In this article I will show that DLP technology such as Fidelis XPS, McAfee DLP, Verdasys Digital Guardian, Websense Data Security Suite and Symantec Data Loss Prevention 9 is a necessary but not sufficient condition for effective data security. I submit that effective data security is a three-legged stool of:
- Monitoring – using DLP technology
- Training – strengthening of ethical values with training and personal example at all levels of management
- Accountability – paying the price when a data loss event happens
The role of data security in IT
Why data security and not information security?
For the sake of convenience – I will define data security as a sub-discipline of information security that focuses on protecting the confidentiality, integrity and availability of data – regardless of the storage, communications and transaction processing systems that handle the data. It’s about protecting the good stuff rather than stopping the bad guys. You can have updated, patched systems, encrypted communications, strong passwords, digital rights management, separation of duties, minimum rights granted to users and still have a major data loss event. Why? Because a trusted insider with appropriate rights, who is familiar with the transaction systems, can steal or manipulate the data.
The role of culture in data security
It seems to me that there is a fundamental difference in culture between American and European approaches to data security.
According to Wikipedia, culture is the set of shared attitudes, values, goals, and practices that characterizes an institution, organization or group. Is data security part of your company’s shared values, goals and practices – or is it a CSO project?
Most Americans prefer technology solutions and most Europeans prefer cultural solutions. For what it’s worth – like many other things, Israelis tend to follow American trends, and discipline is not a strong point of most Israeli corporations – just like it’s not a strong point of most Israeli drivers.
Examples
Case # 1 – Technology without culture
The American Hannaford Brothers Supermarkets chain was, and still is, PCI DSS compliant. They perform PCI DSS audits, buy servers from IBM and check off payment card compliance as a mission accomplished. They were compliant but still had a major data loss event, losing over 4 million credit cards. US customers who install DLP systems from companies like IBM, McAfee, Fidelis Security, Verdasys, Websense or Symantec often see them as essential to their privacy compliance program, but do not use DLP monitoring capabilities as a tool in an overall cultural effort to protect company data assets from being stolen or manipulated by employees and business partners.
Case # 2 – Culture without technology
A European firm might see data security as an ethical and regulatory issue, and decide not to invest in DLP technology on grounds of cost. However, without data loss monitoring – the organization will never know what’s really going on, never be able to prevent a major data loss event and certainly not have the monitoring capability that is required for reinforcing the culture.
Case # 3 – Culture and technology without enforcement
I recently told a client (who uses a Fidelis XPS network DLP system) that about 30% of their outbound traffic was Gmail, compared to 35% of outbound traffic on Microsoft Exchange. The client had trouble believing this until confronted with the data. Even then – the attitude was “ok, so what can we do?” My suggestion was to take a cultural approach to reduce use of Gmail, with awareness training at the group leader and department manager levels, in order to drive the message home that company digital assets need to stay inside the company and not make a side trip to Mountain View, California. They never did the awareness training and 6 months later they had a major data loss event of proprietary company intellectual property over Gmail. The point is: increased Web mail traffic is an indicator of a bigger attack surface. Make the attack surface smaller and you become more robust to a data loss event (a smaller attack surface means you have a smaller target that’s easier to defend). After the data loss event, the VP Global IT wrote a memo to all the employees and stopped there. The volume of Gmail traffic and the overall level of data security violations have not changed significantly.
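The webmail-share measurement described in Case #3, as an added example that is not part of the original post: it parses constructed outbound flow records (user, destination host, bytes out), computes each channel's share of outbound bytes, flags the webmail share against a threshold and lists the users behind it. The record format, the host-to-channel map and the 25% threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample flows, one per line: "user destination_host bytes_out"
SAMPLE_FLOWS = """\
alice mail.google.com 120000
bob outlook.corp.example 150000
carol mail.google.com 60000
dave outlook.corp.example 60000
erin www.example.org 210000
"""

# Hypothetical mapping of destination host to the channel it represents
CHANNELS = {
    "mail.google.com": "gmail",
    "outlook.corp.example": "exchange",
}


def parse_flows(text):
    """Parse 'user host bytes' lines; malformed lines are skipped, not fatal."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        flows.append((parts[0], parts[1], int(parts[2])))
    return flows


def channel_share(flows, channels):
    """Return {channel: fraction of outbound bytes}; unmapped hosts count as 'other'."""
    totals = defaultdict(int)
    for _user, host, nbytes in flows:
        totals[channels.get(host, "other")] += nbytes
    grand = sum(totals.values())
    return {ch: b / grand for ch, b in totals.items()} if grand else {}


def webmail_indicator(shares, channel="gmail", threshold=0.25):
    """Return the webmail share when it exceeds the threshold, else None."""
    share = shares.get(channel, 0.0)
    return share if share > threshold else None


def top_users(flows, channels, channel="gmail"):
    """Users ranked by bytes sent over the given channel, for the follow-up chat."""
    per_user = defaultdict(int)
    for user, host, nbytes in flows:
        if channels.get(host) == channel:
            per_user[user] += nbytes
    return sorted(per_user.items(), key=lambda kv: kv[1], reverse=True)
```

On the sample data the Gmail share comes out at 30% and Exchange at 35%, the same split the post reports.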
The role of user accountability and training in data security
As we can see from the above cases – DLP technology is a necessary but not sufficient condition for effective data security. I submit that effective data security is a three-legged stool of:
1. Monitoring – using DLP technology
2. Training – strengthening of ethical values with training and personal example at all levels of management
3. Accountability – paying the price when a data loss event happens
Accountability
Ensuring employee loyalty and reliability starts with HR, which has responsibility for hiring and guiding the management of employees. High-security organizations such as defense contractors, diamond or securities traders add additional screening such as polygraphs and background checks to the hiring process. Over time, organizations should try to sense personality changes, domestic problems or financial distress that indicate increased data loss risk for employees in sensitive jobs. Even though it’s hard to quantify the financial damage of a data loss event, at a very basic level data loss impacts the corporate brand.
Therefore, make your HR group and the direct managers of employees/contractors involved in a data loss event personally accountable for the corporate brand, and ensure that they pay the price when trusted employees and contractors steal data.
Training
Although it won’t help you sell more widgets, digital asset protection is part of an overall company training process that helps an organization achieve its objectives in the areas of:
- Operational effectiveness – if you don’t lose your new price list to the competition, you won’t have to create a new one…
- Reliability of financial reporting – data security is not only data loss, it’s also data integrity and data availability
- Compliance with applicable laws and regulations – privacy and payment card security
Use a professional trainer to develop train-the-trainer programs and make it the job of the managers at all levels to train their employees on data security.
Monitoring
The best way I can explain data security monitoring with DLP technology is to use a physical security paradigm.
Physical security starts at the parking lot and continues to the office, with tags and access control. Office buildings can program the gates with a simple rule to ensure that every tag leaving the building also entered the building.
Data security starts with network DLP (like a Fidelis Security Systems XPS extrusion prevention system or Symantec Data Loss Prevention) at the network perimeter of the organization and continues into the office with agent DLP (like Verdasys Digital Guardian or McAfee DLP) at endpoints. Centralized organizations might rely on network DLP only and very dispersed operations might rely on agent DLP only. Very large, geographically dispersed organizations might use network DLP to provide wide data security coverage and agent DLP to provide a fine level of control at the point of use.
Whatever DLP products you buy (Verdasys Digital Guardian, Fidelis Security XPS, McAfee DLP, Websense Data Security Suite or Symantec Data Loss Prevention), monitoring is the third leg of our three-legged stool – a sort of data security AWACS/NORAD/early warning system where violations of company data security policy are detected in real time. A security team staffer sees the event on a management console, pulls up the IP address and user involved in the violation, gets the forensics, and goes over to the employee for a little chat. No more than 10 minutes elapse from the time the data security event was detected until the time a security staffer is sitting in the employee’s cubicle or talking to them on the phone about the incident.
Summary
The objective of cost-effective data security is to make the organization more robust to Black Swan events: a major, unpredictable data loss event that can maim or destroy your business.
Since it is impossible to predict when or how a high impact data loss event will happen, it is also highly unlikely you will be able to prevent it.
Real-time monitoring with DLP is an excellent way of reinforcing training, creating accountability and making your organization more robust to data loss events.
Symantec is big in the DLP market, and they also heavily emphasize the importance of the training use of DLP.
That said, there are two important distinctions regarding Symantec.
1) As with most network based solutions (including our friends at Fidelis Security Systems), enforcement is nearly instant, but the follow up training is not always instant. For example, a blocked email with Symantec is subject to network lag, content inspection appliance lag, network lag again, and then the warning is sent to you in an email. If you receive an email 5 minutes later saying “hey! That email you sent was not compliant!” . . . would you always know what it was referring to?
The point here is that training is most effective if it coincides with the security event. If it is not paired, then it may be more of an annoyance. “I have to drop my current task, remember what I wanted to convey, fix the email because of the $#*!&% guys in security, then resume my other work.” It is as if in a training class, someone makes a mistake during their presentation, but only hears the correction after the class has ended.
2) Symantec Data Prevention 9 has a heavy reliance on network components. For example, their IM / Email / ftp etc. controls are solely network based. More than half their content inspection capabilities are also based on network appliances (their hashing, etc).
As a result of this, they have unequal controls on and offline, on or off network, which leads to a much different training message. “I can’t use gmail while I’m using my laptop at my desk, but if I go downstairs to the coffee shop, I can gmail whenever I want. I’ll write my next gmail during my coffee break.”
I fully agree with your view that both technology and culture are required to prevent data loss. However, I do think that they are not necessarily separate issues. Similar to the way ERP applications tend to dictate best practice business processes, agent DLP like Verdasys Digital Guardian or McAfee DLP influences the culture through the technology and combines the three aspects you mention – monitoring, training and accountability.
Agent DLP like McAfee DLP or Verdasys Digital Guardian monitors what users do to a very low level of Windows operating system events and then aggregates the events to a security countermeasure like ‘warning’ the user when she does something that is wrong in the eyes of the organization. In my experience – this sort of real time training and reinforcement is usually much more effective than reading security policies or attending security courses.
As for accountability, this can be done in two levels – at the end-user’s level and at the management’s level. First, the organization can decide that in certain circumstances the user is required to justify his/her actions. Second – the standard way of using agent DLP is to define automatic notifications so that serious enough violations generate on-the-spot alerts that may be sent to the user’s manager (and not only the security person) as soon as a policy violation occurs. In addition, periodical summaries of such actions in the manager’s department are sent, along with specific parameters that allow the manager to understand what happened, when it happened (and sometimes even why). These two are aimed to ensure that both the user and his managers are accountable for data loss events.
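The two-level accountability mechanism the comment above describes (on-the-spot alerts to the manager for serious violations, a justification prompt to the user, and periodic per-department summaries), as an added example that is not code from the original post or from any DLP product: event fields, the severity scale and the routing thresholds are assumptions, and the events are constructed.

```python
from collections import Counter

SEVERITY = {"low": 1, "medium": 2, "high": 3}

# Constructed agent-DLP events: (timestamp, user, department, manager, severity, action)
SAMPLE_EVENTS = [
    ("2009-09-01T09:02", "alice", "sales", "mgr_sales", "low", "copy_to_usb"),
    ("2009-09-01T09:40", "alice", "sales", "mgr_sales", "high", "upload_webmail"),
    ("2009-09-01T10:15", "bob", "finance", "mgr_fin", "medium", "print_confidential"),
    ("2009-09-02T14:20", "bob", "finance", "mgr_fin", "high", "upload_webmail"),
]


def route_alert(event, manager_threshold="high", justify_actions=("upload_webmail",)):
    """Decide who is notified about one violation and whether the user must justify it."""
    _ts, _user, _dept, manager, severity, action = event
    recipients = ["security"]          # the security team always sees the event
    if SEVERITY[severity] >= SEVERITY[manager_threshold]:
        recipients.append(manager)     # serious violations reach the manager on the spot
    return {
        "recipients": recipients,
        "warn_user": True,             # the real-time warning is the training step
        "justify": action in justify_actions,
    }


def department_summary(events, department):
    """Periodic summary for one department: counts by user and severity, last event per user."""
    by_user, by_severity, last_seen = Counter(), Counter(), {}
    for ts, user, dept, _mgr, severity, action in events:
        if dept != department:
            continue
        by_user[user] += 1
        by_severity[severity] += 1
        last_seen[user] = (ts, action)
    return {"by_user": dict(by_user), "by_severity": dict(by_severity), "last_seen": last_seen}
```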
This is all great input. Thanks guys.
I liked the comment on how agent DLP influences culture because in my experience – network DLP like Fidelis Security Systems XPS Extrusion Prevention system is generally kept under wraps by the information security team and used in a passive monitoring and/or active prevention role.
Danny Lieberman