Tag Archives: Verdasys

Why the Europeans are not buying DLP

It’s one of those things that European-based information security consultants must  ask themselves at times – why isn’t my phone ringing off the hook for DLP solutions if the European Data protection directives are so clear on the requirement to protect privacy?

The central guideline is the EU Data Protection Directive – and reading the law, we begin to get an answer to our dilemma.

Continue reading

Tell your friends and colleagues about us. Thanks!
Share this

The top 2 responses to data security threats

How does your company mitigate the risk of data security threats?

Is your company management adopting a policy of “It’s other peoples money”?

In a recent thread on LinkedIn – Jody Keyser shared some quotes from David Vose’s book on risk, reliability and computerized risk modeling:  Risk Analysis a quantitative guide.

The responses to correctly identified and evaluated risks are many but generally fall into one of the following categories:

– Cancel Project
– Eliminate ( do it another way)
– Transfer (insure back to back contract)
– Share (with partner or contractor )
– Reduce (take a less risky approach)
– Add a contingency (increase budget, deadline etc.,to allow for possibility of risk)
– Collect more data to better understand risk
– Do nothing (cost is just too dang high)
– Increase ( maybe the plan is too cautious )

In my experience – when it comes to data security, data loss prevention, DLP projects – the top 2 responses to data security threats are “accept the risk” followed by “cancel the project” in a close second place.

The other alternatives are almost all non-starters. The question is – why?

Eliminating risk by changing the business process is often not an option or too much trouble for employees. For example – consider the process of transferring documents to external contractors – even though it’s trivial to encrypt documents inside a Zip file and share the password – most companies don’t make it part of their security procedure and those that do require encryption of documents sent to external business partners, don’t deploy DLP monitoring to ensure compliance with the encryption policy.

There are multiple reasons for data security risk being accepted by business managers.  Most are related to cost, complexity, changing business requirements and a tacit disbelief in effectiveness of technology in preventing data theft and fraud.

The reasons for accepting data security risk are related to  the difference between being secure and feeling secure.  Since most companies don’t monitor data flows, they don’t know how many sensitive digital assets are being leaked to the competition – ergo they don’t have the empirical data to analyze their data security threats and measure data security risks in terms of dollar threat to the business.  This would lead to enable a business to deploy data security countermeasures and be secure at an acceptable cost. It would also enable them to measure the cost effectiveness of their data security technology and challenge their innate beliefs and skepticism.

However – the company management already feel secure because they have delegated that part of  the business to the information security folks and reading the papers tells them that customers (not the business management) pay the cost of a data security breach.

As a kid growing up in South Jersey – when there was the occasional report of an urban boondoggle or million dollar NASA toilets – my Dad (who worked for RCA on defense projects and knew about these things) would always use the expression – “Other peoples money” or if it was closer to home – “Pa’s rich and Ma don’t care”…which is really close to home this year for Americans as President Obama takes the US to an unprecedented $1.35 trillion budget deficit in  2010.

Tell your friends and colleagues about us. Thanks!
Share this

The 4 questions

One of the famous canons in the Jewish Passover “seder” ritual is 4 questions from 4 sons – the son who is wise, the son who is wicked, the son who is innocent and the son who doesn’t know enough to ask.

I sometimes have this feeling of Deja vu when considering data security technology solutions. Although the analogy is not at all parallel – I have written a list of 4 questions to be asked when considering a DLP solution – these questions require clear, authoritative answers just like in the Passover seder (להבדיל).

  1. What is the key threat scenario?
  2. How much Value at Risk is on the table?
  3. Who owns the project?
  4. Does the DLP technology fit the threat scenario?

1 – What is the key threat scenario?

Here are some typical threat scenarios – the key threat scenario should keep a C-level executive awake at night.

Threat Scenario

Sample Asset(s)

Threat(s)

Vulnerabilities

Countermeasures

Leakage or theft of PII (personally identifiable information)

Customer data and/or credit cards

Insiders

Resellers

Criminals

Hackers

Terrorists

Employees may be bribed or exploited

Weak passwords

Wi-Fi networks

Temporary files

Firewalls

Proxy bypass

Web services

FTP services

Operating systems

Network DLP

Database DLP

Encryption

Policies

Procedures

Software security assessments

Patching

Loss of IP on servers

Designs

Insiders

Competitors

Same

Network DLP

Loss of IP in the cloud

Designs

Insiders

Competitors

Vendor employee

Same +

Unreliable cloud vendor

Network DLP at provider

Loss of IP on notebooks

Designs

Employees

Theft

Loss

Employees in airports

Agent DLP

Encryption

Loss of data from business partners

Customer data, IP

May steal the data

Partner systems

Web based links

Firewalls

Network DLP

Agent DRM or

Agent DLP

See http://www.software.co.il/wordpress/2010/02/is-there-a-business-need-for-dlp/

2 – What is your value at risk?

