
DLP Evaluation Criteria
Written by David Torre

What is DLP?


The term data loss prevention (or sometimes data "leak" prevention) is often used to describe a specific product or technical solution which addresses the need to prevent loss of intellectual property or otherwise sensitive information. Although the goal here is to help you examine such products, it is important to realize that the path to DLP Zen lies not in choosing the right products, but in viewing DLP as an overall strategy. DLP itself encompasses many facets of information security which often intersect various technological boundaries. Getting your head around the fact that DLP is a process, and not a product, is the first step in building an effective DLP solution.

DLP Benefits


Many of the information security offerings on the market today, including intrusion detection systems (IDS), unified threat management systems (UTM), and countless others, are primarily geared towards protecting internal assets from external threats. Conversely, the goal of a DLP system is to protect sensitive or proprietary information from "leaking" outside the enterprise to unauthorized or unprotected locations. For example, a DLP system may be used to prevent credit card numbers from being transmitted in cleartext email, or to ensure that employees' social security numbers are not accessible to those outside of the human resources department. Put simply, DLP solutions focus not on keeping the bad elements out of your network, but rather on keeping the sensitive data inside it protected at all times.

DLP Evaluation: Preflight Checklist


Before diving head-first into the nuts and bolts of a DLP deployment, one must become acquainted with a few prerequisites which most DLP implementations will entail. First off, if you think your DLP deployment will be "plug-and-play," think again. Unlike antivirus, IDS, or UTM products which come packaged with hundreds or even thousands of generic signatures, DLP solutions ship lean and mean, often with only a handful of signatures to detect exceedingly common patterns such as US social security numbers and the credit card number formats used by the various payment card industry institutions.

Remember, DLP solutions focus on protecting internal information. As such, you must have intimate knowledge of key business processes, common business lingo/phrases, and recognizable data flow patterns well before deploying a DLP solution. After all, how can one protect business data if the business itself is misunderstood? Regardless of your personal degree of business aptitude, it is often advantageous to enlist the help of business unit managers to assist in identifying high-risk areas as well as acceptable usage of such information. Doing so will surely result in a far more effective implementation.

DLP Architecture


Data is everywhere within the enterprise. It traverses numerous network paths to eventually land on file servers, web sites, or laptops. As DLP solutions target data at rest as well as data in motion, specific vendor solutions will often target strategic "chokepoints" for deployment such as the network itself, file servers, and client systems. Each of these areas is described in detail below, along with essential functionality one must consider when evaluating such products.

DLP Network Modules


The primary purpose of a DLP network module is to analyze data in motion. Similar to a firewall or IDS system, network DLP modules are often placed at the perimeter of the enterprise network in order to monitor data as it enters or leaves the organization.

DLP network modules can be passive, reactive, or both. With passive deployments, traffic is merely monitored and business rule violations trigger alerts. When examining a passive network module, one must carefully evaluate what protocols the module can interpret, as well as whether or not the product can be tuned to monitor custom applications. For example, most DLP network modules have inherent functionality for examining HTTP, FTP, and SMTP. Yet, data leaks can and do occur over other network channels such as instant messaging. Therefore, it is imperative to ensure your DLP network module can be "trained" to monitor any text-based protocol operating over any TCP or UDP port.

Monitoring can be taken a step further to provide reactive measures which actually prevent data loss from occurring altogether. This is achieved by placing the DLP network module inline on the network and forcing traffic through the device. The device then makes a pass/no-pass decision based on business rules. The important thing to note here is that almost all DLP network modules operate at the application layer (Layer 7) of the OSI model, which means traffic is not routed through the device, but rather proxied using application-specific protocols. Given that the "pass/no-pass" decision is application-specific, so too are the reactive DLP network modules. For instance, proactive monitoring of email will require SMTP awareness, which often requires the DLP module to function as a full-fledged mail transfer agent. Mail is routed via SMTP to the DLP module, and business rules determine whether the mail is delivered, encrypted, or quarantined for further review. Likewise, web traffic is proxied to the DLP module via web proxy protocols such as ICAP or WCCP. The requested web page is either returned to the user, or an HTML error page is returned instead. As reactive network modules are application-specific, it is often difficult or even impossible to extend the product's reactive behavior to new protocols. Do keep this in mind when comparing the various vendor offerings.

DLP Discovery and DLP Storage Modules


DLP discovery and DLP storage modules primarily target data at rest. The basic mode of operation is to index data repositories hosted on your enterprise network, and report findings pertaining to data which is either misplaced or insufficiently protected with lax permissions. When examining discovery modules, take stock of the various information repositories within the organization, and ensure the product supports the corresponding access protocols. In environments which make use of UNIX file servers, NFS is often the protocol of choice. Microsoft shops often require the use of CIFS, and filers can and often do utilize multiple protocols. Moreover, be sure to examine whether or not the DLP solution can integrate into your directory service for credentialed scans. When masquerading as a particular user in Microsoft environments, Active Directory integration is a must. Similarly, UNIX environments may require integration with NIS or Apple Open Directory.

Once connectivity has been established to your assortment of storage silos, the DLP system must be able to read and analyze the various file formats found throughout the organization. Out of the box, practically all vendors will support file format recognition of the usual suspects such as Microsoft Office and PDF documents. However, take note of any special requirements your organization may have, such as scanning of AutoCAD drawings, Visio diagrams, or indexing of metadata often found in multimedia files.

Finally, take extra consideration of web servers. As more and more applications become web-based, we find more and more data living on web and database systems. If your organization makes use of internal web servers, be sure your DLP discovery product can authenticate and ultimately crawl the Wiki, SharePoint portal, or generic intranet server to thoroughly inventory the data in question. Several DLP discovery solutions also offer direct access to enterprise database management systems such as Oracle and Microsoft SQL Server, allowing the DLP module to bypass presentation details often handled by web servers in order to access the data directly.

Like DLP network modules, storage and discovery modules can be passive or reactive. Reactive measures typically involve moving the file in question to quarantine, then triggering some type of notification for further action. Removing a file and recreating it elsewhere obviously requires read-write access to the data source in question, which further emphasizes the importance of authentication directory integration.

DLP Endpoint Modules


The task of the DLP endpoint module is to protect data on end-user systems, which interestingly enough, covers both data at rest as well as data in motion. Endpoint modules are designed to enforce business rules regardless of client location. When an endpoint module is installed on a laptop or workstation, centralized business rules are downloaded at predefined intervals, and monitoring of user actions occurs in real time.

Like the network DLP module, reactive endpoint protection is application-specific. Take the use case of a DLP-protected client attempting to send social security numbers via a Yahoo webmail account. If the client is on the road, there are no protective enterprise network devices such as web proxies or corporate-owned SMTP gateways. Consequently, the chokepoint defaults to the application itself, which the DLP component must be able to monitor. In the case of Windows laptops, it is most likely either the Firefox or Internet Explorer web browser. When evaluating DLP endpoint solutions, it becomes imperative to inventory all client applications which can be used to disseminate information, and ensure such applications are covered by the DLP solution. As mentioned, common web browsers must be supported, as well as mail clients such as Microsoft Outlook or Lotus Notes. Instant messaging is also common with end-users, so be sure all sanctioned clients such as AIM or Yahoo-IM are covered. For heterogeneous network administrators who openly support Mac and Linux clients, beware of potential heartburn when examining DLP endpoint solutions, as Microsoft Windows is often the only supported client operating system.

Being operated directly by end-users means client systems are perhaps the most complex and challenging type of system to secure. DLP endpoint solutions are a step in the right direction, but will prove futile if end-users can simply uninstall the security software, or install alternative applications of which the DLP product is unaware. Therefore, a DLP implementation should be backed by stringent client restrictions which prevent DLP agent tampering and installation of unauthorized applications. Furthermore, non-enterprise-managed clients should be prevented from joining the enterprise network at all, which itself may warrant the use of other complex technologies such as network access control (NAC). Planning a DLP endpoint deployment should not be overwhelming, but do take the big picture into consideration before buying products a la carte.

On the topic of client security products, obviously there is no shortage of solutions on the market. From antivirus to whole disk encryption, client systems are at times jam-packed with security utilities which degrade performance and ultimately increase help desk calls. Study DLP endpoint solutions to determine if monitoring and enforcement activities can be throttled to ensure the performance hit is negligible.

General DLP Functionality


Having examined the specific DLP modules in isolation, a brief word on general DLP functionality is in order. As DLP solutions are inherently modular, keep in mind that global management of rules, roles, and rights is a must. DLP rules themselves should be centralized and synchronized across the various components. False positives must be addressed only once, and automatically adapt to the various products in use.

As your DLP deployment stabilizes, you will quickly find that the bulk of data loss prevention management is not technical, but rather administrative. Inevitably, you will work with human resources and help desk staff to identify broken business processes and address various violations. If your information security staffing levels are lean, it may make sense to delegate DLP system access directly to HR or help desk technicians. Active Directory and other directory integration functions which can read the organizational structure and determine group membership of HR and other departmental groups are extremely beneficial. Also take into consideration whether or not the DLP management interface can obfuscate or "scrub" captured sensitive data so that such information is not exposed yet again to those tasked with remediation.
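As an added example (not code from this article, and not any vendor's product), the following Python sketch ties together three pieces discussed above: one shared rule set of the "signature" kind described in the preflight checklist, applied both by a reactive network module making the deliver/encrypt/quarantine decision for SMTP and by a discovery module walking a file share and flagging files with lax permissions, with captured evidence scrubbed before it reaches the management console. The SSN and card-number rules, the deliver/encrypt/quarantine policy, the directory layout and every sample value are constructed assumptions; the function names are this example's own. The detector works on plain text, so the same rules apply to any text-based protocol or file format the module can decode.

```python
# Added example, not code from the article or any vendor: one shared rule set
# used by a network module, a discovery module, and the console's evidence
# scrubbing. Policy, directory layout and all sample data are constructed.
import os
import re
import stat
import tempfile

# US SSN format with structurally impossible area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 16 digits with optional single spaces or hyphens between them.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from ticket ids and the like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list:
    """Apply the shared rule set to any text, whatever protocol or file it came from."""
    hits = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):   # drop regex-only false positives
            hits.append(("card", m.group()))
    return hits


def scrub(text: str) -> str:
    """Mask every hit except its last four digits before it is stored or shown."""
    def mask(m):
        s = m.group()
        keep_from = sum(c.isdigit() for c in s) - 4
        seen, out = 0, []
        for c in s:
            if c.isdigit():
                out.append(c if seen >= keep_from else "*")
                seen += 1
            else:
                out.append(c)                # keep separators so the shape stays readable
        return "".join(out)
    text = SSN_RE.sub(mask, text)
    return CARD_RE.sub(lambda m: mask(m) if luhn_ok(re.sub(r"[ -]", "", m.group()))
                       else m.group(), text)


def smtp_decision(message: str, recipient_domain: str, internal_domain: str) -> str:
    """Constructed policy for a reactive network module acting as an MTA:
    no hits -> deliver; hits to an internal recipient -> encrypt;
    hits leaving the organization -> quarantine for review."""
    if not find_sensitive(message):
        return "deliver"
    return "encrypt" if recipient_domain == internal_domain else "quarantine"


def discover(root: str) -> list:
    """Discovery module: walk a share and report files that hold sensitive data,
    noting whether they are world-readable (POSIX mode bits; a real module
    reads the share with the credentials it was given)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue                     # unreadable: scan credentials lack access
            hits = find_sensitive(text)
            if hits:
                findings.append({
                    "path": os.path.relpath(path, root).replace(os.sep, "/"),
                    "kinds": sorted({kind for kind, _ in hits}),
                    "world_readable": bool(os.stat(path).st_mode & stat.S_IROTH),
                    "evidence": scrub(text),     # console never stores the raw value
                })
    return sorted(findings, key=lambda f: f["path"])


def build_demo_share() -> str:
    """Constructed sample share in a temp directory; returns its root path."""
    root = tempfile.mkdtemp(prefix="dlp-demo-")
    samples = {
        "hr/payroll.txt": ("Employee SSN 123-45-6789, see attached.", 0o640),
        "public/readme.txt": ("Contact the help desk at 415-555-0100.", 0o644),
        "public/orders.txt": ("Card on file: 4111 1111 1111 1111 exp 12/29", 0o644),
        "public/tickets.txt": ("Ticket ref 1234 5678 9012 3456", 0o644),
    }
    for rel, (body, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    print(smtp_decision("New hire SSN is 123-45-6789", "mail.example", "corp.example"))
    for finding in discover(build_demo_share()):
        print(finding)
</```

Run as-is, the script quarantines the outbound SSN message and reports payroll.txt (SSN, not world-readable) and orders.txt (card number, world-readable), while tickets.txt is ignored because its sixteen-digit reference fails the Luhn check. That last point is the practical reason the article's "handful of signatures" need tuning: a bare regex would have produced a false positive that, per the previous section, you would want to suppress once, centrally, for every module.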

DLP Evaluation Summary


If you are reading this article, you are probably well aware that there are no silver bullets in information security and risk management. Of course, DLP is no exception to this rule. However, viewing DLP as an overall strategy will certainly improve enterprise security posture and aid in lowering risk. Hopefully you found the technical criteria in this guide useful. The criteria listed in this article are also available for download in Microsoft Excel spreadsheet format for use in technical evaluations.

Microsoft Excel Worksheet: AtomicFissionDLP-Eval.xlsx
Last Updated on Wednesday, 27 October 2010 17:09
Atomic Fission, Information Technology Services, San Francisco, CA
