Checklist for DLP (Data Loss Prevention) implementation

The checklist is a table with five columns: No., Stage, What questions to answer, Example from practice, Risks. Each row below is laid out under those labels.

0. Stage: Understanding. Let's assume you have already answered the question "WHY" you need DLP (what the goals, objectives and metrics are).

What questions to answer:

I described this stage in the article:
https://habr.com/ru/articles/802819

I also have recommendations on choosing a DLP, but that point is skipped here.

Example from practice:

By examples in this case I mean the answer to the question WHY.

Very often the story ends in one of two ways:

1) We bought a DLP system, installed it, and read the correspondence in messengers.

2) We bought a DLP system, installed it, and found out who is planning to quit.

In my opinion, this is a negative experience.

Risks:

An ineffective waste of financial and time resources.

1. Stage: Preparation of server capacity and data management.

What questions to answer:

1) Assess the risks and choose between local server capacity and cloud capacity.

2) Read the vendor's recommendations, understand what server resources are needed, and understand which factor drives scalability (often it is the number of licenses).

3) Realize that disk space is needed to store the intercepted data. Try to understand:
3.1) how much data one controlled workstation generates per month;
3.2) what information is intercepted (and over which protocols) and how long each category of data should be stored in the database.
For example, Excel files for six months, RAR archives for three months.

Additional questions:

How secure do you want the DLP server itself to be?

Give it an inconspicuous name (not "DLP") and consider whether it could be moved out to a separate server in a separate room.

Example from practice:

Two cases from my practice:

1) A rare case: one of the federal banks stated clearly that they wanted to store everything sent to print for six months; according to their printing statistics this is the value X, and the required quality of one intercepted page is Y. From these inputs we calculated the disk space.

2) 15 years ago a DLP was installed and configured to intercept everything. Since it was one of the Ministries, during the period of submitting large reports and scanning a large (really large) number of documents, the storage system filled up within a week.

Risks:

Errors in calculating server capacity can reduce the effectiveness of DLP to a minimum (the server is sized for only 20 users, or the disk space is only enough for 2 months).
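The sizing questions in 3.1 and 3.2 (volume per station per month, and a separate retention period per data category) and both cases from practice (the bank's pages × quality × six months calculation, and the storage that filled up in a week during a reporting peak) reduce to one small capacity model. The script below is an added illustration, not code from the original article or from any DLP vendor; the categories, per-station volumes, page size and disk figures are constructed sample values, and the `peak_factor` parameter is my own way of modelling a seasonal burst such as the Ministry's reporting period.

```python
"""Disk-space sizing model for DLP interception storage (constructed example).

Each intercepted data category has its own volume and its own retention period,
so the database grows until every category reaches its retention limit and is
being purged as fast as it is written (the steady state). The functions below
compute the monthly intake, that steady state, when a given disk fills up, and
how many stations a given disk can carry.
"""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Category:
    """One class of intercepted data with its own retention period."""
    name: str
    units_per_station_month: float  # files, pages, messages ... per station per month
    mb_per_unit: float              # average size of one unit (for print: one page at the chosen quality)
    retention_months: int           # how long this category is kept in the database


def monthly_intake_mb(stations: int, cats: Sequence[Category]) -> float:
    """Megabytes written per month, before any retention purge."""
    return sum(c.units_per_station_month * c.mb_per_unit * stations for c in cats)


def steady_state_mb(stations: int, cats: Sequence[Category]) -> float:
    """Plateau reached once every category is purged at its retention limit."""
    return sum(c.units_per_station_month * c.mb_per_unit * c.retention_months * stations
               for c in cats)


def stored_after_months(stations: int, cats: Sequence[Category], month: int,
                        peak_factor: float = 1.0) -> float:
    """Megabytes held at the end of `month`; each category stops growing at its retention."""
    return sum(c.units_per_station_month * c.mb_per_unit * stations * peak_factor
               * min(month, c.retention_months) for c in cats)


def months_until_full(stations: int, cats: Sequence[Category], disk_mb: float,
                      peak_factor: float = 1.0) -> Optional[int]:
    """First month in which the disk overflows, or None if the steady state fits.

    peak_factor > 1 models a burst (e.g. a reporting season) where every station
    produces that many times its normal volume; constructed assumption, not a vendor metric.
    """
    horizon = max(c.retention_months for c in cats)  # growth stops after the longest retention
    for month in range(1, horizon + 1):
        if stored_after_months(stations, cats, month, peak_factor) > disk_mb:
            return month
    return None


def max_stations(cats: Sequence[Category], disk_mb: float, headroom: float = 0.8) -> int:
    """Stations one disk can carry at steady state, keeping `headroom` of it usable (here 80%)."""
    return int(disk_mb * headroom // steady_state_mb(1, cats))


# Constructed sample categories: the article's Excel/RAR retention example plus the bank's print case.
CATEGORIES = [
    Category("Excel files", units_per_station_month=100, mb_per_unit=1.0, retention_months=6),
    Category("RAR archives", units_per_station_month=20, mb_per_unit=25.0, retention_months=3),
    Category("Printed pages", units_per_station_month=200, mb_per_unit=0.25, retention_months=6),
]

if __name__ == "__main__":
    stations, disk_mb = 100, 250_000  # constructed: 100 agents, ~244 GB of storage
    print(f"monthly intake : {monthly_intake_mb(stations, CATEGORIES) / 1024:.1f} GB")
    print(f"steady state   : {steady_state_mb(stations, CATEGORIES) / 1024:.1f} GB")
    print(f"normal load    : full in month {months_until_full(stations, CATEGORIES, disk_mb)}")
    print(f"3x peak season : full in month {months_until_full(stations, CATEGORIES, disk_mb, 3.0)}")
    print(f"max stations   : {max_stations(CATEGORIES, disk_mb)}")
```

With the constructed figures the 100-station deployment fits the disk under normal load but overflows in the second month of a threefold peak, which is the Ministry scenario in miniature; the point of running the model per category is that shortening the retention of one heavy category (archives here) changes the plateau far more than trimming a light one.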

2. Stage: What is the scheme for installing DLP?

What questions to answer:

1) Which scheme do you choose? There are two main ones:

A) installation of agents;
B) connection to a mirroring port.
A combination of the schemes is possible.

2) If you have chosen agents, which of the three classic modes do you choose (visible, protected from deletion, hidden from processes)?

3) Do you want to monitor and manage the resources of the endpoint workstation where the agent is installed?
One option is to monitor the load in Zabbix.

Example from practice:

1) Connecting to a mirroring port increases the load on the switching equipment on which mirroring is configured. There have been cases where the core switches could not cope.

2) At the testing stage, the details of the settings are often not thought through, which leads to negativity among employees.

Risks:

These issues need to be discussed before implementing, and even before testing, any DLP system if the project is to succeed.

3. Stage: Approach to working with employees and documenting the process.

What questions to answer:

This stage is a common source of disputes.

1) Notify employees and, accordingly, prepare a package of organizational and administrative documents (internal policies and orders).

2) Do not notify.

Example from practice:

1) They don't notify.

2) They prepare a package of organizational and administrative documents that refers to such systems only indirectly.

3) A minimal number of companies report such systems, while the quality and quantity of information received does not decrease.

Risks:

Reputational and legal.

4. Stage: Under which accounts is the installation performed?

What questions to answer:

1) An important question to answer is which accounts are used for installation.

I recommend a dedicated account. In the case of AD, a separate domain account with local administrator rights.

Example from practice:

In practice it often happened that a single account (UZ) was used for everything.

For example, the administrator left it as a "crutch" to set up a network share for an employee, and sooner or later that saved password is extracted with a tool like mimikatz.

Risks:

Business continuity risks.
General information security risks.

5. Stage: Stages, order and licensing.

What questions to answer:

1) Select groups for installation based on your resources: first 5, then 5 more.

2) Perhaps this will be your way of keeping control: installing one by one, not all at once.

3) Think about what may be needed to see the effect of DLP, or to understand that you are not ready for this tool; a pilot stage will be enough.

Example from practice:

In practice, companies achieved the effect already at the pilot stage.
Especially small companies that had specific local goals.

Risks:

Business continuity risks.

6. Stage: Common mistakes.

What questions to answer:

1) Think through all the settings, even at the testing stage.

2) Study the specifics of the business processes of the employees on whom you install agents.

3) Separately identify the users (and programs) whose work requires certificates that must not be substituted (electronic signature, ES).

4) Monitor resources and user requests (at least for the first 2 weeks) on the workstations where agents were deployed.

5) Understand the most important thing: any DLP without well-thought-out, clear policies (rules of operation) has no effect. These policies must be constantly updated and reviewed, and the results of policy operation must be worked through.

Example from practice:

Pay particular attention to the point about certificates that must not be substituted.

If you have set up interception of encrypted traffic, the DLP system will try to substitute its own certificate in place of the electronic signature (ES) certificate, which leads to an error.

As a result, processes such as procurement with electronic signature, bank-client, etc. will be paralyzed.

Risks:

Similar to points 0-5.
