
Avoiding Data Loss Prevention (DLP) Pitfalls A Discussion of Lessons Learned

April 2013

1 DLP Pitfalls — A discussion of lessons learned

Speaking With You Today

Dan Frank, Principal, Deloitte & Touche LLP
(312) 486-2541 (office), (312) 401-0125 (cell)

Charles Keane, National Security Architect, Symantec
(617) 571-7170

Agenda

• Deloitte and Symantec Alliance Overview
• Top 10 DLP Challenges, Root Causes and Lessons Learned
• Summary

As used in this document, "Deloitte" means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Alliance Overview

Global leaders with a demonstrated track-record of achievements and leading practices

Our alliance brings together two of the leading security and privacy software and professional services organizations in the world, helping organizations solve constantly evolving complex security and privacy related business challenges.

Deloitte
• Leading risk consulting practice
• Client-specific, pragmatic advisory services
• Ability to provide strategic and technical responses to core business challenges

Symantec
• Leading security software provider
• Global intelligence network
• Sophisticated and mature enterprise security tools and technologies

DLP Challenges, Root Causes and Lessons Learned

# 10

The Challenge: Where do I start?

Root Causes:
• Lack of understanding of current environment, data loss risks, and associated risk mitigation priorities
• A tendency to “boil the ocean” when approaching data loss initiatives makes the solution seem overwhelming
• Perception that DLP is a “one time” technical project instead of a “program”

Lessons Learned:
• Understand your risks first
• Prioritize your deployment strategy based on the riskiest areas (e.g. data types, business units, business functions, end points, repositories)
• Build a multi-year road-map for your DLP program that focuses on quick wins as well as incremental business value and advanced functionality

# 9

The Challenge: Understanding the Total Cost of Ownership of a DLP Program

Root Causes:
• Failure to evaluate vendor marketing promises
• Misunderstanding of infrastructure costs and employee resource requirements
• Poor planning of the level of effort associated with policy creation, workflow/remediation, and testing and tuning

Lessons Learned:
• Conduct vendor evaluations and proofs of concept against specific business and technical requirements. Trust…but verify.
• Create a high-level solution architecture to assist with estimating infrastructure costs
• Estimate resource requirements for both initial deployment and on-going operations and maintenance

# 8

The Challenge: Getting Past the Basics – Utilizing Advanced Features

(*Only 30-40% of Symantec’s DLP customers currently use advanced features)

Root Causes:
• Concern with impeding legitimate business processes
• Lack of understanding of legitimate/illegitimate business use
• Undefined processes for business use case analysis
• Policies defined based on content only, rather than contextual analysis
• Lack of sufficient testing and tuning of policies over time before full scale deployment
• Lack of workflow and associated roles and responsibilities, SLAs, etc. to help the business recover information efficiently

Lessons Learned:
• A sound understanding of the business and associated use cases is critical to enabling advanced features
• Policies should be carefully configured based on business use case analysis and sufficiently tested and tuned prior to being enabled
• Operational procedures and workflow for recovery of blocked/quarantined/encrypted information must be established to help prevent prolonged business interruption

# 7

The Challenge: Inability to move from data at rest (“DAR”) identification to DAR remediation

Root Causes:
• Policies aren’t fully tested and tuned before DAR scans take place
• No ownership information or other metadata is present in files
• No formal workflow process in place to interface with end users

Lessons Learned:
• DAR scans should not be your first priority; baselines should be established over time to develop mature policies
• Lead DAR scans with Data Insight (“DI”) and allow the tool to collect several months of usage patterns to establish ownership information
• Use information found in DLP and DI scans to establish a formal workflow

# 6

The Challenge: Frustration with the speed at which the DLP solution becomes functional

Root Causes:
• Lack of a DLP strategy to provide a clear vision and direction for the solution
• Poorly defined requirements
• “Big Bang” implementation approach

Lessons Learned:
• Clearly and transparently articulate the DLP program’s vision and strategy to stakeholders
• Well defined requirements along with a phased implementation plan are important
• Utilize POCs, pilots, and phased implementation approaches

# 5

The Challenge: Deploying DLP Globally

Root Causes:
• Global privacy laws and labor unions can present varying, sometimes conflicting requirements which can restrict DLP monitoring
• Complaints about DLP monitoring from end users arising from cultural differences
• Proper messaging and approvals not vetted beforehand

Lessons Learned:
• Analyze and document legal and regulatory requirements related to employee monitoring (e.g. Germany, Netherlands)
• Create a regulatory/labor union communications and approval strategy and plan
• Allow ample time for socialization and approval of the solution with regulatory authorities/labor unions

# 4

The Challenge: Stakeholders may not understand the value that the solution is offering

Root Causes:
• Poorly defined or undefined DLP metrics and effectiveness criteria
• Lack of operational processes to collect and report DLP metrics
• Stakeholder expectation gaps related to functionality and timelines

Lessons Learned:
• It is important to define metrics and effectiveness criteria, along with an initial baseline from which you can measure future progress
• Establish operational processes to periodically collect and report on DLP metrics to stakeholders
• Involve stakeholders early on and remain as transparent as possible throughout

# 3

The Challenge: Same old…Same Old – Business Behavior Doesn’t Change

Root Causes:
• Lack of operational processes and resources to perform business process re-engineering
• Lack of organizational policies and associated training and on-going communications to establish and reinforce expectations
• Poorly defined or undefined disciplinary measures and enforcement
• Lack of secure alternatives (e.g. secure e-mail, secure FTP, secure storage locations)

Lessons Learned:
• Establish operational processes and a team to work with the business on secure alternatives for their business processes
• Establish organizational security policies and reinforce the policies with training and on-going awareness campaigns
• Establish disciplinary processes and integrate data protection goals into employee performance evaluations/appraisals
• Provide users secure alternatives to accomplish their activities; otherwise unsecure workarounds will be developed

# 2

The Challenge: Unmanageable Incident Queues

Root Causes:
• Poorly defined or undefined incident severity levels and response workflows/procedures
• Policies defined too broadly and without knowledge of legitimate business use
• Lack of sufficient testing and tuning of policies over time before full scale deployment
• Lack of a phased approach
• Insufficient resource allocation for incident response and remediation
• Lack of training of the incident response team

Lessons Learned:
• Define criteria for categorizing incidents by severity so that resources can be allocated based on business risk
• Formally document incident response procedures
• Spend the time required to understand your business so that policies can ignore legitimate business transactions/use
• Spend the time required to test and tune policies before fully deploying
• Don’t boil the ocean - start out slow with a small number of policies
• Allocate requisite resources and conduct formal training
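The policy-tuning and incident-severity points from challenges #8 and #2, as an added Python example that is not part of the deck: it contrasts a content-only rule with a context-aware rule that encodes one approved business use, and orders the remaining incidents by a business-risk severity. The SSN pattern, the approved sender group/destination pair, the internal domain and every event are constructed assumptions.

```python
import re
from dataclasses import dataclass
# Added example, not the deck's code; every value below is constructed.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")   # content detector
INTERNAL = "corp.example"                       # assumed internal domain
APPROVED = {"payroll": {"benefits-vendor.example"}}  # approved business use

@dataclass
class Event:
    sender_group: str   # business unit of the sender
    dest_domain: str    # destination of the transfer
    channel: str        # "smtp", "https" or "usb"
    body: str           # constructed message content

def content_only(ev: Event) -> bool:
    """Content-only policy: any SSN-shaped value is an incident."""
    return bool(SSN_RE.search(ev.body))

def context_aware(ev: Event) -> bool:
    """Contextual policy: SSNs are an incident unless this business use
    (sender group -> destination) was approved during use case analysis."""
    if not SSN_RE.search(ev.body):
        return False
    return ev.dest_domain not in APPROVED.get(ev.sender_group, set())

def severity(ev: Event) -> str:
    """Severity from business risk: identifier volume and channel exposure."""
    n = len(SSN_RE.findall(ev.body))
    external = not ev.dest_domain.endswith(INTERNAL)
    if n >= 50 or (ev.channel == "usb" and n >= 1):
        return "high"
    return "medium" if external else "low"

def triage(events):
    """Counts per policy plus the context-aware queue ordered by severity."""
    order = {"high": 0, "medium": 1, "low": 2}
    hits = sorted((e for e in events if context_aware(e)),
                  key=lambda e: order[severity(e)])
    return {"content_only": sum(map(content_only, events)),
            "context_aware": len(hits),
            "queue": [(severity(e), e.dest_domain) for e in hits]}

SAMPLE = [  # constructed events: one approved use, one external leak, one internal, one bulk USB copy, one clean
    Event("payroll", "benefits-vendor.example", "smtp", "Enrollment 123-45-6789"),
    Event("sales", "mail.example", "smtp", "fwd: 123-45-6789 and 987-65-4321"),
    Event("hr", "hr.corp.example", "smtp", "internal ticket 111-22-3333"),
    Event("eng", "local-usb", "usb", " ".join(f"{i:03d}-12-3456" for i in range(60))),
    Event("marketing", "mail.example", "https", "no identifiers here"),
]
```

On the sample, the content-only rule raises four incidents while the context-aware rule raises three, and the queue puts the bulk USB copy first.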


# 1

The Challenge: Business Community / End User Outcry

Root Causes:
• Lack of policies to clearly set employee expectations
• Lack of communication related to the solution/program
• Lack of business involvement in requirements and scope definition
• Lack of secure alternatives (e.g. secure e-mail, secure storage locations, etc.)
• Lack of operational processes to reduce business interruption time

Lessons Learned:
• Set expectations through policy
• Reinforce expectations through training and awareness mechanisms
• Engage the business in solution requirements and scope
• Establish secure alternatives to enable people to “do the right thing”
• Establish operational processes and resources to respond to events efficiently to limit business interruption time

A Holistic DLP Program

In our joint experience an effective DLP solution/program should be approached broadly, focusing not just on the technology, but also upon the people and processes needed to support and interface with the DLP solution.

I. Governance
• DLP strategy
• DLP requirements
• Organizational structure
• Policies and procedures
• Training and awareness
• Metrics, monitoring, and reporting

II. Process
• Business process analysis
• Incident response workflows
• Incident response plan
• Tuning and adjustment
• Policy change management
• Help desk procedures
• Business process re-engineering

III. Security Integration
• Integration with enterprise security tools and systems

IV. System Implementation
• Hardware and software
• Egress points
• Storage repositories
• End points
• Policy configuration
• Access configuration

• Top down
• Integrates people, process, and technology
• Aligns DLP solution with business drivers and value

[Diagram: enterprise environment across applications, files, storage and network infrastructure (business analytics, customer portal, production data, data warehouse, staging, file server, DR, backup disk and tape, disk storage, enterprise e-mail, WWW, VPN, WAN, outsourced development) with IAM, DLP, SEM and GRC controls overlaid.]

In Summary

Considerations Toward an Effective DLP Program
• Well defined requirements aligned with business goals
• A well thought out and defined strategy and road-map/plan
• Allocating resources to supporting processes
• Achieving and building upon quick wins
• Tight coordination and integration with the business
• Transparent communication with stakeholders and business community

Benefits of Our Joint Approach
• Helps prevent costly re-work
• Demonstrates business value through “quick wins”
• Helps to prevent business community and end-user outcry
• Enables the use of advanced system capabilities
• Maintains stakeholder support
• Improves incident response capabilities

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.

Member of Deloitte Touche Tohmatsu Limited