Once you have identified the key threat scenario, you must know how much value at risk is generated when a threat exploits vulnerabilities to cause damage to assets. The basis for measuring VaR (value at risk) is the asset value (generally determined by the CFO) –

VaR = asset value x threat probability x estimated damage to asset value in a percentage

The VaR is reduced by a set of security countermeasures that also have a cost. VaR is best calculated in a data security based risk assessment that uses DLP technology to measure frequencies of threat occurrence and a calculative threat model to derive VaR.

Most companies are not at a sufficient level of security maturity to do this exercise themselves – and will need an independent consultant with specific data security expertise and the ability to do analytical threat modeling.

Within a couple weeks, you should be able to get a picture of your current data security events, know your data value at risk in Euro and build a prioritized program for cost-effective DLP countermeasures.

See http://www.software.co.il/wordpress/2010/01/building-a-business-case-for-dlp/

3 – Who owns the project?

Beware of organizational politics and silos and conflicting agendas.  Need I say more?

4 – Does the DLP technology fit the threat scenario?

Just because the vendor sold you an anti-virus product doesn’t mean that his DLP technology is a good fit (even if it’s free)

Example A:  A network DLP solution may be required with 1GB throughput, if the technology saturates at 200MB/S then the solution is not a good fit.

Example B:  An agent DLP solution may be required that is capable of identifying IP in AutoCAD files; if the content analysis software is incapable of decoding AutoCAD, then the countermeasure does not mitigate the vulnerability.

Tell your friends and colleagues about us. Thanks!
Share this

Do you have a business need for DLP?

To be able to do something before it exists,
sense before it becomes active,
and see before it sprouts.


The Book of Balance and Harmony

(Chung-ho chi).
A medieval Taoist book

Will security vendors, large to small  (Symantec, McafeenexTierANBsys and others..) succeed in restoring balance and harmony to their customers by relabeling their product suites as unified content security (Websense) or enterprise information protection (Verdasys)?

I don’t think so.

Unfortunately – data security is not an enterprise suite kind of problem like ERP. You don’t have harmony, synergy and control over business process; you have orthogonal attack vectors:

  • Human error – cc’ing a supplier by mistake on a classified RFP document
  • System vulnerabilities – Production servers with anonymous file transfer protocol (FTP) turned on
  • Criminal activity – Break-ins, bribes and double agents (workers who spy for other groups or companies)
  • Industrial competition/breach of non-disclosure agreements – the actuary who went to work for the competition

After 5 years of hype, most  customers have a high awareness of DLP products but fewer (especially outside the US) are buying DLP technologies  and even fewer are succeeding with their DLP implementations. This stems from the customer and vendors’ inability to answer two simple questions:

  1. Who is the buyer?
  2. What is her motivation to protect information?

A common question I hear from my clients, is, “Who should ‘own’ data security technology?” Is it the vice president, internal auditor, chief financial officer, CIO or CSO, our security consultants or our IT outsourcing vendor; IBM Global Services?

If there is no clear business need for information protection (the kind that a CEO can enunciate in a  sentence) – the company is not going to buy DLP technology.

The business need for data security derives directly from  the CEO and his management team. In firms with outsourced IT infrastructure, the need for data security becomes more acute as more people are involved with less allegiance to the firm.

To help qualify an organization’s business need for DLP technology, let’s examine the decision drivers, or what compels companies to buy data security products, and the decision-makers, or those who sign off on the products. Let’s look at seven industries: banking, credit card issuing, insurance, pharmaceuticals, telecommunications, health care and technology.

INDUSTRY TYPICAL DATA SECURITY DRIVERS DECISION – MAKERS
BANKING A real event, such as theft of confidential customer account information by trusted insiders

Privacy regulations such as the Gramm-Leach-Bliley Act, HIPAA

The Sarbanes-Oxley Act, for transparency and timeliness in reporting of significant events

CSO or CIO
CREDIT CARD ISSUERS Ongoing theft of customer transactional information by customer service reps

Data breach threat to credit card numbers that haven’t yet been printed on plastic cards and issued to card holders

Privacy regulations, Sarbanes-Oxley , nondisclosure agreements with business partners

The security officer or information security officer (many issuers have separate functions for physical and information security)
INSURANCE A real event, such as theft of customer lists by competitors

Fear of losing actuarial data

Exposure to data leakage of credit card numbers in online systems

General counsel, VP of internal audit, CFO
PHARMACEUTICALS Theft of chemistry, manufacturing and control information, product formulation and genome data by trusted insiders

Difficulty in preserving secrecy of sensitive intellectual property prior to patent filings

