Had an excellent discussion this evening with ISACA Scotland around data loss prevention. There are technical tools out there from such luminaries as Checkpoint, MacAfee, Cisco, Symantec etc, but all have cost implications, scale limitations and implementation issues.
If you use a DLP solution or are planning to use one, what factors did you look at in order to make a business case?
As described by this talk at Confidence'09, There are some arguments against the deployment of certain DLP solutions (I realise that this is a contentious issue but these concerns should at least be evaluated).
In essence many of these solutions are in fact nothing more than legitimate rootkits. The research behind the linked talk found that one of the DLP solutions investigated was actually a modified version of a well known rootkit found on rootkit.com! This could potentially been seen as a problem for a number of reasons. One of which is that if as described by the research none of the rootkit detection solutions successfully detected any of the DLP solutions, isn’t it possible (likely?) that AV vendors (intentionally) may not detect their own (or others?) DLP solutions with their rootkit detection kits? Would it therefore be possible to modify these allowed/legitimate DLP rootkits to produce a highly covert rootkit with very little chance of detection?
There could also be room for concern over the overall security of these solutions. By collecting and distributing reams of potentially sensitive information and providing ring 0 (system) control over every end user system on the corporate environment to a management server, you're placing a hell of a lot of trust in the security of the DLP solution itself. Wouldn't an attacker go straight for the DLP solution? That is one serious single point of total failure!
It's a subjective point I know, but what about the wider implications of spying on users to this degree? I know many who would seriously resent a company taking these actions. Doesn't it eliminate any notion of trust between the individual and company? I am a pragmatist at heart and so do see the benefits of these solutions (and indeed can empathise with a CISO attempting to protect corporate interests) but for an industry that invests such energy into the promotion of privacy doesn't something just plain feel wrong about engineering solutions which so completely destroy this for the individual in the workplace?
Some answers from the group:
A very important point raised - the people aspect. Whatever technical controls are in place, people will be the ones to break it (see data loss articles on Her Majesty's Revenue and Customs, pretty much any bank, Wikileaks etc) - so the following controls:
Update:
I was pointed at this October 2010 paper by Rich Mogull at Securosis on Understanding and Selecting DLP. Excellent set of areas to look at!
As indicated by Rory's answer, much like almost all of our problems, you have both the business process and the technical aspects to deal with.
From a technical perspective when investigating DLP (as a product) we focused on 3 major aspects:
That looks like a fairly standard list, however I feel as though the rational is an important consideration. Outside of corporate environments, and even inside them sometimes, the end-user buy in for security projects is very tricksome. As referenced in this question, a security professional is often seen as one who should either be ignored because they do nothing but make my life harder than it needs to be, or viewed askance because "they're out to get me". As such, it often falls on the Security Office to work around the prevailing culture and convince the end-user that any extra work on their part is actually worthwhile.
Keeping those considerations in mind, things like desktop agents quickly become a very contentious item, even if they are extremely effective. So the question becomes how much interference can we get away with? If you are in a strong "corporate style" environment with tight control on systems, or strong policies in place governing sensitive data, or strong buy-in from the management chain of the end-users, etc., then you can probably get away with a lot. On the other end of the spectrum a strictly network based solution may be your best bet. Something that acts more like an IDS and will only detect data transmissions, but not work to prevent them.
While most DLP solutions will have pre-built signatures for common items such as SSN, Driver's License, watermarks indicating confidential data, etc., sometimes the information that is most concerning is that which is unique to your environment. In my opinion, any DLP solution worth purchasing must be extensible. I must be able to add the regexp that matches my universities PID (Person IDentification) number, or the HR internal employee IDs. I also want to be able to look for items that specific departments find important. That is, if the Fine Arts dean's office decides that a specific research paper is important, I should be allowed a method by which to watch for it (see goodwill v. buy-in graphs relevant to previous point).
Finally, Ease of Use. In many, if not most, organizations worker resources are at a premium. The system itself must be relatively easy to maintain and run. Whenever an alert fires it should be relatively painless to act on. The specifics depend entirely on your internal procedures, as well as what other systems you use for security monitoring/response.
