Practical DLP Deployment
Practical DLP Deployment for your Organization
DLP Basics Overview
♦ A few items discussed today
– What is DLP?
– Define a DLP program using business driven approach
– DIM, DIU and DAR details
– DLP incident triage, reporting and remediation
What is DLP?
♦ Context aware analysis of data at the network, endpoint and storage levels with the ability for preventative actions
– Key here is Data Loss “Prevention”
♦ Business driven – the business has to work with the DLP team to identify the sensitive information that is valuable to the organization; this becomes the business driven approach
Business Driven Approach
♦ Key steps with all DLP programs
– Conduct DLP “Workshops” to identify the following:
♦ Discuss current business processes to identify sensitive content you would like to protect with DLP
♦ Discuss acceptable use cases of sensitive content
♦ Gather sample sensitive content to design and tune DLP policies
– Determine “where” to apply DLP Policies to monitor: SMTP/HTTP (DIM), endpoint USB (DIU), NAS shares (DAR), etc.
– As confidence with DLP grows, slowly introduce preventative actions such as blocking email, modifying HTTP sessions or even blocking copy to unapproved USB devices
DLP Policies
♦ Area of DLP where you define the sensitive data (context) to filter on – includes both out-of-the-box and custom policies
♦ Can be a combination of multiple detection technologies including keywords and regular expressions (DCM – Described Content Matching), file indexing (EDM – Exact Data Matching for structured records such as database rows; IDM – Indexed Document Matching for whole documents), file type, etc.
♦ Multiple rules can be combined in policy logic to increase accuracy and reduce the false positive rate of DLP incidents
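To make the policy slide concrete, here is an added example (not vendor code or code from the original deck) of how DCM and EDM rules are combined so that a pattern hit alone does not raise an incident. The rule names, the keyword lists, the constructed sample texts and the two hypothetical patient record identifiers are all assumptions; the SSN structural rules and the Luhn checksum are the standard public ones.

```python
"""Toy DLP policy engine: DCM (regex + validation + keyword context) and EDM
(hashed exact-record index) rules combined into one policy.  Constructed
example, not vendor code; rule names, keywords and sample text are assumptions."""
import hashlib
import re
from dataclasses import dataclass
from typing import Callable

# --- DCM: described content (patterns) ---------------------------------------
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-16 digits with optional space/hyphen separators; Luhn check done afterwards
CC_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def valid_ssn(m: re.Match) -> bool:
    """SSA structural rules: area != 000/666/9xx, group != 00, serial != 0000."""
    area, group, serial = m.groups()
    return not (area in ("000", "666") or area.startswith("9")
                or group == "00" or serial == "0000")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a digit string (payment card numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def valid_card(m: re.Match) -> bool:
    return luhn_ok(re.sub(r"\D", "", m.group()))


@dataclass
class DcmRule:
    name: str
    pattern: re.Pattern
    validate: Callable[[re.Match], bool]
    keywords: tuple   # at least one must appear in the text or the rule does not fire

    def matches(self, text: str) -> int:
        if self.keywords and not any(k in text.lower() for k in self.keywords):
            return 0
        return sum(1 for m in self.pattern.finditer(text) if self.validate(m))


# --- EDM: exact data (indexed records, stored only as hashes) ----------------
class EdmIndex:
    def __init__(self, name: str, records):
        self.name = name
        self._hashes = {self._fingerprint(r) for r in records}

    @staticmethod
    def _fingerprint(value: str) -> str:
        normalised = re.sub(r"[^a-z0-9]", "", value.lower())   # tolerate separators/case
        return hashlib.sha256(normalised.encode()).hexdigest()

    def matches(self, text: str) -> int:
        tokens = re.findall(r"[\w@.\-]+", text)
        return sum(1 for t in tokens if self._fingerprint(t) in self._hashes)


@dataclass
class Policy:
    name: str
    rules: list            # DcmRule / EdmIndex objects, each exposing .name and .matches()
    min_total: int = 1     # raise this to require several corroborating hits

    def evaluate(self, text: str) -> dict:
        hits = {r.name: r.matches(text) for r in self.rules}
        total = sum(hits.values())
        return {"policy": self.name, "incident": total >= self.min_total,
                "hits": hits, "total": total}


# Constructed rules, index and sample texts (assumptions, not real data)
SSN_RULE = DcmRule("ssn", SSN_RE, valid_ssn, ("ssn", "social security"))
CARD_RULE = DcmRule("credit_card", CC_RE, valid_card, ("card", "visa", "mastercard", "exp"))
PATIENT_INDEX = EdmIndex("patient_ids", ["MRN-00012345", "MRN-00067890"])
PII_POLICY = Policy("PII/PHI", [SSN_RULE, CARD_RULE, PATIENT_INDEX])

SAMPLE_PHI = ("Patient MRN-00012345, SSN 123-45-6789, billed to card "
              "4111 1111 1111 1111 exp 09/27")
SAMPLE_NOISE = "Invoice 123-45-6789 shipped; tracking 4111 1111 1111 1112"


def regex_only_count(text: str) -> int:
    """What a naive pattern-only rule would report, for comparison."""
    return len(SSN_RE.findall(text)) + len(CC_RE.findall(text))


if __name__ == "__main__":
    for sample in (SAMPLE_PHI, SAMPLE_NOISE):
        print(regex_only_count(sample), PII_POLICY.evaluate(sample))
```

The noise sample contains an SSN-shaped invoice number and a card-shaped tracking number; a pattern-only rule reports two hits on it, while the combined rules report none because the keyword context is missing and the Luhn check fails. The EDM index never holds the indexed values in clear, only their hashes, which is why such an index can be pushed to detection servers and endpoints.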
DLP Deployment Planning
♦ Crawl, Walk then Run works best
– Start slow with one vector such as Network or Endpoint
– Pick 3-5 policies in audit only mode to assess leakage scope
– As DLP program matures, slowly add additional policies, vectors and proactive actions such as block or quarantine
– You can only protect sensitive information you have identified moving forward – DLP can’t look
Data in Motion (Network)
♦ Monitors SMTP, HTTP, HTTPS* and other clear text protocols (*HTTPS can only be inspected once TLS is decrypted at the proxy)
– SMTP is the most common starting point; HTTP is usually next, as most organizations already have web filtering in place via proxy servers
♦ Can be inline or passive
– Inline is most common for SMTP
– DLP can connect to existing proxy servers via ICAP
– Passive monitoring is common for internal-to-internal network monitoring via network tap or SPAN (mirror) port
♦ Inline is required if you plan on implementing preventative actions such as block, modify, etc.
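The following added example (not code from the deck or from any DLP product) shows the SMTP side of DIM: decode every MIME part of an outbound message, including attachments, run a rule over it, and apply the deployment mode from the planning slide, audit (deliver but record an incident) versus prevent (block). The sample message, the addresses and the SSN-only rule are constructed assumptions.

```python
"""Scan an SMTP message (body and attachments) for a DIM policy and apply the
deployment mode: audit (deliver, record incident) or prevent (block).
Constructed example; the sample message and the SSN-only rule are assumptions."""
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
MODES = ("audit", "prevent")


def build_sample_message() -> str:
    """Constructed outbound mail: clean body, CSV attachment holding two SSNs."""
    msg = EmailMessage()
    msg["From"] = "analyst@example.com"
    msg["To"] = "partner@external-example.net"
    msg["Subject"] = "Q3 roster"
    msg.set_content("Hi, roster attached as discussed.")
    msg.add_attachment("name,ssn\nJ. Doe,123-45-6789\nR. Roe,987-65-4321\n",
                       subtype="csv", filename="roster.csv")
    return msg.as_string()


def part_text(part) -> str:
    """Decode one MIME leaf part (undoing base64/quoted-printable) to text."""
    payload = part.get_payload(decode=True)
    if payload is None:
        return ""
    return payload.decode(part.get_content_charset() or "utf-8", errors="replace")


def scan_message(raw: str, mode: str = "audit") -> dict:
    """Return the DIM decision for one message in the given deployment mode."""
    if mode not in MODES:
        raise ValueError(f"mode must be one of {MODES}")
    msg = message_from_string(raw, policy=default)
    findings = []                       # (attachment name or content type, hit count)
    for part in msg.walk():
        if part.is_multipart():         # containers carry no content of their own
            continue
        count = len(SSN_RE.findall(part_text(part)))
        if count:
            findings.append((part.get_filename() or part.get_content_type(), count))
    incident = bool(findings)
    # Audit mode never changes delivery; prevent mode blocks only when the rule fired.
    action = "block" if incident and mode == "prevent" else "deliver"
    return {"from": str(msg["From"]), "to": str(msg["To"]),
            "incident": incident, "action": action, "findings": findings}


if __name__ == "__main__":
    raw = build_sample_message()
    print(scan_message(raw, "audit"))
    print(scan_message(raw, "prevent"))
```

The same scan function serves both phases of the rollout; only the mode changes, which is what lets a team run audit-only for a few policies first and flip to block once the incident stream has been triaged. Note that the body is clean and the hits are in the attachment, so a body-only check would have missed the leak.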
Data in Use (Endpoint)
♦ Monitors data at the endpoint such as local disk, copy to USB, printing, etc.
– Allows context-driven analysis of both stored data and actions such as copy to local disk and USB storage devices, printing and application monitoring
– Can be configured to monitor both on and off the network
– Logic can be built into Endpoint policies to allow copy to approved USB devices while blocking copy to unapproved USB storage devices
Data at Rest (Storage)
♦ Monitors stored data on NAS, SharePoint, Exchange and Databases
– NAS is most common starting point as most organizations struggle to identify where sensitive data is stored
– Supports multiple vendors such as NetApp, EMC and Windows NAS
♦ SharePoint is rapidly becoming more common in DAR
– Lack of user access control and organization leads to proliferation of sensitive data on SharePoint sites
♦ Database scanning supports Oracle, SQL Server, DB2 and other common databases
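As an added example of the DAR discovery problem described above (not code from the deck or from a DLP product), the block below crawls a directory tree standing in for a NAS export, scans the text files it can read, and summarises where the hits concentrate so the share owner can be engaged. The directory layout, file names and file contents are constructed; the temporary directory is created by the example itself.

```python
"""Discovery scan of a file share (DAR): walk the tree, inspect text files for
SSN patterns, and summarise where the hits concentrate.  Constructed example
with a temporary directory standing in for a NAS export; all paths and file
contents are made up."""
import os
import re
import tempfile
from collections import Counter

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
TEXT_EXTS = {".txt", ".csv", ".log", ".md"}   # this toy scanner skips binaries
MAX_BYTES = 5_000_000                           # and very large files


def build_sample_share() -> str:
    """Constructed share layout: one HR export, one finance note, clean files."""
    root = tempfile.mkdtemp(prefix="nas_share_")
    files = {
        "hr/benefits/enrollment_2023.csv": "name,ssn\nJ. Doe,123-45-6789\nR. Roe,987-65-4321\n",
        "hr/README.txt": "Personnel files belong in the restricted folder.\n",
        "finance/refunds.txt": "Refund approved; SSN 555-12-3456 on file.\n",
        "public/newsletter.txt": "Open enrollment starts Monday.\n",
        "eng/firmware.bin": b"\x7fELF\x00\x01\x02",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb" if isinstance(content, bytes) else "w") as fh:
            fh.write(content)
    return root


def scan_share(root: str):
    """Return ([(relative_path, hit_count)] sorted by hits, Counter of hits per directory)."""
    findings, per_dir = [], Counter()
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() not in TEXT_EXTS:
                continue
            if os.path.getsize(path) > MAX_BYTES:
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = len(SSN_RE.findall(fh.read()))
            if hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, hits))
                per_dir[rel.rsplit("/", 1)[0] if "/" in rel else "."] += hits
    findings.sort(key=lambda f: (-f[1], f[0]))
    return findings, per_dir


if __name__ == "__main__":
    share = build_sample_share()
    found, by_dir = scan_share(share)
    print(found)
    print(by_dir.most_common())
```

Real DAR scanners also read inside Office, PDF and archive formats and record the file owner and share ACL with each hit; the per-directory roll-up is what turns thousands of file hits into a short list of shares and owners to approach, which is the usual first deliverable of a DAR rollout.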
DLP Incident Triage
♦ This is where the DLP analyst reviews each incident to verify accuracy and determine follow-up actions
♦ Dedicated, full-time resources here will quickly recognize broken business processes and potential security violations, and provide much more ROI with DLP than shared resources
♦ Don’t create an incident unless you can review
DLP Reporting
♦ While DLP does a great job of explaining incident details, manual analysis of exported incident data is usually required for trending
♦ Reports detailing trending analysis of users, increase/decrease of DLP incidents over time and incidents by business unit are common
♦ Consider third-party tools such as IT Analytics, SIEM, etc. to improve reporting capabilities
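The trending analysis described above is usually done outside the DLP console on an exported incident list. The added example below (not from the deck or any product) works on a constructed CSV export with assumed column names and produces the three reports the slide mentions: incidents per business unit per month, month-over-month change, and the users with the most confirmed incidents, plus the false positive rate per policy that triage feeds back into tuning.

```python
"""Trending reports from an exported DLP incident list.  Constructed example;
the CSV columns, user names, business units and policy names are assumptions."""
import csv
import io
from collections import Counter, defaultdict

# Constructed export, shaped like a console CSV download (not real incidents)
EXPORT = """\
incident_id,detected_at,user,business_unit,policy,severity,status
1001,2024-01-08T09:14:00,jdoe,Finance,PCI,High,False Positive
1002,2024-01-15T13:02:00,rroe,HR,PII,High,Confirmed
1003,2024-01-22T16:45:00,jdoe,Finance,PCI,Medium,Confirmed
1004,2024-02-03T10:10:00,asmith,HR,PII,High,Confirmed
1005,2024-02-11T11:30:00,rroe,HR,PII,Low,Confirmed
1006,2024-02-19T08:05:00,rroe,HR,PHI,High,Confirmed
1007,2024-03-01T14:20:00,jdoe,Finance,PCI,High,Confirmed
"""


def load(export_text: str) -> list:
    return list(csv.DictReader(io.StringIO(export_text)))


def confirmed(rows):
    """Triage outcome matters: false positives must not drive the trend lines."""
    return [r for r in rows if r["status"] != "False Positive"]


def monthly_by_unit(rows) -> dict:
    """{month: {business_unit: confirmed incident count}} in month order."""
    table = defaultdict(Counter)
    for r in confirmed(rows):
        table[r["detected_at"][:7]][r["business_unit"]] += 1
    return {m: dict(units) for m, units in sorted(table.items())}


def month_over_month(table: dict) -> list:
    """[(month, total, percent change vs previous month or None)]."""
    months = sorted(table)
    totals = [sum(table[m].values()) for m in months]
    out = []
    for i, m in enumerate(months):
        prev = totals[i - 1] if i else None
        pct = None if not prev else round((totals[i] - prev) / prev * 100, 1)
        out.append((m, totals[i], pct))
    return out


def top_users(rows, n: int = 3) -> list:
    return Counter(r["user"] for r in confirmed(rows)).most_common(n)


def false_positive_rate(rows) -> dict:
    """Share of incidents per policy that triage marked false positive."""
    total, fp = Counter(), Counter()
    for r in rows:
        total[r["policy"]] += 1
        if r["status"] == "False Positive":
            fp[r["policy"]] += 1
    return {p: round(fp[p] / total[p], 2) for p in total}


if __name__ == "__main__":
    rows = load(EXPORT)
    table = monthly_by_unit(rows)
    print(table)
    print(month_over_month(table))
    print(top_users(rows))
    print(false_positive_rate(rows))
```

Two practitioner points are built in: trends are computed on confirmed incidents only, so an untuned policy cannot inflate a business unit's numbers, and the per-policy false positive rate is reported alongside, because a high rate there is the signal to go back to the policy slide and add a keyword or EDM condition.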
Use Case – Large Healthcare
♦ Large healthcare company providing medical services
– Primary goal is protection of PHI and PII – custom index (IDM) policies created from PHI & PII databases, additional regular expressions/keywords (DCM) PHI & PII policies
– DIM for HTTP and SMTP, DAR for PII and PHI stored on unsecured network shares and external facing SharePoint sites
– DIU for endpoint copy to USB with exception for copy to approved USB, quarterly scans for PHI and PII data stored on local disk
Use Case – Small Manufacturing
♦ Small manufacturing company with engineering designs in various file formats
– Custom index (EDM/IDM) policies for all design documents, additional regular expression/keyword (DCM) policies for similar design documents
– Unique situation with Office 365 in use for SMTP
– Endpoint SMTP monitoring via Outlook application monitoring*, endpoint copy to USB and printing
Recap
♦ What did we cover today?
– What is the difference between DLP and other security tools? – Context
– Business driven approach
– Deployment details on DIM, DIU and DAR
– Incident triage and reporting
Contact Information
♦ Jon Damratoski, DLP Architect, Black Diamond Technology
– Office (615) 469-2468
♦ Chris Mitchell, Senior Security Solutions Engineer, TN, Symantec