5 myths about data loss prevention

Gary Bahadur, KRAA Security, www.kraasecurity.com

Upload: gary-bahadur

Post on 26-Jan-2015


Category: Technology



DESCRIPTION

Data Loss Prevention (DLP) technologies are needed to protect data coming into and leaving the organization. There are a number of problems and challenges with the many vendors supplying DLP technology. This presentation reviews some of the myths around Data Loss Prevention.

TRANSCRIPT

Page 1: 5 Myths About Data Loss Prevention

Gary Bahadur, KRAA Security

www.kraasecurity.com

Page 2: 5 Myths About Data Loss Prevention

What is the DLP Risk?

Survey says:

- Many companies have lost confidential data through removable media
- Organizations rely mainly on paper-based controls (policies, NDAs, goodwill, paper cuts)
- Intellectual property, customer data and company financials are the top three concerns
- Data loss via USB drives and other removable media is the top concern
- Trojans, spyware and other hacker threats are secondary
- Confidential data stored on desktops and laptops is a major concern
- Mobile phones (Blackberry, iPhone, Windows Mobile phones, etc.) hold a lot of confidential information
- No controls over audit, monitoring and logging of data into and out of the network

Page 3: 5 Myths About Data Loss Prevention

What is Data Loss?

- Typical data loss scenarios are email, USB key, burning a CD/DVD
- Other options are instant messaging, paper, FTP, fax, phone conversations, mind melds
- Data at rest (stored on file servers, hard drives)
- Data in motion (being sent across the network somehow)
- Data destruction (lack of destroying data in unprotected environments)
- Endpoint security has moved beyond the home user

Page 4: 5 Myths About Data Loss Prevention

Obligatory Chart

Page 5: 5 Myths About Data Loss Prevention

Top 5 Myths about DLP Solutions

Myth 1 – We are too small for a DLP solution

Myth 2 – I have to purchase an expensive third party DLP solution

Myth 3 – We cannot track and classify our data

Myth 4 – The IT Department will handle data loss prevention with technology

Myth 5 – My company isn't really exposed to the Internet

Page 6: 5 Myths About Data Loss Prevention

Myth 1 – Too Small for a DLP Suite

Example: a small/medium sized law firm, 100 lawyers, 30 staff, a couple of offices, confidential data, a website, 50 gigs of data storage

A. A DLP suite is too complex and time consuming

B. We have legal controls in place

C. We have an "IT Guy" who handles everything

D. Our lawyers know not to send out emails to anyone that should not receive them

E. We have firewall, antivirus and malware protection in place

Page 7: 5 Myths About Data Loss Prevention

Myth 1 – Too Small for a DLP Suite

Any SMB company that has confidential data is at risk. What can the small law firm do about it?

A. The hype generated by the big companies (McAfee, Symantec etc.) should not scare you away from smaller, focused solutions. Many tactical solutions are available that are not too complex

B. Technological controls have to complement legal controls, to protect employees from themselves as well as from outside evil-doers

C. IT staff are rarely the same as security staff; augment with either outsourced security staff or with robust technology controls

D. Do not rely on employees actually understanding what security means; technology controls are needed to offset "stupid" mistakes

E. DLP has evolved far beyond simple security controls; looking at the actual data is the key to implementing the technology correctly

Page 8: 5 Myths About Data Loss Prevention

Myth 2 – Expensive Third Party Solution


For the small law firm, implementing a $100,000 Symantec or McAfee solution is impossible

A. We can't afford the consulting and software costs

B. Our IT staff are not experts in these DLP solutions and we cannot hire any new staff

C. We have already invested in a lot of security technology; there is no approval for more enterprise suites

Page 9: 5 Myths About Data Loss Prevention

Myth 2 – Expensive Third Party Solution


A. Tactical solutions are available as an alternative to a full enterprise suite, and a number of freeware tools are available

B. Smaller tools do not require intensive training in security or in the products

C. You do not have to replace the security technology you already have in place; augment it to cover your DLP gaps

Page 10: 5 Myths About Data Loss Prevention

Myth 3 – Data classification challenge


Our example law firm probably has client confidential files labeled and not much else

A. Most companies, especially SMBs, have never classified all their data and have no plans to do so; it's too difficult. We do not have the resources to go back and classify all old documents

B. We do not need classification standards other than Confidential

C. Our employees do not know enough to classify data and our managers are too busy to look at every document

Page 11: 5 Myths About Data Loss Prevention

Myth 3 – Data classification challenge

A. To avoid the high and costly rate of false positives and negatives, use technology with accurate detection capabilities (structured and unstructured data)

B. A tiered classification standard such as Confidential, Private, Company Use and Public, used with DLP, will minimize false positives

C. With a process in place to educate employees and to force data classification on all newly created documents, a DLP solution can easily manage files based on classification in the future

Page 12: 5 Myths About Data Loss Prevention

Myth 4 – IT Department’s Responsibility


Many companies, small and large, think IT can provide all the security needs as well as understand all the business requirements

A. The majority of employees don't know their company's policies and are uneducated about security

B. IT cannot make rules to tell employees what data they can keep on laptops and desktops

C. IT cannot determine the value of business data

D. Business unit owners do not take ownership of data

E. Users rely on IT to stop them from making "stupid" mistakes

F. Users never delete data, whether it's in emails, on PCs/laptops or in personal network storage

Page 13: 5 Myths About Data Loss Prevention

Myth 4 – IT Department’s Responsibility


A. User education, focused on data security, privacy and confidentiality

B. Look at data at rest: where does sensitive data reside outside of secure databases and file servers? Develop business rules for saving data to laptops/PCs

C. Become content aware: read through data looking for sensitive information

D. Business units must provide guidance on data value and access rights to data; centralized policy management

E. Protect data in motion by monitoring, logging and auditing (typically email, web, FTP, USB); perform some network-based blocking

F. Provide automated data destruction capabilities that IT does not have to "manage"

Page 14: 5 Myths About Data Loss Prevention

Myth 5 – What Internet?

The example law firm may not do any processing or have interaction through their website, and so do not think Internet data transmission is a risk

A. We only send emails out and we have email security in place

B. Our staff encrypt data on their laptops so we do not worry

C. Our firewall protects us from attacks and data theft

D. We do not conduct business via our website

Page 15: 5 Myths About Data Loss Prevention

Myth 5 – What Internet?

A. 1 in 400 emails contains confidential information; in a law firm that will be a much higher percentage. Antivirus needs help from content checking software

B. 4 out of 5 companies have lost confidential data when a laptop was lost. Encrypted data is great, but it's usually transferred unencrypted; use technology to force encryption or other checks before sending out files

C. 1 in 2 USB drives contains confidential information; a firewall will not stop data from leaving. Insider attacks are more prevalent than external hacker attacks; protect data in the internal environment through blocking, monitoring and auditing access

D. Over 35 states have enacted security breach notification laws; you don't have to do web-based business to lose data via the Internet. Use DLP to meet regulatory requirements.
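The three responses above (Page 11 on tiered classification with accurate structured/unstructured detection, Page 13 on becoming content aware and monitoring or blocking data in motion, and Page 15 on forcing encryption or other checks before files leave) describe one mechanism: classify a document, then apply a per-channel rule. The following Python is an added example written for this page; it is not code from the presentation or from KRAA Security or any vendor named here. Everything in it is an assumption of mine: the "Classification:" label line, the Luhn-checked card-number detector for structured data, the constructed law-firm keyword list for unstructured data, the default tier for unlabeled documents, the channel policy table, and the sample documents.

```python
"""Content-aware DLP checks: classify a document, then apply a channel policy.

Added example, not from the slides. Assumed design: a document may carry
an explicit "Classification: <tier>" line; unlabeled documents are
classified by content using a structured detector (16-digit, Luhn-valid
card numbers) and an unstructured detector (constructed keyword phrases);
an unlabeled document with no hits defaults to "Company Use"; the policy
table below is illustrative, not any vendor's rule set.
"""
import re
from dataclasses import dataclass

# Tiered standard named on the slides, most sensitive first.
TIERS = ("Confidential", "Private", "Company Use", "Public")

LABEL_RE = re.compile(r"^\s*classification:\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")
# Constructed keyword list for the example law firm; a real deployment tunes these.
KEYWORDS = ("attorney-client privileged", "settlement agreement", "client file")

# Assumed policy: action per (channel, tier) when data leaves the firm.
POLICY = {
    "email": {"Confidential": "block_unless_encrypted", "Private": "log",
              "Company Use": "log", "Public": "allow"},
    "usb":   {"Confidential": "block", "Private": "block",
              "Company Use": "log", "Public": "allow"},
    "web":   {"Confidential": "block", "Private": "block",
              "Company Use": "log", "Public": "allow"},
}


@dataclass
class Decision:
    channel: str
    tier: str
    action: str
    reasons: list


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects arbitrary 16-digit strings (order numbers, IDs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Structured-data detector: 16-digit sequences that pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def classify(text: str):
    """Return (tier, reasons). An explicit label wins; otherwise inspect content."""
    m = LABEL_RE.search(text)
    if m:
        for tier in TIERS:
            if m.group(1).lower() == tier.lower():
                return tier, ["label:" + tier]
    reasons = []
    cards = find_card_numbers(text)
    if cards:
        reasons.append("card_numbers:%d" % len(cards))
    lowered = text.lower()
    reasons.extend("keyword:" + k for k in KEYWORDS if k in lowered)
    if reasons:
        return "Confidential", reasons
    return "Company Use", ["default:unlabeled"]  # assumed default tier


def decide(text: str, channel: str, encrypted: bool = False) -> Decision:
    """Data-in-motion check: classify, then apply the channel policy."""
    tier, reasons = classify(text)
    action = POLICY[channel][tier]
    if action == "block_unless_encrypted":
        # Forces encryption before a confidential file leaves by email.
        action = "log" if encrypted else "block"
    return Decision(channel, tier, action, reasons)


# Constructed sample documents for the example law firm.
SAMPLES = {
    "memo": "Classification: Public\nLunch menu for Friday.",
    "client": "Draft settlement agreement for client file 4471.\nAttorney-Client Privileged.",
    "billing": "Retainer paid by card 4111 1111 1111 1111, exp 01/27.",
    "random": "Order tracking number 1234 5678 9012 3456.",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        for channel in POLICY:
            d = decide(text, channel)
            print("%-7s %-5s %-12s %-5s %s" % (name, channel, d.tier, d.action, d.reasons))
```

The Luhn check is what keeps the "random" sample (a 16-digit tracking number) out of the Confidential tier, which is the false-positive problem Page 11 warns about; the explicit label on the "memo" sample shows why a classification tag on newly created documents short-circuits content inspection entirely.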

Page 16: 5 Myths About Data Loss Prevention

Some of the well known players

Full Suite Solutions: EMC, Orchestria, Reconnex, Vontu, Vericept, Websense

Partial Suites: Code Green Networks, GTB Technologies, McAfee, Workshare, Lumension

Network Tools: Clearswift, Fidelis Security Systems, Palisade Systems, Proofpoint, SendMail

Endpoint Suites: NextSentry, TrendMicro, Verdasys, PGP

Page 17: 5 Myths About Data Loss Prevention

Gary Bahadur, CEO, KRAA Security

[email protected]

Consulting Services | Managed Security Services