Monday, March 23, 2009

Fun Views on DLP

For quite some time, I was meaning to write another post about “data leakage/loss prevention/protection” (DLP) – and this weekend presented a perfect opportunity. This post is also mildly inspired by Richard’s Data Leakage Protection Thoughts from February 2009 as well as the “lively” discussion that ensued. Also, I would like to reuse the method I used in PCI DSS and Data Breaches: Perception and Reality, namely, contrasting the perceptions and the reality of what is considered to be “DLP” today.

So, personally, I have seen/heard the following views on DLP:

  1. DLP is worse than useless; it is actually harmful due to the false sense of security it provides [e.g. in comments here it is called “an expensive, distracting failure”]
  2. DLP is completely, 100% useless.
  3. DLP is useless against anybody but a certifiable, clinical idiot [BTW, this says nothing about its overall usefulness – there are plenty of idiots who are after your organization…]
  4. DLP is great, as long as you monitor and not block.
  5. DLP is great, as long as you block and not monitor.
  6. DLP is not perfect! [some then quickly jump to “…and thus useless”]
  7. DLP is perfectly workable as long as a) you know what you want, b) the task is actually technically feasible and c) DLP is capable of doing that task.
  8. DLP IS “That Silver Bullet” (tm).
  9. DLP is everything: backup, encryption, access control – it cannot be good or bad, since it is EVERYTHING.

I won’t spend much time talking about extreme views such as #1, #2 as well as #8, #9; as usual, there is little truth in extreme views. Additionally, a piece of technology seen as “truly useless” by some can be a “God-send” for others, depending upon what’s on their network and what’s on their minds. I will also not touch #6 as self-evident. Richard does a good job explaining #4 and #5 in his post, specifically leaning towards #5 (even though I suspect he underestimates the data discovery and classification angle of DLP a bit…). To top it off, it is also quite hard to perform such a level of analysis while talking about technology “in general,” not any particular box.

So, what do we have left? These two:

  • DLP is useless against anybody but a certifiable, clinical idiot
  • DLP is perfectly workable as long as a) you know what you want, b) the task is actually technically feasible and c) DLP is capable of doing that task.

The first one is an interesting one; it is typically tossed around by people who are technically advanced and who know that THEY will never be blocked by an early 21st century DLP system. However, the jury is still out on the overall harm brought by so-called “IT idiots.” I think if some DLP vendor were to market a near-100% effective (eh… effective vs subjects highlighted in the solution name, that is) “IdiotDefense DLP 2.0,” it would sell pretty darn well, as a lot of real, hard $$ are burned due to stupid behavior. Also, Kevin’s comment (here) rings very true: “The threat surface is actually quite complex and not so simple as ‘stupid-employee’ vs. ‘evil genius hacker’.” So, “Idiot+ Defense DLP” has a pretty real use case.

The second point is my favorite and I covered it in my previous posts on the subject, specifically in “So, CAN We Have DLP?” That point was trivial and deep at the same time: it – hopefully correctly! – states that there are enough people who need what DLP offers; thus it is clearly useful for them. And just as I was typing this, I saw this Forrester report with this amazing statistic: “About 38% of enterprise customers have DLP implemented already. Another 21% are planning to implement it this year.” I am sure this is biased towards the higher side, but still.

  • The report further goes on and says “These two issues -- increased toxicity of customer data, and mandates designed to protect that toxic data -- are the primary reason DLP is taking off. About 80% of the time, enterprises evaluating DLP are doing it because of toxic data problem [A.C. – and NOT due to intellectual property protection yet - the “toxic data” use case seems to be easier to grasp and to start off with compared to IP protection].”

Another worthwhile read related to this is A Response to Bejtlich on DLP, which highlights another – sadly common! – case where DLP will be useful: “… DLP has potential to allow an organisation with an immature security posture, to fairly quickly put controls around high risk data, start working out where their high risk data is stored and where their biggest leaks are.” Finally, here is also a fun report about nexTier, a DLP vendor that lists me on the Advisory Board.

Dr Anton Chuvakin