Document Sample
Echelon2_DLP Powered By Docstoc
					Date: January 1, 2010
Title: When to DLP and When Not to DLP?
Written by: Dr. Anton Chuvakin


DLP technology has emerged as the most recent silver bullet for solving the Data
Security concerns. Many DLP vendors have promised that this technology can
finally realize the ultimate goal of automated data protection. How to decide
when to use and when not to use this technology?

The Issue

Data leak prevention (DLP), also sometimes called Content Monitoring and
Filtering (CMF), is a recent addition to the information security toolset. DLP
technology has rushed out of relative obscurity in recent years. Given today’s
security and compliance challenges, the need to protect the security of
confidential, regulated and customer data has created the perfect storm for DLP.
This storm is made even more severe by the fact that many older security
safeguards, such as encryption, have failed to turn the tide of losses and

Overall, DLP technology solves the problems of discovering, monitoring and
preventing the leaks of sensitive data, in both structured and unstructured forms.
While the industry debate on the efficiency of DLP for preventing the deliberate,
malicious attacks rages on, and its value for stopping negligent but still highly
damaging leaks is largely unquestioned. And while DLP technology is not
directly mentioned in any of the recent compliance mandates, laws and
regulations, it can bring value to many information security projects that are
driven by regulatory requirements.

However, as with any new security technology, many challenges await the
enterprise that is planning to deploy data leak prevention. In this note, we will
discuss the preconditions and criteria for deploying data leak protection
technologies. We will also look at some common scenarios for when DLP must,
can, and should not be used.

                                       Page 1
                                  Echelon One 2010

Given the current rush to deploy DLP technology, many companies have
discovered the limitations and challenges of this technology and its applicability
to their problems. As most security professionals know, no individual security
technology, no matter how innovative, will solve a significant portion of
information security challenges as silver bullets simply do not exist. In fact, DLP
runs the risk of being one of the most overhyped technologies in the security
domain. It is complex, often complicated to deploy and expensive.

Despite all of the above, the main obstacle for DLP deployment success is lack
of clarity in deployment requirements, expectations and success criteria as well
as failing to adopt the business processes and procedures to allow would DLP to
do its work.

For example, few admit that this technology is most effective at stopping
accidental data leaks. Others believe that DLP can only be deployed after an
extensive, and expensive, enterprise-wide role management project and a
comprehensive information classification project. In reality, while these are
extremely useful and can make your DLP deployment more painless, neither is
the strict requirement for data loss protection success.

On the other hand, creating monitoring and response procedures as well as
making information owners aware (and, in fact, actively involved in) of DLP
Technology deployment are essential. Similarly, most modern DLP solutions
deploy on both network level and system-level in order to monitor and protect
data at rest, data in motion, and data in use. Thus obtaining the cooperation of
network managers as well as desktop and server managers is absolutely crucial
for project success.

Let’s review what technologies as well as places and procedures are mandatory,
helpful or non-essential for DLP.

Having a mature identity management infrastructure in place is very helpful for
DLP deployment. In fact, the common enterprise identity store can be queries by
DLP solution in order for it to make its protection decisions. If identity
management infrastructure can provide a DLP tool with roles and responsibilities
for all the users in an organization, it will significantly contribute to project
success. Moreover, in some cases, the DLP data monitoring features have
helped to refining user roles and rules, governing the use of sensitive information
inside the organization.

Few enterprises nowadays can boast they have a comprehensive information
classification effort. It appears that classifying by sensitivity will remain main
primarlily a government endeavor. Modern DLP solutions can effectively
fingerprint data in order to simplify telling sensitive data from public data.

                                        Page 2
                                   Echelon One 2010
Even though knowing where all the sensitive data is stored is not absolutely
mandatory before starting with the DLP project, utilizing the discovery tools
bundled with DLP Technology is an absolute must. Many of the commercial DLP
tools will help you identify sensitive and regulated data across many systems
with relatively little effort. Date crawling tools can often unveil regulated
information that could cause major brand, reputation and financial damage if

On the compliance side, knowing which systems and applications house
regulated data is absolutely essential. This will allow users to create rules that
will minimize the chance of regulated data from being leaked by mistake and thus
causing not only a public affairs nightmare but also possible fines from
regulators. In addition, configuring the types of data that are commonly regulated
to detect it is useful. For example, most DLP tools can automatically detect
credit card account numbers, social security numbers and other types of
regulated data.

Knowing where DLP can be used to satisfy regulatory mandates or serve as a
compensating control for other, more complicated security technologies, such as
database encryption, is very useful. This might provide a much needed shortcut
to achieving compliance and improving security without engaging in risky
deployments of unproven technologies.

On the other hand, DLP tools will not and cannot automatically solve a broad
range of poorly defined information security challenges. Complex distributed
environments with large amounts of regulated sensitive invaluable data cannot
be secured by simply dropping a DLP box in them.

Conclusion and next steps

To summarize, before initiating a DLP project, an enterprise must perform a
careful assessment of what goals are to be accomplished by using DLP
technology, what information security problems are to be solved. Next, it is
important to be aware of DLP tool capabilities requirements and limitations. It is
also extremely useful to know what technologies, what polices, what procedures
as well as what people inside the organization can help (or, sometimes, hurt) this
chances of a successful DLP project. All the hidden requirements, hidden
assumptions and unspoken success criteria before engaging with DLP must be

Only after completing steps listed above can it be concluded whether to seek
deployment of data leak protection tools. It will also define the value derived
from data discovery components, data security monitoring components or data
leak blocking components of the DLP tools. Finally, it is critical to know which

                                       Page 3
                                  Echelon One 2010
regulatory compliance mandates can be satisfied by deploying data leak
protection tools and whether DLP is, in fact, the best way for addressing those
regulatory requirements. Completing the steps listed above will increase the
probability of success when DLP tools are implemented and allow an
organization, maximize its investment, and control its information effectively and

This is an updated author bio, added to the paper at the time of reposting in 2011.
Dr. Anton Chuvakin ( is a recognized security expert in the field of
log management and PCI DSS compliance. Anton leads his security consulting practice, focusing on logging, SIEM, security strategy and
compliance for security vendors and Fortune 500 organizations.
He is an author of books "Security Warrior" and "PCI Compliance"
( and a contributor to "Know Your Enemy II",
"Information Security Management Handbook"; and now working on a book about
system logs. Anton has published dozens of papers on log management, correlation, data
analysis, PCI DSS, security management (see list His blog is one of the most popular in the industry.
In addition, Anton teaches classes (including his own SANS class on log management)
and presents at many security conferences across the world; he recently addressed
audiences in United States, UK, Singapore, Spain, Russia and other countries. He works
on emerging security standards and serves on advisory boards of several security start-
Dr. Anton Chuvakin was formerly a Director of PCI Compliance Solutions at Qualys.
Previously, Anton worked at LogLogic as a Chief Logging Evangelist, tasked with
educating the world about the importance of logging for security, compliance and
operations. Before LogLogic, Anton was employed by a security vendor in a strategic
product management role. Anton earned his Ph.D. degree from Stony Brook University.

                                         Page 4
                                    Echelon One 2010

Shared By:
Description: Misc security dump