Again about choosing a DLP system and whether it is necessary at all

What problem do you want to solve with DLP?
Here I usually tell two stories.
Story No. 1.
This story is from my student days, but it gave me food for thought.
One company (in a faraway kingdom) also decided to “run” towards DLP. However, the head of information security was a very competent and strong-willed employee: he identified
the most important risk (task) for all interested parties, and it turned out to be the task of controlling Skype correspondence. Then, with local domain administrator rights,
he started collecting the Skype correspondence file from all workstations, wrote his own “reader” for this format, and analyzed the correspondence using keywords.
Management was fine with this.
Story No. 2.
It is more of a trend. When an organization did not answer the question “WHY” at the start, I often observed that the functionality was later reduced to reading correspondence in instant messengers.
See story No. 1.
Believe me, DLP is not a magic box; it is a tool, and the tasks you wanted to accomplish can often be accomplished by other means (this is quite common). And I am not only talking about technical means, but also about the skills and duties of line managers.

Let's assume that the question “WHY” was answered, now “HOW”.
What do I mean by how?

  1. Will you implement DLP secretly or tell your employees about it? I don’t want to get into a flame war about legal issues.
    But from my experience I will say that you will skim off all the “cream” while piloting the products, and only then can you inform your employees.
    For the first month employees will control themselves, then they will stop.

  2. According to what scheme? DLP has 2 main connection schemes (someone will come and write in the comments that there are others. Yes, there are):
    connecting to a mirroring port (on Cisco equipment this is a SPAN port, for example) and using agents.
    Let's say right away that connecting to the mirroring port will give you little to analyze, so go straight to the agents.

    Note: your switching equipment may not appreciate traffic mirroring.

  3. How much, and what, do you want to store?! Many people don’t ask this question and then suffer.
    In my practice, we worked through this clearly with only one client. They immediately said that they wanted to store printed documents for 6 months. We calculated the volume
    of printed documents, multiplied it by the average size of one sheet, and got the requirements for the storage system.
    You can throw my own words back at me and you will be right: what we were sizing there was storage, and not DLP at all.

  4. Policies: what policies are you ready to develop right now? By policies I mean a set of control rules.
    This question correlates with the question “WHY”.
    “Shovelling” through this entire volume of information with your hands and eyes is unrealistic. Although… although I know companies that had 10 people on staff to do this.
    Here I have life hacks that I have developed over the years. Attention, I'm sharing!!!

  5. Many DLPs have what are called statistical rules, that is, policies that show who printed more than 1,000 pages per day or sent more than
    1,000 messages per day in a messenger; the rules are based on statistics and a specific number.
    Methodically set critical values and monitor them.
    For example, a policy that flags more than 100 files copied to removable storage means there is a 90% chance that the employee is preparing to quit. And he doesn’t understand that he is already encroaching on the intellectual assets of the enterprise.

  6. Very often, information security and economic security tasks are far apart. DLP can easily combine them. How?
    Personally, I see nothing wrong with an employee having his own business, but again the question is about the limits of what is permitted.
    The economic security officer gives the information security officer a list of tax identification numbers and names of the legal entities belonging to employees, and based on this information he creates tracking policies.
    And if an employee, for example, starts printing invoices for his legal entity, expect alerts.
    In general, many DLPs have predefined reports and policies to help you: for example, tracking password-protected archives, transferring credit card numbers (using regular expressions), job searching, etc.

  7. Do you plan to block information flows, or to monitor and detect?
    Again, it is my personal belief that blocking and creating blocking policies require even more resources and time (and often there is no understanding of this).
    For example, one Excel file contains a shopping list for New Year salads, another contains a specification in the same format. Or, not to multiply examples, a classic situation: you enabled control of encrypted traffic (as a rule, DLP replaces the certificate), but certificates such as those of the bank-client system or procurement portals cannot be replaced; the result was a conflict with the business process (a clear example of a lack of preliminary analysis).

  8. And finally, the last “HOW”. Do you have an employee to whom you are willing to entrust such a tool? Do you trust his moral principles?
    Believe me, the question is important. I won't give examples.
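As an added example (not code from the article or from any DLP product), here is what the statistical rules from point 5 look like when written out: per-user, per-day totals from agent events, compared against the thresholds the text gives. The event format, user names and action labels are assumptions constructed for the example.

```python
"""Added example, not from the original article: a minimal engine for the
"statistical rules" described in point 5. It sums per-user, per-day activity
from constructed DLP agent events and raises an alert when a daily total
exceeds a threshold. The event format and the thresholds are assumptions."""
from collections import defaultdict

# Thresholds from the article: >1000 printed pages, >1000 messenger
# messages, >100 files copied to removable storage, all per day.
THRESHOLDS = {"print": 1000, "im": 1000, "usb": 100}

# Constructed sample events, one per line: "<date> <user> <action> <value>".
# value is a page count for print events and 1 for a message or a copied file.
SAMPLE = "\n".join(
    ["2024-03-01 ivanov print 400", "2024-03-01 ivanov print 700"]
    + ["2024-03-01 petrov im 1"] * 5
    + ["2024-03-01 sidorov usb 1"] * 120
    + ["2024-03-01 orlov usb 1"] * 100   # exactly at the limit: no alert
    + ["2024-03-02 sidorov usb 1"] * 3   # a new day is counted separately
)


def parse_events(text):
    """Turn the text log into (date, user, action, value) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, user, action, value = line.split()
        events.append((date, user, action, int(value)))
    return events


def aggregate(events):
    """Sum values per (date, user, action); this is the 'statistic'."""
    totals = defaultdict(int)
    for date, user, action, value in events:
        totals[(date, user, action)] += value
    return totals


def evaluate(events, thresholds=THRESHOLDS):
    """Return one alert per (date, user, action) that strictly exceeds its limit."""
    alerts = []
    for (date, user, action), total in sorted(aggregate(events).items()):
        limit = thresholds.get(action)
        if limit is not None and total > limit:
            alerts.append({"date": date, "user": user, "action": action,
                           "total": total, "limit": limit})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(parse_events(SAMPLE)):
        print(alert)
```

Note that a user exactly at the limit (orlov, 100 files) produces no alert, and that the same user's activity on the next day starts a fresh count.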

Let's go on. WHY and HOW have been answered.
What to choose?

In recent years I have been implementing one particular DLP, but I am not going to turn this article into advertising. That is also connected with what I keep stressing: DLP is a tool. For example, I can deploy the system in 5 minutes and quickly draft policies.
Therefore, when it comes to a specific choice, pay attention to the following steps.

  1. Make your choice only after a pilot. Allow 2-3 months and cover at least 30% of automated workplaces. By the way, and this is normal, after such pilots you may understand that you do not need to buy at all: it will be enough for you to install such a system once a year for 2 months.

  2. Believe me, nowadays all DLP systems are similar. Therefore, analytically select (limit yourself to) 3-4 systems for piloting (pilot everything and you will reach a dead end). Immediately throw comparison tables out of your head; they won’t show you anything useful. Compare: technical requirements for hardware and software, the ability to integrate with AD (yes, there are some that do not support it), the presence of OCR, the cost of acquisition, the cost of ownership, the presence of an FSTEC certificate (optional), and ease of use and deployment (here only by key questions, such as how long basic deployment and configuration take; look at the management console in advance, since more than one console may be acceptable, but three or more is not).

Already during the pilot, check:
3) Does the system allow you to save settings so that you can later load them into a newly installed system? (This relates to point 1, if you understand that you need DLP only for a short period each year.)
Does the system allow you to quickly and without errors remove the agent from one batch of workstations and install it on another batch (as a way of saving licenses)? Does the system allow you to purchase licenses modularly?
4) Is there local data storage, that is, when the computer is off the network the agent keeps a shadow folder and transfers all the information once it is connected again?
5) Does it allow you to hide the operation of the system from the process list?
6) Play with the quality of keylogger interception (via the virtual keyboard).
7) Does the system track the structure of a file rather than its extension? That is, when an employee changes or removes the file extension, the system still keeps the file (for example, a drawing) under control.
8) I really recommend checking how complex the system is to teach to employees who are far from IT (and, accordingly, whether the instructions and manual are in Russian).
If I were to increase the number of points to 10, I would also check:
9) Does the system allow working in terminal mode and does it have different access rights? (For example, it was installed on one workstation without a network, with administrator rights, and information was then collected; such cases occurred for monitoring electronic scales and electricity metering at remote sites.)
10) I advise you to ask the integrator and/or manufacturer for the opportunity to talk to a client whose system is already up and running.
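As an added example (not code from the article or from any DLP product), here is what point 7 of the checklist means in practice: a check that identifies a file by its leading bytes, beside the extension-based check it should replace. The signature table, the extension map, the set of controlled types and the in-memory sample files are all constructed for the example.

```python
"""Added example, not from the original article: deciding whether a file is
under control from its leading bytes (its structure) instead of its name,
which is what point 7 of the pilot checklist asks an agent to do. The file
signatures are the well-known ones; the sample files are constructed."""

# (leading bytes, type name). Office OOXML files are ZIP containers; legacy
# .doc/.xls are OLE2 compound files; AutoCAD .dwg starts with "AC10" + version.
SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip-container"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),
    (b"AC10", "dwg"),
]

# Assumed mapping a naive, extension-based rule would rely on.
EXT_MAP = {".pdf": "pdf", ".docx": "zip-container", ".xlsx": "zip-container",
           ".doc": "ole2", ".xls": "ole2", ".dwg": "dwg"}

# Types the (assumed) policy wants to keep under control.
CONTROLLED = {"pdf", "zip-container", "ole2", "dwg"}

# Constructed in-memory sample files: the same drawing under three names.
DWG_HEADER = b"AC1027" + b"\x00" * 16
SAMPLES = {
    "drawing.dwg": DWG_HEADER,
    "drawing.txt": DWG_HEADER,        # extension changed
    "drawing": DWG_HEADER,            # extension removed
    "notes.txt": b"just some text",
    "report": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
}


def type_by_content(data: bytes) -> str:
    """Identify the file by its magic bytes; 'unknown' if none match."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"


def type_by_extension(filename: str) -> str:
    """The weak check: trust whatever the file name claims."""
    dot = filename.rfind(".")
    return EXT_MAP.get(filename[dot:].lower(), "unknown") if dot >= 0 else "unknown"


def missed_by_extension(samples, controlled=CONTROLLED):
    """Files a name-based rule lets through but a content-based rule catches."""
    return sorted(name for name, data in samples.items()
                  if type_by_extension(name) not in controlled
                  and type_by_content(data) in controlled)
```

During a pilot, the same renamed files can be copied to a removable drive or sent by mail to see whether the product under test behaves like `type_by_content` or like `type_by_extension`.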

Conclusion

For me, even more important in this article are the thoughts described in the questions WHY and HOW.
I tried to briefly describe the main points in the “WHAT” category.
It is important to understand that DLP is not a magic box; it will work as an element of comprehensive security, and only that way.
For example, what is the point of an agent if the employee has local administrator rights?
Why require DLP functionality, for example, to block cloud storage, when it is more reasonable and adequate to block access to cloud storage in other ways?
I hope this essay will be useful to you.
