The Brave New World of InfoSec

About this Blog:

A seasoned security pro's take on events around the world.

Jeff Bardin

Data Loss Prevention – What the DLP Companies Don't Tell You

I've written on this subject before and have seen a great deal written about it, but mostly from DLP companies who give you their view of the topic. Data Loss Prevention (DLP) tools are great solutions. They detect what's flowing out of your virtual boundaries, examining sex, drugs, rock & roll, intellectual property (IP), personally identifiable information (PII) and most anything you wish across any and all internet protocols. They can crawl your local area network, searching unstructured data sources (Word, Excel, PowerPoint, Acrobat, text files, etc.) for credit card information, social security numbers, pornography, salary information and termination lists. DLP can be the greatest thing since sliced bread if and only if you have a plan in place long before you deploy any solution.

Most security engineers and even many CISOs get that glazed-over look in their eyes when they hear of all the wonderful things that a DLP solution can do. Plug it in and the problems just go away. What you are not told during the sales pitch is that you are about to not only open a Pandora's Box but completely unhinge it. What you really need to understand is how deep the business wants you to go.

If you go too deep, meaning you detect too many sensitive things too soon or at all, you may find yourself in an uncomfortable position, since you have not prepared the chain of command and the business for what you will find. Personal experience tells me that you will not be seen as the savior you fashion yourself to be, but potentially as an enemy of the state. The bodies you discover may eventually lead to your own undoing. Here are some tips on ensuring the proper depth and the structure you need to have in place prior to and during a DLP solution rollout:

1. Determine the risk appetite of the company. Let them know that you are going to enable all filters for 1 week across all protocols and share this information only with senior members of Legal, Compliance, Privacy, HR, Internal Audit and the CIO.

   a. Have the vendors run the solution for 1 week prior to purchase (try before you buy).

   b. Compare results.

   c. Examine false positives.

   d. Brace them for what they may find. (I have found pornography, white supremacist activity, the buying and selling of AK47s, unsavory videos, credit cards flowing with impunity outside of the company alongside intellectual property, salary information, malware, adulterous activity, plots within plots within plans to subvert something or someone, social security numbers and corporate business plans, businesses being run off corporate servers; you get the idea.)

2. Establish policies ahead of time to expand your coverage (ensure you have air cover).

   a. These policies must be created with Legal, Compliance, Privacy, HR and the CIO.

   b. What are the corporate policies in place today supporting DLP?

      i. Is there an expectation of privacy for your users (employees, vendors, contractors) when using your assets?

      ii. Is HR prepared to sanction your users when data is discovered leaking?

         1. What data do HR and Legal care about, and what is their risk appetite?

         2. Do you have the forensic resources to perform investigations in support of HR and Legal's desired sanctions?

3. Get your awareness plan updated and prepare to re-execute based upon your new and existing policies.
