The 4 questions

One of the famous elements of the Jewish Passover “seder” ritual is the 4 questions from the 4 sons – the son who is wise, the son who is wicked, the son who is innocent and the son who doesn’t know enough to ask.

I sometimes have this feeling of déjà vu when considering data security technology solutions. Although the analogy is not at all parallel, I have written a list of 4 questions to ask when considering a DLP solution; these questions require clear, authoritative answers, just like in the Passover seder (להבדיל).

  1. What is the key threat scenario?
  2. How much Value at Risk is on the table?
  3. Who owns the project?
  4. Does the DLP technology fit the threat scenario?

1 – What is the key threat scenario?

Here are some typical threat scenarios; the key threat scenario is the one that should keep a C-level executive awake at night. Each scenario is listed with its sample asset(s), threat(s), vulnerabilities and countermeasures.

Threat scenario: Leakage or theft of PII (personally identifiable information)
  Sample asset(s): Customer data and/or credit cards
  Threat(s): Insiders, resellers, criminals, hackers, terrorists
  Vulnerabilities: Employees may be bribed or exploited; weak passwords; Wi-Fi networks; temporary files; firewalls; proxy bypass; web services; FTP services; operating systems
  Countermeasures: Network DLP, database DLP, encryption, policies, procedures, software security assessments, patching

Threat scenario: Loss of IP on servers
  Sample asset(s): Designs
  Threat(s): Insiders, competitors
  Vulnerabilities: Same as for PII
  Countermeasures: Network DLP

Threat scenario: Loss of IP in the cloud
  Sample asset(s): Designs
  Threat(s): Insiders, competitors, vendor employee
  Vulnerabilities: Same as for PII, plus an unreliable cloud vendor
  Countermeasures: Network DLP at the provider

Threat scenario: Loss of IP on notebooks
  Sample asset(s): Designs
  Threat(s): Employees, theft, loss
  Vulnerabilities: Employees in airports
  Countermeasures: Agent DLP, encryption

Threat scenario: Loss of data from business partners
  Sample asset(s): Customer data, IP
  Threat(s): Partner may steal the data
  Vulnerabilities: Partner systems, web-based links
  Countermeasures: Firewalls, network DLP, agent DRM or agent DLP

See http://www.software.co.il/wordpress/2010/02/is-there-a-business-need-for-dlp/

2 – What is your value at risk?

Once you have identified the key threat scenario, you must know how much value at risk is generated when a threat exploits vulnerabilities to cause damage to assets. The basis for measuring VaR (value at risk) is the asset value (generally determined by the CFO):

VaR = asset value x threat probability x estimated damage to asset value (as a percentage)

The VaR is reduced by a set of security countermeasures, each of which also has a cost. VaR is best calculated in a data-security-based risk assessment that uses DLP technology to measure the frequency of threat occurrence and a quantitative threat model to derive the VaR.

Most companies are not at a sufficient level of security maturity to do this exercise themselves, and will need an independent consultant with specific data security expertise and the ability to do analytical threat modeling.

Within a couple of weeks, you should be able to get a picture of your current data security events, know your data value at risk in Euro and build a prioritized program of cost-effective DLP countermeasures.

See http://www.software.co.il/wordpress/2010/01/building-a-business-case-for-dlp/
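As an added worked example (not code from the original post), here is the VaR formula above applied to the PII leakage scenario from the table, followed by the prioritization step: each candidate countermeasure is scored by the VaR it removes per euro of annual cost, and any countermeasure that costs more than the VaR it removes is dropped as a poor fit. The asset value, probabilities, damage fractions and countermeasure costs are constructed sample figures, not data from the post.

```python
from dataclasses import dataclass


@dataclass
class ThreatScenario:
    name: str
    asset_value: float         # in euro, as supplied by the CFO
    threat_probability: float  # chance the threat materialises in the period (0..1)
    damage_pct: float          # fraction of asset value lost when it does (0..1)

    def var(self) -> float:
        # VaR = asset value x threat probability x estimated damage to asset value
        return self.asset_value * self.threat_probability * self.damage_pct


@dataclass
class Countermeasure:
    name: str
    annual_cost: float               # in euro
    probability_reduction: float     # fraction by which it cuts threat probability
    damage_reduction: float = 0.0    # fraction by which it cuts damage (e.g. encryption)


def residual_var(scenario: ThreatScenario, measures: list) -> float:
    """VaR left after applying the given countermeasures (reductions compound)."""
    p, d = scenario.threat_probability, scenario.damage_pct
    for m in measures:
        p *= 1.0 - m.probability_reduction
        d *= 1.0 - m.damage_reduction
    return scenario.asset_value * p * d


def prioritize(scenario: ThreatScenario, measures: list) -> list:
    """Rank countermeasures by VaR removed per euro; drop any that cost more than they save."""
    ranked = []
    for m in measures:
        reduction = scenario.var() - residual_var(scenario, [m])
        if reduction > m.annual_cost:
            ranked.append((m.name, reduction, m.annual_cost, reduction / m.annual_cost))
    return sorted(ranked, key=lambda r: r[3], reverse=True)


# Constructed sample figures (assumptions, not figures from the post).
PII_LEAK = ThreatScenario("Leakage or theft of PII", 2_000_000, 0.25, 0.40)
CANDIDATES = [
    Countermeasure("Network DLP", 60_000, probability_reduction=0.50),
    Countermeasure("Database encryption", 20_000, 0.0, damage_reduction=0.60),
    Countermeasure("Patching programme", 15_000, probability_reduction=0.20),
    Countermeasure("Bundled anti-virus 'DLP' module", 10_000, probability_reduction=0.02),
]

if __name__ == "__main__":
    print(PII_LEAK.var(), prioritize(PII_LEAK, CANDIDATES))
```

With these figures the bundled anti-virus module never appears in the ranked list: it removes 4,000 euro of VaR for 10,000 euro of cost, which is the "does not fit" case of question 4 expressed in numbers.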

3 – Who owns the project?

Beware of organizational politics, silos and conflicting agendas. Need I say more?

4 – Does the DLP technology fit the threat scenario?

Just because the vendor sold you an anti-virus product doesn’t mean that its DLP technology is a good fit (even if it’s free).

Example A: A network DLP solution may be required with 1GB throughput; if the technology saturates at 200MB/s, then the solution is not a good fit.

Example B: An agent DLP solution may be required that is capable of identifying IP in AutoCAD files; if the content analysis software is incapable of decoding AutoCAD, then the countermeasure does not mitigate the vulnerability.
