Springing leaks: Getting smart about data loss prevention

Companies are showing increased interest in data loss prevention (DLP) products, but they won't work well unless the business needs are understood and well defined.

Three things are certain in life: Death, taxes and sensitive information inadvertently or maliciously exiting your organisation. But while you can't completely plug information leakage without impacting business processes, you can bring it under control.

Companies are feeling unrelenting pressure to protect data. Breach disclosure laws force them to calculate the cost of notification and remediation, and deal with the incalculable cost to brand reputation. Almost every organisation falls under some sort of mandate--HIPAA, GLBA, PCI, etc.--to protect private and personally identifiable information. Many worry about internal information, from source code and research to unpublished financial reports.


"Breach notification law has forced the whole security issue into the C-suite," said Tom Bowers, managing director of Security Constructs.

The heat is on to find some way to get a handle on this complex problem. While organisations look to network firewalls, IPS and even application firewalls to keep out intruders, the chief burden is to contain insiders--employees, consultants, vendors: authorised users who send out sensitive information, usually in disregard or ignorance of policy, regardless of other controls such as encryption, network access controls, strong authentication and even DRM.

All of this is kindling considerable interest in data leak prevention (DLP--aka information leak prevention and extrusion prevention), as organisations slowly get smarter about the nature and scope of the problem and search for the policies, processes and tools to help them solve it.

"We've seen a minor shift from regulatory concern around breach notification and identity theft to intellectual property protection," said Paul Proctor, vice president of research at Stamford, Conn.-based Gartner Inc. "There's a whole taxonomy. At top level, how a company describes their sensitive data."

"Most companies start down the regulatory path," Bowers said. "Then they realise they can protect their trade secrets, and, while they are doing it, they can enable the business, securing information and outsourcing."

Companies are also choosing service providers. Richard Fleischman and Associates provides technology consulting and business continuity services, primarily for hedge funds. They offer DLP services using Provilla's LeakProof.

"We protect intellectual property in financial areas, mostly portfolio files--very confidential information," said Gregory Milis, Fleischman's director of technology. "This is a very competitive space. If there is a leak or someone takes files with them, the damage is potentially very big."

Organisations have a fair number of DLP tools to choose from, most of them focused on information traveling out via the network, with a smaller number of host-based solutions. The market was almost entirely focused on the network at first, but that's shifting. We're seeing new endpoint-based DLP tools, and network-based vendors are adding endpoint capabilities through development, acquisition and partnerships.

McAfee's recent entry into this market signals that the 800-pound gorillas are taking an interest. Gartner estimates total revenues in this market were $50 million in 2006, and predicts it will reach $120 million to $150 million this year.

But key to selecting the right product is understanding what you want to accomplish.

"You've got to create your requirements before you pick a technology," Proctor said. "There's no regulation that's telling you to buy something like this."

DLP tools: What do you do with the information?

Quarantine. This is a step down from automatically blocking, but the problem is that the information is held in limbo while someone--usually someone with the business understanding to determine if there is a real violation--devotes valuable time assessing it.

Enforce through management. Notify the manager, HR, department head, etc. They're in the best position to determine what if any follow-up is required.

Alert the user. The overwhelming majority of incidents are inadvertent. If a user gets a pop-up warning that they are about to violate corporate policy or the law, this is likely the last time they will try it.

Modify business practices. Monitoring will reveal the data loss weak points, which security and business managers can remediate.

Investigate. DLP can be a terrific forensics tool to uncover wrongdoing and provide evidence.

Educate. Training users about acceptable security practices is generally good advice; the information gathered by DLP will reinforce and help you refine your training.

Thomas Raschke, a senior analyst at Cambridge, Mass.-based Forrester Research said organisations should start projects slowly. Conduct a demonstration and understand what it is you are trying to catch, he said.

"You have to understand what kind of sensitive data you have and do a risk evaluation of what happens if data is exposed or gets in the wrong hands," Raschke said. "That's a first step that many people are already struggling with."

Most organisations don't have a well-defined data classification scheme, nor are they aware of all the ways data can move inside and outside their organisations. Written policies don't hold up against real-world day-to-day business practices, and data classification, such as it is, can evaporate as soon as information is copied into a spreadsheet, typed into an email or shows up in an instant message.

"Data classification is a massive problem in implementing this capability," Proctor said. "No one--no one--is saying they know. Many have pointed out that the lack of that knowledge will limit how they can use this technology."

David Escalante, director of Information Security at Boston College, uses Fidelis Security Systems' Extrusion Prevention System (XPS) to monitor outbound traffic. Escalante said data classification can be very tricky.

"Best practices are well defined, but fitting your info in those can be challenging," Escalante said. "We have written policy for classifying data, things we consider generically confidential or sensitive. Even so, there are plenty of gray areas."

DeKalb Medical Center, in Decatur, Ga., created a four-tier data classification system in building what information security administrator Sharon Finney calls "the first planned all-digital hospital" in their new Hillandale hospital. But creating a classification system and making it work aren't one and the same, Finney said.

"You need to keep reinforcing from a clinical perspective. Teaching employees what data classification is, is one thing," said Finney, who uses Vericept's 360 Risk Management Platform. "Teaching them to apply it on the nursing floor every day when doctors are telling them what to do is a different issue."

Knowing what data to protect and how to define it is tough enough, but organisations also typically fail to identify, or even imagine, the myriad ways users let sensitive information escape into the world. This is where DLP tools can not only detect data leakage but also identify lax business processes, so organisations can tighten them up through a combination of data consolidation, stronger controls and reinforcement.

The idea is that using DLP to monitor network activity gives organisations insight into broken business processes that would otherwise be impossible. For example, you might find employees with authorised access to financial performance information able to forward it out of the organisation via email, or communication to partners going out unencrypted.

"We have more visibility into undocumented processes," said Randy Barr, CSO of WebEx, who is using Reconnex's iGuard. "If they have been doing it for a while, we need to figure out a more secure way. We leverage it to revisit standards and guidelines and modify or make part of a security awareness campaign."

This raises the eternal question of balancing security with business requirements. For the most part, organisations are using DLP tools to monitor activity, but not to automatically block traffic, lest they stop legitimate activity.

"About 15-20% of sensitive data can be effectively blocked or redirected," said Gartner's Proctor. "The remaining 80 percent should be monitored. Record and tell me about it."

It's analogous to the familiar issue with intrusion prevention systems--detection vs. prevention. Reliably detecting some activity, such as someone sending an email attachment with 10,000 credit card numbers, is relatively easy. Determining if an email is really talking about a pending merger is tougher.
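As an added illustration (not from the article or any of the vendors it names) of why structured data is the "easy" case and of the monitor-versus-block choice discussed above, here is a small outbound-message check: candidate card numbers are located by pattern, filtered with the Luhn checksum to discard random digit runs, and counted against a hypothetical policy threshold that maps a lone match to an alert and a bulk dump to a block.

```python
import re
from typing import List, Tuple

# Candidate primary account numbers: 13 to 19 digits, optionally separated by
# single spaces or dashes (the pattern and limits are assumptions for this example).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; discards most random digit runs (order numbers, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid card numbers found in an outbound message body."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def decide(text: str, block_threshold: int = 10) -> Tuple[str, int]:
    """Hypothetical policy: no cards -> allow; a few -> alert the sender and
    log it (monitor); at or above the threshold -> block outright, the
    'attachment with thousands of card numbers' case the article calls easy."""
    count = len(find_pans(text))
    if count == 0:
        return "allow", 0
    if count >= block_threshold:
        return "block", count
    return "alert", count


if __name__ == "__main__":
    # Constructed sample using a well-known Visa test number.
    print(decide("Invoice ref 4111-1111-1111-1111 attached"))
```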

"For highly regulated companies who really hold sacred intellectual property, prevention is near and dear to their hearts," said Steve Roop, vice president of products and marketing at DLP vendor Vontu. "If the horse gets out of the barn, the damage is done."

"We're not turning on automatic blocking," said Boston College's Escalante. "The number of false positives is too mind-bogglingly high."

Part of that knowledge comes from fine-tuning your DLP tool. While these products feature sophisticated algorithms for detecting suspect information, and often built-in templates for regulatory enforcement, you'll need to study what the tool shows you and adjust it accordingly.

Neil Roiter is senior technology editor for Information Security magazine.
