Category Archives: Anti-Fraud

Run security like you run the business

Is there any conceivable reason why you should not run your security operation like you run your core business?

The sales people in your firm have sales quotas and are measured by gross profit margin and collections. The people who run manufacturing and distribution have quotas for manufacturing throughput and inventory cycle times.

So why shouldn’t your CSO, CIO, information security staffers, network managers and software developers have measurable quotas and compensation for meeting or exceeding their information security numbers?

If you don’t currently measure and report your security performance internally (unlike companies such as Intel and Motorola that have a strong metrics culture and measure everything), you should consider managing your security operation like you manage a business unit and adopting a tightly focused strategy on customers, market and competitors.

Without well-defined, standard, vendor-neutral threat models and performance metrics, there cannot be improvement; and continuous improvement is what customers want and have come to expect. Consider that we all expect that after the iPhone 4 comes the iPhone 5, and we should be expecting that after better data security comes reduced cost of data security.

A business lives on its information assets. Whether you’re a contractor digging ditches for a cable provider or you’re the cable provider CEO, you live on information. Key company assets (such as customer records) are digital and live in a PC, a Windows server, a Linux server or a mainframe; the paper is a “hard copy”, not the original.

Your firm manages fixed assets and produces 10-Q reports if publicly traded, but do you identify and valuate the digital assets that are key to the operation? Can you calculate ROI for digital asset protection technology or prove compliance with Sarbanes-Oxley section 906 without measuring the value of your key operational digital assets?

Choose a business strategy for information security. Information security today works on a cycle of reaction and acquisition. You have a data breach event or an outbreak of a worm in your network, and you react by acquiring products and services.

Information security needs to operate continuously and proactively within a well-defined, standards-based threat model that can be benchmarked against the best players in your industry just like companies benchmark earnings per share.

In his classic article “What is strategy?”, Michael Porter writes how “the essence of strategy is what not to choose…a strong competitive position requires clear tradeoffs and choices and a system of interlocking business activities that fit well and sustain the business”. Security of your business information also requires a strategy.

Measure in order to manage, improve and comply

There are widely accepted and practiced revenue models, costing models and performance metrics that work for all kinds of business units. To cost a product or service, a distribution business uses mark-up margins, a manufacturing unit uses bill-of-material costing and a professional services unit uses standard and activity costing. If you want to evaluate cash flow, just look at cash flow from operations, or free cash flow (FCF), which is simply cash from operations minus capital expenditures. True, FCF omits the cost of debt, but you have an objective indicator to go by that can be measured every week, every quarter, every month of the year.

Several years ago, a major supermarket chain in Israel lost $5M in sales in one month, because their purchase prices of fresh produce were leaked to a competitor by an employee using instant messaging. The firm reacted with locked doors and cameras, but locked doors and cameras can’t audit information flows and provide data security performance metrics that will help them prevent the next leak of sensitive information.

Test your information security business strategy IQ

  • Is your data security spending driven by compliance regulation?
  • Are Gartner Group white papers a key input for your information security purchasing decisions ?
  • Are you running without data security win/loss metrics?
  • Do you have separate physical and data security teams reporting to different managers?
  • Is your data security purchasing cycle over 2 years?
  • Are you short on head count, and using that as an excuse for not implementing data security technologies?
  • Are you a CTO and you never personally sold or installed one of your company’s products?

If you answered YES to 4 out of 7 questions, you need a business strategy with operational metrics for your information security  operation.

Take action to protect your assets like you run your business

  • Set up indicators and publish them once a week on the company Intranet for everyone to see. Start with 3 indicators: the number of network anomalies your IDS found that week, your current patch cycle time and how much overtime your security staff worked that week.
  • Do continuous security audits. Purchase a tool for network audit and run it once a week on a different part of the network. The guys over in the warehouse stopped doing full physical counts once a year 15 years ago; they count a little bit of inventory every day with hand-held barcode terminals. Get a consultant to help you set it up and run it yourself.
  • Make the number of overtime hours your network security staff works a key monthly indicator.
  • Build a threat model, maintain a database of your key assets, threats and vulnerabilities, and start using practical threat analysis today.
  • Define your competitive strategy for security operations. Is it low cost? Is it single vendor? Is it Linux desktops? Is it end-point security focus?
  • Implement a consistent set of activities, for example standardizing on diskless thin clients, remote desktops and Windows Terminal Services.
  • Think how activities can reinforce each other, for example by installing personal firewall software that reports intrusion attempts to a central server so that you can plan your response to future attacks.
  • Identify sets of activities that optimize your efforts. Perhaps you have a totally flat network with a spaghetti plate of servers and workstations today. Segment the network into VLANs: put the application servers on one segment, the data servers on another and client workstations on departmental segments, and so forth. Performance and security will improve and you’ll be able to monitor content effectively. You’ll spend less time firefighting and more time thinking.
  • Install your company’s products yourself. After you do that, follow a customer home and watch how they do the install, time it and take notes. Update the threat model with your findings.

For more perspective on competitive strategy see Michael Porter’s article What is Strategy at the Harvard Business Review online edition.


The psychology of data security

Over 6 years after the introduction of the first data loss prevention products, DLP technology has not mainstreamed into general acceptance like firewalls. The cultural phenomenon of companies getting hit by data breaches but not adopting technology countermeasures to mitigate the threat requires deeper investigation but today, I’d like to examine the psychology of data security and data loss prevention.

Data loss has a strange nature that stems from unexpected actions by trusted insiders in an environment assumed to be secure.

Many IT managers are not comfortable with deploying DLP, because it requires admitting to an internal weakness and confessing to not doing your job. Many CEOs are not comfortable with DLP as it implies employee monitoring (not to mention countries like Germany that forbid employee monitoring). As a result, most companies adopt business controls in lieu of technology controls. This is not necessarily a mistake, but it’s crucial to implement the business controls properly.

This article will review four business control activities: human resources, internal audit, physical security and information security. I will highlight disconnects in each activity and recommend corrective action at the end of the article.

The HR (human resources) department

Ensuring employee loyalty and reliability is a central value for HR, which has responsibility for hiring and guiding the management of employees. High-security organizations, such as defense contractors or securities traders, add additional screening such as polygraphs and security checks to the hiring process. Over time, organizations may sense personality changes, domestic problems or financial distress that indicate increased extrusion risks for employees in sensitive jobs.

Disconnect No. 1: HR isn’t accountable for the corporate brand and therefore doesn’t pay the price when trusted employees and contractors steal data. What can you do? Make HR part of an inter-departmental team to deal with emerging threats from social media and smart phones.

Internal audit

Data loss prevention is ostensibly part of an overall internal audit process that helps an organization achieve its objectives in the areas of:

  • Operational effectiveness
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations

Internal auditors in the insurance industry say regulation has been their key driver for risk assessment and implementation of preventive procedures and security tools such as intrusion detection. Born in the 1960s and living on in today’s Windows and Linux event logs, log analysis is still the mainstay of the IT audit. The IT industry has now evolved to cloud computing, virtualization, Web services and converged IP networks. Welcome to stateless HTTP transactions, dynamic IP addressing and Microsoft SharePoint, where the marketing group can set up their own site and start sharing data with no controls at all. Off-line analysis of logs has fallen behind and yields too little, too late for the IT auditor! According to the PCI Data Security council in Europe, over 30% of companies with a credit card breach discovered the breach after 30 days and 40% after more than 60 days.

Disconnect No. 2: IT auditors have the job, but they have outdated tools and are way behind the threat curve. What can you do? Give your internal auditors real-time network-based data loss monitoring and let them do their job.

Physical security

Physical security starts at the parking lot and continues to the office, with tags and access control. Office buildings can do a simple programming of the gates to ensure that every tag leaving the building also entered the building. Many companies run employee awareness programs to remind the staff to guard classified information and to look for suspicious behavior.

Disconnect No. 3: Perfect physical security will be broken by an iPhone.  What can you do? Not much.

Information security

Information security builds layers of firewalls and content security at the network perimeter, and permissions and identity management that control access by trusted insiders to digital assets, such as business transactions, data warehouse and files.

Consider the psychology behind wall and moat security.

Living inside a walled city lulls the business managers into a false sense of security.

Do not forget that firewalls let traffic in and out, and permissions systems grant access to trusted insiders by definition. For example, an administrator in the billing group will have permission to log on to the accounting database and extract customer records using SQL commands. He can then zip the data with a password and send the file using a private Web mail or ssh account.

Content-security tools based on HTTP/SMTP proxies are effective against viruses, malware and spam (assuming they’re maintained properly). These tools weren’t designed for data loss prevention. They don’t inspect internal traffic; they scan only authorized e-mail channels. They rely on file-specific content recognition and have scalability and maintenance issues. When content security tools don’t fit, we’ve seen customers roll out home-brewed solutions with open-source software such as Snort and Ethereal. A client of ours once used Snort to nail an employee who was extracting billing records with command-line SQL and stealing the results by Web mail. The catch is that they knew someone was stealing data, and deployed Snort as a way of collecting incriminating evidence, not as a proactive real-time network monitoring tool.

Disconnect No. 4: Relying on permissions and identity management is like running a retail store that screens you coming in but doesn’t put magnetic tags on the clothes to prevent you from wearing that expensive hat going out. What can you do? Implement real-time data loss audit using passive network monitoring at the perimeter. You’ll get an excellent picture of anomalous data flowing out of your network without the cost of installing software agents on desktops and servers. The trick is catching and then remediating the vulnerability as fast as you can. If it’s an engineer sending out design files or a contractor surfing the net from your firewall, fix it now, not 3 months from now.

Conclusion

To correct the disconnects and make data security part of your business, you need to start with CEO-level commitment to data security.  Your company’s management controls should explicitly include data security:

  • Soft controls: Values and behavior sensing
  • Direct controls: Good hiring and physical security
  • Indirect controls: Internal audit

Has the threat of cyberwar been grossly exaggerated?

Bruce Schneier writes that The Threat of Cyberwar Has Been Grossly Exaggerated

Not unpredictably, the essay yielded a lively discussion. I agree with Bruce, especially because of all the hype around Stuxnet. On one hand, the locals in Israel more or less know, or guess, who worked on the project; on the other hand, there are clumsy attempts at disinformation. Shai Blitzbau is trying to claim that it is not military code, but didn’t do his homework regarding WinCC (a Siemens Windows application for industrial command and control, not a special version of Windows for SCADA systems as Blitzbau wrote). The WinCC software requirements read:

Software Requirements
WinCC V6.2 is released for the following operating systems:

  • Windows XP Professional Service Pack 2 (client / single-user station)

  • Windows 2000 Professional Service Pack 4 (client / single-user station)
  • Windows Server 2003 Service Pack 1 (client / single-user station / server)
  • Windows Server 2003 R2 (client / single-user station / server)

Microsoft SQL Server 2005 SP1 is used as the database and is supplied with WinCC Version 6.2. The SQL Server system administrator password can be assigned by the user and supports adherence to company password conventions.

While Blitzbau is probably trying to link-bait some headlines with a contrarian opinion, 500MB of well written code by a large multi-disciplinary team looks and smells like cyber war no matter what languages the developers speak and use.

Nonetheless – cyber war is overhyped.

I found it significant that Schneier’s article and the resulting discussion thread skimmed over the obvious, namely that:

In real war (as defined by soldiers of one state fighting soldiers of another state) or real terror (as defined by bad people who kill civilians) – real people get killed.

As an Israeli – I find the American fixation on cyber terror and cyber war somewhat amusing.

Although I understand that it is fundamentally a way of generating more business for the Raytheons of this world – the American fixation on cyber-war and cyber terror goes beyond DoD and Pentagon turf wars.

For many Americans, cyber war must seem like a safe way of vicariously participating in some kind of a cool war effort without having to pay the physical and emotional price of dealing with losing friends and families to real world terrorists or soldiers.

Perhaps, if I might speculate, it is possible that President Obama has not declared war on Afghanistan because it runs contrary to his liberal Weltanschauung of “let’s solve conflicts by talking to everyone since everyone is created equal”.

Cyber war and cyber terror are proofs of the inequality of life and the inequality of war.

While the DHS, NSA, FBI and CIA would have difficulty producing a single example of a real person being murdered by a piece of targeted malware, any Israeli you meet, including yours truly, has close friends or family who were killed by real wars and real terrorists.


Will smart phones replace credit cards?

A recent post, “Can smartphones replace credit cards”, wonders whether or not consumers are ready to trade in their plastic for their cell phone.

Mobile payment technology has been around for about 10 years and it has not really taken off in a big way, although there are niche applications. In Tel Aviv, for example, you can buy drinks in vending machines with your cell phone and pay for parking.

Clearly it’s not a technology barrier to entry but a cultural barrier to entry.


More nonsense with numbers

Now it’s some lazy journalist at Information Week aiding and abetting the pseudo-statistics of the Ponemon Institute, with screaming headlines about the cost of data breaches of PHI (protected healthcare information).

According to Information Week (“Analysis: Healthcare Breach Costs May Reach $800 Million”):

Since the Health Information Technology for Economic and Clinical Health Act or HITECH Act of 2009 came to being, a number of new privacy, security and reporting and non-compliance penalty provisions went into effect. And as summarized by this report from HITRUST, there have been 108 entities who have reported security breaches since September of last year.

Those breaches comprise about 4 million people and records.

In the analysis, Chris Hourihan Manager, CSF Development and Operations, HITRUST used the 2009 Ponemon Institute Cost of a Data Breach Study [.pdf], which found the average cost for each record within a data breach to be $204. That’s $144 of indirect costs and $60 of direct costs. An overview of the Ponemon study is available here.

What is the connection between the Ponemon studies (sponsored by data security vendors) and the PHI leakages?

Nothing.

Why is a PII leak and a meaningless plug number of $60 relevant to PHI (which requires a combination of medical data and personal identifiers)?

Why can’t someone make a phone call and ask how much the companies actually paid in fines, and then make a few more phone calls and start estimating ancillary costs and direct costs such as legal?

Why not just multiply by the average cost of an iPhone?

After all, you can steal data with your mobile easily enough, can’t you?


Data security breaches can wreak havoc on people’s lives

Aug 7, 2010 WASHINGTON, D.C.—U.S. Senators Mark Pryor (D-AR) and John D. (Jay) Rockefeller IV (D-WV) today introduced legislation to require businesses and nonprofit organizations that store consumers’ personal information to put in place strong security features to safeguard sensitive data, alert consumers when this data has been breached, and provide affected individuals with the tools they need to protect their credit and finances. Currently, there is no single federal standard for guarding many types of consumer information.

I cannot believe my eyes – “no single federal standard”??

I am at a loss to understand why the US needs another data security bill when there is already a plethora of regulations regarding personal information: Gramm-Leach-Bliley (financial services), PCI DSS (credit cards), HIPAA (health care) and the state data security bills (CA SB 1386, the Massachusetts data privacy regulation, etc.). This is without even mentioning FISMA and the NIST security requirements for implementing HIPAA. With Obamacare in effect, it seems to me that the gold standard for PII protection will soon become HIPAA, and since health care appears to be becoming nationalized in the US, NIST will soon be the king of data security control frameworks.

Looking at data security as an exercise in providing cost-effective security countermeasures, it appears to me that the bill is most likely either a public relations play or congressional logrolling. The interesting item is the requirement to provide credit card monitoring services for a year after a breach; perhaps the bill is intended to help stimulate the business of companies like Experian, Symantec, RSA and McAfee.

The US does not need more data security regulation (requiring “strong security features” whatever that means) because with over 350 million US credit cards breached – the data is already out there. This bill is equivalent to closing the barn door after the horses have already fled.

What I would recommend to the esteemed Senators is a totally different approach – one adopted by Poland. Poland, which is a member of the EU and subject to the EU Privacy Law decided a few years back to make data security breaches expensive. If a firm in Poland breaches personal data – they are liable to up to a 2.5% fine of their annual gross revenue.

None of this hokey – “provide monitoring services and notify within 60 days” nonsense. Make US data breachers pay for their security vulnerabilities and even the playing field with the consumers – who are indeed paying the price for poor data security at American retailers and banks.


Database activity monitoring

If you deploy or are considering data security technology from Websense, Fidelis, Verdasys, Guardium, Imperva or Sentrigo, do you give a DAM?

It seems that DLP (data loss prevention) vendors are moving up the food chain into DAM (database activity monitoring). As customers deploy two products in parallel (for example Imperva and Fidelis) for DLP and DAM, the opportunity for reducing TCO (total cost of ownership) seems to be a clear imperative.

Both Websense and Fidelis Security provide DLP functionality for structured data in databases (Fidelis calls it internal DLP), and Websense provides fairly granular fingerprinting of combinations of relational table columns using their PreciseID technology.

Although Websense focuses on deep content analysis and stays away from application security, Verdasys provides application logging at the end point and Fidelis provides application analysis via the network session in addition to the deep content inspection. Both are functions strongly related to database activity monitoring.

Here are the goals I would put down for database activity monitoring, given the high level of interaction with client/server and Web applications:

  • Perform monitoring of ERP, CRM, HR, BI/data warehouse and financial application access to the data model in order to detect irregular patterns indicative of fraud (for example, repetitive access to celebrity account numbers).
  • Audit database segregation of duties (SOD), for example by detecting select-all (SELECT *) statements by database administrators on schemas involving customer data.
  • Measure the extent of database vulnerabilities in order to quantify probability of occurrence.
  • Do it without having to touch the database management system software, for example by sniffing database network traffic and decoding the protocols, like Oracle OCI.
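As an added example (not code from any of the vendors named above), here are the first two goals written as detection logic over a constructed sample of decoded SQL statements, the kind a passive network sensor would reconstruct from client/server traffic. The schema name, the DBA account list and the repetition threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample of SQL statements as a network-based DAM sensor would
# reconstruct them from sniffed client/server traffic (no agent on the DBMS).
# Each record: (timestamp, database user, client application, SQL text).
SAMPLE_EVENTS = [
    ("2010-09-01T09:00:01", "dba_joe",    "sqlplus", "SELECT * FROM crm.customers"),
    ("2010-09-01T09:00:04", "dba_joe",    "sqlplus", "select * from sys.v$session"),
    ("2010-09-01T09:01:10", "crm_app",    "crm_web", "SELECT name, balance FROM crm.customers WHERE account_no = '100200300'"),
    ("2010-09-01T09:01:12", "crm_app",    "crm_web", "SELECT name, balance FROM crm.customers WHERE account_no = '100200300'"),
    ("2010-09-01T09:02:30", "crm_app",    "crm_web", "SELECT name, balance FROM crm.customers WHERE account_no = '555000111'"),
    ("2010-09-01T09:03:45", "crm_app",    "crm_web", "SELECT name, balance FROM crm.customers WHERE account_no = '100200300'"),
    ("2010-09-01T09:05:00", "report_svc", "bi_etl",  "SELECT * FROM crm.orders WHERE order_date >= '2010-08-01'"),
]

CUSTOMER_SCHEMA = "crm"      # schema holding customer data (assumed name)
DBA_USERS = {"dba_joe"}      # accounts held by database administrators (assumed)
REPEAT_THRESHOLD = 3         # same-account lookups by one user that count as repetitive

# A select-all statement: SELECT * FROM <schema.table>, optionally followed by more clauses.
SELECT_ALL_RE = re.compile(r"^\s*SELECT\s+\*\s+FROM\s+([\w$.]+)", re.IGNORECASE)
# Equality lookup on the account number column (column name assumed).
ACCOUNT_RE = re.compile(r"\baccount_no\s*=\s*'(\d+)'", re.IGNORECASE)


def sod_violations(events):
    """Segregation-of-duties check: a DBA account reading whole tables in the customer schema.
    Returns (timestamp, user, table) for each offending statement."""
    hits = []
    for ts, user, _app, sql in events:
        m = SELECT_ALL_RE.match(sql)
        if not m or user not in DBA_USERS:
            continue
        table = m.group(1).lower()
        if table.startswith(CUSTOMER_SCHEMA + "."):
            hits.append((ts, user, table))
    return hits


def repetitive_account_access(events, threshold=REPEAT_THRESHOLD):
    """Fraud indicator: the same account number looked up repeatedly by one user.
    Returns {(user, account_no): count} for pairs at or above the threshold."""
    counts = Counter()
    for _ts, user, _app, sql in events:
        m = ACCOUNT_RE.search(sql)
        if m:
            counts[(user, m.group(1))] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for hit in sod_violations(SAMPLE_EVENTS):
        print("SOD violation:", hit)
    for (user, acct), n in repetitive_account_access(SAMPLE_EVENTS).items():
        print(f"repetitive access: user={user} account={acct} count={n}")
```

The report account's select-all on crm.orders is deliberately not flagged: the SOD rule as stated applies to administrator accounts, and a separate policy would be needed for service accounts.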

The next generation of risk analysis

“What me worry – I’ve got a regulatory check list and an enterprise risk management system to manage the process”.

I want to talk about under-thinking the risk analysis and over-spending on the solution.

I believe that there is a fundamental flaw in enterprise risk management systems: they don’t really tell the organization something it doesn’t already know, and if we don’t bring some fresh input and new risk intelligence to the board room, we are not going to be very effective at mitigating new threats.

The problem with enterprise risk management systems starts with a focus on managing internal business processes, as if mitigating threats to intellectual property were like producing a purchase requisition.

Systems like Oracle ERM help “assess risk for a portfolio across multiple parameters” and provide a powerful way of collecting data from users by asking them how ‘risky’ their part of a business process is and then rolling up the total risk in the business process. This approach of self-assessments may actually be a very bad idea for an effective risk mitigation program, since users can answer self-guided questionnaires any way they feel like. It’s called GIGO, garbage in garbage out: a system that rolls up a bunch of arbitrary answers will give an arbitrary result, which might help the auditor rack up billable hours but may not help management anticipate and mitigate threats in a cost-effective way.

Most of these systems seem to try to satisfy one kind of compliance regulation or another. Asking a bunch of people how risky their part of the business process is, whether they care about it or not, is not a good way of ensuring quality data collection. This sort of risk assessment doesn’t help people do their job better and doesn’t help a business protect customer data more effectively.

Another vulnerability of enterprise risk management stems from a standardized check list approach, which encourages under-thinking the analysis and over-spending on the solution. Check lists like PCI DSS 1.2 were outdated the moment they were publicized, and comprehensive checklists like ISO 27001 are lacking security metrics and prioritization of control implementation, although I will grant that ISO is moving in that direction.

While checklist applications are important for the customer and the auditor in order to prove compliance – sticking blindly to a checklist doesn’t help an organization find cost-effective security controls, respond to new threats or sustain a consistent level of security.

There are a few things that I’d like to see in a next generation risk management system that might help organizations get out from under their rock and discover new threats and new ways of implementing countermeasures:

  • Believe it or not, a totally different user interface, like maybe Facebook for risk assessment. If risk assessment were a must-have business resource like general ledger, then the user interface might not matter, but I suspect that a social-networking application for risk data collection and collaboration between analysts, attackers, vendors and managers might go a long way. SMS and email, for example, were hard to use when they were first introduced, but the network connectivity value that users got out of them was so high that people used them anyway, and then the applications took off like sky rockets.
  • Global catalog of risk model classes and entities, like a Wikipedia of risk.
  • Multiple language support (let’s face it, most of the world doesn’t speak English).
  • Open source plugin risk models and model inheritance, which would enable a threat analyst in India to build a risk model base class and have an analyst in San Francisco inherit the model and add new functionality.
  • Risk model authoring and entitlement, which would help risk analysts monetize their efforts.

Standardized screening for data security risk

Best practices for data security are still evolving – as there are no industry-standard data security metrics and a confusing array of regulatory compliance and industry standards – PCI DSS 1.2, Sarbanes-Oxley, FISMA, ISO2700x – just to name a few.

Organizations (government included) currently use a combination of tactics – penetration testing, vulnerability analysis (usually at the network and sometimes at the application software layer), “fire and forget” compliance exercises and technology countermeasures such as IPS/IDS, network DLP, agent DLP, database firewalls, encryption on demand, Web application firewalls.

The one countermeasure I have never seen is standardized screening. Borrowing an approach from health care, consider the following:

Standardized screening for suicide risk in primary care can detect adolescents with suicidal ideation, allowing referral to a behavioral healthcare center before a fatal or serious suicide attempt is made, according to the results of a study reported online April 12 and published in the May print issue of Pediatrics.

“Several associations and federal agencies have called for depression screening in pediatric primary care,” writes Matthew B. Wintersteen, PhD, from Thomas Jefferson University in Philadelphia, Pennsylvania. “Screening for suicide risk is a natural adjunct to this call….To our knowledge, this is the first study to prospectively examine the impact of standardized screening for suicide risk on detection and referral rates in pediatric primary care.”

The goals of the study were to evaluate whether brief standardized screening for suicide risk in pediatric primary care practices could improve detection of youth with suicidal ideation, maintain improved rates of detection and referral, and be duplicated in other practices.

It seems to me that duplicating brief standardized screening in data security practice is eminently possible. A possible approach would involve using a standard threat model based on a comprehensive set of security controls (ISO 27001 would work fine for this purpose). The process would start with a pre-screening preparation exercise that an organization could do in the office in 1-2 hours. After the preparation exercise, a group of 3-5 people from a business unit would meet with a data security specialist for the standardized screening, which would walk through the threat model and gauge the probability of occurrence of vulnerabilities and the percent damage to assets by threats. Based on my experience, this sort of walk-through would take 2-3 hours using the structured threat model. The result of the threat analysis would be a level of value at risk to the organization for data security, and indeed a 1/2 day qualifies as brief enough.


The 4 questions

One of the famous canons in the Jewish Passover “seder” ritual is 4 questions from 4 sons – the son who is wise, the son who is wicked, the son who is innocent and the son who doesn’t know enough to ask.

I sometimes have this feeling of déjà vu when considering data security technology solutions. Although the analogy is not at all parallel, I have written a list of 4 questions to be asked when considering a DLP solution; these questions require clear, authoritative answers just like in the Passover seder (lehavdil, with all due distinction between the two).

  1. What is the key threat scenario?
  2. How much Value at Risk is on the table?
  3. Who owns the project?
  4. Does the DLP technology fit the threat scenario?

1 – What is the key threat scenario?

Here are some typical threat scenarios – the key threat scenario should keep a C-level executive awake at night.

| Threat Scenario | Sample Asset(s) | Threat(s) | Vulnerabilities | Countermeasures |
| --- | --- | --- | --- | --- |
| Leakage or theft of PII (personally identifiable information) | Customer data and/or credit cards | Insiders; resellers; criminals; hackers; terrorists | Employees may be bribed or exploited; weak passwords; Wi-Fi networks; temporary files; firewalls; proxy bypass; Web services; FTP services; operating systems | Network DLP; database DLP; encryption; policies; procedures; software security assessments; patching |
| Loss of IP on servers | Designs | Insiders; competitors | Same | Network DLP |
| Loss of IP in the cloud | Designs | Insiders; competitors; vendor employee | Same + unreliable cloud vendor | Network DLP at provider |
| Loss of IP on notebooks | Designs | Employees; theft; loss | Employees in airports | Agent DLP; encryption |
| Loss of data from business partners | Customer data, IP | Partner may steal the data | Partner systems; Web based links; firewalls | Network DLP; agent DRM or agent DLP |

See http://www.software.co.il/wordpress/2010/02/is-there-a-business-need-for-dlp/

2 – What is your value at risk?

Once you have identified the key threat scenario, you must know how much value at risk is generated when a threat exploits vulnerabilities to cause damage to assets. The basis for measuring VaR (value at risk) is the asset value (generally determined by the CFO) –

VaR = asset value x threat probability x estimated damage to asset value in a percentage

The VaR is reduced by a set of security countermeasures that also have a cost. VaR is best calculated in a data security based risk assessment that uses DLP technology to measure frequencies of threat occurrence and a calculative threat model to derive VaR.

Most companies are not at a sufficient level of security maturity to do this exercise themselves – and will need an independent consultant with specific data security expertise and the ability to do analytical threat modeling.

Within a couple of weeks, you should be able to get a picture of your current data security events, know your data value at risk in Euro and build a prioritized program for cost-effective DLP countermeasures.

See http://www.software.co.il/wordpress/2010/01/building-a-business-case-for-dlp/
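A worked version of the VaR formula above, added here as an example (it is not the author's own practical threat analysis tooling); it also covers the threat-model walk-through described in the standardized screening post, scoring constructed scenarios taken from the threat-scenario table and then building the prioritized countermeasure program. Asset values, probabilities, damage percentages and countermeasure costs are constructed sample figures, and ranking countermeasures greedily by net VaR reduction is my assumption, not a method stated on the page.

```python
from dataclasses import dataclass, field


@dataclass
class Threat:
    """One row of the threat model: a threat exploiting vulnerabilities to damage an asset."""
    name: str
    asset: str
    asset_value: float   # asset value in EUR, the figure the CFO signs off on (constructed)
    probability: float   # probability of occurrence per year, e.g. derived from DLP event counts
    damage_pct: float    # estimated damage to asset value, as a fraction of the asset value

    def var(self) -> float:
        # VaR = asset value x threat probability x estimated damage to asset value
        return self.asset_value * self.probability * self.damage_pct


@dataclass
class Countermeasure:
    name: str
    annual_cost: float                              # EUR per year
    mitigates: dict = field(default_factory=dict)   # threat name -> fraction of that threat's VaR removed


# Constructed scenarios drawn from the threat-scenario table; all figures are sample values.
THREATS = [
    Threat("PII leakage by insiders", "Customer records", 5_000_000, 0.30, 0.20),
    Threat("Design theft from servers", "Designs", 10_000_000, 0.10, 0.50),
    Threat("Notebook loss in airports", "Designs on notebooks", 2_000_000, 0.40, 0.25),
]

CANDIDATES = [
    Countermeasure("Network DLP", 80_000, {"PII leakage by insiders": 0.6, "Design theft from servers": 0.5}),
    Countermeasure("Agent DLP", 60_000, {"Notebook loss in airports": 0.5, "PII leakage by insiders": 0.3}),
    Countermeasure("Notebook encryption", 20_000, {"Notebook loss in airports": 0.9}),
    Countermeasure("Database DLP", 120_000, {"PII leakage by insiders": 0.5}),
]


def total_var(threats):
    """Value at risk before any countermeasures."""
    return sum(t.var() for t in threats)


def residual_var(threats, countermeasures):
    """VaR left after the given countermeasures; reductions on one threat compose multiplicatively."""
    total = 0.0
    for t in threats:
        remaining = 1.0
        for c in countermeasures:
            remaining *= 1.0 - c.mitigates.get(t.name, 0.0)
        total += t.var() * remaining
    return total


def prioritize(threats, candidates):
    """Greedy program: keep adding the countermeasure with the largest net benefit
    (VaR reduction minus its annual cost) until no remaining candidate pays for itself.
    Returns [(countermeasure name, net benefit in EUR), ...] in the order chosen."""
    chosen, plan, remaining = [], [], list(candidates)
    while remaining:
        base = residual_var(threats, chosen)
        best, best_net = None, 0.0
        for c in remaining:
            net = (base - residual_var(threats, chosen + [c])) - c.annual_cost
            if net > best_net:
                best, best_net = c, net
        if best is None:
            break
        chosen.append(best)
        remaining.remove(best)
        plan.append((best.name, best_net))
    return plan


if __name__ == "__main__":
    print(f"VaR before countermeasures: EUR {total_var(THREATS):,.0f}")
    for name, net in prioritize(THREATS, CANDIDATES):
        print(f"  adopt {name}: net benefit EUR {net:,.0f}")
    print(f"residual VaR after the program: EUR {residual_var(THREATS, [c for c in CANDIDATES if c.name in ('Network DLP', 'Notebook encryption')]):,.0f}")
```

With these sample figures, Database DLP never makes the program: once Network DLP has cut the PII exposure, the remaining reduction it buys is worth less than its cost.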

3 – Who owns the project?

Beware of organizational politics and silos and conflicting agendas.  Need I say more?

4 – Does the DLP technology fit the threat scenario?

Just because the vendor sold you an anti-virus product doesn’t mean that his DLP technology is a good fit (even if it’s free).

Example A: A network DLP solution may be required with 1GB throughput; if the technology saturates at 200MB/s then the solution is not a good fit.

Example B: An agent DLP solution may be required that is capable of identifying IP in AutoCAD files; if the content analysis software is incapable of decoding AutoCAD, then the countermeasure does not mitigate the vulnerability.
