Securosis

Research

Implementing DLP: Getting Started

In our Introduction to Implementing and Managing a DLP Solution we started describing the DLP implementation process. Now it’s time to put the pedal to the metal and start cranking through it in detail. No matter which path you choose (Quick Wins or Full Deployment), we break out the implementation process into four major steps: Prepare: Determine which process you will use, set up your incident handling procedures, prepare your directory servers, define priorities, and perform some testing. Integrate: Next you will determine your deployment architecture and integrate with your existing infrastructure. We cover most integration options – even if you only plan on a limited deployment (and no, you don’t have to do everything all at once). Configure and Deploy: Once the pieces are integrated you can configure initial settings and start your deployment. Manage: At this point you are up and running. Managing is all about handling incidents, deploying new policies, tuning and removing old ones, and system maintenance. As we write this series we will go into depth on each step, while keeping our focus on what you really need to know to get the job done. Implementing and managing DLP doesn’t need to be intimidating. Yes, the tools are powerful and seem complex, but once you know what you’re doing you’ll find it isn’t hard to get value without killing yourself with too much complexity. Preparing One of the most important keys to a successful DLP deployment is preparing properly. We know that sounds a bit asinine because you can say the same thing about… well, anything, but with DLP we see a few common pitfalls in the preparation stage. Some of these steps are non-intuitive – especially for technical teams who haven’t used DLP before and are more focused on managing the integration. Focusing on the following steps, before you pull the software or appliance out of the box, will significantly improve your experience. Define your incident handling process Pretty much the instant you turn on your DLP tool you will begin to collect policy violations. Most of these won’t be the sort of thing that require handling and escalation, but nearly every DLP deployment I have heard of quickly found things that required intervention. ‘Intervention’ here is a polite way of saying someone had a talk with human resources and legal – after which it is not uncommon for that person to be escorted to the door by the nice security man in the sharp suit. It doesn’t matter if you are only doing a bit of basic information gathering, or prepping for a full-blown DLP deployment – it’s essential to get your incident handling process in place before you turn on the product. I also recommend at least sketching out your process before you go too far into product selection. Many organizations involve non-IT personnel in the day-to-day handling of incidents, and this affects user interface and reporting requirements. Here are some things to keep in mind: Criteria for escalating something from a single incident into a full investigation. Who is allowed access to the case and historical data – such as previous violations by the same employee – during an investigation. How to determine whether to escalate to the security incident response team (for external attacks) vs. to management (for insider incidents). The escalation workflow – who is next in the process and what their responsibilities are. If and when an employee’s manager is involved. Some organizations involve line management early, while others wait until an investigation is more complete. The goal is to have your entire process mapped out, so if you see something you need to act on immediately – especially something that could get someone fired – you have a process to manage it without causing legal headaches. Clean directory servers Data Loss Prevention tools tie in tightly to directory servers to correlate incidents to users. This can be difficult because not all infrastructures are set up to tie network packets or file permissions back to the human sitting at a desk (or in a coffee shop). Later, during the integration steps, you will tie into your directory and network infrastructure to link network packets back to users. But right now we’re more focused on cleaning up the directory itself so you know which network names connect to which users, and whether groups and roles accurately reflect employees’ job and rights. Some of you have completed something along these lines already for compliance reasons, but we still see many organizations with very messy directories. We wish we could say it’s easy, but if you are big enough, with all the common things like mergers and acquisitions that complicate directory infrastructures, this step may take a remarkably long time. One possible shortcut is to look at tying your directory to your human resources system and using HR as the authoritative source. But in the long run it’s pretty much impossible to have an effective data security program without being able to tie activity to users, so you might look at something like an entitlement management tool to help clean things up. This is already running long, so we will wrap up implementation in the next post… Share:

