How to deploy the right DLP products for the right jobs

Expert Bill Hayes maps specific data loss prevention products to three deployment scenarios to better help readers make their own purchase decisions.

Nation states, cybercriminals and unscrupulous competitors are all vying to steal sensitive information from vulnerable organizations. Data loss prevention (DLP) products help organizations protect sensitive information by finding it and controlling where it can go. These DLP products examine data at rest on file servers or in the cloud, data in motion across networks and data in use on endpoint devices.

Data loss prevention tools are available either as part of standalone dedicated DLP suites for enterprise-wide coverage, or are integrated into other security products, such as endpoint security tools and network application gateways.

This article examines three DLP usage scenarios -- and the common issues associated with them -- to better help readers make the right decision when purchasing DLP products.

In these scenarios, the cybersecurity teams -- working with subject matter experts from departments that process sensitive information and company compliance specialists -- have identified the data paths, communications protocols and data formats of sensitive information. Designated business process managers and compliance specialists have classified this information according to the company's data classification policy, and the legal department and compliance staff worked together on E-discovery issues, preservation of evidence, and monitoring provider and business associate compliance.

The first scenario examines how a standalone DLP suite might be used; the second, how a DLP suite and security tools with integrated DLP features might be employed; and the final one, how multiple security tools with integrated DLP features might be used to achieve the same result.

The standalone DLP scenario

A regional medical center has a data center containing patients' personally identifiable information (PII) and protected health information (PHI). The PII and PHI are shared with health insurance providers and are accessible to healthcare professionals at workstations, mobile data carts and tablets. Customer billing is handled by a third-party vendor.

The medical center currently uses Symantec Endpoint Protection, with email encryption from Symantec Encryption, on Windows and Mac OS X hosts. The logs from the endpoint protection and DLP servers pass to the Splunk SIEM system.

The Symantec DLP Suite covers data in use, data in transit and data at rest (all three are needed for any DLP deployment to succeed) and, importantly, integrates well with the deployed Symantec Encryption products. For instance, Symantec Endpoint Prevent analyzes data before it is transferred to removable media and can automatically encrypt sensitive information as it is written to that media.

Data in transit is addressed by Symantec Network Monitor with companion modules Symantec Network Prevent for Web and Symantec Network Prevent for Email.

Sensitive data on endpoints is covered by an agent containing both Endpoint Prevent for data in use and Symantec Data Loss Prevention Endpoint Discover for data at rest. These modules are enabled by licensing. Endpoint Prevent is used to monitor and stop sensitive information from being copied to removable media like CD-R/DVD-R and USB devices. It is also configured to prevent data from being printed, faxed, or copied to the clipboard for pasting into another document. Sensitive data is prevented from leaving the endpoint via network protocols like FTP, SMTP and IM.

The medical center also created policies to stop data from being sent to cloud file-sharing sites and social media sites. The agent pop-up feature is enabled to inform the user of a DLP policy violation, and thus reinforce security awareness training. To address data at rest on endpoints, the Endpoint Discover module scans file storage on workstations and laptops. It is configured to both move unauthorized sensitive information to a safer network quarantine location, and generate a DLP incident alert for further action by the cybersecurity staff.

Data at rest on network-based storage is handled by the licensed modules Network Discover and Network Protect. The medical center has configured Network Discover to regularly scan file servers, network-attached storage and databases for sensitive information, and then (based on policy) uses Network Protect to automatically copy, relocate or quarantine exposed confidential data.
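The behaviour described in the last few paragraphs, detecting regulated identifiers in content and then choosing a response by channel (encrypt on removable media, block on network and print paths, quarantine when found at rest), is what a DLP policy boils down to. The following is an added example, not Symantec's code or policy syntax: the SSN structure rules and the Luhn check are real-world validations that cut false positives, while the `MRN-nnnnnnn` medical record number format and the channel names are assumptions chosen for illustration.

```python
import re
from typing import Dict, List

# Detectors. SSN and card rules are structural checks used by real DLP engines;
# the MRN format is an assumption standing in for a site-specific identifier.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators
MRN_RE = re.compile(r"\bMRN[- ]?\d{7}\b")            # hypothetical medical record number


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum: weeds out digit runs that merely look like card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> List[Dict[str, str]]:
    """Return each identifier found, tagged with its kind."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append({"kind": "ssn", "value": m.group(0)})
    for m in CARD_RE.finditer(text):
        if luhn_ok(m.group(0)):   # pattern alone is not enough; checksum must pass
            findings.append({"kind": "card", "value": m.group(0)})
    for m in MRN_RE.finditer(text):
        findings.append({"kind": "mrn", "value": m.group(0)})
    return findings


# Channel -> response, mirroring the scenario: encrypt on removable media,
# block on network/print/clipboard paths, quarantine when found at rest.
CHANNEL_ACTION = {
    "removable_media": "encrypt",
    "smtp": "block", "http": "block", "ftp": "block", "im": "block",
    "print": "block", "clipboard": "block",
    "endpoint_disk": "quarantine", "file_server": "quarantine",
}
# Interactive channels where a user pop-up reinforces awareness training.
ENDPOINT_CHANNELS = {"removable_media", "print", "clipboard", "endpoint_disk"}


def decide(text: str, channel: str) -> Dict[str, object]:
    """Classify content, then pick the policy response for the channel it is on."""
    findings = find_sensitive(text)
    if not findings:
        return {"action": "allow", "findings": [], "notify_user": False}
    action = CHANNEL_ACTION.get(channel, "block")   # unknown channel: fail closed
    return {
        "action": action,
        "findings": findings,
        "notify_user": channel in ENDPOINT_CHANNELS,
    }


if __name__ == "__main__":
    # Constructed sample text; the second card number fails the Luhn check.
    sample = ("Patient MRN-0012345, SSN 123-45-6789, card 4111 1111 1111 1111, "
              "bogus 4111 1111 1111 1112")
    for channel in ("removable_media", "smtp", "file_server"):
        print(channel, decide(sample, channel)["action"])
```

The point of the checksum and SSN range checks is practical: a pattern-only rule on a medical file server fires on invoice numbers and phone numbers all day, and staff stop reading the incidents. Failing closed on an unknown channel is deliberate; a new egress path should be blocked until someone assigns it a policy.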

Mobile devices such as iPhones and iPads are addressed by Data Loss Prevention for Mobile. This product uses a virtual private network (VPN) connection, VPN on Demand, configured through the medical center's mobile device management (MDM) product, to route traffic to its Symantec DLP servers and thus enforce DLP policy. Mobile Prevent for Web is used to detect and block confidential data in web traffic. Symantec Mobile Email Monitor is configured to track confidential information when it is downloaded from the medical center's network to the native email client on supported Apple iOS devices.

The Data Loss Prevention Data Insight Enterprise product provides the medical center with file usage and ownership analysis that can be used by various departmental teams responsible for safeguarding sensitive information. Information from Data Insight is shared via a self-service portal with additional information provided by custom Splunk dashboards that are created by the medical center's cybersecurity team.

The blended DLP scenario

A health insurance company has a central office with regional sales offices and outlying field offices. Insurance applicants' PII and PHI are collected by insurance agents at the outlying offices and sent to the home office to determine coverage eligibility. Insurance agent PII, such as employment records and evaluations, is handled at the regional sales offices and stored on the home office file servers.

The home office processes customer payments and reimburses health providers for customer healthcare claims. In addition, it compiles agent commission reports, investigates customer claim fraud, handles employee personnel issues, and addresses customer grievances. The legal department handles lawsuits by former customers and former agents; customer billing is handled by a third-party vendor.

The company began using several McAfee products administered by McAfee ePolicy Orchestrator (ePO). These included VirusScan Enterprise, Device Control and Complete Data Protection for data encryption. Threat log data from ePO is currently exported to the company's SIEM product, McAfee Enterprise Security Manager.

The company first built on the integrated DLP features of McAfee Device Control, which polices portable storage devices as part of its endpoint security suite. Using the experience gained from that product, it then added licenses for McAfee DLP Endpoint for desktops and mobile devices, and uses ePO to manage its policies and distribute it to Windows and Mac hosts.

This DLP product addresses sensitive data in use through application control and by monitoring data flow to portable storage media and devices. The DLP endpoint agents, meanwhile, are used to monitor and quarantine data in use throughout the enterprise. Working with Complete Data Protection, the agents are able to encrypt sensitive information when it is copied to portable storage media.

The company uses DLP Monitor, a standalone DLP product, to monitor data in transit over the company's internal networks. Sensitive data passing to external networks is filtered by McAfee DLP Prevent, an inline DLP product intended to block sensitive information from leaving the company over a variety of protocols such as FTP, IM, SMTP and HTTP/HTTPS.

McAfee's DLP Discover file scanners address data at rest. They are used at the home office to monitor and quarantine sensitive data in its data center.

Using DLP Manager, custom detection and correlation rules help the company protect applicants' and agents' PII and PHI and meet its compliance obligations. The cybersecurity and compliance specialists monitor alerts from the Enterprise Security Manager SIEM; all events are correlated and interesting events are reviewed at least daily. Periodic reports from the SIEM and DLP Manager are prepared for the data owners so business processes can be monitored and adjusted as necessary.

DLP Manager, DLP Monitor, DLP Discover and DLP Prevent are used by the company on the McAfee DLP 5500 appliance and in virtual machine configurations.

Meanwhile, integrated DLP features in Sophos' UTM and next-gen firewall appliances, along with the McAfee DLP endpoint agents, are in use at the regional and outlying offices to monitor and quarantine files and communications that do not meet compliance guidelines. Outbound webmail and cloud-based file-sharing services are blocked at all perimeters.

Company mobile devices are controlled through McAfee Enterprise Mobility Management. File sharing with authorized parties is done through a secure file sharing product located at the home office. Insurance agents use terminal server-based applications to process insurance applications and service existing customers from company-supplied tablets. The company is investigating virtual desktop environments and thin clients running embedded operating systems to replace conventional PCs, whose hard drives may unintentionally retain PII or PHI in temporary files.

The fully integrated DLP scenario

A small but growing technology company has developed a number of innovative products utilizing both physical and firmware components. It maintains a headquarters, a modest manufacturing facility specializing in just-in-time manufacturing, a research and development campus, and offices located in the Far East for negotiation with various electronic suppliers. Because it has no central campus, the company's dispersed operations present communications and collaboration challenges.

The company's data crown jewels include its intellectual property in the form of engineering documents, diagrams, specifications, firmware source code and product assembly instructions. Supporting documents include supplier lists, parts inventories, contractual agreements, software versioning, research databases and notes. Collaboration is routinely done through Web conferencing.

Its strategic plans and new product documentation would be of particular interest to competitors.

In this scenario, the cybersecurity specialists and business-process experts have done the same preparatory work, with additional work performed by the company's compliance specialist and its lawyers on International Traffic in Arms Regulations and Export Administration Regulations issues, and on monitoring third-party contractor and supplier compliance.

It has opted to build upon integrated DLP features found in its Trend Micro endpoint security software for desktops and in AirWatch enterprise mobile device management to address data in use and in transit on company and employee BYOD mobile devices. Its cybersecurity staff has also created custom DLP rules for its Sourcefire IDS/IPS sensors located at the headquarters, R&D campus and manufacturing plant. The DLP features of its Proofpoint email gateway have been expanded with the Proofpoint Enterprise Privacy suite to block or encrypt email containing sensitive information at the perimeters of the main sites.

Websense TRITON products for the HTTP security gateway and mobile Web protection are used to cover Web traffic for data in transit at the perimeters and on mobile devices. Websense TRITON Mobile Security is used to protect mobile device Web sessions and ensure company Web filtering is applied consistently across all platforms.

Code Green Networks CI-Appliance DLP file scanners are present at the company headquarters, R&D campus and manufacturing plant to address data at rest found in SAN installations, administrative file servers, Web servers, databases, SharePoint servers, research wikis and cloud resources. The companion Code Green Content Inspection Agent examines endpoints at remote sites as directed by the CI-Appliance.

Custom detection and correlation rules in the LogRhythm SIEM help protect its intellectual property and manufacturing operations and comply with trade regulations. The cybersecurity and compliance specialists monitor events reported by LogRhythm SIEM alerts. Periodic reports from the SIEM are prepared for the data owners so business processes can be monitored and adjusted as necessary.
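Both this scenario and the health insurer's DLP Manager rules rely on correlating individual DLP incidents into something worth an analyst's time. The following is an added example of that correlation logic, not a LogRhythm or McAfee rule: it reads a constructed JSON Lines feed of DLP incidents (the field names and the format are assumptions, not any vendor's export) and raises a high-severity alert when one user trips the policy on several different channels within an hour, which is the pattern of someone trying alternative exfiltration routes after the first one is blocked, and a medium-severity alert for repeated hits on a single channel.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed DLP incident feed (JSON Lines). Not a vendor format.
SAMPLE_LOG = """
{"ts": "2015-09-01T09:00:00", "user": "jdoe",   "host": "ws-114", "channel": "usb",   "policy": "PHI", "action": "block"}
{"ts": "2015-09-01T09:20:00", "user": "jdoe",   "host": "ws-114", "channel": "smtp",  "policy": "PHI", "action": "block"}
{"ts": "2015-09-01T09:40:00", "user": "jdoe",   "host": "ws-114", "channel": "http",  "policy": "PHI", "action": "block"}
{"ts": "2015-09-01T10:00:00", "user": "asmith", "host": "lt-207", "channel": "usb",   "policy": "PII", "action": "encrypt"}
{"ts": "2015-09-01T10:05:00", "user": "asmith", "host": "lt-207", "channel": "usb",   "policy": "PII", "action": "encrypt"}
{"ts": "2015-09-01T13:00:00", "user": "asmith", "host": "lt-207", "channel": "smtp",  "policy": "PII", "action": "block"}
{"ts": "2015-09-01T11:00:00", "user": "bwong",  "host": "ws-031", "channel": "print", "policy": "PHI", "action": "block"}
{"ts": "2015-09-01T11:10:00", "user": "bwong",  "host": "ws-031", "channel": "print", "policy": "PHI", "action": "block"}
{"ts": "2015-09-01T11:20:00", "user": "bwong",  "host": "ws-031", "channel": "print", "policy": "PHI", "action": "block"}
"""


def parse_events(text: str) -> List[Dict]:
    """Parse one JSON object per line and convert the timestamp to datetime."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def correlate(events: List[Dict], window: timedelta = timedelta(hours=1),
              min_incidents: int = 3, min_channels: int = 2) -> List[Dict]:
    """Sliding-window correlation per user.

    Fires once per user per window when that user has at least
    min_incidents inside the window; severity is 'high' when the
    incidents span min_channels or more distinct channels, else 'medium'.
    """
    per_user: Dict[str, deque] = defaultdict(deque)
    suppressed_until: Dict[str, datetime] = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):   # tolerate out-of-order feeds
        q = per_user[ev["user"]]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:            # drop incidents older than window
            q.popleft()
        if len(q) < min_incidents:
            continue
        until = suppressed_until.get(ev["user"])
        if until is not None and ev["ts"] < until:       # already alerted for this burst
            continue
        channels = sorted({e["channel"] for e in q})
        alerts.append({
            "user": ev["user"],
            "fired_at": ev["ts"].isoformat(),
            "incidents": len(q),
            "channels": channels,
            "hosts": sorted({e["host"] for e in q}),
            "severity": "high" if len(channels) >= min_channels else "medium",
        })
        suppressed_until[ev["user"]] = ev["ts"] + window
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

In the sample, jdoe is blocked on USB, then email, then web within 40 minutes and produces a high alert; bwong's three print attempts produce a medium one; asmith's two encrypted USB copies and a much later email never reach the threshold. The suppression timer matters in production: without it, every further incident in the same burst re-fires the rule and floods the queue the article says the team reviews daily.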

The company uses Trend Micro AV products with licenses for Integrated Data Loss Prevention. All Trend Micro products are centrally managed using Trend Micro Control Manager. Data at rest on company Windows and Mac desktops and laptops is addressed using OfficeScan. The integrated DLP features in ScanMail Suite help to identify sensitive information in the Exchange mail store and control incoming and outgoing email, thus addressing insider misuse of email.

AirWatch by VMware addresses the organization's MDM needs and provides a flexible DLP management strategy, using mobile app security options and container options to secure company resources while preserving employee privacy on employee-supplied mobile devices. Containers and data in transit are encrypted using FIPS-compliant AES-256 encryption. AirWatch application whitelists and blacklists ensure mobile devices are not being used to bypass company DLP policies, and AirWatch Secure Content Collaboration ensures documents cleared for business partners can be securely shared from mobile devices without exposing additional information.

Which DLP products are right for you?

The preceding scenarios illustrated how DLP products might be employed, first using a DLP enterprise product, then a DLP enterprise solution augmented by security products with integrated features, and finally a totally integrated solution capitalizing on security products that could either be adapted to a DLP role, or which already have DLP features.

In all scenarios, we considered mobile devices as well as stationary computing infrastructures. We even built in the natural tendency to rely on existing product lines well known to an organization. Our selection of DLP products does not constitute an endorsement but merely shows how they, and similar DLP products, could be utilized in the given scenarios.

Next Steps

Part 1 of this series explores the basics of data loss prevention products in the enterprise

Part 2 of this series looks at the business case for data loss prevention products

Part 3 of this series examines usage scenarios for data loss prevention products

Part 4 of this series looks at the purchasing criteria for data loss prevention products

This was last published in September 2015