Sensitivity of company records during due diligence processes

General counsel, CFO, chief compliance officer
TELECOM/ONLINE BUSINESS
(Telecom service providers and large online operations such as Yahoo collect and aggregate huge quantities of data, and the higher up the value chain you go with data aggregation, the more valuable and vulnerable the asset.)
Prepaid code files

Pricing data

Strategic marketing plans

Call detail records (analogous to credit card transaction records, these are extrusions by customer service representatives to private investigators and difficult to detect)

Customer credit card records

VP of internal audit, VP of technologies
HEALTH CARE Privacy regulations/HIPAA

Need to protect pricing data of drugs and supplies purchased by the health care organization

CSO, VP of internal audit
TECHNOLOGY COMPANIES Theft of:

Source code

Designs, pictures and plans of proprietary equipment

Strategic marketing plans

CEO, CTO
Tell your friends and colleagues about us. Thanks!
Share this

Free agent DLP from Sophos

Sophos anti-virus

Sophos has announced that they will soon include endpoint data loss prevention functionality in their anti-virus software. Developed in-house, Sophos will have an independent offering – unlike Websense, RSA, Symantec, Trend Micro and McAfee (who all purchased DLP technology) and have integrated it into their product lines with various levels of success (or not).

The Sophos move to include agent DLP functionality for free is a breath of fresh air in a data security industry long known for long-winded, heavy-handed, clumsy and frequently amateurish attempts at exploiting the waves of data breaches into a franchise that would drive sales of products purchased from visionary DLP startups.

Sophos is known to be independent and may not be inclined to partner with other pure-play  data security vendors like the network DLP company – Fidelis Security Systems. They may not have to partner if the play works well.

Beyond strategic speculation, the Sophos move should give customers a very good reason to ask why they should spend $80-150 for a Verdasys Digital Guardian agent, or $40-80 for  McAfee agent DLP software.

If Sophos can do a solid job on detecting and preventing loss of digital assets such as credit cards or sensitive Microsoft Office files at the point of use, then free looks like an awfully good value proposition.

With the recent deal that Trend Micro did at Israel Railroads for almost free ($10/seat) for 2500 seats (Trend can’t be making money on that transaction); but free or almost-free is not a bad penetration strategy if it gets your agent on every desktop in the enterprise and you get footprint and recurring service revenue for anti-virus.

I know I will be taking a close look when the software is released.

Tell your friends and colleagues about us. Thanks!
Share this

The Americanization of IT Research

The Burton Group have released the results of their research that concludes that Symantec (Vontu), RSA (Tablus) and Websense (Port Authority) are the leading DLP vendors.

Burton’s choice is indicative of the Americanization of the information security space, where government compliance regulation and large security vendor marketing agendas appear to drive US customer security decisions. (Note that compliance is not equivalent to security  for several fundamental reasons as I noted in my post Compliance is the new security standard)

Outside the US, the story is a bit different.

We hardly encounter RSA in EMEA as a DLP solution – RSA Security have the largest development group dedicated to data loss prevention and that counted for a lot in the Burton study. I’m not sure why. Great software today is usually written by small teams, I would not equate number of programmers with quality of software.

I recently met Bill Nagel from Forrester and he told me that in a seminar that Forrester ran recently (September 09) in Holland – none of the CISO’s at the seminar were planning a DLP implementation this year and only 20% were considering a DLP implementation in 2010.

Clients I speak with in EMEA are less interested in enterprise information protection (although the advantages are patently clear, the technology is patently not there yet…) and more interested in exploring tactical solutions like DLP “Lite” – monitoring SMTP and HTTP channels for data security violations and using that information to enforce business process and improve employee behavior.

Continue reading

Tell your friends and colleagues about us. Thanks!
Share this

DLP – a Disturbing Lack of Process?

Please do not disturb, we are testing DLP technologyTed Ritter has suggested that we rename DLP a Disturbing Lack of Process

Indeed DLP is not a well-defined term – since so many vendors (Kaspersky anti-virus, McAfee anti-virus, Symantec anti-virus, Trend Micro Provilla, CA Backup…you name it) have labeled their products “Data loss prevention” products in an attempt to turn the tide of data breaches into a  franchise that will help them grow sales volume.

I disagree however – that DLP might be renamed as a “Disturbing lack of process” . Not even as a joke.

I do not think that lack of business process is the issue. Any company still afloat today has  business processes designed to help them take orders, add value and make money. They understand by themselves that they must protect  their intellectual property from theft and abuse.

The question is not lack of process but whether or not security is being used to help enforce business process in the relevant areas of product safety, customer service, employee workplace security and information protection in business-to-business relationships.

In a profitable company, the business processes are aligned with company strategy to one degree or another. Good companies like Intel are strong on business strategy, process and execution while government organizations tend to be strong on strategy (President Obama) and regulation (FISMA) and short on execution (Obama Nobel Peace Prize).  This is true in most countries, maybe Germany, Singapore and Japan do a better job than most.

