Chapter 1 - The Concept of DLP.
The questions that I am about to answer are:
- What is DLP?
- How should we look at DLP?
- How do we define what is confidential to the organization?
- How will we find the confidential data, and why should we find it?
We should start at the beginning. DLP is something of a buzzword, an abstract term that every
security vendor and security organization defines differently and claims to offer.
So for starters, "DLP", also known as "Data Loss Prevention", is a concept in which, by defining
rules and policies, we can control the flow of data inside and outside the corporation.
Controlling the flow of data - what does it mean? It means that:
- We have control over the locations in which confidential data is stored
- We have control over the allowed methods of confidential data transfer
- We have control over what is written by our employees over secured/unsecured channels.
Now that we have a baseline on what we can control, and before I go directly into the ways we
can control the flow of data, there is an important question we should ask ourselves: what
exactly are we looking to control? Or, to put the question another way,
What is Confidential data?
As you might assume, the term "confidential data" means something different in every
organization, but one thing is always true of all organizations: confidential data is the data
that we want to keep inside our organization. Confidential data can have many faces: employee
payroll, project blueprints, commercial plans and much more. Most of the time, the
Customer/CISO has a pretty good idea of what is confidential for the corporation. The Customer
should provide keywords such as project names, specific watermarks of confidential information,
etc. Another way of identifying what is confidential to the customer is by using pre-made
policies (also known as solution packs). Solution packs are packs of rules and policies that
contain general objects which are considered confidential most of the time, for example: Social
Security numbers, credit card numbers, regulatory obligations, marker words ("Confidential",
"For internal use only") and more. Another advantage of solution packs is that they are tailored
to the customer's industry. There are many types of solution packs; for example, the "Telecom
solution pack" contains information like phone IMEIs and regulations that are obligatory to the telecom
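To make the idea of a solution pack concrete, here is a small added example (my own illustration, not Symantec Vontu's code or anything from the article) of how such detection rules work: each rule pairs a pattern with an optional validator, so a 16-digit number is only reported as a card number when it passes the Luhn checksum, and an SSN-shaped string is dropped when its parts could never have been issued. The policy names, the sample message and the keyword "Project EXAMPLE" are constructed placeholders.

```python
import re

# Added example (not Vontu's code): a toy "solution pack" of detection rules.
# Each rule pairs a regex with an optional validator that rejects regex hits
# which cannot be real data; that validation is what keeps false positives down.

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment cards; rejects random 16-digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def ssn_ok(ssn: str) -> bool:
    """Drop SSN-shaped strings whose parts are never issued (000/666/9xx area, 00 group, 0000 serial)."""
    area, group, serial = ssn.split("-")
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")

# Constructed policies: (name, pattern, validator or None).
POLICIES = [
    ("credit_card", re.compile(r"\b(?:\d[ -]?){15}\d\b"),
     lambda m: luhn_ok(re.sub(r"[ -]", "", m))),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), ssn_ok),
    ("confidential_marker",
     re.compile(r"\b(?:confidential|for internal use only)\b", re.I), None),
    # Customer-supplied keyword; "Project EXAMPLE" is a placeholder project name.
    ("project_keyword", re.compile(r"\bProject EXAMPLE\b"), None),
]

def scan(text: str) -> list:
    """Return (policy_name, matched_text) for every validated hit in a message or file."""
    hits = []
    for name, pattern, validate in POLICIES:
        for m in pattern.finditer(text):
            if validate is None or validate(m.group(0)):
                hits.append((name, m.group(0)))
    return hits

# Constructed sample: a Luhn-valid card number, one that fails Luhn, a valid SSN,
# an impossible SSN, a marker phrase and the project keyword.
SAMPLE = ("FOR INTERNAL USE ONLY: card 4111 1111 1111 1111, ref 1234 5678 9012 3456, "
          "SSN 123-45-6789, order 000-12-3456, Project EXAMPLE budget")

if __name__ == "__main__":
    for policy, match in scan(SAMPLE):
        print(f"{policy}: {match}")
```

Running it reports four hits and silently drops the two look-alikes, which is the difference between a rule that merely pattern-matches and one a DLP policy can act on without drowning the team in false alarms.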
After we find out what is confidential for our customer, we need to help him or her protect
that data, and then the following question comes to mind:
How Can We Find Our Confidential Data?
There are a few methods that should be considered. These methods relate mostly to Symantec
Vontu DLP's capabilities and will not carry over directly to another vendor's solution.
1) Consult with the Customer/CISO - we need to be in touch with employees that have a
cross-organizational view and approach. Most of the time, knowledgeable personnel can tell us
where 60%-80% of the confidential data in the organization is stored.
2) Use Vontu DLP's network monitoring ability - Vontu DLP has the ability to "tap in" to the
heart of the network using a mirror port (also known as a SPAN port). The Network Monitor can
analyze all of the network traffic. It gives a good indication of the information flowing over
our network, the transfer method used (instant messaging, mail, file copying and more) and the
destination of the data. Once we have collected a large amount of this data, we can create
rules and policies based on it. When implementing DLP in the organization, it is suggested to
install Network Monitor in order to study the network. The amount of learning time needed
differs between clients and is determined by the network bandwidth in use.
3) Use Vontu DLP Network Discover/Protect - Vontu DLP has the ability to scan a variety of
components (databases, SharePoint sites, storage, file servers, endpoint clients and more) in
order to find confidential data that is lying around on the corporate network.
In this article we defined what is confidential to the organization. We also found out
where the confidential data is stored. Now we are ready to start monitoring that data and
enforcing security policies over it. We will discuss ways to do so in the next chapter.
There will be three chapters in this series. This is the end of Chapter 1. The next chapter
will focus on monitoring, blocking and education.
Security Engineer Netcom Malam-Team