
Scenario:

I'm administering my company's network all alone. I'm the only IT guy around and cannot spend too much time on anything special, as some people would start freaking out.
I have to implement some DLP (Data Leaking/Loss Prevention) system and I have to decide whether to focus on monitoring or preventing it.

Monitoring:
PROS: No false positives.
CONS: Lack of time will cause data to be leaked and me realising it two days later.

Preventing:
PROS: No data leaked (if properly configured).
CONS: False positives, and configuration and reconfiguration of filters.


So far, I'm in favour of Monitoring, as the other option would lead to false positives = mad people.

Could anyone throw some light on this? What should I do regarding my scenario?

sysfiend
  • @Matthew I'd like to get an answer for my specific scenario + the answer to that question is 100% subjective (doesn't mean I don't agree with him) and would like to read some objective posts. – sysfiend Dec 02 '16 at 16:14
  • As it stands, your question invites debate and discussion, which doesn't really fit the Q&A format of this site. The specific decision would depend on your company requirements - if you have regulatory requirements to prevent data loss, you might not have a choice. For commercial systems, the difference may be an option within the software itself. – Matthew Dec 02 '16 at 16:21
  • @Matthew I think it's a good question and I think there's a suitable answer, please see and comment below – Aria Dec 02 '16 at 16:26
  • @Matthew the scenario I presented is what matters here, no restrictions from my company or anything similar. I just "need" the answer for theoretical reasons – sysfiend Dec 02 '16 at 16:30
  • If you don't want to be burgled, do you never leave the house, or do you invest in preventing break-ins? – dandavis Dec 02 '16 at 21:47
  • It will probably depend on the amount of risk your organization can accept. I agree with @Matthew, it's too broad... – Ijustpressbuttons Dec 03 '16 at 00:15

1 Answer

You should focus on both, but not only those: monitoring and preventing are parts of a single system where there are also established procedures on what to do if the data is leaked or lost.

  1. Monitoring (e.g. data availability, data leaks via audits)
  2. Taking action (procedures) in case of breach or data loss
    • Sending notifications to interested parties
    • Restoring from backups
    • Failing over to another node
    • Failing over to another location
    • Etc
  3. Preventing
    • managing access (granting users appropriate permissions)
    • ensuring policy (including backups and access policy, e.g. group policy)

Hope this helps.

Aria