
September/October 2008
Focus: Technology

Data Loss Prevention – A New Package on an Old Idea

By Patrick Johnson

Data Loss Prevention (DLP) looks complicated, big and expensive and will take way too much time and effort for no obvious reason, right? Try to connect the patterns and create a method to gauge and shepherd valuable data that seems intangible but exists, has high risk and must be protected. Can you put it all together? Thoughts? Bueller...Bueller? Cue HAL 9000, Dave.

There has always been an effort to secure sensitive information since the advent of the digital age. Security requirements, prevention and regulatory mandates are not just suddenly appearing, but have actually gone through a process of evolution over the past decades in response to the data security issues facing modern business. Terms like hacking, GLBA, non-public information, breach response, fraud and identity theft have been kicking around for years. The scary part is that even with our armory of prevention, detection and response programs, we are still losing the war.

Financial fraud overtook virus attacks as the source of the greatest financial losses in 2007.[1] The average annual loss reported in this year’s Computer Crimes Survey shot up to $350,424 in 2007 from $168,000 in 2006. Insider abuse of network access and e-mail ranked higher than virus incidents as the most prevalent security problem. Since January 2005, the Privacy Rights Clearinghouse has identified more than 215 million records belonging to U.S. residents that have been compromised due to security breaches.

We have already invested tons of money, time and resources, right? We have seventeen flavors of information security, risk assessments and security protocols, yes? We have typed so many pages that we have blisters on the tips of our fingers, right? Unfortunately, despite our efforts, fraud and information theft continue to soar regardless of the existing compliance programs and regulatory examinations. Institutions are passing information security exams with excellent marks, but data loss statistics continue their vertical trajectory. The cause is rudimentary – what the industry as a whole is doing is not really working. There is a sizable gap between having a compliant program and one that actually works. We need to unify all of our efforts and standardize the program. Enter DLP.

DLP engenders a holistic approach to information security and data resiliency that incorporates executive commitment, advanced monitoring systems, automation, formalized policies and procedures specifically designed to prevent, detect and automatically respond to unauthorized access and loss of sensitive data. This is accomplished by a layered and pinpointed technical, physical and enforcement security approach that can identify, track and monitor (in real time) data through its lifecycle (at rest, in motion, in use and on display). The ability to report on transgressions in real time is what makes the difference between true prevention and after the fact detection (viability vs. compliance).

There are distinct considerations for ensuring a compliant and viable DLP program. Data discovery is by far the most critical. Finding out where the data resides, classifying it (public, non-public, sensitive), and tagging it appropriately is the foundation for the program. Next, endpoint protection is implemented to help mitigate the biggest security risk – the data that walks right out the front door. Endpoints such as printers, paper, laptops, cell phones and portable media are the biggest culprits for data loss at the endpoint. Mitigation controls include full disk encryption, file control, port disabling and user policy enforcement. Server security follows the endpoint up the chain and can be strengthened greatly through the adoption of industry best practices, recurring testing and ensuring appropriate directories are tagged sensitive and restricted from unauthorized access.

Armed with the data discovery information and server best practices and mitigation, network preventive barriers can next be put into place, including network logical access controls, real-time monitoring, filtering/blocking, and automated violation alert and response to stop data loss. Port blocking, pattern recognition, encrypted file searching, contextual and content analysis, file restrictions and filtering are components of a resilient strategy. Intrusion Detection/Intrusion Prevention Systems (IDS/IPS) must be implemented for the gateway, and regular external penetration and internal vulnerability risk assessments must be performed to secure the perimeter from the outside in as well as from the inside out.

To complete the perfect beast, effective information qualification, quantification and reporting are the capstone as enforcement can only be supported if the information exists to identify violations. A vectored approach to reporting criteria includes:

  • Combined context and content analysis
  • Passive and active monitoring
  • Automated and interdiction response
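To make the data discovery and classification step and the combined context/content analysis concrete, here is a small added example (not from the article or the author) of a discovery scan over constructed sample files: a pattern hit alone is tagged non-public and only alerts, while a validated hit sitting next to a contextual keyword is tagged sensitive and blocked. File paths, contents and keyword list are all constructed for the illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample files standing in for what data discovery finds on a share.
SAMPLE_FILES = {
    "shares/marketing/brochure.txt": "Visit our branch on Main Street for current rates.",
    "shares/hr/payroll_2008.txt": "Employee SSN 219-09-9999: payroll adjustment for Q3.",
    "shares/ops/export.csv": "account,card\n1001,4111 1111 1111 1111\n1002,5500 0000 0000 0004",
    "shares/ops/notes.txt": "Ref 4111 1111 1111 1111 resolved by phone.",
}

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")   # candidate card number; Luhn check filters noise
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CONTEXT_WORDS = ("ssn", "social security", "card", "account", "payroll")  # constructed list

@dataclass
class Finding:
    path: str
    kind: str            # "card" or "ssn"
    classification: str  # "sensitive" or "non-public"
    action: str          # "block" (interdiction) or "alert" (passive monitoring)

def luhn_ok(digits: str) -> bool:
    """Mod-10 check: a pattern hit that fails it is almost certainly not a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_file(path: str, text: str) -> list:
    """Content analysis (patterns) combined with context analysis (surrounding keywords)."""
    has_context = any(w in text.lower() for w in CONTEXT_WORDS)
    hits = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            hits.append("card")
    hits += ["ssn"] * len(SSN_RE.findall(text))
    # Validated pattern next to a contextual keyword: sensitive, interdict.
    # Pattern with no supporting context: non-public, alert only.
    cls, action = ("sensitive", "block") if has_context else ("non-public", "alert")
    return [Finding(path, kind, cls, action) for kind in hits]

def classify_share(files: dict) -> dict:
    """Tag every discovered file; files without findings stay 'public'."""
    tags = {}
    for path, text in files.items():
        findings = scan_file(path, text)
        tags[path] = ("public", []) if not findings else (findings[0].classification, findings)
    return tags

if __name__ == "__main__":
    for path, (tag, findings) in classify_share(SAMPLE_FILES).items():
        print(f"{tag:10} {path}  findings={[(f.kind, f.action) for f in findings]}")
```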

Sounds harrowing, doesn’t it? Alas, fear not fair reader, for most of what DLP requires you are already familiar with, only it wasn’t called DLP and it wasn’t as broad reaching or well defined, much less integrated into the very fabric of the network proper. Just start with baby steps. You’ll be fine.


[1] CSI 12th Annual Computer Crime and Security Survey - 2007

Patrick Johnson is senior compliance officer for HEIT, Inc. (www.goheit.com) in Los Angeles. He can be reached at 970-212-7137 or patrick.johnson@goheit.com.


Unauthorized reproduction of all or part of this material without the express written consent of the author is strictly prohibited. All rights reserved.