Comments on: Thoughts on DLP http://infosecplace.com/blog/2008/01/21/thoughts-on-dlp/ Commentary on the State of Information Security Sun, 10 Jan 2010 16:13:08 -0700 http://wordpress.org/?v=2.9.1 hourly 1 By: Rob Lewis http://infosecplace.com/blog/2008/01/21/thoughts-on-dlp/comment-page-1/#comment-21571 Rob Lewis Thu, 31 Jan 2008 04:14:05 +0000 http://infosecplace.com/blog/2008/01/21/thoughts-on-dlp/#comment-21571 An interesting read and viewpoint on DLP is this by Nick Selby of 451 Group. One basically finds out about all this data leakage but is left with the question-"Now what?". Tying the Business Problem of Data Leakage to IT Processes - recovering from the deer-in-the-headlights moment http://nickselby.com/yak/2007/11/20/tying-the-business-problem-of-data-leakage-to-it-processes-recovering-from-the-deer-in-the-headlights-moment/ An interesting read and viewpoint on DLP is this by Nick Selby of 451 Group. One basically finds out about all this data leakage but is left with the question-”Now what?”.

Tying the Business Problem of Data Leakage to IT Processes – recovering from the deer-in-the-headlights moment

http://nickselby.com/yak/2007/11/20/tying-the-business-problem-of-data-leakage-to-it-processes-recovering-from-the-deer-in-the-headlights-moment/

]]> By: Kevin Rowney http://infosecplace.com/blog/2008/01/21/thoughts-on-dlp/comment-page-1/#comment-21544 Kevin Rowney Mon, 28 Jan 2008 19:34:13 +0000 http://infosecplace.com/blog/2008/01/21/thoughts-on-dlp/#comment-21544 Actually, there are DLP vendors that cover both structured and unstructured data. Choosing the right vendor is key here, since not all of them have these capabilities. With the right vendor, coverage for unstructured data is *way* more advanced than just hashing the file. Full file hashing is (as you point out) brittle. It has low false posivity (i.e. good precision) but bad false-negativity (i.e. bad recall) since hash functions change their output quickly with the slightest change to the input. There are better ways to do this. The better DLP vendors have indexing algorithms that can detect not just whole copies of the file but even small cut-and-paste fragments of these files. Not only is it theoretically possible to provide good protection on unstructured data using these algorithms, but these systems are now actually deployed at big enterprises against use-cases similar/identical to your examples. There are also strong algorithms to protect structured data with these same properties (i.e. still detects with high accuracy even on cut-and-paste fragments of the original.) Here again, capabilities of various vendors varies enormously. LonerVamp has got it right. There are a bunch of enterprises making that same calculation: attacking the large amount of risk presented by well-meaning insiders is one of the biggest untreated information security problems out there. Actually, there are DLP vendors that cover both structured and unstructured data. Choosing the right vendor is key here, since not all of them have these capabilities. With the right vendor, coverage for unstructured data is *way* more advanced than just hashing the file. Full file hashing is (as you point out) brittle. It has low false posivity (i.e. good precision) but bad false-negativity (i.e. bad recall) since hash functions change their output quickly with the slightest change to the input.

There are better ways to do this. The better DLP vendors have indexing algorithms that can detect not just whole copies of the file but even small cut-and-paste fragments of these files. Not only is it theoretically possible to provide good protection on unstructured data using these algorithms, but these systems are now actually deployed at big enterprises against use-cases similar/identical to your examples.

There are also strong algorithms to protect structured data with these same properties (i.e. still detects with high accuracy even on cut-and-paste fragments of the original.) Here again, capabilities of various vendors varies enormously.

LonerVamp has got it right. There are a bunch of enterprises making that same calculation: attacking the large amount of risk presented by well-meaning insiders is one of the biggest untreated information security problems out there.

]]> By: IP Chaperon http://infosecplace.com/blog/2008/01/21/thoughts-on-dlp/comment-page-1/#comment-21517 IP Chaperon Tue, 22 Jan 2008 18:42:06 +0000 http://infosecplace.com/blog/2008/01/21/thoughts-on-dlp/#comment-21517 Implementing DLP helps with protecting your Data. Protecting source code Intellectual Property (IP) requires a different approach. Take look at Chaperon Secure technology. It is designed to protects source code at every stage of the software development life cycle (SDLC) – no matter who is working on it. The source code IP is protected from creation and transport to storage and retrieval whether it remains in-house, is outsourced or even sent offshore. A combination of the two approach might allow you to sleep well at night :-) Implementing DLP helps with protecting your Data. Protecting source code Intellectual Property (IP) requires a different approach. Take look at Chaperon Secure technology. It is designed to protects source code at every stage of the software development life cycle (SDLC) – no matter who is working on it. The source code IP is protected from creation and transport to storage and retrieval whether it remains in-house, is outsourced or even sent offshore.

A combination of the two approach might allow you to sleep well at night :-)

]]> By: LonerVamp http://infosecplace.com/blog/2008/01/21/thoughts-on-dlp/comment-page-1/#comment-21516 LonerVamp Tue, 22 Jan 2008 14:20:27 +0000 http://infosecplace.com/blog/2008/01/21/thoughts-on-dlp/#comment-21516 We will be implementing DLP in the near future (this year), but I am pretty certain we are getting it to stop inadvertant loss (basically dumb users who know how bad it is to email CC numbers, but do it anyway because that's the easy thing to do). We'll be deploying in monitor mode to see just how badly we need not only this product but also user education about data security. I don't think any of us on our team really expect this product to protect data against skilled malicious attackers, or maybe even unskilled malicious insiders. But taking a huge chunk out of the "negligence" and inadvertant loss pies is worth the cost. At least for now. :) We will be implementing DLP in the near future (this year), but I am pretty certain we are getting it to stop inadvertant loss (basically dumb users who know how bad it is to email CC numbers, but do it anyway because that’s the easy thing to do). We’ll be deploying in monitor mode to see just how badly we need not only this product but also user education about data security. I don’t think any of us on our team really expect this product to protect data against skilled malicious attackers, or maybe even unskilled malicious insiders. But taking a huge chunk out of the “negligence” and inadvertant loss pies is worth the cost. At least for now. :)

]]>