I think we are doing most businesses an injustice by asserting that they have a “disturbing lack of process”- instead we should focus on the question of where and how security fits into the business strategy and how it can help enforce relevant processes in the areas of customer protection and privacy, customer service, employee security and privacy and information protection with business partners.

An approach that uses data security for process enforcement automatically aligns data security with company strategy (assuming that the business processes support the company strategy, we may assume an associative relationship).

Using data security for process enforcement also simplifies DLP implementations since the number of business processes and their data models is far smaller than the number of data types and data records in the organization. Easier to enumerate is easier to protect.

It is indeed immensely easier to describe a 7 step customer service process and use DLP to enforce it than try and perform e-Discovery on 10 Terabyte of customer data contained in databases and workstations.

The 3 basic tenets of information security are data confidentiality, integrity and availability. DLP addresses the confidentiality requirement, leaving integrity and availability to other technologies and procedures that are deployed in the enterprise.

The key  to effective enterprise information protection is making information security part of enterprise business processes – for example:

  • Confidentiality: not losing secret chemical formulas to the competition. (Note that credit card numbers on their own, are not confidential information according to any of the US state privacy laws. A single credit card number without additional PII is neither secret nor of much use).
  • Integrity: not enabling traders to manipulate forex pricing for personal advantage.
  • Availability: protecting servers from DDOS attacks.

DLP is having an uphill battle because (in the US at least), DLP technologies are point solutions deployed for privacy compliance rather than for business process enforcement and enterprise information protection.

DLP technology is best used as a process enforcement tool not as a compliance trade off;  unlike PCI DSS 1.2 section 6.6 that mandates a Web application firewall or a software security assessment of your web applications. It is easier (but perhaps more expensive) to buy a piece of technology and check off Section 6.6) than fix the bugs in your software – or … enforce your business processes.

Tell your friends and colleagues about us. Thanks!
Share this

Data security for SMB

Yesterday, I gave a talk at our Thursday security Webinar about data security for SMB (small to mid-sized businesses).

I’ve been thinking about DLP solutions for SMB for a couple of years now; the market didn’t seem mature or perhaps SMB customer awareness was low, but with the continued wave of data security breaches, everyone is aware.  The DLP vendors like Verdasys, Fidelis and Vontu (now Symantec) have focused traditionally on Global 1000 companies, but Infowatch is now preparing a product specifically tailored for the SMB market business requirements and pocket.  There are about 10 million SMBs in the world so this would be appear to be a fertile market for both attackers and defenders.

Continue reading

Tell your friends and colleagues about us. Thanks!
Share this

Is PCI DSS a failure?

A recent Ponemon survey found 71% of companies don’t consider PCI as strategic though 79% had experienced a breach. Are these companies assuming that a data security breach is cheaper than the security?

How should we understand the Ponemon survey.  Is PCI DSS a failure in the eyes of US companies?

Let’s put aside the technical weaknesses, political connotations and commercial aspects of the PCI DSS certification franchise for a second.

Consider two central principles of security – cost of damage and goodness of fit of countermeasures

a) The cost of a data security breach versus the cost of the security countermeasures IS a bona-fide business question. If the cost of PCI certification is going to be 1M for your business and your current Value at Risk is only 100k – then PCI certification is not only not strategic, it is a bad business decision.

b) Common sense says that your security countermeasures should fit your business not a third-party checklist designed by a committee and obsolete by the time it was published.

The fact the Ponemon study shows that 71% of businesses surveyed don’t see PCI as strategic is an indication that 71% have this modicum of common sense. The other 29% are either naive, ignorant or work for a security product vendor.

Common sense is a necessary but not sufficient condition
If you want to satisfy the two principles you have to prove 2 hypotheses:
Data loss is currently happening.

  • What data types and volumes of data leave the network?
  • Who is sending sensitive information out of the company?
  • Where is the data going?
  • What network protocols have the most events?
  • What are the current violations of company AUP?

A cost effective solution exists that reduces risk to acceptable levels.

  • What keeps you awake at night?
  • Value of information assets on PCs, servers & mobile devices?
  • What is the value at risk?
  • Are security controls supporting the information behavior you want (sensitive assets stay inside, public assets flow freely, controlled assets flow quickly)
  • How much do your current security controls cost?
  • How do you compare with other companies in your industry?
  • How would risk change if you added, modified or dropped security controls?

If PCI is a failure, it is  not because it doesn’t prevent credit card theft (there is no such animal as a perfect set of countermeasures) but PCI is a failure because it does not force a business to use it’s common sense and ask these practical, common-sense business questions

Danny Lieberman
Join me every Thursday for an online discussion of best practices – Register now

Tell your friends and colleagues about us. Thanks!
Share this