Data loss detection and prevention

Yesterday I was speaking at a Butler Group masterclass on Information Risk and Data Loss Prevention. The discussions with delegates confirmed for me how seriously organisations now take this issue, as well as how difficult and complex it is to address it. There are no easy solutions. Technology offers very limited solutions, in most cases little more than a discovery mechanism for the security function.

That will change with time of course. Security technology will progressively become more effective and reliable at preventing leaks. The question is how long it will take before we will have the confidence to allow it to block suspicious transfers without human intervention.

The same arguments about intrusion detection and prevention apply to data loss prevention. The goal should be to stop breaches in real time, rather than just flag the event for later analysis. But we have to be confident that we can avoid the “false positives”. Otherwise we might end up closing down important business transfers.

In fact it’s rare to find organisations that have the confident to block rather than monitor intrusions. One reason for that is the need for better appreciation of the context of the transaction. This improves as we go higher up the protocol stack, which is why Secerno‘s data-level security technology can be trusted to block transactions.

Data loss prevention technologies offer the potential for recognising the context of transactions. Hopefully they will mature to a level that can deliver the confidence that security managers seek.

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Mr. Lacey- Actually, security technology already has become much more effective and reliable at preventing leaks. Data Loss Prevention has come a long way since its inception. New advances in search algorithms have gotten the precision and recall up high enough, that blocking is now quite feasible. A very hefty percentage of our deployments do full in-line blocking and prevention. I think practitioners of security need to hear this news: a large number of the currently reported data breach events are actually preventable problems with current technology. Kevin Rowney Founder, Data Loss Prevention Division Symantec Inc.
So, Kevin What is Symantec's (vontu) false positive and false negative rate anyway? Exactly how many protocols can you block on? If the rates are not a virtual zero, then the dlp solution is a waste of money. My team did a vendor "bakeoff" and the vendor, GTB Technologies, won. Zero false positive and false negative rates on all protocols for a fraction of the price. Oh, and setup took less than a day. Paul CIO NYC
A whole lot of problems go away if you deny people access to data files and systems that they have no need to access in the first place. The data leakage problem is simply enabled by the lack of internal controls in the network.
Maybe we should all re-baseline our expectations and accept that *some* data leakage is now a fact of corporate life.
Your comment " Technology offers very limited solutions, in most cases little more than a discovery mechanism for the security function", has been nagging at me for a few days so I had post another comment. In fact, technology offers a very fine-grained access and audit control system that works at the data file level for all authorized users using whitelisting technology that keys on user, user-role and group data ownership for every single access attempt. This technique denies all unauthorized access attempts, to the point of neutralizing executables by malware. Whether it is an "easy solution", I put forward that this is "not your grandmother's MLS". It works on the basis of relative ordered trust pairings to deterimine relative trust within and between groups in order to automate the labelling function. In other words, it uses the language of the business as its basis for the security rules. This provides a "deterministic" (proactive) but intuitive framework to let you know mathematically exactly what is protected and what is not. Because of this, there are no false positives and it works in real time. As a bonus, it provides mult-level integrity as well, for users, code and devices, or any object recognized by the kernel, providing tamper-proof audit trails or unauthorized tampering with sensitive data or IP. I would suggest that the solution space is indeed not immature in this regard.
I'm not suprised that this is one of the more "commented upon" posts that you have made David. The market for DLP is huge, not only because its one of those "catch all" terms (a bit like NAC) but because its such an important part of Data Security, and therefore a focus not only for Enterprises but also for the vendors that supply the security tools to those Enterprises. Interestingly enough arent ALL security tools designed to stop data leaking from one point, where it SHOULD be to another point where is SHOULDN'T? ;-) Something that is clear however is that implementing a technology from Symantec, McAfee, Websense, GTB or whoever claims to have the fastest or most accurate engine is NOT going to solve your problem. Like everything we do as security professionals, Data Leakage Prevention is something achieved via an holistic approach incorporating multiple technologies. Rob Lewis makes an excellent point. Internal (and external) Access controls are the first place to start with any project. Those that shouldnt have access to data shouldn't be able to access it and those that DO have access should be monitored and controlled. Providing users with the right environment to access and exchange data is essential, ensuring they realise the importance of that data, whether via education (not my first choice) or electronic means is another part of the jigsaw. I sometimes feel very sorry for the users who have been promised the silver bullet only to find it has come without a gun to fire it! On a seperate note, although I know this is a blog of your thoughts on those points that are more current, It would be very welcome if occasionally, on posts such as these, you were to rejoin the debate. Many thanks... Mark Fullbrook Director UK&Ireland Cyber-ark