data loss prevention a compliance conversation with robin basham

http://www.enterprisegrc.com
DLP – Ready or Not
Robin Basham, CISSP, CISA, CRISC, CGEIT, M.Ed, M.IT

Upload: enterprisegrc-solutions

Posted on 18-Jan-2017


TRANSCRIPT


If you are required to comply with (US) HIPAA, State Social Security Laws, COPPA, State Security Breach Laws (California Civil Code § 1798.29, 1798.80 et seq.), GLBA or PCI-DSS, someone will ask you:

How many unauthorized data exfiltration attempts have been detected recently by the organization's Data Loss Prevention (DLP) system?

What percentage of the organization's business systems are not utilizing host-based Data Loss Prevention (DLP) software applications?

Whether it was a customer request or a conversation with an examiner, they expected a detailed answer broken out by business unit. If you manage compliance, you are accountable to these answers.
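The two examiner questions above are answerable only if the asset inventory and the DLP alert feed can be joined by business unit. The following is an added example (not part of the presentation) that computes both numbers from constructed sample data; the inventory fields (`host`, `unit`, `host_dlp_agent`), the alert fields (`ts`, `host`, `channel`, `outcome`) and the unit names are assumptions, not any vendor's export format.

```python
"""Per-business-unit DLP compliance metrics from an asset inventory and a DLP alert feed.

Added example; the records below are constructed sample data and the field
names are assumptions, not a particular DLP product's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset inventory: one record per business system.
INVENTORY = [
    {"host": "fin-app-01", "unit": "Finance", "host_dlp_agent": True},
    {"host": "fin-db-01", "unit": "Finance", "host_dlp_agent": False},
    {"host": "hr-app-01", "unit": "HR", "host_dlp_agent": True},
    {"host": "hr-app-02", "unit": "HR", "host_dlp_agent": True},
    {"host": "crm-web-01", "unit": "Sales", "host_dlp_agent": False},
    {"host": "crm-web-02", "unit": "Sales", "host_dlp_agent": False},
]

# Constructed DLP alert feed. "blocked" and "monitored" are enforcement outcomes;
# "authorized" marks a transfer matched by an approved-process exception, which
# is therefore not counted as an unauthorized exfiltration attempt.
ALERTS = [
    {"ts": "2017-01-10T09:12:00", "host": "fin-db-01", "channel": "smtp", "outcome": "blocked"},
    {"ts": "2017-01-11T14:03:00", "host": "crm-web-01", "channel": "https", "outcome": "monitored"},
    {"ts": "2017-01-12T08:41:00", "host": "fin-app-01", "channel": "sftp", "outcome": "authorized"},
    {"ts": "2016-11-02T17:20:00", "host": "hr-app-01", "channel": "usb", "outcome": "blocked"},
    {"ts": "2017-01-15T11:55:00", "host": "crm-web-02", "channel": "smtp", "outcome": "blocked"},
]


def unit_of(host, inventory=INVENTORY):
    """Map a host to its business unit; hosts missing from the inventory are a finding in themselves."""
    for row in inventory:
        if row["host"] == host:
            return row["unit"]
    return "Unknown"


def exfiltration_attempts(alerts, now, days=30):
    """Count unauthorized exfiltration attempts per unit inside the trailing window."""
    since = now - timedelta(days=days)
    counts = defaultdict(int)
    for a in alerts:
        if a["outcome"] == "authorized":
            continue
        if datetime.fromisoformat(a["ts"]) < since:
            continue
        counts[unit_of(a["host"])] += 1
    return dict(counts)


def pct_without_host_dlp(inventory):
    """Percentage of systems per unit with no host-based DLP agent, rounded to one decimal."""
    total = defaultdict(int)
    missing = defaultdict(int)
    for row in inventory:
        total[row["unit"]] += 1
        if not row["host_dlp_agent"]:
            missing[row["unit"]] += 1
    return {u: round(100.0 * missing[u] / total[u], 1) for u in total}


def compliance_report(inventory=INVENTORY, alerts=ALERTS, now=datetime(2017, 1, 18)):
    """Answer both examiner questions, broken out by business unit."""
    attempts = exfiltration_attempts(alerts, now)
    coverage_gap = pct_without_host_dlp(inventory)
    units = sorted(set(coverage_gap) | set(attempts))
    return {
        u: {
            "exfiltration_attempts_30d": attempts.get(u, 0),
            "pct_systems_without_host_dlp": coverage_gap.get(u, 0.0),
        }
        for u in units
    }


if __name__ == "__main__":
    for unit, m in compliance_report().items():
        print(f"{unit:8s} attempts(30d)={m['exfiltration_attempts_30d']} "
              f"systems-without-host-DLP={m['pct_systems_without_host_dlp']}%")
```

The authorized-process exception and the trailing window are what keep the first number honest: without them a backup job or a six-month-old event inflates the count an examiner sees. A host that raises alerts but is absent from the inventory lands in "Unknown", which is itself an inventory-coverage gap worth reporting.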

“Isn’t DLP handled by security?”

“No, they cover that in the employee handbook.”

“I thought lost data was only a problem if it gets picked up by a major news station.”

Good News: When done right, Data Loss Prevention (DLP) benefits include:

• Protect critical business data and intellectual property
• Improve compliance
• Reduce data breach risk
• Enhance training and awareness
• Improve business processes
• Optimize disk space and network bandwidth
• Detect rogue/malicious software

Source: Data Leak Prevention © 2010 ISACA.

The DLP Mission – Understand, Control and Protect Data

Data loss prevention (DLP) is a comprehensive approach (covering people, processes, and systems) of implementing policies and controls designed specifically to discover, monitor, and protect confidential data wherever it is stored, used, or in transit over the network and at the perimeter. (Source: NSA/CSS Securing Data and Handling Spillage Events)

A data classification program is a program that categorizes data to convey the required safeguards for information confidentiality, integrity, and availability; it establishes the controls required based on value and level of sensitivity. (Source: Derived from SANS Institute InfoSec Reading Room)

Source: Appendix C: Glossary of FFIEC Cybersecurity Assessment Tool

Data Loss Prevention

Data Loss Prevention (DLP) refers to applications and appliances aimed at identifying sensitive information in an IT system and preventing it from leaking out.

Data in motion needs to be protected when in transit, i.e. data on the wire. This includes channels like HTTP/S, FTP, IM, P2P and SMTP.

Data in use resides on the end-user workstation and needs to be protected from being leaked through removable media devices like USB, DVD, CDs, etc.

Data at rest resides on file servers and databases and needs to be monitored so that it does not get leaked.

Sensitive customer information, or generally data that is sensitive, contains:

A customer’s name, address, or telephone number, in conjunction with the customer’s social security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer’s account. Sensitive customer information also includes any combination of components of customer information that would allow someone to log onto or access the customer’s account, such as user name and password or password and account number.

Source: Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice
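The definition above is a co-occurrence rule, not a single pattern: a name or phone number on its own is not sensitive customer information, and neither is a bare number, but the two together are. The following is an added example (not from the presentation or any DLP product) of a content rule built that way, with a Luhn check so that order numbers and other 16-digit strings do not masquerade as card numbers. The pattern names, the sample messages and the `clean`/`review`/`sensitive` verdicts are constructed assumptions.

```python
"""Content rule for 'sensitive customer information' as the Interagency Guidance defines it:
an identifying element together with an element that permits access to the account.

Added example; the patterns, verdict names and sample messages are constructed
assumptions and are deliberately narrower than a production rule set.
"""
import re

# Identifying elements. Cheap to match and noisy on their own, so they never
# trigger a 'sensitive' verdict without an access-enabling element beside them.
IDENTIFIERS = {
    "phone": re.compile(r"\b\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "street_address": re.compile(r"\b\d{1,5}\s+[A-Z][a-z]+\s+(?:St|Ave|Rd|Blvd|Dr|Lane|Way)\b\.?"),
    "name_label": re.compile(r"\b(?:Name|Customer|Account holder)\s*:\s*[A-Z][a-z]+(?:\s+[A-Z][a-z]+)+", re.I),
}

# Access-enabling elements (SSN, card number, account number, credential).
# The card pattern covers the common 16-digit, groups-of-four layout only.
SECRETS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "card_number": re.compile(r"\b\d{4}(?:[ -]?\d{4}){3}\b"),
    "account_number": re.compile(r"\b(?:acct|account)\s*(?:no\.?|number|#)?\s*[:#]?\s*\d{8,12}\b", re.I),
    "password": re.compile(r"\b(?:password|passwd|pin)\s*[:=]\s*\S+", re.I),
}


def luhn_ok(digits):
    """Luhn checksum over a digit string; drops card-number false positives such as order numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_secrets(text):
    """Access-enabling elements present in the text, keyed by kind."""
    hits = {}
    for kind, rx in SECRETS.items():
        matches = []
        for m in rx.finditer(text):
            value = m.group(0)
            if kind == "card_number" and not luhn_ok(re.sub(r"\D", "", value)):
                continue    # 16 digits that fail Luhn are not a card number
            matches.append(value)
        if matches:
            hits[kind] = matches
    return hits


def find_identifiers(text):
    return {kind for kind, rx in IDENTIFIERS.items() if rx.search(text)}


def classify(text):
    """Return (verdict, evidence).

    'sensitive' when an identifier co-occurs with an access-enabling element, or when two
    access components co-occur (e.g. password and account number, as the guidance states);
    'review' when only one side of the rule is present; 'clean' otherwise.
    """
    secrets = find_secrets(text)
    identifiers = find_identifiers(text)
    evidence = {"identifiers": sorted(identifiers), "secrets": sorted(secrets)}
    if secrets and identifiers:
        return "sensitive", evidence
    if len(secrets) >= 2:
        return "sensitive", evidence
    if secrets or identifiers:
        return "review", evidence
    return "clean", evidence


# Constructed sample messages (the card number is the well-known 4111... test value).
SAMPLES = {
    "statement": "Name: Jane Doe, 42 Oak St. Card 4111 1111 1111 1111 exp 12/19",
    "hr": "Account holder: Maria Lopez, SSN 123-45-6789",
    "creds": "reset done, password: hunter2 for account number 001234567890",
    "ticket": "Customer: John Smith called from 415-555-0134 about a login issue",
    "newsletter": "Order #4111111111111112 ships Monday from our Pine Avenue store.",
}


def classify_all(samples=SAMPLES):
    return {name: classify(text)[0] for name, text in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:10s} -> {verdict}")
```

Keeping the two sides of the rule separate is what makes it tunable: when the false-positive review in a later slide shows that a given identifier pattern is noisy, it can be narrowed without weakening the secret patterns, and the `review` verdict gives the monitor-only phase something to learn from without blocking anyone.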


Managing DLP as a GRC program and project

Current state: existing data-centric projects within security and the enterprise

• Identify & define sensitive data – audit requirements
• Inventory, classify & map systems data
• High-level risk assessment to refine year-one DLP scope
• Understand & evaluate rules engines – set realistic business goals
• Write a data loss prevention RFP
• Refine questions to ask vendors
• Establish selection committee

DLP bakeoff: enlist stakeholders to test DLP products

• Enterprise IT consensus in evolution of DLP strategy
• Define policies and policy process
• Publish data flow diagrams
• Validate business data owners and custodians
• Establish deployment scenarios

Phases: Selection → Implementation → Enable DLP operations → Train end users

Continuous improvement over Information Asset Management

Mission – Work with Business and Security to Prevent Data Loss through programs and technology known as DLP

Mission – Establish a culture of continuous improvement

• Identify & define sensitive data – audit requirements
• Inventory, classify & map systems data
• High-level risk assessment to refine year-one DLP scope
• Refine rules engines
• Coordinate with incident response team
• Refine and communicate policies
• Update and maintain data flow diagrams
• Integrate DLP into end user training

DLP Policy: Monitoring & prevention; Discovery & protection

Don’t do everything at once: use a qualitative risk assessment; leverage the existing BIA and data retention strategy and the information security threat analysis; and integrate with goals for enterprise IT.

Endpoint – user access to sensitive data, at-risk employees
• Increasing granularity of data policies and controls
• Start with the most sensitive data in high-frequency locations like email, CRM, financial systems

Network – high-volume, high-risk protocols and exit points
• Increasing monitored protocols and endpoints
• Start with known vulnerable algorithms and protocols (SSL 3, TLS 1.0, DES, RC4)

Storage – increasing allowable and monitored locations for data
• File servers
• Exchange DB
• SharePoint
• Database servers
• Virtual Storage CIF
• Web servers

Program v. Product: Products prevent channels through which data can leak; HOWEVER, DLP is only effective as part of the security architecture and the compliance culture.

DLP suites are often integrated into endpoint security tools and network application gateways (examples): Symantec, McAfee, Websense, Microsoft, RSA.

DLP is also implemented via enabling integrated components (example): Data Loss Prevention (DLP) in Microsoft Office 365.

DLP can be accomplished through technical activities (example): data fingerprinting.
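Data fingerprinting, named above as a technical DLP activity, works by registering hashed fragments of a protected document and then scoring outgoing content by how many of its fragments are already registered, so that an excerpt pasted into an email is caught without the engine holding the original text. The following is an added example of the technique (not the presentation's or any vendor's algorithm); the word-shingle size, the match threshold, the document ids and the sample emails are constructed assumptions.

```python
"""Document fingerprinting for DLP: hashed word shingles of protected documents, matched
against outgoing content. Added example; the documents, shingle size and threshold are
constructed assumptions, not a vendor's implementation."""
import hashlib
import re

SHINGLE_WORDS = 5       # words per shingle; smaller catches shorter excerpts but adds noise
MATCH_THRESHOLD = 0.30  # fraction of outgoing shingles that must match to raise an alert


def normalize(text):
    """Lower-case, strip punctuation and collapse whitespace so reformatting does not defeat matching."""
    return re.sub(r"[^a-z0-9 ]+", " ", text.lower()).split()


def shingles(text, k=SHINGLE_WORDS):
    """Overlapping k-word windows over the normalized text."""
    words = normalize(text)
    return [" ".join(words[i:i + k]) for i in range(len(words) - k + 1)]


def fingerprint(text):
    """Set of truncated SHA-256 digests, one per shingle. Only digests are stored, so the
    registry never has to hold the protected text itself."""
    return {hashlib.sha256(s.encode()).hexdigest()[:16] for s in shingles(text)}


class FingerprintRegistry:
    def __init__(self):
        self._docs = {}  # doc_id -> set of shingle digests

    def register(self, doc_id, text):
        self._docs[doc_id] = fingerprint(text)

    def score(self, outgoing):
        """{doc_id: fraction of the outgoing content's shingles found in that document}."""
        out = fingerprint(outgoing)
        if not out:
            return {}
        return {d: len(out & fp) / len(out) for d, fp in self._docs.items()}

    def match(self, outgoing, threshold=MATCH_THRESHOLD):
        """Best-matching document id and rounded score when above threshold, else None."""
        scores = self.score(outgoing)
        if not scores:
            return None
        best = max(scores, key=scores.get)
        return (best, round(scores[best], 2)) if scores[best] >= threshold else None


# Constructed protected documents and outgoing messages.
PROTECTED_DOCS = {
    "falcon-pricing": ("Project Falcon pricing model. The wholesale rate for tier one partners is "
                       "fixed at eleven percent below list price for the first two quarters, after "
                       "which the rate is reviewed by the finance committee every ninety days."),
    "hr-handbook": ("Employee handbook section four. Company equipment issued to remote staff must "
                    "be returned within ten business days of separation, and access badges are "
                    "deactivated on the last working day."),
}
SAMPLE_EMAILS = {
    "excerpt": "FYI - the wholesale rate for tier one partners is fixed at eleven percent below list price, can you confirm?",
    "reformatted": "THE WHOLESALE RATE, for tier-one partners, is FIXED at eleven percent below list price.",
    "benign": "Lunch is at noon on Friday, please confirm attendance with the front desk by Thursday.",
}


def build_registry(docs=PROTECTED_DOCS):
    reg = FingerprintRegistry()
    for doc_id, text in docs.items():
        reg.register(doc_id, text)
    return reg


if __name__ == "__main__":
    reg = build_registry()
    for name, body in SAMPLE_EMAILS.items():
        print(f"{name:12s} -> {reg.match(body)}")
```

The score is relative to the outgoing message, not the protected document, which is the right direction for leakage: a one-paragraph excerpt of a fifty-page file scores high even though it covers a tiny share of the source. The normalization step is what lets the capitalised, re-punctuated version still score 1.0.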

DLP Involves a lot of Security and Engineering

A security service is a collection of security mechanisms, files, and procedures that help protect the network via:
• Authentication
• Access control
• Data confidentiality
• Data integrity
• Non-repudiation
• Logging and monitoring

We engage in subjects including: encipherment, digital signature, access control, data integrity, authentication, traffic padding, routing control, notarization …

Data Leakage Prevention: ILDP, ILP, CMF, IPC, EPS

Some other terms associated with data leakage prevention are information leak detection and prevention (ILDP), information leak prevention (ILP), content monitoring and filtering (CMF), information protection and control (IPC), and extrusion prevention system (EPS), as opposed to intrusion prevention system.

What can go wrong in DLP implementation

Figure 1—Operational Risks Related to DLP Implementation (Risk / Impact / Mitigation Strategy)

Risk: Improperly tuned network DLP modules
Impact:
• Disruption of business processes
• Lost time and revenue
• Damage to customer or business partner relationships
• Loss of business stakeholder support
Mitigation strategy: Proper tuning and testing of the DLP system should occur before enabling actual blocking of content. Enabling the system in monitor-only mode will allow for tuning and provide the opportunity to alert users to out-of-compliance processes and activities so they may make adjustments accordingly. Involving the appropriate business and IT stakeholders in the planning and monitoring stages will help ensure that disruptions to processes will be anticipated and mitigated. Finally, establish some means of accessibility in the event there is critical content being blocked during off-hours when the team managing the DLP solution is not available.

Risk: Improperly sized network DLP module
Impact:
• Missed or dropped network packets allowing data to pass uninspected
Mitigation strategy: Ensuring that the size of the DLP module is appropriate for the amount of network traffic is a critical design consideration. However, it is just as important to monitor the DLP network modules to ensure that network traffic does not increase over time to a point that renders the module ineffective.

Risk: Excessive reporting and false positives
Impact:
• Wasted staff time
• Missing valid threats
• Tendency to ignore logs over time
Mitigation strategy: Similar to an improperly configured intrusion detection system (IDS), DLP solutions may register significant amounts of false positives, which overwhelm staff and can obscure valid hits. Avoid excessive use of template patterns or “black box” solutions that allow for little customization. The greatest feature of a DLP solution is the ability to customize rules or templates to specific organizational data patterns. It is also important that the system be rolled out in phases, focusing on the highest risk areas first. Trying to monitor too many data patterns or enabling too many detection points early on can quickly overwhelm resources.

Risk: Conflicts with software or system performance
Impact:
• System down time
• Performance degradation
• Breaking of DLP or other controls or processes
Mitigation strategy: DLP systems, particularly crawlers and end-point agents, can conflict with other system software and performance. Allowances must be made for ample planning and testing before deployment. Ideally, a permanent testing and staging environment should be available. Check with the vendor for known conflicts. Ensure that crawlers are properly configured and tuned, and that their operation is scheduled in such a way as to avoid peak system processing windows. When avoidable, end-point scans should not be scheduled for peak work hours or when systems are remotely connected. Also ensure that all patches and upgrades are tested within the test environment prior to deployment to production.

Source: Data Leak Prevention © 2010 ISACA.


Risk: Changes in processes or IT infrastructure rendering DLP controls ineffective
Impact:
• Reduction of DLP effectiveness due to circumvention of DLP controls
Mitigation strategy: The DLP system administrator or a representative should be involved in change control processes to ensure that changes made do not circumvent or otherwise degrade DLP capabilities. In addition, the enterprise should be well prepared for changes associated with DLP to reduce the risk of intentional bypassing of the DLP system in the name of efficiency.

Risk: Improperly placed DLP network modules
Impact:
• Missed or uninspected data streams
Mitigation strategy: It is important to ensure proper placement of DLP network modules. Ensure that accurate network maps are available, and that the modules are placed at the outermost egress point for data flows the enterprise wishes to monitor.

Risk: Undetected failure of DLP modules
Impact:
• Data not inspected due to partial or complete module failure
Mitigation strategy: DLP modules can fail, but do not always report their state to the console. It is important to periodically test to ensure that modules and their associated filters are performing as expected.

Risk: Improperly configured or incomplete directory services
Impact:
• Inability to trace violations to the appropriate end users
Mitigation strategy: The directory service is the key connection between a network address and an actual user, and most enterprises will want to have this process in place as opposed to manual discovery of this information, which can be time consuming and is not always possible. Enterprises that lack or have incomplete directory services should consider addressing this gap prior to implementing a DLP solution.

Source: Data Leak Prevention © 2010 ISACA.
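Two of the mitigations in the ISACA figure, monitor-only mode before blocking and customizable rules to keep false positives down, come together as a tuning gate: a rule stays in monitor mode until analysts have reviewed enough of its hits and confirmed the false-positive rate is acceptable, and only then is blocking switched on. The following is an added example (not from the ISACA figure, the presentation, or any product) of that gate and of the per-event enforcement decision that records why each action was taken; the policy ids, the review log, the approved-process exceptions and the thresholds are constructed assumptions.

```python
"""Monitor-only versus blocking enforcement with a false-positive tuning gate.

Added example; the policies, the analyst review log, the approved-process exceptions
and the gate values are constructed assumptions, not any DLP product's configuration.
"""
import copy
from collections import Counter

# Each policy starts in "monitor" mode. "block" may only be enabled once the
# reviewed false-positive rate over the tuning window is at or below fp_gate
# and at least min_events hits have been reviewed.
POLICIES = {
    "ssn-over-smtp": {"mode": "monitor", "channel": "smtp", "fp_gate": 0.05, "min_events": 20},
    "card-to-https": {"mode": "monitor", "channel": "https", "fp_gate": 0.05, "min_events": 20},
    "card-to-usb": {"mode": "block", "channel": "usb", "fp_gate": 0.05, "min_events": 20},
}

# Constructed analyst review log for the tuning window: (policy id, confirmed verdict).
REVIEW_LOG = (
    [("ssn-over-smtp", "true_positive")] * 18 + [("ssn-over-smtp", "false_positive")] * 6
    + [("card-to-https", "true_positive")] * 24 + [("card-to-https", "false_positive")] * 1
)

# Constructed exceptions: processes a business owner has approved for a given policy,
# so the DLP engine does not break a sanctioned data flow (e.g. a backup agent).
APPROVED_PROCESSES = {"card-to-usb": {"backup-agent.exe"}}


def fresh_policies():
    """A private copy so that promotions do not mutate the shared baseline."""
    return copy.deepcopy(POLICIES)


def false_positive_rate(policy_id, review_log):
    """(rate, reviewed_count); rate is None when nothing has been reviewed yet."""
    counts = Counter(verdict for pid, verdict in review_log if pid == policy_id)
    total = counts["true_positive"] + counts["false_positive"]
    return (counts["false_positive"] / total if total else None), total


def ready_to_block(policy_id, policies, review_log):
    """Tuning gate: enough reviewed hits and a false-positive rate under the policy's gate."""
    rate, total = false_positive_rate(policy_id, review_log)
    pol = policies[policy_id]
    return total >= pol["min_events"] and rate is not None and rate <= pol["fp_gate"]


def promote_ready_policies(policies, review_log):
    """Switch monitor-mode policies that pass the gate to block; return the promoted ids."""
    promoted = []
    for pid, pol in policies.items():
        if pol["mode"] == "monitor" and ready_to_block(pid, policies, review_log):
            pol["mode"] = "block"
            promoted.append(pid)
    return promoted


def enforce(event, policies, approved=APPROVED_PROCESSES):
    """Decide the action for one detection event and record the reason for the audit trail:
    'allow' (approved-process exception), 'log' (monitor-only mode) or 'block'."""
    pid = event["policy"]
    pol = policies[pid]
    if event.get("process") in approved.get(pid, set()):
        return {"policy": pid, "action": "allow", "reason": "approved-process exception"}
    if pol["mode"] == "monitor":
        return {"policy": pid, "action": "log", "reason": "policy in monitor-only mode"}
    return {"policy": pid, "action": "block", "reason": "policy in block mode"}


if __name__ == "__main__":
    pols = fresh_policies()
    for pid in pols:
        print(pid, false_positive_rate(pid, REVIEW_LOG), "ready:", ready_to_block(pid, pols, REVIEW_LOG))
    print("promoted:", promote_ready_policies(pols, REVIEW_LOG))
    print(enforce({"policy": "ssn-over-smtp", "process": "outlook.exe"}, pols))
    print(enforce({"policy": "card-to-usb", "process": "backup-agent.exe"}, pols))
```

Every decision carries its reason, which is what the compliance team needs when a business unit asks why a transfer was stopped and what an examiner needs when asking why it was not. The gate is deliberately per policy: a noisy SSN rule stays in monitor mode and keeps generating review material while a well-tuned card rule graduates to blocking, which is the phased rollout the mitigation text calls for.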

Wrapping up, the main Elements in DLP

The compliance team will spend a majority of their time focused on data classification processes including:
• Inventory of hardware and software assets
• Network topology
• Business process and data flow maps
• Mapping technology operations to corporate strategic objectives

Data Loss Prevention involves technical knowledge and rules-based implementation. Team oversight provides tremendous value to audit, security, the enterprise and the business.