Data Leakage Protection: preventing loss of data. What is Data Loss Prevention and where does it fit in your cyber security strategy?
The term I have become accustomed to is Data Leakage Prevention, because what we in cyber security are trying to achieve is minimising the wrong data leaving the organisation; as I have written before, the majority of ‘Cyber’ breaches are in fact accidental “leakage” of information.
As this relates to the KickSec glossary, we will refer only to electronic data. An organisation has many physical sources of data as well, but electronic data is much more easily moved around and is therefore more at risk.
Introduction: Data Leakage Prevention
Data Loss Prevention (DLP) is the science of preventing data being given to unauthorised parties, whether by accident (a staff member's mistake) or by being removed from the organisation through unauthorised means (an attacker exfiltrating data).
A Data Loss Prevention solution is commonly used in one of two ways, or a combination of both:
1. Inspecting traffic leaving the organisation and checking whether that data meets all the rules for its classification; the classification may trigger an alert or a blocking rule; or
2. Inspecting files on workstations, servers and laptops and determining whether that data falls within any configured “allow” or “deny” rulesets with regard to its use, location, classification etc.
Data is typically classified into two categories to start with: structured and unstructured.
Structured data is the Word documents, templates and other data that is stored for a purpose. It is probably stored on a file system or CMS, in folders, with classifications.
Data Leakage Prevention = Not Easy!
Unstructured data is the data that people generate using email, messaging apps, social media etc. This data is complicated because unstructured data does not conform to the standards of the organisation.
Unstructured data may relate to many different aspects of the business: for example, an email discussing multiple topics, with attachments that in turn relate to different departments.
Unstructured data is often the data an organisation most needs to get control over, as these channels are the ones an employee is most likely to use to send data externally.
Ironically, it is this data that most often causes data breaches, and it is this data that a DLP solution is not going to handle effectively without staff doing the classification at source, via a Microsoft Outlook plugin, before an email is sent.
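As an added example, not code from this post or from any DLP product, here is a small policy engine in Python that models the two uses described above (classification-based alert or block on outbound traffic, and allow/deny by classification) against the unstructured-email problem: an email whose body and attachments carry different classifications is governed by the highest one, and a label applied at source (the Outlook-plugin step) can raise but never lower the level found by content inspection. The INTERNAL_DOMAINS set, the card-number-like pattern and the sample messages are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Classification levels, lowest to highest.
LEVELS = ["PUBLIC", "INTERNAL", "CONFIDENTIAL"]

# Constructed content-inspection patterns standing in for an organisation's
# own rules: a 16-digit card-number-like string and an explicit marking.
PATTERNS = {
    "CONFIDENTIAL": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "INTERNAL": re.compile(r"\binternal use only\b", re.IGNORECASE),
}
INTERNAL_DOMAINS = {"example.com"}  # assumed corporate mail domain

@dataclass
class Part:
    """One email body or attachment, with any label applied at source."""
    text: str
    label: Optional[str] = None

def classify(part: Part) -> str:
    """Content inspection first; the at-source label can only raise the level,
    so a mislabelled part cannot downgrade what inspection finds."""
    found = "PUBLIC"
    for level in reversed(LEVELS):  # check the highest level first
        if level in PATTERNS and PATTERNS[level].search(part.text):
            found = level
            break
    if part.label in LEVELS and LEVELS.index(part.label) > LEVELS.index(found):
        found = part.label
    return found

def message_level(parts: List[Part]) -> str:
    """A multi-topic email is governed by its most sensitive part."""
    return max((classify(p) for p in parts), key=LEVELS.index)

def evaluate(recipients: List[str], parts: List[Part]) -> Tuple[str, str]:
    """Outbound rule: ALLOW, ALERT or BLOCK, with the reason for the log."""
    external = [r for r in recipients
                if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
    level = message_level(parts)
    if not external:
        return "ALLOW", f"{level} data, internal recipients only"
    if level == "CONFIDENTIAL":
        return "BLOCK", "CONFIDENTIAL data addressed to " + ", ".join(external)
    if level == "INTERNAL":
        return "ALERT", "INTERNAL data leaving the organisation"
    return "ALLOW", "PUBLIC data"
```

Note that a message to internal recipients only is allowed at any level; the rules only bite when data crosses the organisation boundary, which is the case the post says accounts for most breaches.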
Any organisation looking at Data Loss Prevention needs to consider several factors when evaluating a solution, and weigh the value that will be derived against the cost of managing the DLP implementation:
- Who owns the data? Does the business expect SecOps or IT to manage it? (Hint: very often “yes”)
- Where is the budget for managing the DLP solution coming from after implementation?
- Is the business going to accept the inconvenience of DLP rules “upsetting” their daily workflows?
- Will the business get sufficient value from the ongoing investment?
- What data needs “loss prevention”? Is there a better way to do DLP, because maybe the business only needs to protect against accidental emails etc.? (Hint: often yes)
Classifying data is difficult; really, really difficult. A DLP solution that uses AI does NOT make it any easier.
This is what Gartner says:
“The market for enterprise data loss prevention (EDLP) comprises offerings that provide visibility into data usage across an organization for a broad set of use cases and the dynamic application of policies based on the content and context at the time of an operation. EDLP seeks to address data related threats including the risks of inadvertent or accidental data loss, and the exposure of sensitive data using monitoring, filtering, blocking and other remediation features.”
– Gartner, https://www.gartner.com/reviews/market/enterprise-data-loss-prevention
You can read more of Gartner's opinions at that link.
Data leakage protection is the same thing as Data Loss Prevention, and it is a huge topic that cannot hope to be covered in a single blog post, but I hope I can give you some ideas of where to start.
Data loss prevention – Relationship with the ASD Essential 8
The Australian Signals Directorate Essential 8 does not provide a lot of guidance on protecting data, but expect this to change as organisations start to mature their cyber resilience strategies.