<?xml version="1.0" encoding="UTF-8"?><!-- generator="wordpress/2.2.2" -->
<rss version="2.0" 
	xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel>
	<title>Comments on: Data Leak Prevention as protection from intentional theft or disclosure?</title>
	<link>http://gsandahl.net/2007/11/22/data-leak-prevention-as-protection-from-intentional-theft-or-disclosure/</link>
	<description>Random rants on Defensive Security</description>
	<pubDate>Fri, 21 Nov 2008 21:46:56 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.2.2</generator>

	<item>
		<title>By: goran</title>
		<link>http://gsandahl.net/2007/11/22/data-leak-prevention-as-protection-from-intentional-theft-or-disclosure/#comment-11398</link>
		<author>goran</author>
		<pubDate>Sat, 08 Mar 2008 12:09:10 +0000</pubDate>
		<guid>http://gsandahl.net/2007/11/22/data-leak-prevention-as-protection-from-intentional-theft-or-disclosure/#comment-11398</guid>
		<description>Hi Michael, 

Surely a leak prevention system will provide value, just not the kind of value and the amount of value it says it does. Your examples of using the DLP system as a part of a user awareness initiative and as an actual assessment of how data and information is actually being used are all good points. 

Still, I'm not convinced that this merits procuring these kinds of solutions. Companies put too much money into solutions that in reality are only effective on very few threats and attack vectors. Whenever a malicious party with a little talent actually wants something, they are often home free.</description>
		<content:encoded><![CDATA[<p>Hi Michael, </p>
<p>Surely a leak prevention system will provide value, just not the kind of value and the amount of value it says it does. Your examples of using the DLP system as a part of a user awareness initiative and as an actual assessment of how data and information is actually being used are all good points. </p>
<p>Still, I&#8217;m not convinced that this merits procuring these kinds of solutions. Companies put too much money into solutions that in reality are only effective on very few threats and attack vectors. Whenever a malicious party with a little talent actually wants something, they are often home free.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Michael Schmidt</title>
		<link>http://gsandahl.net/2007/11/22/data-leak-prevention-as-protection-from-intentional-theft-or-disclosure/#comment-10960</link>
		<author>Michael Schmidt</author>
		<pubDate>Fri, 25 Jan 2008 12:02:08 +0000</pubDate>
		<guid>http://gsandahl.net/2007/11/22/data-leak-prevention-as-protection-from-intentional-theft-or-disclosure/#comment-10960</guid>
		<description>I agree with most of your points. 

Reg. export on floppy, CD-ROM, USB drive etc.: 
Endpoint-based DLP systems (e.g. systems that install an agent on the endpoint) typically do address this threat. 

I think it is important to understand and accept that DLP will not efficiently address intentional, malicious data export, performed by IT experts. It's simply too easy to camouflage the data to be exported using a coding scheme (e.g. ROT-13) that the DLP system does not understand, or to export the data via a channel that the DLP system does not (yet) cover. Hence, the DLP system will only stop inexperienced malicious users. 

However, a DLP system will add substantial value in the following areas:

1. 
Training of innocent users who would inadvertently leak confidential data, by pointing them to a potential problem. For instance, certain DLP systems pop up a dialog that explains the problem, possibly prompts the user to enter an explanation for the intended export, which is logged centrally.

2.
Performing an assessment of the existence and actual handling of confidential documents within the corporate IT infrastructure. This is achieved by logging any export of confidential data over a certain period of time without further sanctions. Alternatively, many DLP products offer the opportunity to scan the corporate IT infrastructure for the existence of confidential documents. This is performed without any interception of actual document exports. Evaluation of the results will help IT to introduce and enforce proper secure workflows for confidential documents (e.g. encryption on export).

3.
Meeting compliance regulations (esp. in the US):
Using a DLP system will help to meet regulations like Sarbanes-Oxley, HIPAA etc.

Michael</description>
		<content:encoded><![CDATA[<p>I agree with most of your points. </p>
<p>Reg. export on floppy, CD-ROM, USB drive etc.:<br />
Endpoint-based DLP systems (e.g. systems that install an agent on the endpoint) typically do address this threat. </p>
<p>I think it is important to understand and accept that DLP will not efficiently address intentional, malicious data export, performed by IT experts. It&#8217;s simply too easy to camouflage the data to be exported using a coding scheme (e.g. ROT-13) that the DLP system does not understand, or to export the data via a channel that the DLP system does not (yet) cover. Hence, the DLP system will only stop inexperienced malicious users. </p>
<p>However, a DLP system will add substantial value in the following areas:</p>
<p>1.<br />
Training of innocent users who would inadvertently leak confidential data, by pointing them to a potential problem. For instance, certain DLP systems pop up a dialog that explains the problem, possibly prompts the user to enter an explanation for the intended export, which is logged centrally.</p>
<p>2.<br />
Performing an assessment of the existence and actual handling of confidential documents within the corporate IT infrastructure. This is achieved by logging any export of confidential data over a certain period of time without further sanctions. Alternatively, many DLP products offer the opportunity to scan the corporate IT infrastructure for the existence of confidential documents. This is performed without any interception of actual document exports. Evaluation of the results will help IT to introduce and enforce proper secure workflows for confidential documents (e.g. encryption on export).</p>
<p>3.<br />
Meeting compliance regulations (esp. in the US):<br />
Using a DLP system will help to meet regulations like Sarbanes-Oxley, HIPAA etc.</p>
<p>Michael</p>
]]></content:encoded>
	</item>
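The camouflage point in Michael's comment (a coding scheme such as ROT-13, or a channel the inspector does not decode) shown as an added example; this is not code from the original comments or from any DLP product. The content rule (a classification marker plus an SSN regex), the marker string and the sample messages are all constructed for illustration. The naive inspector matches the bytes as they appear on the wire; the hardened one re-runs the same rules over each view it knows how to decode, and the nested encoding at the end shows why that list is never complete.

```python
"""Toy DLP content rule and the encoding bypass described in the comment
above.  Added example, not code from the original page or from any DLP
product; the rule, the marker string and the sample messages are
constructed for illustration."""
import base64
import binascii
import codecs
import re

# Two rule types a content-inspecting DLP typically runs: a classification
# marker (keyword rule) and a structured identifier (regex rule).
MARKER = "company confidential"          # constructed marker string
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def naive_inspect(text):
    """Match the rules against the text exactly as it appears on the wire."""
    hits = []
    if MARKER in text.lower():
        hits.append("marker")
    hits.extend("ssn:" + m.group() for m in SSN_RE.finditer(text))
    return hits


def rot13(text):
    """ROT-13 rotates letters only; digits pass through unchanged."""
    return codecs.encode(text, "rot_13")


def b64(text):
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def _b64_decode(text):
    """Strict decode so ordinary prose (spaces, punctuation) is rejected."""
    raw = base64.b64decode(text.strip(), validate=True)
    return raw.decode("utf-8")


# Transforms the hardened inspector reverses before matching.  Each decoder
# closes one trivial camouflage; an attacker only needs one you lack.
DECODERS = [("plain", lambda t: t), ("rot13", rot13), ("base64", _b64_decode)]


def hardened_inspect(text):
    """Run the same rules on every decodable view; map hit to the view
    in which it was first seen."""
    found = {}
    for name, decode in DECODERS:
        try:
            view = decode(text)
        except (ValueError, binascii.Error, UnicodeDecodeError):
            continue  # not that encoding, try the next view
        for hit in naive_inspect(view):
            found.setdefault(hit, name)
    return found


# Constructed sample message and three camouflaged copies of it.
PLAIN = "COMPANY CONFIDENTIAL - payroll export, employee SSN 123-45-6789"
ROT13_MSG = rot13(PLAIN)        # hides the marker, leaves the digits visible
B64_MSG = b64(PLAIN)            # hides both
NESTED = b64(rot13(PLAIN))      # base64 over ROT-13: one layer deeper than DECODERS

if __name__ == "__main__":
    samples = [("plain", PLAIN), ("rot13", ROT13_MSG),
               ("base64", B64_MSG), ("nested", NESTED)]
    for label, msg in samples:
        print(label, "naive:", naive_inspect(msg),
              "hardened:", hardened_inspect(msg))
```

The ROT-13 copy still trips the SSN rule because digits are not rotated, which is why keyword-only rules are the first to fall. The nested copy is decoded one layer by the hardened inspector, recovering the SSN but not the marker: composing decoders, or any transform outside the list, is exactly the "channel the DLP system does not (yet) cover" in the comment.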
</channel>
</rss>
