
darkreading.com
JUNE 2014
DLP: Curb The Leak Insanity
PLUS: Data classification is users' responsibility
Data-leak prevention software is only one piece of your defense, but it can keep insider leaks from causing havoc. Here's a deployment road map.
By Ericka Chickowski
CONTENTS
June 2014, Issue 16
COVER STORY
DLP: Curb The Leak Insanity
Data-leak prevention software can go a long way to preventing sensitive data from being exposed where it shouldn't.
DARK DOMINION
Data Classification Is Users' Responsibility
Each user plays a part to keep sensitive data from leaking.
CONTACTS
Editorial and Business Contacts
More From Dark Reading
Strategic Security Survey
Seventy-five percent of 536 respondents say their orgs are as or more vulnerable to malicious code attacks and security breaches compared with a year ago. Where do we go from here?
Black Hat USA
Each year, the brightest minds in security come together for Black Hat, six days of learning, networking, and high-intensity skills building. Back for its 17th year, Black Hat USA will take place Aug. 2 to 7 at Mandalay Bay in Las Vegas.
PREVIOUS ISSUE
Stop Targeted Attacks
All cyber-attackers aren't equal. Focus more attention on exploits made just for you. Also in this issue: Experts speak on targeted attacks.
DARK DOMINION
Data Classification Is Users' Responsibility
TIM WILSON
@darkreadingtim
The other night, I was observing my daughters, 11 and 13, as I tasked them with cleaning our basement, where they both play. The job wasn't very far along when the arguments began.
"That's not my mess," they said to each other. "I didn't make it, so I shouldn't have to clean it up." Not surprisingly, their old man ended up doing a lot of the cleaning.
Suddenly I was reminded of the enterprise data classification problem.
OK, maybe it wasn't sudden. But the analogy isn't far off. Every day, employees create sensitive documents, sometimes on home computers or mobile devices, without any thought to tagging them as sensitive. Those documents are passed around and copied without regard for their classification, and sooner or later, many of them escape the security of the office. And then a data breach happens.
For IT organizations, securing unclassified data is a bit like cleaning my basement. The users who created the sensitive documents, those who make a mess by leaving sensitive data unclassified, say they're not responsible for data security and shouldn't have to classify their content. So, like the dad in the basement, a lot of IT organizations end up doing data classification and document-level security across the enterprise, even though they had nothing to do with the creation of the content.
True, there are tools that help IT with this problem. Data-leak prevention (DLP) tools, the subject of this digital issue, were developed to help identify sensitive data, wherever it resides, so that it can be protected. As you'll see in our cover story, a good DLP deployment can stop leaks such as those committed by former NSA contractor Edward Snowden by detecting outbound sensitive data and warning enterprises before it goes too far.
But I can't help wondering, would DLP be so important if all users classified their documents as they create them? The US government has been doing this for decades. All newly created documents are ranked as "public," "classified," or "top secret." This simple ranking system makes it easier to track sensitive documents as they're passed around, and it allows for simple policies for extra protection, such as encryption.
Data classification systems and policies put the onus on the document's creator to flag new content that may be sensitive or potentially leakable. Granted, not all end users make the right choices, and data could still be at risk because of human error. But with the right set of policies, it would be much easier to identify sensitive data before it starts moving around the network, rather than after it's out of the barn.
Every user must participate in information security efforts. Data classification is one way to make that happen, and to make sure each user takes some responsibility for cleaning up his own mess.
Tim Wilson is the editor of DarkReading.com. Write to him at timothy.wilson@ubm.com.
COVER STORY
DLP: Curb The Leak Insanity
Data-leak prevention software is only one piece of your defense, but it can keep insider leaks from causing havoc. Here's a deployment road map.
By Ericka Chickowski @ErickaChick
From WikiLeaks to the NSA Prism surveillance scandal, organizations are seeing firsthand that employees and contractors can do real damage if they steal or leak sensitive data.
Malicious data leaks are less common than attacks by outside hackers, but an internal leak can be much more damaging because insiders know the systems they're stealing from and are less likely to be detected.
Data-leak prevention (DLP) software and services are designed to help prevent such leaks. These content-aware filtering technologies monitor content on the endpoint, in the network, and within storage in an effort to detect and block actions involving sensitive data that might violate company data use policies.
Based on advanced technology that includes content registration and filtering of very sensitive data, as well as filtering based on keywords, lexicon, metadata tags, and machine-learning statistical analysis, DLP can go a long way to preventing sensitive data from being exposed where it shouldn't. But many organizations are still struggling to find the best way to implement DLP.
Many of the problems that prevent organizations from getting value out of DLP technology are the same problems preventing them from getting value out of other security technologies. Namely, these companies haven't done the risk management homework around people and processes needed to take advantage of DLP's features.
"It's not about just blocking anymore," says Todd Feinman, CEO of Identity Finder, a data protection company. "It's about discovery, classification, remediation, monitoring on an on-going basis, and then, of course, that last piece of compliance. They need reporting to tell auditors they're doing the things they're supposed to be doing."
DLP Pitfalls
Security consultants say that the No. 1 obstacle keeping organizations from making DLP work the way it's supposed to is that they simply don't know where all their data is. Not only that, but many organizations rush headlong into DLP purchases without defining what data they want to protect most.
"If you aren't sure where sensitive data lives, how can IT prevent critical data leaks?" says Kyle Kennedy, CTO of Stealthbits Technologies, a data access governance firm.
This lack of awareness about where critical data resides stems from an even more deeply seated DLP mistake: most organizations fail to make a DLP deployment part of an overall data governance and controls program. Organizations need to start first with a program and then worry about what kind of technology to use and how to use it. Understanding what data the business most needs to protect and what the most serious risks are to that data are the first steps to developing a data governance program, with a DLP program as a subset of that.
"If you understand your entire risk picture, you can understand better how DLP fits into that overall controls environment," says John Rostern, regional VP of IT governance, risk management, and compliance consulting firm Coalfire Systems. "Otherwise you'll end up with shelfware really quick."
"How ready I am for DLP is a question of how well I understand the risks that I want to use DLP to offset. Otherwise you'll end up with shelfware really quick."
John Rostern, Coalfire Systems
Take, for example, a manufacturing company with trade secrets and engineering drawings to protect. Executives would probably identify those as the top assets to fingerprint for DLP filtering and to track movement outside the organization. But it shouldn't stop there.
"They also might want to put complementary controls in place that say, 'I don't want you to have those engineering drawings on a laptop that goes out of the country,'" Rostern says.
Developing a risk-based DLP program also delivers another benefit, which may be the most important: limiting the scope of what DLP protects. Such limits will drastically improve the effectiveness of the technology when deployed.
"Try to protect too much, and the security team will get a sea of data that contains a lot of alarms and it's hard to figure out which of these are important, so eventually they end up ignoring the alerts and missing something important, or just turning the technology off," says Dwayne Melancon, CTO of Tripwire, a risk management software company.
Not only should organizations identify their crown jewels, they should also define how long they intend to protect those jewels. "For instance, if it's R&D data, you put the DLP protection on the R&D until it becomes a product and is discussed publicly in your whitepapers. At that point, you can pull it out of the DLP umbrella because you're expending resources to protect information that's now public," says Christopher Burgess, CEO of Prevendra, an Internet security and risk management firm.
In order to limit the scope and understand where the crown jewels are, DLP projects need rigorous data discovery and classification.
Threats From Inside
Which of the following types of insiders pose the biggest threat to your organization?
Nontechnical employees with legitimate access to sensitive data and IT assets: 51%
Third-party contractors with legitimate access to your organization's network: 48%
IT administrators: 34%
Business partners, customers, suppliers, etc., with legitimate access to your organization's network: 24%
IT service providers with legitimate access to your organization's network for support purposes: 24%
Other IT employees: 17%
Executive management: 8%
Senior IT management: 5%
Data: Enterprise Strategy Group survey of 707 respondents, 2013
Key Components Of A DLP Program
With automated data discovery tools improving over the last few years, the discovery piece has grown easier. But classification remains a sticking point because it requires human analysis to develop categories and policies around those data categories. So the first step for an organization is to classify its data and put parameters and protocols around what is worth protecting. Some organizations are even going so far as to institute chief data officers responsible for classifying data and acting as stewards of that data.
The odds for successful classification improve greatly if the organization makes its classification structure simple, says J.D. Sherry, VP at security firm Trend Micro. There's a reason why the US government relies only on "classified," "secret," and "top secret" as its information governance categories, he notes.
"When companies say they want to have this data restricted just for the executives, I suggest, 'Wouldn't it be easier if you just said company confidential data and public data?'" Sherry says. "If it's a company document, it's not shared with anybody not in the company and then you can create some exceptions."
Top Security Threats
Which of the following possible sources of breaches or espionage pose the greatest threat to your organization this year?
Source of threat: 2014 / 2013
Cyber-criminals: 53% / 56%
Authorized users or employees: 49% / 51%
Application vulnerabilities: 40% / 42%
Public interest groups or hacktivists: 23% / 21%
External users: 19% / 20%
Contracted service providers, consultants, or auditors: 17% / 20%
Foreign governments: 13% / 16%
Competitors: 13% / 13%
Customers: 6% / 15%
Our own government: 12% / NA
Data: InformationWeek Strategic Security Survey of 536 business technology and security professionals at organizations with 100 or more employees in April 2014 and 1,029 in March 2013
With that level of simplicity, the organization can immediately remove any public data from the DLP inspection process. "From there it's a matter of tuning your machine to account for those exceptions and other policies," says Burgess, of Prevendra. Granted, not all businesses can adopt this level of simplicity in classification, but it's the right goal to think about as an organization ramps into a DLP program.
Along with classifying data, organizations should consider data elimination before implementing DLP, says Feinman. Many data types don't need to be stored long term, and should be eligible for digital shredding.
That's not always an option, of course, and some data may need to be maintained but can be partially redacted. "In the case of medical records, maybe you need the person's name and address but you don't need their Social Security number," says Feinman. "So you would redact the sensitive information but leave everything else intact."
What's left is sensitive information, such as intellectual property and unstructured data, where neither deleting nor redacting is an option. By going through the classification and elimination steps, an organization will, at the very least, understand where these trickier pieces of information are. If they can be encrypted, then they should be. If not, then they're at least identified, assigned a risk score, and protected with DLP.
The Third-Party Question
Another concern that a DLP program must address is third-party data flow and control. Organizations will have a hard time getting contractors and partners to swallow the requirements for DLP installations, such as including intensive content filters within their systems, if it wasn't a prenegotiated stipulation, says Rostern.
For example, say your organization is working with an accounting firm that needs access to some parts of your network and data to get their work done. Your company wants to make sure that the accounting firm only gets access to specific data, and not sensitive data. In that case, your company would ask the accounting firm to work within the limits of your DLP technology, but the accounting firm will likely say "no thanks" unless there's a contract in place.
"DLP is the thing that's supposed to catch the mistake after you thought you'd done everything right."
Todd Feinman, CEO, Identity Finder
"If you have weak contractual terms or none at all, it could be very difficult to say, 'Now we're going to put this technology in place that will tell you that you can't access this or never move that,'" Rostern says.
In contractor or partner situations where the partner is administering a system for you with super-user access, planning for DLP as a monitoring tool can be very useful, Rostern says. DLP can be used for blocking and monitoring or monitoring alone.
Regardless of the situation, companies should tightly control and segment access to their data by contractors and partners. They should be thought of as public but with exceptions for certain private data.
"Third parties are an exception that's documented," says Rostern. "The third-party risks are identified, and you monitor what data they're touching. As opposed to: 'Here's your logon, knock yourself out.'"
Evaluating And Deploying DLP
Organizations that start with a DLP program that limits the scope of the data and eliminates sensitive data from the get-go are better prepared to find the right DLP technology.
"Are they getting DLP to ensure they're meeting regulatory mandate requirements or is it because they're more concerned about intellectual property being exfiltrated?" says Jeff Debrosse, director of security research for Websense Security Labs. "Or are they just really concerned about customer and employee privacy? Knowing that will help you better shop for a solution and speak to vendors."
One of the gotchas that organizations should look for is whether the technology can be tuned to handle what Burgess calls the "noise factor," where documents and content may look sensitive and be flagged and blocked by monitoring tools but are actually not valuable pieces of data.
The key to implementation, he adds, is to have the DLP looking at both inbound and outbound data flows. Depending on the DLP vendor, it can be configured to do both. This approach is better because you can look for clues for potential breaches, particularly if hackers are using remotely controlled machines in outsider attacks. There's a lot of traffic that goes from the outside hackers' command-and-control machines inbound to those internal machines they control.
But the power of DLP processing can be a double-edged sword. "If not used properly, DLP can cause business disruption," warns Ashok Devata, senior manager of product marketing at RSA. "Blocking all personally identifiable information might break HR and finance processes. You need to involve all stakeholders, and audit-only mode is recommended before enforcing any controls such as blocking."
One mistake enterprises often make is deploying DLP too quickly, without monitoring. Because the filtering is powerful, it requires time to tune and observe organizational behaviors in monitor-only mode before turning on blocking. If not, companies risk intrusive false positives. Also, fully featured DLP has a lot of components at the gateway and across endpoints. A smaller deployment can get a quick win before going full scale.
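
The audit-only rollout described above, together with the partial redaction Feinman describes earlier, can be sketched in a short Python policy check. This is an added example, not code from the article or from any DLP product; the two-tier labels, department names, sample messages, and the SSN pattern are all constructed assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# SSN-shaped token: 3-2-4 digits, optional "-" or space separators.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")

def plausible_ssn(area, group, serial):
    """Drop number ranges that are never issued, to reduce noise."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def ssn_hits(text):
    return [m.group(0) for m in SSN_RE.finditer(text) if plausible_ssn(*m.groups())]

def redact(text):
    """Partial redaction: mask SSNs only, leave name and address intact."""
    return SSN_RE.sub(
        lambda m: "XXX-XX-XXXX" if plausible_ssn(*m.groups()) else m.group(0), text)

@dataclass
class Event:
    dept: str    # sender's department
    label: str   # "public" or "confidential" (two-tier classification)
    flow: str    # "outbound" or "internal"
    body: str

def evaluate(event, mode, exceptions=frozenset()):
    """Return 'allow', 'would_block' (audit mode) or 'block' (enforce mode)."""
    if event.label == "public":                  # public data is out of DLP scope
        return "allow"
    if not ssn_hits(event.body):
        return "allow"
    if (event.dept, event.flow) in exceptions:   # documented business exception
        return "allow"
    return "would_block" if mode == "audit" else "block"

def audit_report(events, exceptions=frozenset()):
    """Count, per (dept, flow), what enforcement would have blocked."""
    return Counter((e.dept, e.flow) for e in events
                   if evaluate(e, "audit", exceptions) == "would_block")

# Constructed sample traffic (all values are made up for illustration).
EVENTS = [
    Event("hr", "confidential", "internal", "Payroll update: Jane Roe, SSN 123-45-6789"),
    Event("hr", "confidential", "internal", "Benefits form: John Doe 234 56 7890"),
    Event("finance", "confidential", "internal", "1099 prep, TIN 345-67-8901"),
    Event("sales", "confidential", "outbound", "Customer list attached: 456-78-9012"),
    Event("eng", "confidential", "outbound", "Part no. 900-12-3456 ships Friday"),
    Event("marketing", "public", "outbound", "Press kit, call 555-01-0000 ext"),
]

# Exceptions agreed with HR and finance after reviewing the audit report.
TUNED_EXCEPTIONS = frozenset({("hr", "internal"), ("finance", "internal")})

if __name__ == "__main__":
    print(audit_report(EVENTS))
    print([evaluate(e, "enforce", TUNED_EXCEPTIONS) for e in EVENTS])
    print(redact("Patient: Jane Roe, 12 Elm St, SSN 123-45-6789"))
```

Run without exceptions, the audit report shows that enforcement would have stopped three internal HR and finance messages alongside the one outbound sales message; with the tuned exceptions, only the outbound message is blocked.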
Additionally, organizations should think about more than just exterior data flows, and have DLP pointed at data flows inside the company, employee to employee. Burgess points to the case of United Technologies, which was fined $75 million in 2012 by the US Department of Justice in a case where it allowed military designs for a helicopter to enter its Chinese office, and the designs were subsequently seized by the Chinese government. "DLP would have never caught that if they had installed it and were only looking externally," he says.
As organizations plan for improved data protection, perhaps the most important piece of advice about DLP is that although it's a strong information security management program, companies still need other elements such as network access controls, server hardening, and web application security improvements, which all play key roles in preventing data loss.
DLP should also be a technology of last resort. The biggest misconception about DLP is that it's your first line of defense, when really it's the last step. Says Feinman, "It's the thing that's supposed to catch the mistake after you thought you'd done everything right."
Write to us at editors@darkreading.com.
Tim Wilson Dark Reading Site Editor
timothy.wilson@ubm.com 703-262-0680
Kelly Jackson-Higgins Dark Reading Senior Editor
kelly.jackson.higgins@ubm.com 434-960-9899
UBM TECH
Paul Miller CEO
Marco Pardi President, Events
Kelley Damore Chief Community Officer
Tom Spaeth CFO
David Michael CIO
Simon Carless Exec. VP, Game & App Development
and Black Hat
Lenny Heymann Exec. VP, New Markets
Angela Scalpello Sr. VP, People & Culture
Copyright 2014 UBM LLC. All rights reserved.
Rob Preston VP and Editor In Chief
rob.preston@ubm.com 516-562-5692
Jim Donahue Managing Editor
james.donahue@ubm.com 516-562-7980
Chris Murphy Editor
chris.murphy@ubm.com 414-906-5331
Shane O'Neill Managing Editor
shane.oneill@ubm.com 617-202-3710
Lorna Garey Content Director, Reports
lorna.garey@ubm.com 978-694-1681
Debee Rommel Senior Art Director
debee.rommel@ubm.com