Data Loss Prevention: How to Stop Inside Jobs

New data loss prevention solutions target internal security threats to sensitive and valuable information.
Think outsiders represent the greatest threat to an organization’s systems? Think again. Statistics from the 2011 CyberSecurity Watch Survey confirm that insider threats are real. Sure, the business and government tech execs who participated in the study acknowledge that outsiders are responsible for most incidents, but breaches by insiders ultimately proved the most costly, financially, operationally and in terms of reputation.

The survey was a joint effort of the U.S. Secret Service and the Software Engineering Institute’s CERT program at Carnegie Mellon University and conducted by CSO magazine with sponsorship by Deloitte. As if the survey's findings weren’t enough, the Ponemon Institute spelled out the costs associated with security incidents in a separate report. It put the dollar figure at approximately $214 per record breached in a large enterprise, for an average total cost to an organization of $7.2 million per incident.

Fortunately, a new generation of data loss prevention (DLP) technologies and best practices are helping enterprises target insider security breaches that intentionally or accidentally threaten intellectual property, customer lists, employee personal information and other crucial data.

These DLP solutions round out an organization’s arsenal of hacker prevention technologies, such as traditional firewalls and unified threat management (UTM) systems. And in addition to inside-out protection, DLP technologies provide an important ancillary benefit: Their controls and monitoring tools help enterprises demonstrate compliance with the complex government regulations placed on individual market segments.

Different DLP Options

The key for IT managers lies in identifying the appropriate DLP solution for their particular needs; however, they also need to implement the technology so it provides protection without disrupting day-to-day operations.

DLP solutions typically come in three varieties: endpoint, network and channel.

Endpoint solutions: This DLP flavor protects data at rest — stored in a database or housed on a file server, for example. IT managers can set this DLP option to send an alert or set up a roadblock if a staff member tries to download sensitive data to a DVD, USB thumb drive or other portable storage device.

This approach reduces the risk that someone will walk out of the building with valuable information hidden in a pocket or briefcase. The data-at-rest capabilities in modern DLP tools can also scan local and network hard drives in search of sensitive data that’s been inadvertently or surreptitiously moved to an unauthorized location, which could expose it to unauthorized viewers.

Network solutions: These DLP products examine data files as they pass over the network. Depending on the settings chosen by IT managers, these tools report on and block transactions that violate an organization’s data management policies. For example, if the policies do not allow personal identification numbers to be sent across the LAN, a network DLP solution will spot the prohibited traffic and take the appropriate action.

Channel solutions: These DLP solutions monitor activities in particular areas rather than looking at all traffic across a network. Thus, a channel-specific application integrated with an antispam gateway would identify data leakages via e-mail attachments, for instance, but not potential breaches from malicious File Transfer Protocol (FTP) sites or web browsing.

Some solutions employ both endpoint protection and network-based components, the benefit being that IT managers can centrally enforce security policies through two integrated solutions. This simplifies the task of deploying DLP capabilities across the enterprise. But there’s a trade-off: A hybrid approach may compromise the full power of the individual solutions.

Organizations that are particularly concerned about data loss should separate their network-based DLP solutions from their endpoint protection DLP tools. This will allow the best protection in both areas.

Makers of DLP products also point to a distinction between content-aware and content-neutral technologies. Content-aware detection integrates the scanning of outbound traffic with content discovery, such as identifying stored credit card numbers, personal information or sensitive data in unauthorized parts of the network.

To be effective, content-aware DLP tools must scrutinize all types of traffic leaving the network, including e-mail, web traffic, file transfers and instant messaging. By contrast, content-neutral products apply controls without regard to the information itself; for example, blocking all downloads to thumb drives. In practice, both content-aware and content-neutral loss protection occur in endpoint protection and network-based products.

Evolving DLP Capabilities

Although DLP solutions have existed for several years, they have evolved to become more effective in both their traditional roles and in new ones, particularly when it comes to addressing insider threats. For instance, many of today’s technologies are now mobile-aware.

“DLP is being impacted by the consumerization of IT and the trend for more people bringing their own mobile devices to work,” says Andrew Forgie, director of strategic solutions for Websense, a maker of DLP, unified web security and e-mail protection products.

The mobility of users within enterprises has pushed security companies to expand their DLP offerings to remain competitive, adds Rick Holland, senior analyst with Forrester Research. In his report, Content Security: 2012 Budget and Planning Guide, Holland points out that Websense now offers a mobile DLP solution that extends the company’s unified TRITON architecture to include the Apple iPad and iPhone, as well as Android devices.

Similarly, Symantec recently introduced Symantec Data Loss Prevention for Tablet. It monitors and protects sensitive data sent from iPad mail clients, browsers and applications, such as Facebook, Twitter and Dropbox.

In addition, security product manufacturers have succeeded in tackling the implementation and data-profiling complexities that traditionally have challenged DLP rollouts. “DLP is great in concept,” notes Dave Amsler, president and CIO of Foreground Security, a security consulting, training and services firm. “But unless you’ve actually classified and tagged your data, it does little good.” He adds that although many solutions include tools for tagging data automatically, IT managers often must intervene to make adjustments for accuracy.

Applying third-party services can help address some of these challenges. The RSA DLP RiskAdvisor Service leverages the RSA DLP suite for automated discovery of unprotected sensitive information and provides a snapshot of potential exposure points.

This type of tool can help enterprises quickly identify sensitive data on target file-shares and desktop infrastructure components. The RiskAdvisor service includes a high-level mapping of business functions associated with the sensitive data to help determine the exposure risk of the information.

Ease of Use

DLP vendors also now offer a number of other innovations to help make their solutions easier to launch and manage. One way is to integrate DLP within other types of traditional security solutions, such as antivirus software and server-based e-mail scanning applications. For example, users of Trend Micro’s OfficeScan endpoint security suite can add a DLP plug-in for multichannel data monitoring and scanning for Payment Card Industry (PCI) compliance.

In a further nod to simplification, Trend Micro and other vendors also provide templates with default settings to help enterprises quickly comply with PCI, Health Insurance Portability and Accountability Act (HIPAA), Sarbanes–Oxley and other reporting regulations.

“Enterprises know what compliance regulations they’re up against — they just select the right template, and it configures the DLP solution so it knows what to look for to meet data management rules,” says Steve Duncan, Trend Micro’s senior product marketing manager for data protection. “Thanks to these types of templates, IT managers don’t have to become experts in the details of each regulation.”

Similarly, SonicWALL, a vendor of network security and data protection solutions, includes approval boxes that collect data that’s been red-flagged for possible policy violations. “This means that if the word ‘confidential’ is in a file and somebody tried to e-mail the content out of the company, the file would get routed to an upload box,” says Swarup Selvaraman, product line manager for e-mail security and antispam at SonicWALL.

“The upload box could be assigned to an engineering manager, someone in human resources or the chief financial officer, based on what kind of data it is,” he says. “The appropriate manager can then step in to allow or block the transmission.”

Managers can key in project codes or other identifiers to make sure critical information never leaves their organization. To help, SonicWALL provides subject-specific dictionaries, including ones tailored for HIPAA or financial regulatory compliance. “You can write a policy that routes a message to an approval box if the subject, body or an attachment contains any words from this dictionary,” Selvaraman explains.
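The content-aware scanning described earlier (spotting stored card numbers) and the dictionary-driven approval-box routing Selvaraman describes can be illustrated in a few lines of policy logic. The following is an added example, not SonicWALL's or any vendor's code; the dictionaries, approval-box names and the sample message are constructed for illustration. It checks subject, body and attachments against per-box term lists, flags Luhn-valid card numbers (masked in the verdict so the alert itself does not leak the data), and holds the message for the appropriate manager.

```python
import re

# Constructed, hypothetical dictionaries keyed by the approval box they route to.
# Terms mirror the article's idea: HR or finance vocabularies plus project codes.
DICTIONARIES = {
    "hr": {"confidential", "salary", "termination"},
    "finance": {"earnings", "forecast", "wire transfer"},
    "engineering": {"project falcon", "schematic"},
}

# 16 digits with optional space/dash separators, e.g. "4111 1111 1111 1111".
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def luhn_valid(digits):
    """Luhn checksum; filters out random 16-digit runs (order numbers, IDs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return Luhn-valid candidate card numbers found in text (digits only)."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def evaluate_message(subject, body, attachments):
    """Content-aware check over subject, body and attachment text.

    attachments: dict of filename -> extracted text (constructed input).
    Returns a verdict: 'allow', or 'hold' with the approval boxes to route to.
    """
    parts = [subject, body] + list(attachments.values())
    lowered = "\n".join(parts).lower()
    hits = {}
    for box, terms in DICTIONARIES.items():
        matched = sorted(t for t in terms if t in lowered)
        if matched:
            hits[box] = matched
    for card in find_card_numbers("\n".join(parts)):
        # Report a masked form only; the DLP alert must not replicate the secret.
        hits.setdefault("finance", []).append("card:" + card[:6] + "*" * 10)
    if not hits:
        return {"action": "allow", "route_to": [], "matches": {}}
    return {"action": "hold", "route_to": sorted(hits), "matches": hits}
```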

About the Author

Alan Joch

Alan Joch has been an independent business and technology writer for more than a decade. His expertise includes server and desktop virtualization, cloud computing, emerging mobile applications, cybersecurity and green IT. Follow him on Twitter @alanallegro
