ERE Information Security Auditors

Posts Tagged ‘DLP’

Data Loss Prevention: Less Flip this Week

Thursday, April 14th, 2011

Last week I discussed Data Loss Prevention as a solution in search of a problem. This week I’ll reduce the level of flip and review in more detail the deliverables of DLP solutions and some DLP vendors.
Data leakage prevention technology tackles both data at rest, residing within a network and specifically on disk storage, and data in motion during telecommunications sessions.

Vendors of these technologies vary in what elements of the problem they wish to tackle. Some try to solve all possible problems.

So let’s start with data at rest. Typically a vendor will create a crawler program to comb through files looking for data that matches filters. The client identifies which files are in scope and often has input to the filter configurations.
Filters can be set to look for specific data content such as SIN numbers and credit card numbers. They can be tuned to look for breaches of corporate policy, such as identifying profanities, client names within certain types of files, or image files (which may contain hidden malicious code or pornography).
Some tools are designed to identify data content threats within databases, such as sensitive data residing in areas with too low a security classification.
While some technology is designed simply to alert on DLP vulnerabilities within data at rest, other products are more pro-active: they can block transfer of data deemed sensitive and can similarly lock offending files.

Data in Motion
Monitoring and blocking of sensitive data takes many forms. Some products log sensitive data moving both in and out of an organization. Others identify it, classify it by security level, and can pro-actively block it according to client-determined policy, including whether or not the data is sufficiently encrypted.
Some tools have a fairly narrow scope of telecom vectors they monitor, while others encompass email, instant messaging, file transfer protocols, exporting to external storage, movement to network endpoints such as Wi-Fi, Bluetooth and FireWire, and so on. Similarly, you can choose technology to monitor a wide variety of internal communication vectors, such as output to internal printers, screen captures, burning to USB and hard drive devices, and moving data to removable storage devices.
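As an added illustration (not code from this post or from any vendor product), here is a minimal Python version of the crawl-and-filter logic described for data at rest, with the same content matcher reused as a data-in-motion policy decision on an outbound payload. The sample files, the SIN and card numbers inside them, the scope prefixes and the policy names are all constructed; each regex candidate is confirmed with the Luhn checksum, which is the kind of filter tuning the post refers to.

```python
import re

# Constructed sample "files" (path -> contents) standing in for an in-scope file share.
SAMPLE_FILES = {
    "hr/payroll.txt": "Employee SIN 046 454 286 on file; contact ext 221.",
    "finance/refund.csv": "order,card\n1001,4539 1488 0343 6467\n1002,1234 5678 9012 3456",
    "docs/readme.txt": "Nothing sensitive here, just a version number 2011.04.14.",
}

# Filter configuration: name -> pattern. Both SINs and card numbers carry a Luhn
# check digit, so every regex candidate is validated before it is reported.
FILTERS = {
    "SIN": re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b"),
    "CREDIT_CARD": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}

def luhn_valid(digits: str) -> bool:
    """Standard Luhn (mod 10) checksum over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def scan_text(text: str) -> list[tuple[str, str]]:
    """Return (filter name, masked value) for each confirmed hit; the alert never
    carries the full number, only its first four digits."""
    hits = []
    for name, pattern in FILTERS.items():
        for m in pattern.finditer(text):
            digits = re.sub(r"\D", "", m.group())
            if luhn_valid(digits):
                hits.append((name, digits[:4] + "*" * (len(digits) - 4)))
    return hits

def scan_files(files: dict[str, str], in_scope=("hr/", "finance/")) -> dict[str, list]:
    """Data at rest: crawl only the client-defined scope and collect findings per file."""
    return {path: hits for path, content in files.items()
            if path.startswith(in_scope) and (hits := scan_text(content))}

def policy_decision(payload: str, block_on=("CREDIT_CARD",)) -> str:
    """Data in motion: same filters applied to an outbound message or transfer payload.
    Filters listed in block_on are blocked; any other hit is logged as an alert."""
    hits = scan_text(payload)
    if any(name in block_on for name, _ in hits):
        return "block"
    return "alert" if hits else "allow"
```

The second card number in refund.csv fails the Luhn check and is therefore not reported, which is how the checksum keeps a bare digit pattern from flooding the alert log.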

The world of risk signatures for data on the move has grown from anti-virus and anti-spam to include cloud computing threat signatures.

To Connect or to Not Connect
This article would be incomplete without mentioning a class of inspection software that has been around for years, which validates any workstation requesting connectivity to a corporate network.

It examines compliance with a corporate-defined security standard. Example criteria include an appropriate version of anti-virus running, the status of patch updates, the identification of any applications that violate policy, and identifying other communications channels that may be active while the device is connected to the corporate network.

Data Leak Prevention Vendors
Vendors are easily found using keywords such as “data leak prevention”, “data loss prevention” and “data loss prevention companies.” A search on “DLP” leads you into the world of projectors.
Below are a few of the mainstream vendors, some of whose products I’ve found to be most useful.
WebSense Data Loss Prevention
Sophos Data Loss Prevention
RSA Data Loss Prevention Suite
Safend Data Protection
Symantec Data Loss Prevention
Barracuda Web Filter
McAfee Network DLP Manager

Have a secure week. Ron Lepofsky CISSP, CISM, BA.SC (Mechanical eng) www.ere-security.ca

Data Loss Prevention: Solution in Search of a Problem?

Wednesday, April 6th, 2011

Data loss prevention technology sounds like a no-brainer from the get-go. DLP technology tells us when confidential data is in danger of compromise or when users’ behaviour may lead to the threat of compromise.

Pro-active DLP products stop potentially threatening situations from developing and, if they do occur, block, encrypt, and suggest reconfigurations on the fly. The more comprehensive enterprise versions of DLP are highly integrated, with many of the above features and more all packed into one product.
So why am I questioning the validity of DLP? I question the return on investment of the total cost of ownership and management of the technology. There are several issues that in my opinion need to be examined:
1. What are the specific business problems that need to be addressed?
2. Are they being addressed by other overlapping technologies currently deployed?
3. Are compliance and IT security managers directed to manage specific control points other than DLP by auditors or by regulatory mandates? If “yes” then DLP challenges become secondary priorities, if indeed priorities at all.
4. Can a more cost-effective solution, such as consistent, uniform enforcement of security policy, be a candidate solution?

DLP Technologies are indeed Impressive but Not New
I remember in the mid 90’s an Israeli software package that did web browsing monitoring, outbound email filtering, alerting on pre-defined email content, and identifying and reporting on user traffic by service type.

So that tells us that DLP is really a new branding strategy for technology that has existed for quite a while. This mid 90’s technology did not need agents; it could monitor an enterprise; its reports were easily understood and pointed to clear calls to action. The user interface was… OK.

There have been products on the market that compile inventory lists of devices connected to a network, including peripherals on workstations. Some will even evaluate workstations that request connectivity to the corporate network and will block connectivity unless they pass a predetermined compliance list with regard to patch compliance, peripherals attached, and communications capabilities.

The difference with the new DLP technology is the degree of integration of multiple capabilities within one product offering. For instance, one product may comprise any number of:
• anti-virus
• anti-spam
• web browsing monitoring
• identification of threatening URLs
• identification of sensitive data and data files at rest
• blocking access to sensitive data and data files according to access privileges
• identification and/or blocking of restricted communication technology: Wi-Fi, infrared, Bluetooth
• identification and/or blocking of restricted input/output technology: USB memory, DVD, FireWire, external disks and tapes, printers
• identification of sensitive data in motion within email, IM, file transfers
I wholeheartedly agree that these are all laudable, excellent features.

Where’s the ROI?
The return on investment of deploying DLP depends upon a risk analysis as the basis for determining what needs to be protected and at what cost. DLP may not come out on the winning side of a risk analysis if a corporation’s auditors or compliance group determine that other priorities take precedence.

For instance, as part of SOX compliance, an organization may be forced to implement critical asset identification and strict access control over those critical assets. We know that specific files and types of data will be considered critical assets.

So the organization should implement as part of their access control strategy at least a rudimentary version of:
• A strictly managed user identification / authentication / privilege management / credential management policy with enforcing technology.
• File access restricted by a user privilege table or by a more elegant set of document classifications and user privilege levels.
• Creation of an IT security policy, with uniform and regular enforcement, which means meting out the disciplinary sanctions that are clearly identified in the policy.

It is assumed they will also deploy the absolute basics in countermeasures and monitoring such as anti-spam, anti-virus, URL filtering including identification of potentially malicious URLs, event log monitoring for critical assets, and monitoring of the IT security infrastructure.

To determine if a DLP solution should be considered as an alternative in the SOX compliance situation above, the costs of all the above then need to be compared with the total lifecycle cost of ownership and management of a separate DLP solution.

I’ve run out of time and space, so next week I’ll discuss in more detail deliverables of DLP solutions and some DLP vendors.

Have a secure week. Ron Lepofsky CISSP, CISM, BA.SC (Mechanical eng) www.ere-security.ca

