Data Loss Prevention - Without the New Blinky Boxes

Thursday, December 08, 2011

Rafal Los


I can't help but notice that amongst the Information Security professionals I've talked to lately at various conferences and venues across the country there is a very serious push to return to basics.

There is a backlash against vendors selling an appliance as a quick fix to a point-in-time problem.

The glut of blinking lights, and devices that require time and effort to manage, has gotten out of control... or so I'm being told. I've not managed an Information Security team in 4 years now (my how time flies!) but even back when I did, the glut of boxes, products and solutions was becoming too much to bear. I can only imagine it now.

So, first let me start off by saying that I'm with you. I understand the over-dependence on solutions sold by vendors who aren't really thinking of your enterprise long-term, past their point of sale. Let's look at how Data Loss Prevention (DLP) can be addressed without having to put in a $1M solution...

Before I get to that though... I do completely acknowledge that there are some organizations which cannot even identify where their data is, much less do much about its loss without adding more complexity and hardware/software to the portfolio... that's OK because at least you have a real reason to add...

7 Practical Ways to Reduce Data Leakage (Aid Data Loss Prevention (DLP))

  • Know what's important - This may sound elementary and simplistic, but if you don't know what your critical data is, you won't be able to tell where it is on your networks and devices, or how to best protect it. Step 1 of every good protective strategy is being able to identify what your critical assets are. Not necessarily what files, or what data types, or what servers - but what the content is you care about. Do you care about your secret recipe, a top-secret blueprint or schematic, a go-to-market program, or your latest product innovation? Once you know what it is, you can start to understand what format that data is in, then where it could be, and how it's handled... otherwise you're just shooting blind hoping to catch something worthwhile. Odds are if you don't know what you're looking for, you're just going to generate even more noise you won't be able to analyze.
  • Manage privileges - Does your enterprise have a junk drawer where everything is stuffed "temporarily" and then turns into forever? Does everyone have access to shares, folders, servers, systems and applications they probably don't need? Are you managing role changes internally within the organization, including things like people leaving the company? The fastest way to leak critical data is by giving people access to too much of it. Most of your employees aren't hackers and can't circumvent corporate security well ... so they'll rely on your administrators giving them more access than they need. This should be your second step in preventing data loss and leakage. You should also look into turning up your auditing on access attempts (failed or successful) to the critical data areas. Someone accessing data rapidly or out of turn can be just as bad as lots of failed attempts at system access. You'll probably need to filter this information into something (I recommend a SIRM... more on that in a second).
  • Engage physical security - It's staggering the amounts of money corporations spend trying to prevent employees from stealing their data virtually, when someone can walk out with a computer, or a hard drive, or other devices from the corporate data center or offices without much issue. Do you trust your employees too much with physical security? I'm willing to bet you have a reasonably strong physical security posture, so why not apply it to data loss prevention?
  • Prevent network cross-connect - One of the best ways to lose corporate critical information is through the cross-connect of the corporate and other networks. This usually happens when someone VPNs into the corporate office from home while on their cable modem, or malware-ridden home network. This is difficult, but not opening a gateway into your corporate network from unnecessary places is critical. The good news, though, is that this strategy doesn't require a large new purchase... rather a re-evaluation of strategic network architecture.
  • Disable access to 'cloud storage' services - Sure, that shiny new DLP system will prevent corporate information from being emailed out to a competitor or home system - but how does it do against the likes of DropBox, Trend Micro's SafeSync, or other encrypted "cloud storage and backup" services? Basically these services use HTTP or more likely HTTPS to send encrypted bits of your corporate data out to somewhere in the cloud where it can be synched back to another machine or system you likely don't control. Putting in place a policy that both has strong discouragement of using these types of services (and offers alternatives that are corporate approved), and a blocking plan will tremendously improve your ability to stop data leakage.
  • Encrypt data at rest - This is simple: secure data at rest by encrypting it. Today enterprises are unsure where or what their critical data is, so they're forced to treat everything the same, and encrypt data in transit or inside the application. The more sane approach is to identify (see item #1) and then encrypt the data itself... which means that it's safe at rest, in transit, or even when accidentally synched off-site.
  • Engage your SIM/SIEM/SIRM for intelligence - This should probably be a blog post in itself... but I'll try to summarize my thoughts - Security Information and Risk Management (or where your SIM/SIEM is evolving to) is something you probably already have, and are not utilizing to its full potential. Security intelligence relies on an extremely high capability to correlate, process and separate the 'potential' from the 'critical' issues. Without the ability to process massive amounts of information quickly, in near-real-time, you won't have a prayer of reacting, or adjusting your protective strategies fast enough to prevent a leak from turning into a broken dam.
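To make the auditing point in step 2 and the correlation point in step 7 concrete, here is an added example that is not code from the original post: a small Python correlation over a constructed file-share audit log. It assumes a made-up line format (`<UTC time> user=<id> action=<READ|WRITE> path=<path> result=<OK|FAIL>`), a list of critical path prefixes produced by step 1, and two rules over a sliding five-minute window: repeated failed attempts against critical data, and a burst of successful reads across many distinct critical files ("out of turn" access). The users, paths and thresholds are all constructed for illustration.

```python
"""Correlate file-share audit events against the critical-data list from step 1.

Added example, not from the original post. Assumptions (all constructed):
  * one audit event per line:
      <ISO-8601 UTC time> user=<id> action=<READ|WRITE> path=<path> result=<OK|FAIL>
  * the "critical" locations are known by path prefix (CRITICAL_PREFIXES).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"action=(?P<action>READ|WRITE) path=(?P<path>\S+) result=(?P<result>OK|FAIL)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

CRITICAL_PREFIXES = ("/shares/finance/", "/shares/rnd/")  # constructed output of step 1
WINDOW = timedelta(minutes=5)   # sliding window for both rules
FAIL_THRESHOLD = 5              # failed attempts on critical paths within WINDOW
BULK_THRESHOLD = 8              # distinct critical files read OK within WINDOW


def parse(line):
    """Parse one audit line; return a dict, or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    return ev


def is_critical(path):
    return path.startswith(CRITICAL_PREFIXES)


def detect(lines):
    """Return [(time, user, rule)] alerts, at most one per user per rule."""
    events = [ev for ev in map(parse, lines) if ev and is_critical(ev["path"])]
    events.sort(key=lambda ev: ev["ts"])          # collected logs are rarely in order
    fails = defaultdict(deque)                    # user -> timestamps of FAILs
    reads = defaultdict(deque)                    # user -> (ts, path) of OK READs
    fired, alerts = set(), []

    def fire(ts, user, rule):
        if (user, rule) not in fired:             # one alert per user per rule
            fired.add((user, rule))
            alerts.append((ts.strftime(TS_FMT), user, rule))

    for ev in events:
        ts, user = ev["ts"], ev["user"]
        if ev["result"] == "FAIL":
            q = fails[user]
            q.append(ts)
            while ts - q[0] > WINDOW:             # drop events older than WINDOW
                q.popleft()
            if len(q) >= FAIL_THRESHOLD:
                fire(ts, user, "repeated-failures")
        elif ev["action"] == "READ":
            q = reads[user]
            q.append((ts, ev["path"]))
            while ts - q[0][0] > WINDOW:
                q.popleft()
            if len({p for _, p in q}) >= BULK_THRESHOLD:
                fire(ts, user, "bulk-read")
    return alerts


def _t(base, seconds):
    return (datetime.strptime(base, TS_FMT) + timedelta(seconds=seconds)).strftime(TS_FMT)


# Constructed sample log: alice is normal, bob hammers a file he lacks rights to,
# carol reads the whole design folder in a minute, dave does the same on a
# non-critical share, and erin's failures are too spread out to matter.
SAMPLE_LOG = [
    "2011-12-08T09:00:00Z user=alice action=READ path=/shares/finance/budget-2012.xlsx result=OK",
    "2011-12-08T10:20:00Z user=alice action=WRITE path=/shares/finance/budget-2012.xlsx result=OK",
    "this line is not an audit event and is skipped",
] + [
    f"{_t('2011-12-08T10:00:00Z', s)} user=bob action=READ path=/shares/finance/payroll.xlsx result=FAIL"
    for s in (0, 20, 40, 60, 90)
] + [
    f"{_t('2011-12-08T11:00:00Z', 10 * i)} user=carol action=READ path=/shares/rnd/designs/part{i:02d}.dwg result=OK"
    for i in range(9)
] + [
    f"{_t('2011-12-08T12:00:00Z', 10 * i)} user=dave action=READ path=/shares/public/menu{i:02d}.pdf result=OK"
    for i in range(9)
] + [
    f"{_t('2011-12-08T13:00:00Z', 600 * i)} user=erin action=READ path=/shares/finance/payroll.xlsx result=FAIL"
    for i in range(5)
]


def run_demo():
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for ts, user, rule in run_demo():
        print(f"{ts} ALERT {rule} user={user}")
```

Run against the sample, only bob (five failures inside two minutes) and carol (eight distinct design files inside ninety seconds) produce alerts; dave's identical burst on a non-critical share and erin's slow trickle of failures do not. That filtering is the whole point of step 1 feeding step 7: without the critical-path list, the same rules would flag dave too and bury the analyst in noise.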

Now that I've written this, I just realized that each of these 7 points will probably require its own blog post over the next few weeks... if you feel strongly about one of these posts, please leave me a comment or note... or hit me on Twitter and we can talk about it.

I welcome contributions and ideas!

Cross-posted from Following the White Rabbit

Elliott Franklin: Totally agree that there are many run the business type projects that do not require purchasing any hardware, they simply require meeting with the network and server teams and auditing permissions as well as network architecture. Also agree that using SIEM can help identify data leakage. It has helped me numerous times. Great article!