Data Loss Prevention Best Practices

December 21, 2021 | By IANS Faculty

Data loss prevention (DLP) helps organizations address the risk of malicious or accidental data leaks. This piece explains how spending time understanding business drivers and the process behind the tools can help deliver more value from these solutions. 

DLP Program Basics 

Successful DLP programs start with a lot of upfront planning. DLP can introduce some friction for business users, so your strategy should be to engage stakeholders right from the beginning to ensure everyone understands and supports the objectives of the program and that expectations are set appropriately – especially with senior executives and business leaders. While there are numerous considerations when preparing for a DLP deployment, it is important not to overlook the following areas:

  • Why are you deploying DLP at all? The primary driver for DLP is protecting critical business data, but other drivers may include compliance (e.g., with the EU’s General Data Protection Regulation), audit and regulatory pressures, user education (e.g., to encourage usage of an encrypted email gateway) and finding insider threats.
  • What data are you protecting? Many deployments start with obvious problems, like cleartext credit card and Social Security numbers (SSNs). But DLP’s real business value comes from looking at much harder to define data, such as mergers and acquisitions (M&A) data or other intellectual property (IP). These data types are much more difficult to capture in a DLP rule without having direct involvement from business representatives.
  • What communications channels are in scope? A good rule of thumb is that if you are looking to protect compliance-related material (e.g., credit card numbers or SSNs) from leaving the firm, then network DLP might be sufficient for your needs. Anything more complex, like looking for insider threats, will likely require a DLP endpoint solution with an agent installed on every desktop. Many firms use a combination of both network and endpoint DLP.
  • How will you handle encrypted traffic? A good portion of your network traffic might be encrypted. Estimates indicate that nearly 80% of network traffic is encrypted. Methods for forwarding encrypted traffic via proxies, application delivery controllers or dedicated SSL decryption solutions should be a consideration for your DLP appliances. Otherwise, you will need to focus on endpoint solutions.

DLP Strategies and Processes 

DLP tools generate many alerts that need attention. It helps to plan your response strategy well in advance of deploying software. Many organizations assume the security team will respond to all events. But an email event that triggers from a rule looking for credit card numbers might indicate theft of data just as easily as it might be a legitimate business transaction over an insecure communications channel. Engaging privacy, compliance or even employee managers is a best practice for distinguishing between poor business practices and malicious intent.

We also recommend reviewing all software-based response options and automating them wherever possible. Most DLP tools can block, force encryption, alert or quarantine sensitive data. Think about which scenarios will require human intervention and which ones could be automated. DLP as a managed service (offered by Digital Guardian and others) could also be an attractive option for resource-constrained organizations.

DLP Solutions 

DLP solutions generally take one of two approaches:

  • Enterprise DLP technologies are purpose-built solutions that cover traditional data loss vectors such as data at rest, data in motion and data in use. Some of the most common and well-known traditional standalone DLP vendors include:
    • Digital Guardian
    • Forcepoint
    • McAfee
    • Symantec Broadcom
  • Integrated DLP tools typically address other security issues, like email or network security, and have basic DLP functionality embedded. Examples of integrated solutions include Zscaler and Netskope.

Choosing the right solution depends on your company’s requirements and what products might already be in place. For example, if your needs are relatively simple and McAfee is your desktop anti-malware solution, it wouldn’t make sense to deploy Symantec Broadcom just for its DLP capabilities.

If you are primarily in the cloud, DLP is typically addressed with a cloud access security broker (CASB). Some key DLP vendors in this space include:

  • Forcepoint
  • Netskope
  • Proofpoint
  • Microsoft

Understanding your requirements up-front will make product selection much easier. If you already have Microsoft E5 licensing and your needs are relatively straightforward, the Microsoft Information Protection toolset could be sufficient.

Successful DLP Deployment

We recommend taking a phased approach with DLP deployments. Start with some simple objectives to prove the tools and the processes. For example, create an alert that triggers on a certain threshold of instances of credit card data in North America or select a single business unit to monitor. The objective is to make sure the team responding to DLP alerts can handle the event volume and there are not too many false positives.

DLP Process Pitfalls 

  • Not enabling “free” DLP controls first: Companies looking to get started with a general data protection program can start by making sure basic security controls are already in place. For example, disabling USB storage can generally be accomplished through Active Directory group policy and doesn’t require special software to be deployed. Ensuring least privilege access controls, encrypting hard drives and implementing network segmentation can also reduce the risk of data loss without deploying a formal DLP product.
  • Not engaging stakeholders: We recommend creating a DLP steering committee that includes stakeholders from legal, privacy, compliance, human resources and business representatives at a minimum. This will help ensure everyone is on the same page with what events are being triggered and the response.
  • Big bang deployments: We recommend a phased approach for enterprise DLP deployments. The more focused the initial deployment is, the more likely it will be successful. Start small and grow from there.
  • Not tuning the DLP system: Generating too many alerts can not only overwhelm responders, but it can also raise audit and regulatory issues if alerts are left unaddressed. DLP systems generally require tuning to reduce false positives. This is an iterative process, so plan to revisit and adjust alert quality frequently.
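As an added illustration of the threshold-based credit card alert suggested under Successful DLP Deployment and of the false-positive tuning described in the pitfalls list (example code written for this page, not code from the original post or from any DLP product): a minimal detector that counts raw regex hits, then applies the Luhn check so look-alike internal identifiers no longer trigger, and alerts only when validated hits reach a configured threshold. The sample message and its identifiers are constructed; the three valid numbers are the standard public test card numbers.

```python
import re

# Candidate primary account numbers: 13 to 19 digits, optionally separated
# by single spaces or dashes, not embedded in a longer digit run.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample message for this example. The first three numbers are
# the standard Visa/Mastercard/Amex test card numbers (all pass Luhn); the
# last two are look-alike internal identifiers that fail the Luhn check.
SAMPLE_EMAIL = (
    "Hi, please process the refund for card 4111 1111 1111 1111 and "
    "card 5500-0000-0000-0004. Amex on file: 378282246310005. "
    "Order reference 1234567890123456 and ticket 4111111111111112 "
    "are internal IDs, not card numbers."
)

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def count_candidates(text: str) -> int:
    """Untuned rule: every regex hit counts, including false positives."""
    return len(PAN_PATTERN.findall(text))

def find_pans(text: str) -> list:
    """Tuned rule: keep only candidates that pass the Luhn check."""
    pans = []
    for match in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            pans.append(digits)
    return pans

def evaluate_message(text: str, threshold: int) -> dict:
    """Threshold rule: alert only when enough validated PANs appear."""
    pans = find_pans(text)
    return {"count": len(pans), "alert": len(pans) >= threshold}

if __name__ == "__main__":
    print("raw regex hits:", count_candidates(SAMPLE_EMAIL))  # 5 hits
    print("Luhn-validated:", find_pans(SAMPLE_EMAIL))  # 3 real PANs
    print("threshold 3:", evaluate_message(SAMPLE_EMAIL, 3))  # alert True
```

On the sample, the untuned rule fires on five candidates while the Luhn-tuned rule keeps three, which is the kind of alert-volume reduction the tuning step is meant to produce before a rule is rolled out beyond a pilot business unit.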

DLP Program Guidance 

DLP programs take some time to add real value beyond basic blocking. Putting time into understanding business requirements and event response processes will ensure you’re getting the most value out of your investment. Remember:

  • Be clear why you’re deploying DLP in the first place: Understanding your business drivers and the complexity of your needs will help drive the right product or solution for your organization. The best DLP deployments capture not only compliance-driven data, but data that has business value.
  • Engage stakeholders early: If you plan on disciplining employees who mishandle confidential information, make sure your process is vetted well beyond the security group. HR, legal and potentially physical security should all be aware of your DLP program if your events could result in employee termination.
  • Don’t go it alone: The biggest challenges with DLP deployments happen when the security group works in isolation and then tries to respond to every event alone and without any business context. Engage your stakeholders and have them help guide your program.

When it comes to DLP deployments, start small, engage stakeholders and plan your processes in detail. Don’t just focus on products.

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
