partners and customers; an advantage handed to competitors; and the loss of business schemes, technology, know-how and more.
HOW TO SCOPE A DLP INTEGRATION?
This is a complex task with many factors to consider. A DLP system is, first of all, a technical control against leaks, but its scope goes beyond monitoring and blocking users' actions with protected information. A modern DLP system is also a tool for controlling how information is exchanged and how the company's electronic files are used, and it is often applied to other "useful" areas, such as:
- control over the sharing not only of confidential information but of other information of interest (libel, spam, excessive volumes of data, etc.), and over the level of business ethics;
- tracking employee loyalty, political attitudes and beliefs, gathering compromising information, and tracking any particular interest or suspicious object;
- early identification of brain drain, that is, timely detection of actions aimed at finding a new job or changing career: exchanging messages containing employee information (a resume) with outside employers, visiting job-search sites. This lets you gauge employee satisfaction with the employer and the working conditions sooner, so that corrective action can be taken;
- monitoring misuse of corporate resources and employee time: regular checks for the storage and use of non-work files (audio, video, photos, etc.) and the misuse of communication channels (e-mail, Internet, instant messaging) for unrelated exchanges.
Bear in mind that monitoring of this kind is subject to employment and privacy law in most jurisdictions: it must be covered by a documented policy that employees have been informed of, or the DLP deployment itself becomes a liability for the organization.
HOW IS IT DONE?
Integrating a DLP, as some of you may already know, is a complicated matter. The main tasks of a DLP are to monitor, and where the policy calls for it to block, the following kinds of data movement:
- transmission of protected information by e-mail (SMTP, including connections protected with TLS);
- transmission of unencrypted data over the Internet (FTP, HTTP, webmail, chat);
- transmission of encrypted data over the Internet (HTTPS, SFTP, SCP over SSH, etc.). Note that a network sensor sees only ciphertext on these channels, so inspecting them requires either a TLS-intercepting proxy or an agent on the endpoint, and SSH-based channels can only be covered at the endpoint;
- transmission of protected information through instant messengers (ICQ, Jabber, Skype, WebEx Connect, QIP, etc.);
- copying of protected information to removable media (USB drives, CD/DVD, flash media, etc.) and mobile devices (smartphones, iPhone, iPad);
- printing of documents that contain protected information (monitoring and/or blocking on local, network and virtual printers) and copying of such data;
- control over user access to documents containing protected information (logging);
- archiving of all transmitted information;
- monitoring of user search activity;
- controlled data transfers between servers and workstations;
- monitoring of all storage on network shares (shared folders, workflow systems, databases, e-mail archives, etc.).
DLP IS NOT JUST FOR THE BIG FISH
It is often assumed that deploying a DLP system is justified only once an organization has reached a high level of process maturity: it has written and implemented a policy for handling confidential information, compiled a data classification matrix, defined role-based access to each kind of information, and so on.
Of course, having all of these mechanisms in place makes the DLP system more effective, but fully implementing a policy for handling confidential information takes substantial work.
A simpler approach, and a very useful one to start with, is to focus on the most critical areas.
In this case we do not try to build a complete picture of how every type of sensitive data is handled. Instead, we designate a few document repositories whose contents are intended solely for use within the organization. The system scans every document in those repositories at regular intervals and then records any attempt to move the protected information outside the organization.
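To make that repository-based approach concrete, here is an added example in Python (not code from the original post or from any DLP product). It fingerprints the documents of a protected repository as hashed word windows, then screens outbound content, an e-mail body or chat message, for verbatim or partial reuse of that text, so that a re-wrapped or re-quoted excerpt is still caught while ordinary messages that share a few words with the memo pass. The document names, the repository contents and the three outbound messages are constructed for the illustration, and the window size and match threshold are arbitrary assumptions you would tune to your own data.

```python
"""Minimal 'protected repository' DLP check (added illustration).

Builds a fingerprint index from the documents in a protected repository,
then screens outbound content (an e-mail body, a chat message, an HTTP
POST body) for verbatim or partial reuse of that text. Matching is done on
hashed word windows ("shingles"), so re-wrapping or re-quoting the text
does not defeat it, and the index stores hashes rather than plaintext.
"""
import hashlib
import re
from typing import Dict, List, Set

SHINGLE_WORDS = 8   # assumed window size in words; smaller catches shorter excerpts
MIN_WINDOWS = 3     # assumed number of matching windows before we call it a leak


def normalize(text: str) -> List[str]:
    """Lower-case and keep only alphanumeric tokens, so that line wraps,
    punctuation and quoting marks do not change the fingerprint."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(words: List[str], k: int = SHINGLE_WORDS) -> Set[str]:
    """Hash every k-word window of the token list; the set of hashes is the
    document's fingerprint."""
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
        for i in range(len(words) - k + 1)
    }


def build_index(repository: Dict[str, str]) -> Dict[str, str]:
    """Map each shingle hash to the protected document it came from.
    This is the periodic 'scan the repository' step from the article."""
    index: Dict[str, str] = {}
    for name, body in repository.items():
        for h in shingles(normalize(body)):
            index.setdefault(h, name)
    return index


def scan_outbound(content: str, index: Dict[str, str],
                  threshold: int = MIN_WINDOWS) -> Dict[str, int]:
    """Count matching windows per protected document and return those at or
    above `threshold`. The threshold keeps a single shared phrase from
    flagging an innocent message."""
    hits: Dict[str, int] = {}
    for h in shingles(normalize(content)):
        if h in index:
            hits[index[h]] = hits.get(index[h], 0) + 1
    return {doc: n for doc, n in hits.items() if n >= threshold}


def decide(content: str, index: Dict[str, str]) -> str:
    """Policy decision for one outbound message: BLOCK if any protected
    document matches above the threshold, otherwise ALLOW."""
    return "BLOCK" if scan_outbound(content, index) else "ALLOW"


# --- constructed sample data (hypothetical documents and messages) --------
REPOSITORY = {
    "merger-memo.txt": (
        "Project Falcon: the board has approved the acquisition of Acme "
        "Robotics at a price of 42 dollars per share. Closing is planned "
        "for the third quarter and must remain confidential until the "
        "public announcement."
    ),
    "salary-list.txt": (
        "Staff salary list for 2024: Alice Chen 98000, Bob Diaz 87500. "
        "Do not distribute outside the finance team."
    ),
}
INDEX = build_index(REPOSITORY)

# A pasted excerpt, re-wrapped and with a different lead-in: should be caught.
MSG_LEAK = ("Hey, FYI - the board has approved\nthe acquisition of Acme "
            "Robotics at a price of 42 dollars per share. Thought you'd "
            "want to know.")
# Ordinary business chatter that shares words with the memo: should pass.
MSG_BENIGN = ("Can you confirm the board meeting is still on Thursday "
              "at 3 pm? I need to book the room.")
# Exactly one 8-word window in common: below the threshold, so it passes.
MSG_MENTION = ("As discussed, the board has approved the acquisition of "
               "Acme, so start the integration planning.")

if __name__ == "__main__":
    for label, msg in [("leak", MSG_LEAK), ("benign", MSG_BENIGN),
                       ("mention", MSG_MENTION)]:
        print(f"{label:8s} {decide(msg, INDEX):5s} {scan_outbound(msg, INDEX)}")
```

The design choice worth noting is that the index holds only truncated hashes of word windows, so the DLP component that sits on an e-mail gateway or endpoint does not itself become a copy of the protected documents. A real product adds per-channel connectors (SMTP, HTTP, USB, print) around this kind of matching core and a much larger ruleset, but the scan-the-repository, then-match-outbound-traffic loop is the same.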
THE 2 WAYS TO SOLVE THE PROBLEM
As with almost anything, there are multiple ways to tackle an issue. With DLPs, we have two basic approaches.
THE RIGHT WAY…
Through an integrated approach. There are vendors that have specialized in these solutions for years. Implementation costs roughly $200-500 per workstation, plus on the order of $20-50 per license per year.
This approach, of course, solves the problem more effectively. It allows integration, now or in the future, with other systems such as SIEM, RMS (rights management) and ERP, and it supports compliance with international information security standards.
THE WRONG WAY…
Trying to use free or low-priced products from multiple vendors, none of which solves the problem comprehensively; each only closes certain communication channels.
The result is a patchwork that works in principle on some channels and sometimes even solves the problem. However, the data is neither structured nor consolidated, effectiveness suffers seriously, and scalability becomes a real problem. Companies that start this way are usually forced into an integrated approach eventually.
DLP is sometimes expected in certification and compliance work. You may find yourself looking for a DLP when working towards GDPR compliance, where it is one of the technical measures organizations cite, or ISO 27001, whose 2022 edition lists data leakage prevention as an Annex A control (8.12).