By Yuval Shavit, Features Writer
Data leak prevention (DLP) is a growing market, but the technology, designed to monitor or block data being sent to third parties, is still nascent. A successful DLP deployment often depends as much on fixing business processes as on using the right product, so it behooves you to provide data leak prevention consulting services in addition to reselling the technology. In this installment of our Hot Spot Tutorial on DLP, we review the services you can provide with DLP.
Because the DLP market is so young, your data leak prevention consulting responsibilities start with making sure your client knows what the products can and can't do, said Nick Selby, research director of enterprise security at The 451 Group in Boston. That's not just for the customer's sake; a better-educated client will understand that there isn't an off-the-shelf solution to DLP and won't walk away disappointed after a long sales pitch.
Finding sensitive data
Before installing a DLP product at a client's site, you need to find and classify the sensitive data you want to target. Structured data is relatively easy to find. For instance, if a department uses an application that handles information, you can classify all of the information in the application's database as sensitive, said Bill O'Brien, president of Commercium Technology Inc., an IT consultancy in Rumson, N.J.
But companies typically have a lot of data in unstructured formats like Word documents, Excel spreadsheets or emails, Selby said. Finding those documents is harder, and your best bet is to use the filters built into DLP tools, said Mark Finegan, president of SIM2K, an Indianapolis consultancy. For instance, filters can catch any instance of a series of numbers that look like a Social Security number.
You should also monitor the network for a few weeks to get a sense of which departments are creating the most internal and external traffic, Selby said. That will give you a rough idea of the path that potentially sensitive data takes in the organization, and you'll be able to better focus your data leak prevention consulting efforts.
Configuring the DLP tools themselves is fairly easy. There are a few dozen predefined filters, and your client can set a given priority for each and define what actions to take when that filter is triggered. Once your client has a sense of what data it wants to monitor or block, you can go through the software and effect those policies.
But turning on too many options at once -- even as few as five -- can deluge your client with thousands of hits each week, said Rob Eggebrecht, senior partner and CEO at BEW Global, a Castle Rock, Colo., security consultancy. Instead, start with just the core three or four categories, and only within strategic groups that pose the highest risk for data leakage.
Once the company has gotten used to handling those cases, you can expand those categories to a broader base or even the whole company. This will naturally cause an uptick in hits, but your client will already have an established system for handling them on a departmental level, Eggebrecht said. Each time you turn on more categories or expand them to more departments, the number of hits will jump up at first but should soon subside as employees get used to the new policy, he said.
At that point, you can start fine-tuning the categories. For instance, your client may find that it needs to look for documents in which 10 to 15 credit card numbers are being sent, instead of just one or two. Similarly, very egregious cases -- more than 1,000 numbers, for instance -- may go directly to the compliance officer, Eggebrecht said.
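The count-based tuning described above can be sketched as a small content filter. This is an added example, not code from any DLP product or from the consultants quoted; the Luhn checksum, the counting of distinct numbers, the action names and the function names are all assumptions chosen for illustration, and the sample numbers are constructed test data.

```python
import re

# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits):
    """Luhn checksum: weeds out order IDs and other random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def count_cards(text):
    """Number of distinct Luhn-valid card-like numbers in the text."""
    found = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.add(digits)
    return len(found)

def route(text, review_at=10, escalate_at=1000):
    """Map a hit count to an action; thresholds are assumed defaults."""
    n = count_cards(text)
    if n > escalate_at:
        return "escalate-to-compliance", n
    if n >= review_at:
        return "departmental-review", n
    return "log-only", n

def sample_card(i):
    """Constructed test data: a Luhn-valid 16-digit number, not a real card."""
    prefix = "400000%09d" % i
    return next(prefix + c for c in "0123456789" if luhn_ok(prefix + c))

if __name__ == "__main__":
    for size in (2, 12, 1001):
        body = "Customer export:\n" + "\n".join(sample_card(i) for i in range(size))
        print(size, route(body))
```

Raising review_at from 1 to 10 is what removes the one-or-two-number hits from the review queue, while escalate_at keeps bulk exports on a separate path.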
The human aspect
For now, at least, DLP is focused on stopping accidental breaches rather than malicious acts. About 98% of data leaks are accidental, and those are relatively easy to catch, Selby said. Another 1.5% are carried out by malicious employees who are moderately technologically skilled, and the last 0.5% of breaches are carried out by highly skilled employees and are virtually impossible to stop, Selby said.
Because so many leaks are accidental, training is a big part of data leak prevention consulting. DLP products help by providing opportunities for you to remind employees of company policies, Selby said. If you can show employees exactly when they sent sensitive data and phrase the discussion in a positive way instead of in an accusing tone, they often react well and correct their behavior, he said.
Rather than blocking data if it triggers a filter, many companies choose to monitor it for later audits. This method can actually be more secure than outright blocking because it happens quietly in the background, Finegan said. If a malicious employee knows he's triggered a filter, he may try to get around it.
Another possibility is to have the DLP tool pop up an alert warning the user that a document contains sensitive data and shouldn't be sent over insecure mediums or to certain parties, O'Brien said. This makes employees think about data leakage more proactively and reduces innocent mistakes. A similar option is to install a plug-in that prompts users to classify each email as it's sent, O'Brien said. This not only helps the tool catch sensitive data, it forces users to think about what they're sending, he said.
Depending on how much your client wants to invest, data leak prevention technology can be just one piece of the puzzle. In the next installment, we look at alternate technologies that work toward the same goal of making sure your client's sensitive data doesn't fall into the wrong hands.
This was first published in March 2008