A consistent question following the loss of sensitive network data is: Where were the controls?
By controls, critics are referring to automated tools designed to prevent data leakage. As technologists, we know there is no magic system to identify or prevent the loss of data. Indeed, the most important step an organization can take is to train users on how to handle sensitive data. But tools -- designed to track, log and prevent unauthorized access to sensitive data -- can help. That's where network-based data loss prevention (DLP) applications come in. In this post, I'll introduce the concept and discuss some of the products designed to support a robust sensitive data protection strategy.
DLP approaches vary by protection offered
DLP is a sizable discipline with options divided into two basic categories: endpoint protection and network protection.
Both use classification and rules to protect sensitive data. Most products allow manual classification of data along with some type of search-based capability. Once critical data is tagged, rules can be applied to control the data's flow. Prevention tactics range from logging and alerting, to blocking the transfer of sensitive information.
Identifying critical information is one of the most difficult aspects of sensitive data protection. Although manual classification has the benefit of reducing or outright eliminating false positives, most enterprises -- with their huge store of data sets -- don't have the time or the bandwidth. In a large distributed environment, most customers rely on automated data analysis. All major DLP products leverage pattern recognition and algorithms to identify and classify sensitive data. For example, they will process 16-digit numeric data strings to determine credit card data.
Another important consideration in building a sensitive data protection strategy is the point at which protection will occur. Endpoint protection focuses on individual host devices that may include servers, workstations and storage, while network protection occurs at network egress points. There is some overlap, with some network protection tools providing plug-ins to oversee such infrastructure services as email servers.
Most users will need both endpoint and network protection to meet their DLP and sensitive data protection objectives. Not all data traverses the network. Consider the scenario of a worker who creates sensitive data on her local workstation and then copies it to removable media. No amount of network scanning would catch this transfer, but an endpoint approach -- one that has removable device controls -- would. Keep in mind, however, that endpoint tools have limitations as well.
Bottom-up approach is the best way to achieve sensitive data protection
Protecting data at the endpoint is a bottom-up approach. The granular nature of endpoint protection produces performance overhead similar to host-based virus protection or intrusion prevention systems (IPS). As a result, the drivers for implementing network-based IPS are similar to those for implementing network-based DLP products. Just as with IPS, customers should take an integrated approach to DLP. Let's summarize two network-based products that are parts of larger DLP suites.
McAfee DLP Monitor: DLP Monitor is part of McAfee's Total Protection for Data Loss Prevention (TPDLP) portfolio. While the majority of the suite is software, DLP Monitor comes as either a physical or virtual appliance. DLP Monitor collects data using either port spanning or network taps -- with a top throughput of 200 Mbps.
The true benefit of DLP Monitor is its integration with the rest of the TPDLP portfolio; there is no enforcement functionality in the standalone version. All of the components are managed through a centralized console and users can create rules to govern their specific security policies.
By exploiting this integrated approach, security admins can, for example, use the insights from DLP Monitor to track data leakage to the source endpoint and, thus, create policies to tighten the flow of any critical data -- including information transmitted via email.
Symantec Data Loss Prevention for Network: McAfee and Symantec share some similarities in their sensitive data protection approaches. Like McAfee, Symantec integrates its Symantec DLP for Network with its endpoint, cloud, mobile and storage products. And like McAfee, Symantec offers its DLP platform as either a physical or virtual appliance.
Where Symantec stands out is how it meshes its network- and services-based DLP products, particularly DLP Email and DLP Web. This combination allows administrators to keep tabs on sensitive data that may appear in an email and take steps to ensure that information -- say a credit card number -- is stripped out before the email is transmitted.
Because sensitive data is no longer being created within the physical boundaries of the organization, administrators should also examine DLP tools that integrate with cloud services. For instance, McAfee is looking to integrate its DLP platform with Office 365. The cloud is just another reminder of how a DLP approach must traverse several systems -- with network DLP an integral part.
Endpoint protection: What you need to know
Using DLP to safeguard sensitive information
DLP and sensitive data exfiltration