Data Loss Prevention: How to Stop Inside Jobs
Think outsiders represent the greatest threat to an organization’s systems? Think again. Statistics from the 2011 CyberSecurity Watch Survey validate the presence of insider threats. Sure, business and government tech execs who participated in the study acknowledge that outsiders are responsible for most incidents, but ultimately breaches by insiders proved the most costly — financially, operationally and reputationwise.
The survey was a joint effort of the U.S. Secret Service and the Software Engineering Institute’s CERT program at Carnegie Mellon University and conducted by CSO magazine with sponsorship by Deloitte. As if the survey's findings weren’t enough, the Ponemon Institute spelled out the costs associated with security incidents in a separate report. It put the dollar figure at approximately $214 per record breached in a large enterprise, for an average total cost to an organization of $7.2 million per incident.
Fortunately, a new generation of data loss prevention (DLP) technologies and best practices are helping enterprises target insider security breaches that intentionally or accidentally threaten intellectual property, customer lists, employee personal information and other crucial data.
These DLP solutions round out an organization’s arsenal of hacker prevention technologies, such as traditional firewalls and unified threat management (UTM) systems. And in addition to inside-out protection, DLP technologies provide an important ancillary benefit: Their controls and monitoring tools help enterprises demonstrate compliance with the complex government regulations placed on individual market segments.
Different DLP Options
The key for IT managers lies in identifying the appropriate DLP solution for their particular needs; however, they also need to implement the technology so it provides protection without disrupting day-to-day operations.
DLP solutions typically come in three varieties: endpoint, network and channel.
Endpoint solutions: This DLP flavor protects data at rest — stored in a database or housed on a file server, for example. IT managers can set this DLP option to send an alert or set up a roadblock if a staff member tries to download sensitive data to a DVD, USB thumb drive or other portable storage device.
This approach reduces the risk that someone will walk out of the building with valuable information hidden in a pocket or briefcase. The data-at-rest capabilities in modern DLP tools can also scan local and network hard drives in search of sensitive data that’s been inadvertently or surreptitiously moved to an unauthorized location, which could expose it to unauthorized viewers.
Network solutions: These DLP products examine data files as they pass over the network. Depending on the settings chosen by IT managers, these tools report on and block transactions that violate an organization’s data management policies. For example, if the policies do not allow personal identification numbers to be sent across the LAN, a network DLP solution will spot the prohibited traffic and take the appropriate action.
Channel solutions: These DLP solutions monitor activities in particular areas rather than looking at all traffic across a network. Thus, a channel-specific application integrated with an antispam gateway would identify data leakages via e-mail attachments, for instance, but not potential breaches from malicious File Transfer Protocol (FTP) sites or web browsing.
Some solutions employ both endpoint protection and network-based components, the benefit being that IT managers can centrally enforce security policies through two integrated solutions. This simplifies the task of deploying DLP capabilities across the enterprise. But there’s a trade-off: A hybrid approach may compromise the full power of the individual solutions.
Organizations that are particularly concerned about data loss should separate their network-based DLP solutions from their endpoint protection DLP tools. This will allow the best protection in both areas.
Makers of DLP products also point to a distinction between content-aware and content-neutral technologies. Content-aware detection integrates the scanning of outbound traffic with content discovery, such as identifying stored credit card numbers, personal information or sensitive data in unauthorized parts of the network.
To be effective, content-aware DLP tools must scrutinize all types of traffic leaving the network, including e-mail, web traffic, file transfers and instant messaging. By contrast, content-neutral products apply controls without regard to the information itself; for example, blocking all downloads to thumb drives. In practice, both content-aware and content-neutral loss protection occur in endpoint protection and network-based products.
Evolving DLP Capabilities
Although DLP solutions have existed for several years, they have evolved to become more effective in both their traditional roles and in new ones, particularly when it comes to addressing insider threats. For instance, many of today’s technologies are now mobile-aware.
“DLP is being impacted by the consumerization of IT and the trend for more people bringing their own mobile devices to work,” says Andrew Forgie, director of strategic solutions for Websense, a maker of DLP, unified web security and e-mail protection products.
The mobility of users within enterprises has pushed security companies to expand their DLP offerings to remain competitive, adds Rick Holland, senior analyst with Forrester Research. In his report, Content Security: 2012 Budget and Planning Guide, Holland points out that Websense now offers a mobile DLP solution that extends the company’s unified TRITON architecture to include the Apple iPad and iPhone, as well as Android devices.
Similarly, Symantec recently introduced Symantec Data Loss Prevention for Tablet. It monitors and protects sensitive data sent from iPad mail clients, browsers and applications, such as Facebook, Twitter and Dropbox.
Second, security product manufacturers have succeeded in tackling the implementation and data-profiling complexities that traditionally have challenged DLP rollouts. “DLP is great in concept,” notes Dave Amsler, president and CIO of Foreground Security, a security consulting, training and services firm. “But unless you’ve actually classified and tagged your data, it does little good.” He adds that although many solutions include tools for tagging data automatically, IT managers often must intervene to make adjustments for accuracy.
Applying third-party services can help address some of these challenges. The RSA DLP RiskAdvisor Service leverages the RSA DLP suite for automated discovery of unprotected sensitive information and provides a snapshot of potential exposure points.
This type of tool can help enterprises quickly identify sensitive data on target file-shares and desktop infrastructure components. The RiskAdvisor service includes a high-level mapping of business functions associated with the sensitive data to help determine the exposure risk of the information.
Ease of Use
DLP vendors also now offer a number of other innovations to help make their solutions easier to launch and manage. One way is to integrate DLP within other types of traditional security solutions, such as antivirus software and server-based e-mail scanning applications. For example, users of Trend Micro’s OfficeScan endpoint security suite can add a DLP plug-in for multichannel data monitoring and scanning for Payment Card Industry (PCI) compliance.
In a further nod to simplification, Trend Micro and other vendors also provide templates with default settings to help enterprises quickly comply with PCI, Health Insurance Portability and Accountability Act (HIPAA), Sarbanes–Oxley and other reporting regulations.
“Enterprises know what compliance regulations they’re up against — they just select the right template, and it configures the DLP solution so it knows what to look for to meet data management rules,” says Steve Duncan, Trend Micro’s senior product marketing manager for data protection. “Thanks to these types of templates, IT managers don’t have to become experts in the details of each regulation.”
Similarly, SonicWALL, a vendor of network security and data protection solutions, includes approval boxes that collect data that’s been red-flagged for possible policy violations. “This means that if the word ‘confidential’ is in a file and somebody tried to e-mail the content out of the company, the file would get routed to an upload box,” says Swarup Selvaraman, product line manager for e-mail security and antispam at SonicWALL.
“The upload box could be assigned to an engineering manager, someone in human resources or the chief financial officer, based on what kind of data it is,” he says. “The appropriate manager can then step in to allow or block the transmission.”
Managers can key in project codes or other identifiers to make sure critical information never leaves their organization. To help, SonicWALL provides subject-specific dictionaries, including ones tailored for HIPAA or financial regulatory compliance. “You can write a policy that routes a message to an approval box if the subject, body or an attachment contains any words from this dictionary,” Selvaraman explains.