Data Loss Prevention tools are great solutions. They detect what’s flowing out of your boundaries, examining sex, drugs, rock & roll and even intellectual property (IP) across any and all protocols (except for sneakernet). They can crawl the LAN searching unstructured data sources for credit card information, social security numbers, pornography, salary information and termination lists. DLP can be the greatest thing since sliced bread, but you had best plan for what you will find.
Most security engineers and even many CISOs get that glazed-over look in their eyes when they hear of all the wonderful things that a DLP solution can do. Plug it in and the problems just go away. What they fail to understand or foresee is the Pandora’s Box they have not only opened but completely unhinged. What you really need to understand is how deep the business wants you to go.
If you go too deep, experience tells me that you will not be seen as the savior you fashion yourself to be but as an enemy of the state. The bodies you discover may eventually lead to your own undoing. Here are some tips (10 only, although there are more) on ensuring the proper depth and the structure you need to have in place prior to and during a DLP solution rollout:
1. Determine the risk appetite of the company. Let them know that you are going to enable all filters for 1 week across all protocols and share this information only with senior members of Legal, Compliance, Privacy, HR, Internal Audit and the CIO.
   a. Have the vendor run the solution for 1 week prior to purchase.
   b. Brace them for what they may find. (I have found pornography, white supremacist activity, the buying and selling of AK47s, unsavory videos, credit cards flowing with impunity outside of the company alongside intellectual property, salary information, malware, adulterous activity, plots within plots within plans to subvert something or someone, social security numbers and corporate business plans, businesses being run off corporate servers; you get the idea.)
2. Establish policies ahead of time to expand your coverage (ensure you have air cover).
3. Get your awareness plan updated and prepare to re-execute.
4. Ensure your data classification policies and procedures are up to date and plan to communicate these.
   a. Determine how you will consolidate the 20 copies you find of the same file containing intellectual property.
   b. Determine where you will store the reduced number of copies.
   c. Determine who owns the information.
   d. Determine access rules and rights.
   e. Determine any regulatory requirements over the discovered information, including potential eDiscovery / Legal Hold issues.
5. Determine if the company wants to announce the use of such tools as deterrence or if they want to hide their usage. There are companies who believe that it is big brother to announce usage and not big brother to use them without announcement (go figure).