Data Loss Prevention: A Layered Aproach is Best.

DLP, or Data Loss Prevention is the practise (some say art) of identifying and remediating the loss or leakage of "sensitive data" from the Corporate network.  Sensitive data can be anything that is not classified as "Public Information", from Corporate Financials, to customer Personally Identifiable Information.

Data loss can be through theft, accident, negligence, or ignorance.  There are a ton of articles available on Data Theft. Whether it be disgruntled employees, external hackers, or botnet installation, data is stolen becasue it has value. Period.

According to a 2012 Verison Business report on Data Theft, we see the following:

          WHO IS BEHIND DATA BREACHES?

• 98%      stemmed from external agents (+6%)
• 4%        implicated internal employees (-13%)
• <1%     committed by business partners (<>)
• 58%     of all data theft tied to activist groups

HOW DO BREACHES OCCUR?

• 81%     utilized some form of hacking (+31%)
• 69%     incorporated malware (+20%)
• 10%     involved physical attacks (-19%)
• 7%      employed social tactics (-4%)
• 5%      resulted from privilege misuse (-12%)

 
A good starting point for any Data Loss discussion, is to Assume that you have already been breached, and plan your management and containment strategy.


Lets dispel a bit of fantasy here...

No Data Loss Prevention system on the planet can or will stop all data leakage.  

If that's what they're selling you, turn and run.  The only way to stop all data leakage is to NEVER STORE ANYTHING, and Certainly DO NOT TRANSMIT ANYTHING.   You know...

The only secure computer is one that's unplugged, locked in a safe, and buried 20 feet under the ground in a secret location... and I'm not even too sure about that one.—Dennis Hughes, FBI

All existing DLP solutions use one of two methods to identify sensitive data.  The "Precise" method relies on some type of tagging of the data in question.  Now this can be as easy as "Anything coming from this database",  or "This column in this table", "this field in this record type", "this folder on this share", or "this LUN on the SAN".  

The "Precise" method of DLP will stop data from inappropriately leaving it's known source.  And more sophisticated systems *may* actually have signatures (hash files) of all the data on those known stores to match against data in flight, to ensure a copy of the data doesn't leave.  Neither would stop a legitimate request for the data being screen captured and sent off separately or the data being repackaged in a different format and sent out.

The "Imprecise" method relies on signatures, meta-data, regular expressions, statistical analysis, or heuristics to watch the network egress points and make educated decisions on whether to allow traffic to pass, challenge the sender, or just block the traffic.

Data exists in three states "At Rest", "In Use", and "In Motion":

To implement an appropriate level of Data Loss Protection, you must tackle all aspects of data at rest, in use, and in motion. 

Data At Rest:
Typically data at rest (static data stored or archived on a file share, in a database table, or in an email system, for example) is protected from innapropriate access by Operating System level access controls. This type of control relies on group or role memberships.  You may be given the ability to read a file, read and update, or no access at all.  Most files within a folder share the same permissions, so the permissions folders themselves dictate the level of access per role. 

Additional to this, depending on the type of sensitive data in question, you may want to actually encrypt the data or the container it's stored in. In the case of Corporate Removeable Media, Laptops, or Mobile devices these MUST be encrypted as part of the standard build process.  Laptop theft or loss of a USB Memory stick without such encryption could cause your company considerable reputational, financial or legal damage.

Data in Use:
Data in use, shares much of the same features of data at rest, except that it most commonly refers to dynamic data that is changing frequently, and potentially residing on end point systems as well as in the data center systems.

Data in use can be protected through the use of End Point DLP solutions as well as those controls in place for Data At Rest.

Data in Motion:
Once data has been accessed by a user, and is "sent" somewhere via email, file transfer, uploaded to a website (Cloud Storage) it is considered to be "in motion".

At this point we need to heavility lean on "Perimeter  Data Loss Prevention".  Your perimeter is typically considered the edge of your network, protected by a firewall which connects your network to the Internet. Here, you will typically see data leaving via email, Instant Messaging, ftp, and web transfer.  A perimeter solution must account for these plus any other method that data may leak outside of your network.   There are many strong point solutions out there that tackle one or more of these Perimeter Data Loss vectors by such reputable security providers as Symantec, WebSense, Cisco, Fortinet, McAfee, Sophos, etc...          

So, to sum up quickly:  To reduce your risk of data loss, you must tackle the problem in a layered approach, through Policy and Awareness, at the endpoint devices,  the data center, and on the perimeter. 

  Endpoint Protection: 

• Updated Security Policies and Compliance programs
• Strong Awareness programs
• Laptop Encryption
• Removeable Media Encryption
• EndPoint Data Loss Protection
• AntiMalware

Data Center Protection:

• Network Access control
• AntiMalware
• File Integrity Monitoring
• Data Access Controls
• Storage Encryption
• Data Classification
• Data lifecycle
• Logging / Monitoring / Corelating / Reporting 

 Perimeter Protection:

• Web Filtering (URL Category filtering, blacklisting,  AntiMalware, as well as Content  filtering)
• Mail filtering  (blacklisting, SPAM filtering, AntiMalware)
• Intrusion Prevention
• Network Traffic monitoring / logging / trending
• Botnet Detection and Prevention

Finally... Create a Breach Incident Plan.  
Have the necessary tools, policies, training, contacts, and escalation in place, and test it regularly. Make sure that you have engaged Legal, Compliance, Brand, and your Corporate Communications teams and that they all know and can follow the plan. 

 

Obligatory links:

http://csrc.nist.gov/groups/SNS/rbac/documents/data-loss.pdf
http://www.symantec.com/data-leak-prevention

https://securosis.com/assets/library/reports/BestPracticesforEndpointDLP.pdf

http://www.rsa.com/products/DLP/ds/11668_RSA_DLP_Cisco_Integration.pdf

http://www.mcafee.com/ca/products/dlp-endpoint.aspx

http://www.fortinet.com/solutions/data_loss_prevention.html
http://www.mydlp.com/
http://www.ey.com/Publication/vwLUAssets/Keeping_your_sensitive_data_out_of_the_public_domain/$FILE/Data_loss_prevention_Keeping_your_sensitive_data_out_of_the_public_domain.pdf