Information = Money! Information can be anything: financial statements, health records of patients, source code, intellectual property (IP), trade secrets, design specifications, price lists, anything from which an organization generates profit. Information is one of the business's most important assets.
Business requires accessing information from anywhere, at any time and on any device. This desire for information to be 'free' leads to many security and management related challenges.
Organizations are moving from securing IT infrastructure to securing information. While a great deal of attention has been given to protecting electronic assets from outside threats, from IPS to firewalls to vulnerability management, organizations are now turning their attention to an equally dangerous situation: the problem of data loss from inside.
Data Loss Problem
You may have got a complete arsenal of hardware and software, encryption and firewalls, IDS and IPS, to prevent any hacker, virus, malware or spyware from penetrating your defenses. From the outside you are invincible.
Inside is a different story!
Inside, a BlackBerry can be as dangerous as an internal spy. Your email server may become a superhighway for sending classified data to the outside world. An HTTP link can be a pipeline to the competition.
The issue of data loss covers everything from confidential information about one customer being exposed, to thousands of source code files for a company's product being sent to a competitor. Whether deliberate or accidental, data loss can occur at any time: employees, consultants, or other insiders release sensitive data about customers, finances, intellectual property, or other confidential information, in violation of company policies and regulatory requirements.
According to a survey, employee error is now the fourth largest security concern in the enterprise, behind malware, spyware and spam. With all the avenues available to employees today to electronically expose sensitive data, the scope of the data loss problem is an order of magnitude greater than threat protection from outsiders.
Sources of Data Leakage
There are many ways through which confidential data or proprietary secrets can leave an organization via the internet:
- HTTP (message boards, blogs and other websites)
- Instant Messaging
- Peer-to-peer sites and sessions
Flash drives, USB devices, mp3 players, cell phones, etc. are the most common electronic devices used to leak sensitive data.
Data Loss Statistics
The charts below are provided in "as-is" format based on the current database maintained by the Open Security Foundation and DataLossDB.org.
Data Loss Prevention
Data Loss Prevention (DLP) is a system/process for identifying, monitoring and protecting sensitive data or information in an organization according to policies. Policies vary from organization to organization, but the focus is on preventing sensitive data from leaking out of the organization and on identifying people or places that should not have access to certain data or information.
DLP is also referred to as Information Leak Prevention (ILP), Information Leak Detection and Prevention (ILDP), Data Leak Prevention, Content Monitoring and Filtering (CMF), Information Protection and Control (IPC), Extrusion Prevention System, etc.
Sensitive Data and DLP Solution
Data in Motion
This feature of the DLP solution applies to all data on the wire: any data that is moving through the network to the outside via the internet.
Various protocols are currently supported, including HTTP, FTP, IM, P2P and SMTP, to name a few.
As shown below, all traffic leaving the internal network via any of the common channels above is mirrored to the DLP device for inspection.
See the following example of the placement of this device:
This provides visibility into a large number of violations. For example, if a sensitive file was transferred using FTP, several things come to light. FTP is a protocol that uses clear text, so transmitting sensitive files over it is a concern in itself. This leads to the question of whether this file should be leaving the company at all. We also need to verify that the parties involved are authorized to view and transmit the data. Most of this applies not just to FTP, but to any of the communication channels mentioned above.
Data at Rest
This feature refers to any data that resides in file systems, databases and other storage. The primary use of this feature is finding sensitive data in places where it should not be, i.e. on the corporate network, employees' laptops, backup media, etc. Once it is found, the data can be erased, moved to a secured location or protected with access privileges.
This uses the existing policy to look for any sensitive data. Discovery scanning can be used to fingerprint data, so that copies of it in unstructured form can be identified elsewhere.
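As an added illustration (not from the original article or any DLP product), the following Python sketch shows the content analysis behind Data in Motion inspection and Data at Rest fingerprinting, and how a finding maps to a response: a Luhn-checked card-number pattern, an SSN pattern, a keyword, and a word-shingle fingerprint of a constructed sensitive document. The sample document, the channel names, the match threshold and the action table are all assumptions.

```python
import hashlib
import re

# Constructed sample of a protected design document (hypothetical content)
SENSITIVE_DOC = "Project Falcon design spec: turbine blade alloy ratio 62/38, tolerance 0.05mm."
CLEAR_TEXT_CHANNELS = {"ftp", "http"}          # transmission itself is a concern here
ACTIONS = {"low": "warn", "high": "quarantine", "critical": "block"}   # assumed policy
SEVERITY_RANK = {"low": 0, "high": 1, "critical": 2}
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def fingerprint(text: str, shingle: int = 5) -> set:
    """Hash every run of `shingle` words so an excerpt of the document still matches."""
    words = re.findall(r"\w+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + shingle]).encode()).hexdigest()
            for i in range(len(words) - shingle + 1)}

KNOWN_FINGERPRINTS = fingerprint(SENSITIVE_DOC)   # built once by discovery scanning

def classify(payload: str) -> list:
    """Return (finding, severity) pairs for the content of one message or file."""
    findings = []
    for m in CARD_RE.finditer(payload):
        if luhn_valid(re.sub(r"[ -]", "", m.group())):
            findings.append(("PII:credit_card", "high"))
    if SSN_RE.search(payload):
        findings.append(("PII:ssn", "high"))
    if "confidential" in payload.lower():
        findings.append(("keyword:confidential", "low"))
    if len(fingerprint(payload) & KNOWN_FINGERPRINTS) >= 3:   # assumed match threshold
        findings.append(("IP:fingerprint_match", "critical"))
    return findings

def decide(channel: str, payload: str) -> str:
    """Map the worst finding to a real-time response, escalating on clear-text channels."""
    findings = classify(payload)
    if not findings:
        return "allow"
    worst = max((sev for _, sev in findings), key=SEVERITY_RANK.get)
    action = ACTIONS[worst]
    if channel in CLEAR_TEXT_CHANNELS and action == "quarantine":
        action = "block"                    # clear-text transfer of PII is never tolerated
    return action
```

A real deployment would keep the fingerprint set in a store populated by the discovery scan and feed `decide` from the mirrored traffic or the endpoint agent, rather than from literals.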
Data at Endpoints
Data at Endpoints consists of agents that run on end servers, user laptops or desktops, keeping watch on all activities related to data. They typically monitor and prevent any data leaving via removable devices such as floppies, CDs, USB devices, external drives, mp3 players, etc.
Because of its agent-based approach, it has not been a popular choice among customers. However, it does provide a great deal of protection against data leaving via removable devices.
Best Practices to Prevent Data Loss
Best Practice 1:-
Identify and Prioritize Your Most Vulnerable Risk Points
Unwanted internal and external disclosure of Non-Public Information (financial, business, HR, legal, and regulatory data), Personally Identifiable Information (social security numbers, credit card information, personal health data), and Intellectual Property (patents, trademarks, design plans) can occur at many different points throughout your network. This is why a comprehensive DLP solution ultimately has to protect all potential risk points in your organization.
While end-to-end protection of all vulnerable sites is the ultimate goal for a DLP solution, in reality it makes far more tactical and financial sense to begin by protecting the data — as well as the mechanisms used to move this data — that represents the most danger to your enterprise. As the most frequently accessed and used electronic application in all companies, email is, without question, the most susceptible data loss risk point for most enterprises. With literally every employee in a typical organization sending and receiving more than 100 messages every day, it's an obvious vessel for sensitive and confidential information to go where it shouldn't. Adding to this security threat is the fact that email can originate from several different locations, many with gaping security holes, including desktops, mobile devices, public computers, Web-based corporate email, and disconnected laptops.
Not far behind email-propagated risks are those via removable storage devices — USB keys, iPods, CD/DVD burners, and disconnected laptops — that can hold hundreds of megabytes of data. Control-free Web activity also represents a Pandora's Box of data loss opportunities, particularly due to popular social networking and file-sharing tools such as instant and third-party messaging, Webmail, internet forums, blogs, and wikis.
Additional enterprise vulnerabilities that need to be addressed include file systems, repositories, document management systems and mail archives that should be scanned for sensitive and confidential data, as well as communication protocols such as FTP, general SMTP, and HTTP.
Best Practice 2:-
Ensure Effective, Comprehensive Coverage
A DLP solution must be able to effectively and comprehensively detect attempted policy violations. This includes:
- Multi-protocol monitoring and prevention
- Content-level analysis of all major file and attachment types
- Selective blocking and/or quarantining of messages
- Automatic enforcement of corporate encryption policies
Additionally, companies need to ensure that compliance and policy officers have the capability to create policies by user. Different people have different roles and responsibilities; having a DLP solution that recognizes this and helps enforce appropriate, user-level policies is very important.
If the chosen DLP solution cannot perform comprehensive and accurate content analysis, you won't be able to find and resolve true violations among a mass of false positives. As a result, such an ineffective detection system will prevent you from proactively blocking potential data loss violations with confidence, since so many of the flagged actions will be legitimate business activities.
Best Practice 3:-
Insist on Proven and Pre-Built Policies
An extensive set of effective policies — one that employs full and accurate analysis to provide the right response for any given event — is the foundation of any DLP solution. While it is critical to be able to quickly and easily create and deploy policies, it is just as important that the policies you employ effectively capture your company’s best practices and business rules.
Your DLP solution should draw on a complete set of customizable, prebuilt, and tested policies that can address an array of security and compliance issues or target a particular area of risk with pinpoint precision. Most should be 100% ready for immediate deployment across all critical risk points, including e-mail, Web, and Instant Messaging. Some may require customer-specific configuration to ensure optimum operation in a particular environment. With either approach, the time and effort required to design, prioritize, develop, and deploy your DLP policies will be dramatically reduced.
Best Practice 4:-
Protect More than Just Confidential and Sensitive Data
In addition to preventing information security breaches of Personally Identifiable Information (credit card information, health records), Intellectual Property (patents, trademarks, designs) and Non-Public Information (financial, business, HR, legal data), your DLP solution should also lessen all risks created by unsafe or noncompliant behavior conducted electronically. This broad range of activity can include unsuitable and offensive employee behavior, communication not in compliance with various regulatory and jurisdictional requirements, behavior that could compromise legal activity and strategy, uncontrolled financial transactions, and inappropriate handling of customer complaints.
An effective Data Loss Prevention solution can and should be used to resolve a wide range of information risk issues beyond guarding sensitive and confidential information. Most companies start by addressing DLP related concerns first, and then expand protection to other areas, such as information misuse.
Best Practice 5:-
Respond Appropriately to Each Incident
Once an event has been determined to be a violation, your DLP solution should respond in real time with the appropriate action such as blocking, quarantining, warning, encrypting, or informing, and then provide suitable steps for immediate remediation. Each response should be gauged specifically to the type and severity of the violation — in particular, by considering who is involved.
Other appropriate responses include redirecting a message or a user to an informative webpage on company security policy, providing procedural support to complete the task at hand, classifying the relevant message or file, updating an incident dashboard, and silently capturing problematic activity. In addition, you should be able to move, copy, delete, or tag all files at rest.
To ensure that breaches are addressed wherever they occur, responses must originate at all potential risk points, including the desktop, the message server, the network boundary, file repositories, and upon import and analysis of historical events.
Best Practice 6:-
Training and Awareness
It is important for an effective DLP solution to interact with the organization's employees so that they have a strong understanding of why certain activities are inappropriate and could be harmful for the organization. Not all violations are conducted with harmful intent. An employee may want to work at home and e-mail sensitive data to a personal, less secure public account. Although the intent may be good, the action is not. Ongoing education will help reinforce correct behavior and provide the employee with guidance on how to correctly handle sensitive data.
When companies educate and highlight the dangers of data loss, violations are reduced dramatically. Over time, as the employees become more familiar with corporate policy, overall security awareness practices increase throughout the company.
DLP is a serious issue for companies, as the number of incidents and the cost to those experiencing them continue to increase. Implementing a comprehensive DLP program is essential for today's working environment. Whether it is a malicious attempt or an inadvertent mistake, data loss can diminish a company's brand, reduce shareholder value, and damage the company's goodwill and reputation. In today's business environment, the volume of data has grown to the point where efficiently managing new and existing data is itself a challenge. Nevertheless, it is a problem that all organizations need to address.