Share:
Read Post

Incite 1/25/2011: Prized Possessions

So I was sitting in Dunkin Donuts Sunday morning, getting in a few hours of work while the kids were at Sunday school. You see the folks who come in and leave with two boxes of donuts. They are usually the skinny ones. Yeah, I hate them too. You see the families with young kids. What kid doesn’t totally love the donuts? You snicker at the rush at 11am when a local church finishes Sunday services and everyone makes a mad dash for Dunkin and coffee. You see the married couples about 20 years in, who sit across from each other and read the paper. You see the tween kids fixated on their smartphones, while their parents converse next to them. It’s a great slice of life. A much different vibe than at a coffee shop during the week. You know – folks doing meetings, kibitzing with their friends while the kids are at school, and nomads like me who can’t get anything done at the home office. There is an older couple who come in most Sundays. They drive up in a converted van with a wheelchair ramp. The husband is in pretty bad shape – his wife needs to direct his wheelchair, as it seems he has no use of his hands. They get their breakfast and she feeds him a donut. They chat, smile a bit, and seem to have a grand time. I don’t know what, but something about that totally resonates with me. I guess maybe I’m getting older and starting to think about what the second half of my life will be like. The Boss is a caretaker (that’s just her personality), so should I not age particularly well, I have no doubt she’ll get a crane to load me into my wheelchair and take me for my caffeine fix. And I’d do the same for her. She probably has doubts because I’m the antithesis of a caretaker. On the surface, it’s hard to imagine me taking care of much. But we entered a partnership as kids (we got married at 27/28) without any idea what was in store. Just the knowledge that we wanted to be together. We have ridden through the good and bad times for over 15 years. I will do what needs to be done so she’s comfortable. For as long as it takes. That’s the commitment I made and that’s what I’ll do. Even if she doesn’t believe me. We were out last weekend with a bunch of our friends, and we played a version of the Newlywed Game. One of the questions to the wives was: “Name your husband’s most prized possession.” The answers were pretty funny, on both sides. A bunch of the guys said their wife or their kids. Last time I checked, a person isn’t a possession, but that’s just me. But it was a cute sentiment. The Boss was pretty much at a loss because I don’t put much value on stuff, and even less value on people who are all about their stuff. I figured she’d say our artwork, because I do love our art. But that’s kind of a joint possession so maybe it didn’t occur to her. She eventually just guessed and said, “Mike’s iPad is his most prized possession.” That got a chuckle from the other couples, but she wasn’t even close. My iPad is a thing, and it will be replaced by the 3rd version of that thing when that hits in 60-90 days. I like my iPad and I use it every day, but it means nothing to me. The answer was obvious. At least it was to me. Maybe she missed it because it’s so commonplace. It’s with me at all times. It’s easy to forget it’s even there. But for me, it’s a reminder of what’s really important. Of the thing I value the most. My most prized possession is my wedding ring. And there is no second place. -Mike Photo credits: “Nobel-Prize” originally uploaded by Abhijit Bhaduri Heavy Research We started two new series this week, so check them out and (as always) let us know what you think via comments. Bridging the Mobile Security Gap: Staring down Network Anarchy: This series will focus on how we need to start thinking a little more holistically about the tidal wave of mobile devices invading our networks. Implementing and Managing a DLP Solution: Rich is taking our DLP research to the next level by getting into the specifics of deployment and ongoing management of DLP. It’s not enough to just pick a solution – you need to make it work over time. And remember you can get our Heavy Feed via RSS, where you can access all our content in its unabridged glory. Incite 4 U Cyberjanitors: Someone needs to clean up the mess: I’m not a big fan of poking someone in the eye without offering potential solutions. Jeff Bardin goes after RSA a bit, particularly their focus on response, which means they have given up on stopping attackers. Wait, what? Sorry man, there’s doing what you can to stop the bad guys before they get it, and then there’s Mr. Reality. Jeff is calling for “true innovative thought that uses cyber intelligence, counterintelligence and active defense and offensive measures…” WTF? Like what, launching DDoSes on everyone you think might attack or be attacking? I hate this puffery. Yeah, don’t wait to be attacked, go get ‘em, tiger! Well, Jeff, how do you suggest we do that? There were always those guys who gave the janitors a hard time in high school. Making a mess and generally being asses. They didn’t understand that not everyone gets to chase shiny objects. Someone has to pull out the mop and clean up the mess because there is always a mess. Do we need to innovate more? Clearly. But saying that a focus on detection and response is giving up is ridiculous. – MR Overaggressively managing reputation: Comments are one of the truly great features of the Internet, giving people fora to voice

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.