- November 27, 2012
- Posted by: princly
- Category: blog, Content Security
This piece was written specifically to demystify some of the confusion surrounding data leak prevention (DLP). I'll therefore ask for your indulgence to peruse its contents thoroughly.
Most network security products (IPS/IDS) focus on keeping the bad guys — Trojans, viruses and hackers — outside of the network, but data loss prevention (DLP) keeps the good stuff — sensitive enterprise data — in. With more business data leaks tainting the reputations of companies, it's important not only to keep your information secure but to keep it from getting into the wrong hands.
Marketers use various terms when they refer to DLP. Some examples I’ve seen are information leak prevention (ILP), content monitoring and filtering (CMF) and extrusion prevention system.
What you might ask at this point is: is there a difference among any of those terms? I would say DLP (data loss prevention) is the industry-wide term. Usually, where some of the other terms come in, it is a company trying to differentiate itself.
Just so you know, there's no difference between data loss prevention and data leakage prevention.
Another salient question that often comes to mind is: how does DLP fit in terms of network security, and how does DLP mesh with what already exists? Five years ago, everything in security was based on trying to keep the bad people out. But now the problem that enterprises are really trying to grapple with is how to protect their confidential data — whether it's customer data covered by PCI, like charge card data, or health records, or just intellectual property — and that's a huge problem. It's a big business problem because once the data gets out, businesses have to disclose the breach, they have to track it down, and then it just gets nasty ("nasty" being my technical term).
So there's a big demand to help businesses make sure that their data stays secure in the data center and that, as it moves around their network, there are controls in place to make sure it doesn't escape in an unauthorized manner. In a nutshell, that's the whole deal with DLP: just to protect the crown jewels (corporate data), so to speak.
In some of the presentations that I’ve made in the past, I often come across questions like, How is DLP different from Network Access Control (NAC)? Is there a difference or similarity between NAC and DLP? My answer is Yes! All the other stuff, like network access control, is more geared toward keeping malicious code out of the network. It’s more oriented toward: “Is your antivirus installed? Do you have all the right patches in place?” It comes much more from an operational integrity issue than from a data leak issue.
The characteristics of DLP are almost like a backward firewall. Where a firewall looks at data coming into the network and says, “Do I want to allow this?” DLP looks at data flowing out of your network and says, “Is this data something I care about? Is it confidential?”
In the network, it actually looks at the data packets and data flow. Instead of looking for attacks, it finds traffic that's actually confidential data and then makes a decision on whether or not to allow that to go forward. It might also interest you to note that there are other ways information leaks from the network besides email, and DLP tracks those leaks as well.
Avenues for information leaks – the three big ways are:
1. Email – where you send something out, usually to a business partner, but sometimes mistakes happen and it doesn't go to that person.
2. Laptop or USB drive – so you've actually made a local copy of it, and your laptop gets stolen or somebody's got something on a memory stick, and that's got a lot of data on it.
3. A piece of malicious code – as with the Hannaford incident — that sits there and just sends automatically. This is spyware; it steals data and sends it out over the Internet.
That’s pretty much it. The challenge with DLP is [figuring out] … how to look at everything in the network. Also, once the data gets to a laptop — which you usually have to do for an employee — or desktop, how do you make sure that it gets cleaned up from that endpoint so that it doesn’t sit on a local drive or sit on a removable drive?
Please note that some vendors describe DLP as being broken up into three essential parts: network endpoint security, endpoint protection, and discovery. With this background information, you might be tempted to ask: what is the most important component of DLP?
I think data discovery is the most important. Because I find that if IT knows what is there, they can do a reasonably good job of either putting technology in place or of educating the user. Much of the time, IT doesn’t really know what or where all the sensitive data is, from a security standpoint. So just being able to say, “There’s confidential data in this database or around this file share or SharePoint,” is useful information for the security [team] to have, because then they can put controls in place so that only authorized people can access it. Then those authorized people are educated as to what their responsibilities are…
The reason I think discovery is the most important is that if security knows where the confidential data is, then they can put a little extra vigilance into making sure that the access control policies are in place. They can make sure that all the accounts are active, that people who do access it know their responsibilities and the rules, and that there is a little bit of social education above and beyond what they would normally do. They might be a little tighter with their audits of machines if they know they have consumer data on them, for instance: they would audit them more often, change the policy, or look for things that don't belong there. An operator in the financial services sector, for instance, might have 10,000 applications with 10,000 databases, so it helps to narrow it down to the ones that should get special attention.
The last myth I would like to clear up is this: now that we have DLP, what else does the network admin have to do? Is it just to find that material and make a stronger algorithm for it? Yes: find the material, then put the security controls around it.
When I talk to security people in the enterprise, I think they've been pretty good if they know there's a problem: they want to do the right thing. So if they know a company is at risk, they'll take care of it. It's just that if they don't know, what can they do? So half the game is letting them know that there's a resource like a database, a file or some information that really needs some TLC (Top Level Control) — some extra care.
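To make the two DLP functions described above concrete, the "backward firewall" check on outbound traffic and discovery of sensitive data at rest, here is an added example (not code from the original post or from any DLP product). It uses a single detector for payment card numbers, the PCI data the post gives as its example; the card numbers, file share contents, recipient and partner domain are all constructed sample values.

```python
import re

# 13-19 digits with optional single space/dash separators, bounded by non-digits.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so order numbers and phone numbers are not flagged as PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return the card numbers (digits only) found in a piece of content."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def inspect_outbound(body: str, recipient: str, partner_domains: set) -> tuple:
    """The backward-firewall decision for one outbound email: allow, audit or block."""
    cards = find_card_numbers(body)
    if not cards:
        return "allow", []
    masked = ["*" * (len(c) - 4) + c[-4:] for c in cards]   # never log the full PAN
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in partner_domains:                            # known business partner
        return "allow-with-audit", masked
    return "block", masked


# Constructed sample file share: path -> file contents.
SHARE = {
    "finance/refunds-q3.csv": "cust,card\nalice,4111 1111 1111 1111\nbob,5500 0000 0000 0004\n",
    "hr/handbook.txt": "Expense reports are due Friday.",
    "ops/orders.log": "order 1234567812345678 shipped",   # fails Luhn: not a PAN
}


def discover(share: dict) -> dict:
    """Discovery: which files hold card data, and how many card numbers each."""
    report = {}
    for path, text in share.items():
        count = len(find_card_numbers(text))
        if count:
            report[path] = count
    return report
```

Run against the constructed share, `discover` points the security team at the one file that needs the extra vigilance the post talks about, while the order log with a Luhn-invalid 16-digit number is correctly left alone.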
Thank you for your time. As always, your comments, questions are well appreciated!