One of the famous canons in the Jewish Passover “seder” ritual is 4 questions from 4 sons – the son who is wise, the son who is wicked, the son who is innocent and the son who doesn’t know enough to ask.
I sometimes have this feeling of Deja vu when considering data security technology solutions. Although the analogy is not at all parallel – I have written a list of 4 questions to be asked when considering a DLP solution – these questions require clear, authoritative answers just like in the Passover seder (להבדיל).
- What is the key threat scenario?
- How much Value at Risk is on the table?
- Who owns the project?
- Does the DLP technology fit the threat scenario?
1 – What is the key threat scenario?
Here are some typical threat scenarios – the key threat scenario should keep a C-level executive awake at night.
|
Threat Scenario |
Sample Asset(s) |
Threat(s) |
Vulnerabilities |
Countermeasures |
|
Leakage or theft of PII (personally identifiable information) |
Customer data and/or credit cards |
Insiders Resellers Criminals Hackers Terrorists |
Employees may be bribed or exploited Weak passwords Wi-Fi networks Temporary files Firewalls Proxy bypass Web services FTP services Operating systems |
Network DLP Database DLP Encryption Policies Procedures Software security assessments Patching |
|
Loss of IP on servers |
Designs |
Insiders Competitors |
Same
|
Network DLP |
|
Loss of IP in the cloud |
Designs |
Insiders Competitors Vendor employee |
Same + Unreliable cloud vendor |
Network DLP at provider |
|
Loss of IP on notebooks |
Designs |
Employees Theft Loss |
Employees in airports
|
Agent DLP Encryption |
|
Loss of data from business partners |
Customer data, IP |
May steal the data |
Partner systems Web based links Firewalls |
Network DLP Agent DRM or Agent DLP |
See http://www.software.co.il/wordpress/2010/02/is-there-a-business-need-for-dlp/
2 – What is your value at risk?
Once you have identified the key threat scenario, you must know how much value at risk is generated when a threat exploits vulnerabilities to cause damage to assets. The basis for measuring VaR (value at risk) is the asset value (generally determined by the CFO) –
VaR = asset value x threat probability x estimated damage to asset value in a percentage
The VaR is reduced by a set of security countermeasures that also have a cost. VaR is best calculated in a data security based risk assessment that uses DLP technology to measure frequencies of threat occurrence and a calculative threat model to derive VaR.
Most companies are not at a sufficient level of security maturity to do this exercise themselves – and will need an independent consultant with specific data security expertise and the ability to do analytical threat modeling.
Within a couple weeks, you should be able to get a picture of your current data security events, know your data value at risk in Euro and build a prioritized program for cost-effective DLP countermeasures.
See http://www.software.co.il/wordpress/2010/01/building-a-business-case-for-dlp/
3 – Who owns the project?
Beware of organizational politics and silos and conflicting agendas. Need I say more?
4 – Does the DLP technology fit the threat scenario?
Just because the vendor sold you an anti-virus product doesn’t mean that his DLP technology is a good fit (even if it’s free)
Example A: A network DLP solution may be required with 1GB throughput, if the technology saturates at 200MB/S then the solution is not a good fit.
Example B: An agent DLP solution may be required that is capable of identifying IP in AutoCAD files; if the content analysis software is incapable of decoding AutoCAD, then the countermeasure does not mitigate the vulnerability.
Follow
One thought on “The 4 questions”