What Protection Does Symantec DLP Provide?
In this article I will cover some DLP basics. It is written for beginners who want to understand the following about DLP:
Where does DLP fit?
What does DLP do, and what protection does it provide?
To start with, let's look at endpoint protection. Endpoint protection has antivirus, anti-spyware, network threat protection (host-based firewall and host-based intrusion prevention) and proactive threat protection, which protects based on the behaviour of a program. But it does not warn or stop a user from copying something sensitive to a CD/DVD or USB drive, for example thousands of customers' sensitive records being written to a USB drive.
Similarly, perimeter security does not stop a user from sending sensitive information over email, HTTP/HTTPS or FTP. Neither endpoint, perimeter nor network security has any way of identifying which data is sensitive.
This is why DLP technology came into the picture: security is built around the data itself. Once DLP is in place, data loss through endpoints (CD/DVD, USB or floppy drive) and through the network (email, HTTP/HTTPS, FTP or any TCP/IP protocol, for that matter) can be prevented. So we can say that DLP fits around the data itself.
Sensitive information is defined by writing 'rules' (policies) in DLP.
DLP primarily focuses on the following channels for preventing data loss:
1. Endpoints (desktop/laptop)
2. Network (email, HTTP/HTTPS or FTP) – also called data in motion
3. Data residing on file servers, NAS or server hard drives – also called data at rest
For endpoints, an agent is installed on each desktop/laptop. The agent monitors all data leaving that endpoint against the rules defined centrally on the DLP server; the rule is the critical part of DLP. The agent communicates with the central DLP server whenever the endpoint connects to the network, and it generates an incident whenever a rule is violated. Depending on how DLP is configured, the endpoint agent can monitor, or actually block, the copying of data to an external drive. The question then arises: can a desktop admin simply uninstall the DLP agent once they find it? No: uninstalling the agent requires an uninstallation password, and the usual assumption is that the user does not have admin rights on the laptop/desktop anyway. The latest versions of DLP (ver 11.x.x) add many advanced controls to hide the agent on endpoints and protect it from tampering.
Network DLP requires the DLP network component to be placed inline (for blocking) or passively, like a sniffer (for monitoring), on corporate email traffic and/or web traffic (via the proxy servers).
The data-at-rest component scans the configured targets for sensitive information. When it finds some, it can generate an incident and/or move the data to a safer location, leaving a marker file in its place stating that the data has been moved. The marker can also carry the contact details of the person to approach if the user needs to retrieve the data.
At the heart of all three channels is the rule. Defining rules is critical and must be done carefully; it is a large subject in itself. Symantec helps with many policy templates for different industries (pharma, banking and finance, etc.). Organizations typically take years to mature in defining rules that block traffic, and rules must be fine-tuned over time to reduce false positives.
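To make the rule and data-at-rest ideas above concrete, here is a small added illustration in Python. It is not Symantec DLP's own code and does not use its APIs; it models a rule that detects payment card numbers (a regex candidate match validated with the Luhn checksum, plus a minimum-match threshold so one stray number does not raise an incident) and a Discover-style scan that quarantines violating files and leaves a marker file with contact details in their place. The file names, file contents, quarantine path and contact line are all constructed for the demo.

```python
"""Toy DLP rule + data-at-rest scan (added illustration, not Symantec code)."""
from __future__ import annotations

import re
import shutil
import tempfile
from pathlib import Path

# Candidate card numbers: 13-19 digits, optionally separated by spaces/dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

MARKER_SUFFIX = ".moved.txt"
CONTACT = "DLP team, dlp-team@example.com"  # invented contact line for the marker


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random digit runs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cards(text: str) -> list[str]:
    """Return the Luhn-valid card numbers (digits only) found in text."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def rule_matches(text: str, min_count: int = 3) -> bool:
    """The rule fires only when at least min_count validated cards appear.

    A single card in a support e-mail may be legitimate; a dump of many is an
    incident. The threshold is the kind of tuning knob used to cut false positives.
    """
    return len(find_cards(text)) >= min_count


def discover_and_quarantine(target: Path, quarantine: Path,
                            min_count: int = 3) -> list[dict]:
    """Scan every file under target, move violators to quarantine and leave a marker."""
    quarantine.mkdir(parents=True, exist_ok=True)
    incidents = []
    for path in sorted(target.rglob("*")):          # list fixed before we start moving
        if not path.is_file() or path.name.endswith(MARKER_SUFFIX):
            continue
        cards = find_cards(path.read_text(errors="replace"))
        if len(cards) < min_count:
            continue
        dest = quarantine / path.relative_to(target)
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(path), str(dest))
        marker = path.with_name(path.name + MARKER_SUFFIX)
        marker.write_text(
            f"{path.name} contained {len(cards)} payment card numbers and was moved "
            f"to {dest} by the DLP scan.\nTo retrieve it, contact {CONTACT}.\n")
        incidents.append({"file": str(path), "matches": len(cards),
                          "moved_to": str(dest), "marker": str(marker)})
    return incidents


def demo() -> list[dict]:
    """Build a constructed 'file share' in a temp dir and run the scan over it."""
    root = Path(tempfile.mkdtemp())
    share, quar = root / "share", root / "quarantine"
    share.mkdir()
    # Three valid test card numbers: above the threshold, so this file is moved.
    (share / "customers.csv").write_text(
        "name,card\nalice,4111 1111 1111 1111\nbob,5500-0000-0000-0004\n"
        "carol,378282246310005\n")
    # Luhn-invalid digit runs: regex candidates, but the validator drops them.
    (share / "notes.txt").write_text(
        "order 4111111111111112 (typo), ref 1234567890123456\n")
    # One valid card: below the threshold, so left in place.
    (share / "invoice.txt").write_text("refund to card 4111111111111111\n")
    (share / "readme.txt").write_text("Nothing sensitive here.\n")
    return discover_and_quarantine(share, quar)


if __name__ == "__main__":
    for inc in demo():
        print(inc)
```

Running it moves only customers.csv (three validated cards) into the quarantine directory and writes customers.csv.moved.txt beside it; notes.txt survives because its numbers fail Luhn, and invoice.txt survives because a single card is under the threshold. Real DLP products layer more on top (keyword proximity, document fingerprints, exact data matching), but the shape of pattern, validator and threshold is the same.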
DLP has the following components:
1. Enforce Server, where policies are defined, administration is done and incidents are viewed.
2. Database Server – DLP uses Oracle as its database to store incidents and other information.
3. Endpoint Servers – used to manage the endpoint agents.
4. Network Prevent (Email) / Network Prevent (Web) Servers, for protection of email/web traffic.
5. Discover Server, used for finding sensitive data in storage such as NAS, hard drives and file servers.
I hope this article has given at least a basic understanding of how DLP works. DLP is a very broad solution and can be configured to achieve many objectives. It is a must for organizations that want to protect their information from leakage or theft, since data loss and theft are mostly carried out by insiders, knowingly or unknowingly.