
DLP Solutions – Limited or Limitless?

Published: November 18 2009, 02:52 PM
by David Miller

Security executives tend to agree that sensitive data is at risk within their enterprises - and that something must be done about it.  Data Loss Prevention (DLP) products are the front-runner for solving this problem.

Although DLP is the leading response to this type of security risk, practitioners must ask what DLP's limitations are.  Essentially this question was raised in an insightful article by Larry Walsh in his Channel Insider blog, Secure Channel: "Congressional Ethics Leak Demonstrates DLP Shortcomings" (the article and its reader comments are worth reading in full).  The article and the associated commentary got me thinking about the challenges of operationalizing the powerful capabilities of DLP solutions.

Can DLP realistically identify and protect unstructured sensitive data?
Yes.  "Unstructured" data is data that doesn't follow a fixed pattern or format, unlike a credit card number, which does.  DLP detection technology is now advanced enough that a policy can combine basic keywords and phrases with other criteria, such as offsetting terms that subtract from a match score.  Other techniques include detecting missing content (such as a standard disclaimer) and immediate qualifiers and disqualifiers (for example, document tags that indicate different levels of confidentiality and settle the decision on their own).  Together these techniques give a sound contextual understanding of the data and of ad-hoc end-user activity.  (Unstructured data is a real security risk, particularly for Federal government IT executives; see the CA-sponsored Ponemon Institute study released today.)

Does data need to be pre-registered in order for a DLP solution to accurately identify it?
Although DLP can pre-classify or register sensitive data before protecting it, this is not required.  Flexible detection policies can accurately identify data that is generally known to be sensitive.  For the leak discussed in the article above, a policy could look for the names of at least five members of Congress (a count of five or more matches from a defined set of names) together with the term "investigation" (a "must be present" element).

Can DLP do all of this without generating a heap of false positives?
Yes, and this is a major differentiator among DLP solutions.  Be sure to understand what each solution offers to minimize false positives, including the techniques listed above.  Black-box technologies (such as "natural language processing" and other canned algorithms) give you very little control over how they operate.  Prefer techniques that you can tune to your own environment: if you know of specific phrases or data types, incorporate them in your policies!

Would knowing a user's identity help improve detection?
Absolutely!  Simply stated, a solution that knows who the user is can make better real-time decisions.  If a low-level aide had possession of a document naming members of Congress under investigation, the document should be quarantined or destroyed.  If a senior official possessed the same document, warning them of the risk and moving it to a protected location might be sufficient.  By leveraging user identity, DLP can take the right action more often.
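The four answers above describe the same small set of policy building blocks: weighted keywords with offsets, a "must be present" term, a count-of-N match against a set of names, tag-driven qualifiers and disqualifiers, a missing-content check, and an identity-aware choice of action.  The following Python is an added example, written for this page and not CA DLP's own code, that implements those blocks as one toy policy engine and runs it over constructed sample documents.  Every name, tag, weight, threshold and role below is an assumption made for the illustration; the names are fictional.

```python
"""Toy DLP content policy, an added example rather than CA DLP's own logic.

Building blocks: weighted keywords (negative weights are offsets that lower
the score), a "must be present" term, a count-of-N match against a name set,
tag-driven immediate qualifiers/disqualifiers, a missing-content check and an
identity-aware choice of action. All names, tags, weights and roles are
assumptions made for the example.
"""
import re
from dataclasses import dataclass


@dataclass
class Policy:
    keyword_weights: dict      # phrase -> weight; negative weights offset the score
    must_be_present: set       # hard condition: all of these terms must appear
    name_set: set              # watched names (constructed, fictional)
    min_name_count: int        # hard condition: distinct names needed from name_set
    qualifier_tags: set        # any such document tag -> immediate match
    disqualifier_tags: set     # any such document tag -> never a match
    required_content: list     # phrases whose ABSENCE raises the score
    missing_content_weight: int
    threshold: int             # score needed for a match


@dataclass
class Verdict:
    matched: bool
    score: int
    reasons: list


def _contains(text, phrase):
    """Case-insensitive whole-word/phrase match."""
    return re.search(r"\b" + re.escape(phrase) + r"\b", text, re.IGNORECASE) is not None


def evaluate(policy, text, tags):
    """Apply the policy to one document; tags are its classification labels."""
    tags = {t.upper() for t in tags}
    hit = tags & policy.disqualifier_tags
    if hit:                                  # immediate disqualifier short-circuits
        return Verdict(False, 0, [f"disqualifier tag present: {sorted(hit)}"])
    hit = tags & policy.qualifier_tags
    if hit:                                  # immediate qualifier short-circuits
        return Verdict(True, policy.threshold, [f"qualifier tag present: {sorted(hit)}"])
    absent = sorted(t for t in policy.must_be_present if not _contains(text, t))
    if absent:
        return Verdict(False, 0, [f"must-be-present term(s) absent: {absent}"])
    names = sorted(n for n in policy.name_set if _contains(text, n))
    if len(names) < policy.min_name_count:
        return Verdict(False, 0, [f"only {len(names)} of {policy.min_name_count} watched names"])
    score, reasons = 0, [f"{len(names)} watched names found"]
    for phrase, weight in policy.keyword_weights.items():
        if _contains(text, phrase):
            score += weight
            reasons.append(f"{phrase!r}: {weight:+d}")
    for phrase in policy.required_content:   # missing boilerplate is itself a signal
        if not _contains(text, phrase):
            score += policy.missing_content_weight
            reasons.append(f"missing {phrase!r}: {policy.missing_content_weight:+d}")
    return Verdict(score >= policy.threshold, score, reasons)


# Identity-aware response: same content, different action per role (assumed names).
# Unknown identities fall back to the strictest action.
ROLE_ACTIONS = {"aide": "quarantine",
                "senior_official": "warn_and_move_to_protected_location"}


def decide(policy, text, tags, role):
    verdict = evaluate(policy, text, tags)
    if not verdict.matched:
        return "allow", verdict
    return ROLE_ACTIONS.get(role, "quarantine"), verdict


# Policy modelled on the post's example: five or more watched names plus "investigation".
POLICY = Policy(
    keyword_weights={"investigation": 3, "ethics committee": 2, "preliminary review": 2,
                     "for immediate release": -4, "press release": -4},
    must_be_present={"investigation"},
    name_set={"Rep. Alvarez", "Rep. Baker", "Rep. Chen", "Rep. Dubois", "Rep. Foster", "Rep. Garcia"},
    min_name_count=5,
    qualifier_tags={"CONFIDENTIAL", "RESTRICTED"},
    disqualifier_tags={"PUBLIC"},
    required_content=["privileged and confidential"],
    missing_content_weight=2,
    threshold=4,
)

# Constructed sample documents (fictional names, no real investigation).
DOC_MEMO = ("Members under investigation by the ethics committee: Rep. Alvarez, "
            "Rep. Baker, Rep. Chen, Rep. Dubois, Rep. Foster. Preliminary review begins Monday.")
DOC_PRESS = ("FOR IMMEDIATE RELEASE: the ethics committee has closed its investigation of "
             "Rep. Alvarez, Rep. Baker, Rep. Chen, Rep. Dubois and Rep. Foster with no findings.")
DOC_TWO_NAMES = "Rep. Alvarez and Rep. Baker are under investigation."

if __name__ == "__main__":
    for label, doc, tags, role in [("memo/aide", DOC_MEMO, [], "aide"),
                                   ("memo/senior", DOC_MEMO, [], "senior_official"),
                                   ("memo tagged PUBLIC", DOC_MEMO, ["public"], "aide"),
                                   ("press release", DOC_PRESS, [], "aide"),
                                   ("two names", DOC_TWO_NAMES, [], "aide")]:
        action, v = decide(POLICY, doc, tags, role)
        print(f"{label:20s} score={v.score:2d} matched={v.matched!s:5s} action={action} {v.reasons}")
```

Running it shows the false-positive controls at work: the internal memo scores 9 and is quarantined for an aide but only warned-and-protected for a senior official; the press release names the same five members and contains "investigation", yet the "for immediate release" offset pulls it to 3, below the threshold of 4; the two-name document fails the count condition before scoring even starts; and the PUBLIC tag disqualifies the memo outright.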

When deploying DLP solutions, your imagination should be the only limit in designing policies that work dynamically and effectively, even for the rarest data or content.


By: David Miller
David Miller leverages over 15 years of experience in product management and marketing for compliance, security, and CRM enterprise software solutions to understand customer needs and promote security awareness. For CA, David manages the product marketing efforts for the CA DLP (Data Loss Prevention...
