Quick Wins with DLP Light: The Process
By Rich
The objective of the Quick Wins process is to get results and show value as quickly as possible, while setting yourself up for long-term success. Quick Wins for DLP Light is related to the Quick Wins for DLP process, but heavily modified to deal both with the technical differences and the different organizational goals we see in DLP Light projects.
Keep this process in perspective – many of you will already be pretty far down your DLP Light path and might not need all these steps. Take what you need and ignore the rest.
There are two preparatory steps before kicking off the project:
Establish Your Process
Nearly every DLP customer we talk with discovers actionable offenses committed by employees as soon as they turn the tool on. Some of these require little more than contacting a business unit to change a bad process, but quite a few result in security guards escorting people out of the building, or even legal action.
Even if you aren’t planning on moving straight to enforcement mode, you need a process in place to manage the issues that will crop up once you activate your tool. You should set up separate processes to handle the three common incident categories:
- Business Process Failures: DLP violations often result from poor business processes, such as retaining sensitive customer data, or emailing unencrypted healthcare information to insurance providers. This process is about working with the business unit to fix the problem.
- Employee Violations: These are often accidental, but most DLP deployments result in identification of some malicious activity. Your process should focus on education to avoid future accidents, and on working with business unit managers, HR, and legal to handle malicious activity.
- Security Incidents: Traditional security incidents, usually from an external source, which require response and investigation.
Determine Existing DLP Capabilities
The next step is to determine which DLP Light capabilities you have in-house, even if the project is driven by a particular tool. You might find you already have more capability than you realize.
Check for existing DLP features in the main technology areas covered in our last post. It’s also worth reviewing whether you are current on product versions, as DLP features might be cheap or even free if you upgrade (discounting upgrade costs, of course).
Build a list of the DLP Light tools and features you have available, with the following information:
- The tool/feature
- Where it’s deployed
- Protected “channels”: Network protocols, storage locations, endpoints, etc.
- Content analysis capabilities/categories
- Workflow capabilities: DLP-specific vs. general-purpose; ability to integrate with SIEM and other management tools
This shouldn’t take long and will help you choose the best path for implementation.
The next step is to determine your goal. Are you more concerned with protecting a specific type of data? Or do you want to look more broadly at overall information usage? While the full-DLP Quick Wins process is always focused on information gathering rather than enforcement, this isn’t necessarily the case in a DLP Light project. No matter your specific motivation, we find that individual projects then sort into three main categories:
- Focused Monitoring: The goal is to track usage of, and generate alerts on, a specific kind of information. This is most often credit card numbers, healthcare data, or other personally identifiable information.
- Focused Enforcement: You concentrate on the same limited data types as above, but instead of merely alerting you plan to enforce policies and block activity.
- General Information Gathering: Rather than focusing on a single type of data, you use tools to get a better sense of information usage throughout the organization. You turn on as many policies to monitor information of interest as possible.
Choose Deployment Type
This is a three-step process for making the final decisions required to deploy:
- Map desired coverage channels: Determine where you want to monitor and/or enforce – email, endpoints (USB), etc. List every place you want to cover vs. what you know you already can cover with your existing capabilities. This also needs to map to your objective, and content analysis requirements.
- Match desired to existing coverage: Now figure out what you have and where the gaps are.
- Fill the gaps: Obtain any additional products or licenses so that your project can meet your objectives.
Your entire project might be as simple as, “we want to catch credit card numbers in email using our existing tool”, in which case this entire process up to now probably took about 10 seconds. But if you need a little more guidance, this will help.
Implement and Monitor
Now it’s time to integrate the product (if needed), turn it on, and collect results. The steps are:
- Select content analysis policies: For a focused deployment, this will only include the policy that targets the specific data you want to protect, although if you use multiple products that aren’t integrated you will use the most appropriate policies in each tool. For a general deployment you turn on every policy of interest (without wrecking performance – check with your vendor).
- Install (if needed)
- Integrate with other tools/workflow: If you need to integrate multiple components, or with a central workflow or incident management tool, do that now.
- Turn on monitoring
We have a few hints to improve your chance of success:
- Don’t enable enforcement yet – even if enforcement is your immediate goal, start with monitoring. Understand how the tool can impact workflow first, as we will discuss next.
- Don’t try to handle every incident at first. You will likely need to tune policies and educate users over time before you have the capacity to handle every incident – depending on your focus. Handle the most egregious events now and accept that you will handle the rest later.
- Leverage user education. Users often don’t know they are violating policies. One excellent way to reduce your incident volume is to send them automated notifications based on policy violations. This has the added advantage of helping you identify the egregious violators later on.
At this point you have focused your project, picked your tools, set your policies, and started monitoring. Now it’s time to evaluate your results and decide what’s next. You might start by looking for the following:
- A business unit sending out sensitive data unprotected as part of a regularly scheduled job.
- Which data types broadly trigger the most violations.
- The volume of usage of certain content or files, which may help identify valuable assets that don’t cleanly match a pre-defined policy.
- Particular users or business units with more violations or unusual usage patterns.
- False positive patterns, for tuning policies later.
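To make that first pass over the results concrete, here is an added example (not code from the original post or from any DLP product) that runs the checks above over a batch of alerts exported from a DLP Light tool. The field names (`ts`, `user`, `unit`, `dest`, `policy`, `match`), the policy names, and the sample alerts are all constructed assumptions; map them to whatever your tool actually exports. It also goes one step beyond the post for the false-positive bullet: credit card hits whose matched digits fail the Luhn check are flagged as tuning candidates, since random digit runs that merely look like card numbers are one of the most common false-positive patterns.

```python
"""Triage of DLP Light monitoring results.

Added example, not code from the original post or any DLP product. Given a
batch of alerts exported from a DLP Light tool as plain dictionaries, it looks
for the patterns the post recommends checking first: a scheduled job sending
sensitive data, which policies fire most, which users and business units stand
out, and credit card matches that are probably false positives. Field names,
policy names and the sample alerts are constructed assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample export: one dict per alert. "match" is the text that
# tripped the policy, which many tools include in the event record.
SAMPLE_ALERTS = [
    {"ts": "2024-03-04T02:00:12", "user": "billing-batch", "unit": "Finance",
     "dest": "insurer.example", "policy": "PHI", "match": "patient export"},
    {"ts": "2024-03-05T02:00:09", "user": "billing-batch", "unit": "Finance",
     "dest": "insurer.example", "policy": "PHI", "match": "patient export"},
    {"ts": "2024-03-06T02:01:30", "user": "billing-batch", "unit": "Finance",
     "dest": "insurer.example", "policy": "PHI", "match": "patient export"},
    {"ts": "2024-03-04T10:17:44", "user": "alice", "unit": "Sales",
     "dest": "webmail.example", "policy": "PCI", "match": "4111 1111 1111 1111"},
    {"ts": "2024-03-05T15:42:01", "user": "alice", "unit": "Sales",
     "dest": "webmail.example", "policy": "PCI", "match": "5500 0000 0000 0004"},
    {"ts": "2024-03-05T09:05:13", "user": "bob", "unit": "Engineering",
     "dest": "partner.example", "policy": "PCI", "match": "1234 5678 9012 3456"},
    {"ts": "2024-03-06T11:30:00", "user": "carol", "unit": "Sales",
     "dest": "insurer.example", "policy": "PII", "match": "SSN in attachment"},
]


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check. Order numbers and serials that merely look like
    card numbers almost always fail it, so it is a cheap first cut at the
    false-positive patterns worth tuning out of a PCI policy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_pci_match(match: str) -> str:
    """Label a PCI policy hit as 'likely_pan' or 'false_positive'."""
    digits = re.sub(r"[ -]", "", match)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return "false_positive"
    return "likely_pan" if luhn_valid(digits) else "false_positive"


def scheduled_jobs(alerts, min_days=3, window_minutes=5):
    """(user, dest) pairs that fire on at least min_days distinct days at
    nearly the same time of day: the signature of an unprotected scheduled
    job, the first thing the post suggests looking for."""
    seen = defaultdict(list)
    for a in alerts:
        seen[(a["user"], a["dest"])].append(datetime.fromisoformat(a["ts"]))
    found = []
    for key, stamps in seen.items():
        days = {t.date() for t in stamps}
        minutes = [t.hour * 60 + t.minute for t in stamps]
        if len(days) >= min_days and max(minutes) - min(minutes) <= window_minutes:
            found.append(key)
    return sorted(found)


def policy_counts(alerts):
    """Which data types trigger the most violations."""
    return Counter(a["policy"] for a in alerts)


def top_sources(alerts, field, n=3):
    """Users (field='user') or business units (field='unit') with the most alerts."""
    return Counter(a[field] for a in alerts).most_common(n)


def false_positive_candidates(alerts):
    """PCI hits whose matched text fails the card-number sanity check."""
    return [a for a in alerts
            if a["policy"] == "PCI" and classify_pci_match(a["match"]) == "false_positive"]


if __name__ == "__main__":
    print("scheduled jobs:", scheduled_jobs(SAMPLE_ALERTS))
    print("by policy:", policy_counts(SAMPLE_ALERTS))
    print("top users:", top_sources(SAMPLE_ALERTS, "user"))
    print("top units:", top_sources(SAMPLE_ALERTS, "unit"))
    print("false positives:", [a["user"] for a in false_positive_candidates(SAMPLE_ALERTS)])
```

On the sample data the billing job to `insurer.example` shows up as a scheduled sender, PHI and PCI tie for the most hits, and bob’s match fails Luhn and lands in the tuning pile. The Luhn check is deliberately only a filter for tuning: a policy that blocks on Luhn-valid digit runs alone will still fire on test card numbers and on valid PANs that are supposed to flow, so it narrows the queue rather than deciding it.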
Then make two important decisions:
- Is it time to enforce? If you know you want to start blocking activity, determine the potential impact on business activities, then reduce violations to a manageable level with education and manual enforcement. The fastest way to kill a DLP project is to jump into enforcement too quickly and interfere with important operations.
- Should we stay or grow? If you are happy with your results, stop here. You may also decide to enable additional policies, expand your deployment through additional DLP Light tools/features, or even migrate to full DLP. If you aren’t ready to make these decisions now, put a date on the calendar to revisit them.
What Did We Achieve?
If you followed this process, by now you have a firm foundation for your ongoing DLP Light usage, ready to achieve useful short-term goals. In a short amount of time you have:
- Established a flexible incident management process.
- Integrated with major infrastructure components.
- Assessed information usage and risk exposure.
- Established a foundation for additional efforts and long-term management.
By following the Quick Wins process you can show immediate results while establishing the foundation of your program.