Time To Take Action Against Data Loss

The latest round of security products focuses on data loss prevention everywhere on the network, but the real work still requires a human touch.

Jordan Wiens, Contributor

November 16, 2007


GROWING PAINS

As new communication channels become increasingly popular, DLP solutions must stay in sync. Consider blogs and wikis: In a recent survey, MarketIQ found that only 5% of 600 respondents reported being concerned with applying content security measures to blogs and wikis. This may be partially because blogs and wikis are less widely deployed than, say, e-mail, but that can't entirely account for the lack of interest. More likely it's because organizations don't realize how much sensitive content these new conduits contain and the technical solutions are less adept at protecting them. Code Green Networks' CI-750 Content Inspection Appliance demonstrates this point: scanning a wiki required writing custom code to integrate wiki content into the fingerprint database.

Future Watch

MICRO INTEGRATION

Data loss prevention vendors will continue to add multiple DLP approaches to their existing products, as Reconnex did earlier this year when it expanded its network-based offering with an endpoint product. Fewer products will target just one area, like the network, discovery, endpoints, or databases, as capabilities are added across the board.

MACRO INTEGRATION

With pure DLP solutions being snapped up by the big boys in security and IT (Cisco Systems, McAfee, Symantec, and RSA all have made purchases in the last year), there will be fewer standalone products and more integration of DLP functionality into management, security monitoring, and other products. Look for McAfee and Symantec to do this with their all-in-one endpoint security software.

AUTOMATION CLAIMS

Just as with intrusion-detection systems, the pain of classifying, tuning, and managing will encourage vendors to claim that their products are "automatic" and require no tuning. While there are some limited types of data that this may apply to, in general, this will turn out to be even less true for DLP products than for network monitoring software. After all, the data in a specific environment is much more likely to be unique than the protocols running on the network.

Another painful reality that can hit DLP deployments is the issue of false positives. While some technologies are less prone to them than others, most products come preloaded with the ability to recognize certain types of structured data like Social Security numbers and credit cards. Unfortunately, numbers that look like Social Security numbers show up by chance very often. Any random nine-digit number will be a potentially valid SSN about three out of four times since, unlike credit cards, they don't contain a checksum. Additionally, the more aggressive the technology is about trying to identify fragments of protected content, the more likely it will trigger on nonprotected content.
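As an added illustration (not code from the original article or from any DLP product), the sketch below compares the Luhn check that card numbers carry with the purely structural test that is all a pattern-only rule can apply to a nine-digit number. The structural rules used (area not 000 or 666, group not 00, serial not 0000), the `max_area` cap, and the sample text are assumptions made for this example.

```python
import re

def luhn_ok(digits: str) -> bool:
    """Luhn check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def ssn_plausible(digits: str, max_area: int = 899) -> bool:
    """Structural test only; an SSN has no check digit to verify.
    max_area is an assumed cap on issued area numbers (first three digits)."""
    area, group, serial = int(digits[:3]), int(digits[3:5]), int(digits[5:])
    return area not in (0, 666) and area <= max_area and group != 0 and serial != 0

def ssn_pass_fraction(max_area: int = 899) -> float:
    """Exact share of all 10**9 nine-digit strings that ssn_plausible accepts."""
    areas = sum(1 for a in range(1, max_area + 1) if a != 666)
    return areas * 99 * 9999 / 10**9

def luhn_pass_fraction(prefix: str) -> float:
    """Share of the ten possible final digits that make prefix + digit Luhn-valid."""
    return sum(luhn_ok(prefix + str(d)) for d in range(10)) / 10

def scan(text: str, max_area: int = 899):
    """Flag digit runs the way a pattern-only DLP rule would."""
    hits = []
    for run in re.findall(r"\d+", text):
        if len(run) == 9 and ssn_plausible(run, max_area):
            hits.append(("ssn?", run))
        elif len(run) == 16 and luhn_ok(run):
            hits.append(("card", run))
    return hits

# Constructed sample text; none of these digit runs is real personal data.
SAMPLE = """PO 482917305 shipped; tracking 731204958 delayed.
Batch 1234567812345678 closed; QA used test card 4111111111111111.
Ticket 000123456 reopened."""

if __name__ == "__main__":
    print(scan(SAMPLE))
    print(ssn_pass_fraction(), ssn_pass_fraction(772), luhn_pass_fraction("123456781234567"))
```

Both nine-digit order and tracking numbers in the sample are flagged as possible SSNs, while the 16-digit batch number is dropped by the checksum. With the assumed cap `max_area=772`, roughly three in four nine-digit strings pass the structural test, against one in ten 16-digit strings passing Luhn.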

In the intrusion-detection world, there are two different and separable purposes for monitoring the network. The first is for extremely accurate alerts that indicate a problem right now and will set off your pager in the middle of the night. The second is a more forensics-based approach that assumes there's a problem with one particular endpoint or individual and gathers as much information as possible. (For more information on what a complete forensic toolkit and attitude looks like, see "Forensics: New Options For The Enterprise".)

The first purpose requires a very low false-positive rate (for active DLP products, this means keeping false positives low so that legitimate communications aren't mistakenly blocked), while the second requires a very low false-negative rate. To illustrate the value of the second, consider Gary Min, the DuPont employee who was recently sentenced for stealing trade secrets from his former employer (see "Former DuPont Scientist Sentenced For Trade Secret Theft"). That's a perfect example of how forensic data and good audit logs work. Standard exit procedures in a company for someone with access to sensitive data should include an audit of what documents they've been accessing. In this particular case, Min's excessive access was so obvious that it prompted DuPont to contact the FBI.

When deploying DLP solutions, both alerting and forensic approaches matter, but each is geared toward a different problem. Whether you use one product or more than one, make sure you're able to solve each problem independently.
