Considering the monetary impact that data loss has on affected companies, whether intentional or unintentional, 10 percent seems trivially small. If we look at the recent lost-and-found USB flash drive in the U.K., there is more than just a company's money at stake. The technological impact to an organization can mean downtime, a lengthy investigation, and new technical constraints to prevent future data loss. It also proves that no organization, foreign or domestic, is immune. Government, private, public, nonprofit -- they are all fair game for embarrassing and costly data loss.There are several good points that can be made based on the eWeek article:
- DLP has been difficult to define because of the myriad approaches taken by the different vendors.
- Customers are now interested in DLP on the endpoint instead of just network-based DLP.
- Customers didn't understand where their sensitive data was stored in their networks.
- DLP solutions are now starting to tie leaked data directly back to its source.
The first item is obvious if you've ever looked at DLP products. The approaches have ranged from simple content monitoring and filtering at a network gateway to advanced endpoint monitoring with DLP agents running on each host. Unfortunately, evading network-based monitoring solutions is easy given the numerous methods to encrypt and transform data before transmitting out of the network or by simply copying data to a USB flash drive and walking away with it. This is why the second item is being realized by customers. The data needs to be monitored where the users have direct access to view it, manipulate it, copy it, etc.
No. 3 can be summed up in two words: data discovery. Someone grab a clue stick and start beating people! I've discussed numerous times here how you can't protect what you don't know about. It's about time that DLP customers realized this and DLP vendors have finally started providing the tools to do it as part of a standard featureset. If you're in the market for a DLP solution and are looking at one that doesn't provide discovery tools, move on.
Finally, the last item is an interesting one. According to Rod Murchison, VP of marketing and strategic alliances for Code Green Networks, they are "taking source data out of the database, fingerprinting it, and exactly matching it." This can be immediately useful in two ways: The first is to know that data coming from a particular database should never get out of the company and block it. The second is be able to quickly track back where data might have leaked from instead of having to look in 20 places if a breach does occur. It's an ambitious effort, but one I can still see being easily circumvented without tying endpoint agents with network detection.
I'm still a skeptic when it comes to DLP, but I'm glad to see that the DLP vendors are finally maturing and customers are realizing what features they need in a solution to be able to find and protect the data in their networks. In another year, I hope to see another article on how DLP has finally grown up, apparent by the gradual decrease in media reports of data loss and increase in market penetration. One can hope, right?
John H. Sawyer is a Senior Security Engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.