Research

Two of the most common criticisms of DLP that comes up in user discussions are a) its complexity and b) the fear of false positives. Security professionals worry that DLP is an expensive widget that will fail to deliver the expected value – turning into yet another black hole of productivity. But when used properly DLP provides rapid assessment and identification of data security issues not available with any other technology. I don’t mean to play down the real complexities you might encounter as you roll out a complete data protection program. Business use of information is itself complicated, and no tool designed to protect that data can simplify or mask the underlying business processes. However, there are steps you can take to obtain significant immediate value and security gains without blowing your productivity or wasting important resources. Over the next few posts I’ll highlight the lowest hanging fruit for DLP, refined in conversations with hundreds of DLP users. These aren’t meant to incorporate the entire DLP process, but to show you how to get real and immediate wins before you move on to more complex policies and use cases. Establish Your Process Nearly every DLP reference I’ve talked with has discovered actionable offenses committed by employees as soon as they turn the tool on. Some of these require little more than contacting a business unit to change a bad process, but quite a few result in security guards escorting people out of the building, or even legal action. One of my favorite stories is the time the DLP vendor plugged in the tool for a lunchtime demonstration on the same day a senior executive decided to send proprietary information to a competitor. Needless to say, the vendor lost their hard drives that day, but they didn’t seem too unhappy. Even if you aren’t planning on moving straight to enforcement mode, you need to put a process in place to manage the issues that will crop up once you activate your tool. The kinds of issues you need to figure out how to address in advance fall into two categories: Business Process Failures: Although you’ll likely manage most business process issues as you roll out your sustained deployment, the odds are high some will be of such high concern they will require immediate remediation. These are often compliance related. Egregious Employee Violations: Most employee-related issues can be dealt with as you gradually shift into enforcement mode, but as in the example above, you will encounter situations requiring immediate action. In terms of process, I suggest two tracks based on the nature of the incident. Business process failures usually involve escalation within security or IT, possible involvement of compliance or risk management, and engagement with the business unity itself. You are less concerned with getting someone in trouble than stopping the problem. Employee violations, due to their legal sensitivity, require a more formal process. Typically you’ll need to open an investigation and immediately escalate to management while engaging legal and human resources (since this might be a firing offense). Contingencies need to be established in case law enforcement is engaged, including plans to provide forensic evidence to law enforcement without having them walk out the door with your nice new DLP box and hard drives. Essentially you want to implement whatever process you already have in place for internal employee investigations and potential termination. In our next post we’ll focus more on rolling out the tool, followed by how to configure it for those quick wins I keep teasing you with. Share:

Tuesday, March 16th at 11am PST / 2pm EST, I will be presenting a webinar: “Understanding and Selecting a Database Assessment Solution” with Application Security, Inc. I’ll cover the basic value proposition of database assessment, several use cases, deployment models, and key technologies that differentiate each platform; and then go through a basic product evaluation process. You can sign up for the webinar here. The applicability of database assessment is pretty broad, so I’ll cover as much as I can in 30 minutes. If I gloss over any areas you are especially interested in, we will have 10 minutes for Q&A. Or you can send questions in ahead of time and I will try to address them within the slides, or you can submit a question in the GoToMeeting chat facility during the presentation. Share:

I love the week after RSA. Instead of being stressed to the point of cracking I’m basking in the glow of that euphoria you only experience after passing a major milestone in life. Well, it lasted almost a full week – until I made the mistake of looking at my multi-page to-do list. RSA went extremely well this year, and I think most of our pre-show predictions were on the money. Not that they were overly risky, but we got great feedback on the Securosis Guide to RSA 2010, and plan to repeat it next year. The Disaster Recovery Breakfast also went extremely well, with solid numbers and great conversation (thanks to Threatpost for co-sponsoring). Now it’s back to business, and we need your help. We are currently running a couple concurrent research projects that could use your input. For the first one, we are looking at the new dynamics of the endpoint protection/antivirus market. If you are interested in helping out, we are seeking for customer references to talk about how your deployments are going. A big focus is on the second-layer players like Sophos, Kaspersky, and ESET; but we also want to talk to a few people with Symantec, McAfee, and Trend. We are also looking into application and database encryption solutions – if you are on NuBridges, Thales, Voltage, SafeNet, RSA, etc… and using them for application or database encryption support, please drop us a line. Although we talk to a lot of you when you have questions or problems, you don’t tend to call us when things are running well. Most of the vendors supply us with some clients, but it’s important to balance them out with more independent references. If you are up for a chat or an email interview, please let us know at info@securosis.com or one of our personal emails. All interviews are on deep background and never revealed to the outside world. Unless Jack Bauer or Chuck Norris shows up. We have exemptions for them in all our NDAs. Er… I suppose I should get to this week’s summary now… But only after we congratulate David Mortman and his wife on the birth of Jesse Jay Campbell-Mortman! Webcasts, Podcasts, Outside Writing, and Conferences Database Security Metrics for the Community at Large Security Optimism Verizon Offers Up Its Data Breach Framework Analysis: Does the storm over cloud security mean opportunity? Some coverage of Rich and Hoff at RSA. Favorite Securosis Posts Adrian Lane: Ten reasons I love RSAC Rich: Database Security Fundamentals: Patching. Database Patching. It’s not just a good idea, it’s the… well not the law, but it’s really important. Mike Rothman: RSA Tomfoolery: APT is the Fastest Way to Identify Fools and Liars. Rich nails it here. Idiocy is self-selecting, and we are seeing lots of folks choose stupidity. Other Securosis Posts Low Hanging Fruit: Quick Wins with Data Loss Prevention Upcoming Webinar: Database Assessment Is It Wireless Security or Secure Wireless? SecurosisTV: Low Hanging Fruit – Endpoint Security Favorite Outside Posts Adrian Lane: Security Comes in All Different Shapes and Sizes. And yes, I think Caleb’s comments are marketing B.S. Rich: On the Risk of Overfocusing on Seductive Details. In paramedic school they teach us to focus not on the screaming patient, but the quiet one who’s likely in a much more serious condition. To ignore the blood, and focus on the breathing. This is an awesome post – it’s far too easy to be distracted by what’s more attention-grabbing than what’s really more important. Mike Rothman: Bringing Planned Disruption to the Organization. Change is good. Clearly the status quo isn’t good enough. ‘nuf said. Pepper: RSA key extracted with electrical manipulation. “Ve haf vays of making you talk.” Project Quant Posts Project Quant: Database Security – Configuration Management Project Quant: Database Security – Masking Project Quant: Database Security – WAF Research Reports and Presentations Report: Database Assessment Top News and Posts Poll – What is your experience with security in the Software Development LifeCycle? TJX Conspirator gets 4 years Microsoft’s Elevation of Privilege. The Threat Modeling Game, or what I have been calling ‘Threat Deck’. Pretty cool! I picked up three at RSA to play with. Verizon’s Incident Framework IIS 0-day FTC To ControlScan: Your Web Site Security Seals Are Lies Vodafone Android Phone: Complete with Mariposa Malware Exploit Code Published for Latest IE Zero-Day. It’s in Metasploit folks. Turn on compensating controls now. Pennsylvania fires CISO over RSA talk. What an atrocious decision. Matasano Releases Open Source Firewall Rule Scanner Blog Comment of the Week Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to Garry, in response to RSA Tomfoolery: APT is the Fastest Way to Identify Fools and Liars. APT = China, and we (people who have serious jobs) can’t say bad things about China. That pretty much covers it, yes? Share: