The Truth About DLP & SIEM: It’s A Process Not A ProductIf you know what data is critical to your organization and what activities are abnormal, data loss prevention and security information event management work pretty well. But that's not usually the case.
I work with organizations each and every day, building out their cybersecurity programs. During my many conversations with security teams struggling with data loss prevention (DLP) and security information event management (SIEM) -- and the security vendors that support them -- I have noticed a surprising trend. Each time either DLP or SIEM is mentioned, they are described as “products”-- a “DLP Product” or an “SIEM Product.”
Butthe reality of the matter is that the “products” are not the problem. The central issue is a misunderstanding of what SIEM and DLP truly are: a process, not a product.
DLP and SIEM defined
First, some definitions to be sure we are all on the same page. DLP is a strategy designed to prevent the loss of data. DLP is often mentioned as a way to prevent users from uploading sensitive information into email, cloud storage services, and unauthorized file transfer capabilities.
SIEM is an approach to security management that enables organizations to collect information from all of their disparate devices. Information (or data logs) are stored in a single location which provides the opportunity for advanced aggregation and correlation of data to help complete a more holistic view of an organization’s IT security posture. Using advanced techniques for correlation and aggregation, the SIEM looks for patterns which will help security teams identify technical issues, security breaches, and attacks more easily, and more importantly, allow for more timely response. Because prevention will at some point fail, it is more important than ever to be able to nimbly respond and recover the environment.
Seems pretty straightforward, right? Not so fast, there is more.
DLP works well if you know what data is critical to your organization. But if you don’t, your DLP efforts will likely fail. For example, I constantly hear people talk about securing credit card information and healthcare data -- all of which is incredibly important information. However, rarely is this the only important information within the company. There is other important data that needs to be secured, but you must know what it is, and where it is, otherwise you can’t secure it. The process of understanding and identifying what data is important to your company is paramount to DLP success. Yes, I said process.
In the case of SIEM, while it is great to have all of your data in one place, if you don’t know what is normal and abnormal for your environment -- or even how to make sense of all of the noise of the logs themselves -- confusion is sure to follow.
I often compare SIEM deployments to intrusion detection system (IDS) deployments, as both share some common issues. Each environment is different. What might look like (and be) an attack in one environment might simply be standard traffic within another environment. If you don’t understand your environment, your IDS deployment will fail, just like if you don’t understand your environment, your SIEM process won’t be successful. (And yes, I said process again).
Achieving DLP and SIEM success
While I would like to say vendors should play a role in fixing these issues, they aren’t in the best position to do so. Why? Because DLP and SIEM are not “one size fits all” (despite being sold as such). Thus vendors will continue to sell a “product” that is billed as ‘just install it and it works’. Meanwhile, deployment issues will continue to plague customers. So, what is the answer for achieving DLP and SIEM success?
First, everyone (vendors and security teams alike) need to realize DLP and SIEM are processes. They are not products nor do they serve as a quick fix to a problem. To succeed, security teams deploying DLP and SIEM solutions must understand their environment and what data is important.
Second, IT, infosec, and executives all need to be involved in the DLP process. Part of the issue is that it isn’t always the security team or the technical team making the decision: it is often high-level executives driving the push for a particular product or solution. They’ve heard the buzzwords and think DLP and SIEM can help with compliance, so they check a box. Don’t get me wrong -- DLP and SIEM success absolutely needs executive support and buy-in in order to be successful. Just remember that being compliant and being secure are not the same. I want my clients’ security posture to make them automatically compliant. Compliance should be a by-product of a secure posture.
Third, IT and security teams need to understand what information is critical within their environment. While many believe they know what data is important, they often overlook critical data. There are controversial questions I like to ask of my customers, and the attendees that attend my SANS training. “Do you know what makes your company your company? Do you know the mission of your company? Do you really understand the business processes that make the company viable?” You might think you know your company…but are you sure? Surprisingly, most employees do not know their company as well as they think. If you don’t understand what is important, there is no way to protect it.
Fourth, education and training is key. Understanding how to get quick, tactical wins from the data you have within your environment is essential to protecting it. Hands-on, immersion-style training from real-world practitioners is essential for helping individuals understand what they need to look for and go down the path of detecting malicious activity. The adversary doesn’t want us to know the answers to my questions about data. In fact, the adversary depends upon your ignorance.
Security is far from being a lost cause; the more we are able to detect the adversary and respond, the more our adversaries must adjust their tactics. And when we make them adjust, it actually makes them more detectable. And the best part? It is circular. The more we detect, the more we can feed into response capabilities. And the more we learn from our response, the more we can feed back into detective capabilities. Let’s put ourselves on the winning team. We need to understand what works and what doesn’t. And that starts with understanding that two of the most important things we can do in the name of cybersecurity, DLP and SIEM, are process -- not product.
Bryan Simon is a SANS Certified Instructor and an internationally recognized expert in cybersecurity, with a special focus on defensive and offensive capabilities. Bryan's scholastic achievements have resulted in the honor of sitting as a current member of the Advisory Board ... View Full Bio