I’ve recently been digging deeper into network DLP (as part of a PCI initiative in an organization). I’ve long been skeptical about the concept of the DLP space, but I feel a lot better about it lately. Let me briefly explain, keeping in mind that I am discussing network DLP and not endpoint DLP.
My original thinking about DLP has always centered on its many limitations. It is fun to make a list of all the ways you can circumvent the functions DLP provides. This always made me sigh in exasperation about DLP (data loss prevention!) as a security tool to prevent data loss. It’s not that I wanted DLP to be infallible, but I thought it was silly that even simple things could defeat it, like HTTPS/SSL or a password-protected zip file.
But now I believe DLP is not supposed to be strictly a security tool. DLP would be better labeled a Sensitive Business Process Identifier. What DLP really does is identify and alert on business processes sending XYZ data over channels they are, or are not, supposed to be using. Instead of stopping a malicious individual from exfiltrating information, DLP really wants to act like the bumpers in the gutters of a bowling lane: make sure valid business processes aren’t using poor channels to move data, and provide some logging/assurance when data is moved properly. My old thinking involved malicious activity; my new thinking involves business-valid activity. That’s a big difference!
Does this satisfy PCI checks? Technically, I guess so. But does it offer much assurance that data is not being exfiltrated from the network? No. Does DLP make a security geek feel good? Not when considered alone. When considered as an advanced item in a mature security posture, then perhaps it is merely OK.
A very valuable side benefit of DLP’s approach is that it drives the identification of where sensitive data resides and transits. This alone is almost worth the cost of DLP to the many companies that have no idea where this stuff sits or moves.
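As an added illustration of the "sensitive business process identifier" view above (example code written for this post, not taken from any DLP product or from the original post): a minimal network-DLP-style classifier that scans constructed proxy events for Luhn-valid card numbers and then decides whether the sending process is on an approved channel, logging approved transfers for assurance and alerting on the rest. The source/destination names, the approved-channel table and the sample events are all assumptions constructed for the example; the "uninspected" verdict models the HTTPS/zipped-file blind spot when the proxy cannot open the payload.

```python
import re

# Approved business channels (source process -> destination host) allowed to carry card data; constructed for this example.
APPROVED_CHANNELS = {("billing-app", "gateway.payments.example")}

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out order numbers, ticket ids and other digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right, folding two-digit results
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid card numbers found in text, with separators removed."""
    candidates = (re.sub(r"[ -]", "", m.group()) for m in PAN_RE.finditer(text))
    return [c for c in candidates if luhn_ok(c)]

def classify(event: dict) -> str:
    """One verdict per observed transfer; 'inspectable' is False when the proxy could not decrypt or unpack the payload."""
    if not event["inspectable"]:
        return "uninspected"        # TLS not intercepted or password-protected archive: DLP is blind here
    if not find_pans(event["body"]):
        return "clean"
    if (event["src"], event["dst"]) in APPROVED_CHANNELS:
        return "approved-channel"   # valid business process; log it for assurance
    return "alert"                  # card data over an unapproved channel: the process to investigate

# Constructed sample events, as a proxy log feed might present them to a DLP engine.
SAMPLE_EVENTS = [
    {"src": "billing-app", "dst": "gateway.payments.example", "inspectable": True,
     "body": "pan=4111 1111 1111 1111&amount=1999"},
    {"src": "hr-workstation", "dst": "webmail.example.net", "inspectable": True,
     "body": "Here is the card: 4111-1111-1111-1111"},
    {"src": "hr-workstation", "dst": "webmail.example.net", "inspectable": True,
     "body": "Order 1234567890123456 shipped, ticket 4111111111111112"},
    {"src": "hr-workstation", "dst": "unknown-host.example", "inspectable": False,
     "body": "<opaque TLS payload>"},
]

def run(events: list[dict]) -> list[tuple[str, str, str]]:
    """Classify every event; the tuples are what a DLP console would surface per business process."""
    return [(e["src"], e["dst"], classify(e)) for e in events]
```

Running `run(SAMPLE_EVENTS)` gives one approved-channel entry, one alert, one clean event and one uninspected event, which is exactly the split between logged business activity and channels to investigate that the post describes.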
First, mature DLP solutions in fact do have the ability to detect content in SSL-encrypted sessions. They integrate with proxies that can crack these open. We’ve done live detections/blocks on attempts of theft of confidential data via this channel.
Second, we hear this line frequently that you cite around malicious insiders. Many people with your background assume that, if they were a thief of data, they would have the care, discipline, and technical facility to evade DLP. Maybe that’s true of you, but it sure isn’t true of the vast majority of documented cases of data thieves.
Check out the cases of large-scale breaches perpetrated by malicious insiders. There are many in the press this past year. It’s pretty hard to find a large number of these cases that we couldn’t have nailed using DLP.
I know there are lots of ways to evade DLP, but the fact is the vast majority of malicious insiders are simply not using these methods of theft. Nearly all the thieves are doing obvious things that DLP nails.
Kevin Rowney
Founder, DLP Division (formerly Vontu)
Symantec
…DLP (data loss prevention!) as a security tool…
I’m glad you’ve seen the light, as network-based DLP tools are for due diligence, at best, and NOT security tools, per se.
Not when considered alone.
Exactly. These things, “security-related tools”, should never be considered in isolation. A network-based DLP tool does not replace, nor does it obviate the need for, a host-based solution.
Kevin, thanks for the comment, and I agree. That’s really what I’ve come to terms with. You make a good point, though, that even malicious attackers are still not being all that evasive and ninja-like; they’re still using methods that DLP will detect.
Also, thanks for the note about SSL sessions. I’ll have to specifically test that out, since our web proxy is a major one and we do have it set to interrupt SSL, if I recall correctly.
I imagine it is interesting, to put it lightly, to sell DLP to security professionals and always have to frame the expectations properly!
@lonervamp: “I imagine it is interesting, to put it lightly, to sell DLP to security professionals and always have to frame the expectations properly!”
Yes, it is interesting. I’ve been trying to spread the word on this matter for years now. It’s essential to have a clear view of the real behavior patterns of malicious insiders. Too often nowadays, nearly everyone assumes the average malicious insider will be able to show considerable evasive skills; however, the reality is quite different.
Most of these crimes are in fact preventable with DLP.
Kevin