Friday, June 20, 2008

So, CAN We Have DLP?

Can we have DLP - data leak prevention?

Well, can we have IDS? How about IPS? Can we really "prevent intrusions?" Can we really "control access to our networks?"

The answer to "can we have DLP?" is actually pretty simple: if you think "DLP = box that prevents all data leaks" (and you also think that deploying IPS will "prevent intrusions"), then we can't. Forget it.

But blame the idiots who called it "leak prevention" - if you think that "DLP will prevent all leaks" - sorry, but you are one of them! :-) If you treat "L" not as "leak" but as "loss" and hope that "DLP will prevent all data loss, whether intentional or not," you are an even BIGGER one.

So rambling about "Can DLP Really Stop All Leaks" is pretty silly. No, it can't. Pondering "Is DLP Possible" is just as silly. No, complete prevention of all leaks is impossible, with OR without DLP technology. Go read Mike R instead :-)

Why do seemingly smart people behave in such a childish manner? I dunno. Scratch all that. Instead ask:

Are today's cutting-edge DLP technologies USEFUL?

And the answer is "Hell yeah!"

If you saw how much "fun" sensitive content goes over email (corp and personal web-based), gets uploaded to forums, channeled over IM file transfers, FTP'ed somewhere, you'd scream for one of these boxes. Accidental leaks, email address typos, non-malicious leaks, blatant disregard of security policy for the sake of "productivity", even phishing, "wholesale data theft" and amateur "employee hackers" probably account for 10x (100x?) more damage (in direct losses, brand damage, embarrassment and - yes! - non-compliance fines AND loss frequency) than "uber-hackers" (who might indeed go thru your DLP box like a hot knife thru butter.) And if an advanced DLP box does one day stop some determined insider theft, that's just icing on the cake.

That is why smart people don't call it "DLP" - they call it "content monitoring and filtering." This sounds much less sexy, but much more useful. The boxes that will show up on your doorstep will still have "DLP" labels, but what they will do for you is really content monitoring and filtering. And even though it will not stop all data theft, a DLP box will likely prove useful more than once...

Finally, all rants about any preventative AND monitoring technologies should really end the same: go refresh your incident response plans.

Dr Anton Chuvakin