Three usage scenarios for deploying data loss prevention products
Expert Bill Hayes details usage scenarios for deploying data loss prevention: standalone suites, integrated tools and standalone/integrated DLP combined.
Data loss prevention products help organizations identify and plug information leaks before they negatively impact the bottom line. How an enterprise can make use of data loss prevention tools depends on a careful study of its sensitive data types, the origins and data paths used to reach endpoints or other processing points, and whether it already has products that perform DLP functions.
In this article, we outline three hypothetical DLP usage scenarios: an enterprise using a standalone suite, an enterprise using integrated DLP tools, and an enterprise using a standalone DLP product and integrated DLP tools. Before delving into these scenarios, however, let's describe the components organizations should look for in an enterprise DLP system.
DLP systems monitor and control the flow of sensitive information through an organization's endpoints, networks, storage and data egress points. As such, DLP tools track data in use, data in transit and data at rest, and all DLP systems share some common components.
Management console
Standalone DLP products include a centralized management console that's used to deploy DLP agents to endpoints, configure and schedule scans of file servers where sensitive information might be found, and configure the data-in-motion sensor. The management console also serves as the interface to the policy engine used to configure rules for detecting sensitive data.
Event database
DLP systems employ a database to record events. This is usually some sort of SQL database rather than a proprietary one; for Windows shops it is usually MSSQL.
Policy/rules engine
A policy/rules engine is the heart of a DLP product. These usually come with canned rules to detect credit card numbers, Social Security numbers and some forms of protected health information (PHI). The rules engine deserves a great deal of study because this is where an organization crafts the detection rules for its unique forms of sensitive data. Canned rules simply serve as tutorials for writing better detection rules. The best rules are written with the help of an organization's domain expert for each type of sensitive information and may include custom regular expressions.
Data-at-rest scanner
Sensitive data can be found throughout an enterprise, in databases, end-user files and temporary files created by enterprise applications. A data-at-rest scanner parses files looking for sensitive information based on detection rules. It can be something of a challenge to schedule these scans so as not to steal network bandwidth from other off-hours processes, such as batch jobs, backups, on-demand antivirus scans and vulnerability management scans -- to name a few. Organizations frequently use more than one data-at-rest scanner, with at least one scanner situated at each site or data center.
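To make the rules engine and data-at-rest scanner concrete, here is an added example (not code from the article or from any DLP vendor): two canned rules, each a pattern plus a validator that cuts false positives, one hypothetical custom rule of the kind a domain expert helps write (the `MRN-` format is an assumption), and a scanner that applies them to file text and masks what it finds.

```python
import re
from collections import namedtuple
# Added example (not the article's or any vendor's code): a small policy/rules
# engine and a data-at-rest scanner that applies its rules to file contents.
# A rule is a regex plus an optional validator, so a canned pattern can be
# tightened to cut false positives (a bare regex matches many non-card numbers).
Rule = namedtuple("Rule", "name pattern validator", defaults=(None,))

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; true for a well-formed payment card number."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:                 # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def ssn_ok(ssn: str) -> bool:
    """Reject SSN-shaped strings the SSA never issues (000/666/9xx areas, zero groups)."""
    area, group, serial = ssn.split("-")
    return area not in ("000", "666") and area[0] != "9" and group != "00" and serial != "0000"

RULES = [
    Rule("credit_card", re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),
         lambda m: luhn_ok(re.sub(r"[ -]", "", m))),
    Rule("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), ssn_ok),
    # Hypothetical custom rule of the kind a domain expert would help write:
    # an assumed medical record number format, "MRN-" plus eight digits.
    Rule("custom_mrn", re.compile(r"\bMRN-\d{8}\b")),
]

def scan_text(text: str, rules=RULES):
    """Return (rule name, masked match) pairs, keeping only the last four characters."""
    findings = []
    for rule in rules:
        for m in rule.pattern.finditer(text):
            hit = m.group()
            if rule.validator is None or rule.validator(hit):
                findings.append((rule.name, hit[-4:].rjust(len(hit), "*")))
    return findings

def scan_file(path: str):
    # Data-at-rest pass over one file; lenient decoding so binaries don't abort the scan.
    with open(path, "r", errors="ignore") as fh:
        return scan_text(fh.read())
SAMPLE = (  # constructed file content, not real data
    "Card 4111 1111 1111 1111 on file; ref 1234 5678 9012 3456 is an order id.\n"
    "SSN 123-45-6789 for patient MRN-00012345; 900-12-3456 is a test value.\n"
)
```

Running `scan_text(SAMPLE)` reports the valid card, the valid SSN and the MRN while skipping the order id that fails Luhn and the 900-series number the SSA never issues.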
Data-in-use agent (endpoint)
Sensitive data is most often accessed by endpoint devices like desktops, laptops, tablets and smartphones. The data-in-use agent can be a separate program or can be part of an endpoint security suite. It monitors data as it is accessed, processed and distributed to peripheral devices, including network cards and USB ports. And it is usually protocol-sensitive and aware of attached peripherals, such as mobile storage devices and printers. A copy of the endpoint detection policies is usually written to the endpoint devices to hasten detection by the data-in-use agent, rather than slowing endpoint data processing by consulting the central policy engine at every interesting event.
Data-in-motion sensor
Sensitive data is tracked through an organization's network by a data-in-motion sensor. These sensors are very similar to intrusion detection systems/intrusion prevention systems (IDS/IPS). DLP sensors can act as report-only devices by monitoring spanned traffic, or they can be deployed in line to block and optionally quarantine sensitive data before it leaves the organization's control. A data-in-motion sensor able to detect sensitive data in a variety of protocols may be used to cover each wired and wireless network egress point.
Standalone DLP vs. integrated DLP
Standalone DLP products have a number of advantages. They have one management and reporting interface, excellent event correlation and a single policy engine for all DLP tools in the solution with the same rules language for all tools.
Integrated DLP tools, on the other hand, can be combined to achieve results similar to a standalone DLP product. An integrated product mix can make use of existing products with DLP features. For instance, cybersecurity software already in house, such as Trend Micro's integrated DLP plug-in, ProofPoint's email gateway appliances, Fortinet firewalls and the Nessus vulnerability scanner, all have DLP features that can be augmented with specialized DLP tools to provide wider coverage.
Such an approach is perceived to be cheaper, but it engenders some challenges. These include correlating DLP detections, event reporting and alerting, and ensuring all products detect data-loss events in the same manner. Using a log correlation tool and a security information and event management (SIEM) system can go a long way in tying together disparate tools, but on the down side, these additional tools measurably add to the cost of a DLP project.
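The correlation challenge above, as an added example (not the article's code and not any SIEM's real ingest format): three integrated tools report the same kind of detection in three different formats, each parser maps its source to one common record, and `correlate()` groups records from the same user and data class inside a time window. All log lines, field names and the 15-minute window are constructed assumptions.

```python
import csv, io, json
from datetime import datetime, timedelta, timezone
# Added example (not the article's code): three integrated DLP tools report the
# same kind of event in three formats. Each parser maps its source to one common
# record, and correlate() groups records by user and data class inside a time
# window, the job the article assigns to a log correlation tool or SIEM.
WINDOW = timedelta(minutes=15)

def parse_agent(line):     # constructed endpoint-agent CSV: ts,user,path,class,action
    ts, user, path, cls, action = next(csv.reader(io.StringIO(line)))
    return {"ts": datetime.fromisoformat(ts), "user": user, "class": cls,
            "source": "endpoint", "action": action, "object": path}

def parse_gateway(line):   # constructed email-gateway JSON record
    e = json.loads(line)
    return {"ts": datetime.fromisoformat(e["time"]), "user": e["sender"].split("@")[0],
            "class": e["policy"], "source": "email", "action": e["disposition"],
            "object": e["subject"]}

def parse_firewall(line):  # constructed firewall key=value line, epoch seconds
    kv = dict(f.split("=", 1) for f in line.split())
    return {"ts": datetime.fromtimestamp(int(kv["t"]), tz=timezone.utc), "user": kv["user"],
            "class": kv["class"], "source": "firewall", "action": kv["action"],
            "object": kv["dst"]}

def correlate(records):
    """Merge records with the same user and data class within WINDOW into one incident."""
    incidents = []
    for r in sorted(records, key=lambda r: r["ts"]):
        for inc in incidents:
            if (inc["user"], inc["class"]) == (r["user"], r["class"]) \
                    and r["ts"] - inc["last"] <= WINDOW:
                inc["last"] = r["ts"]
                inc["events"].append(r)
                break
        else:   # no open incident matched: open a new one
            incidents.append({"user": r["user"], "class": r["class"],
                              "first": r["ts"], "last": r["ts"], "events": [r]})
    return incidents

SAMPLE = [  # constructed log lines, not real data
    (parse_agent, "2024-05-01T10:00:00+00:00,jdoe,/home/jdoe/claims.xlsx,PHI,copy_to_usb"),
    (parse_gateway, '{"time": "2024-05-01T10:04:30+00:00", "sender": "jdoe@example.com", '
                    '"policy": "PHI", "disposition": "quarantine", "subject": "claims"}'),
    (parse_firewall, "t=1714558140 user=jdoe class=PHI action=block dst=files.example.net"),
    (parse_agent, "2024-05-01T15:00:00+00:00,asmith,/home/asmith/cards.csv,PCI,print"),
]
def incidents_for(sample=SAMPLE):
    return correlate([parse(line) for parse, line in sample])
```

With the sample, the three jdoe/PHI detections (USB copy, quarantined email, blocked upload within nine minutes) collapse into one incident, and the unrelated asmith/PCI print job stays separate.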
A standalone DLP scenario
A regional medical center has a data center containing patient personally identifiable information (PII) used in billing, and PHI in patient records and employee records. Additionally, PII and PHI information is shared with health insurance providers. PHI is also available to healthcare professionals at permanently installed workstations, mobile data carts and tablets. Customer billing is handled by a third-party vendor.
In this scenario, the cybersecurity team, working with experts from departments that process information covered by the Health Insurance Portability and Accountability Act (HIPAA) and the HITECH Act and with company compliance specialists, has identified the data paths, communications protocols and data formats of sensitive information. Designated data owners and compliance specialists have classified this information according to the company's data classification policy. The legal and compliance departments, meanwhile, work together on e-discovery issues, preservation of evidence, and monitoring provider and business associate compliance.
The medical center has opted for a standalone DLP suite with network monitoring of data in transit on wired and wireless networks. Terminal services and virtual desktop environments are used to compartmentalize data and prevent its unauthorized use.
Data is encrypted on mobile storage media and at the data center. DLP endpoint agents are used to monitor and quarantine data in use on static and mobile devices throughout the medical center. And DLP file scanners are used at the medical center to monitor and quarantine sensitive data at rest in its data center.
All events are correlated and interesting events are reviewed at least daily by the cybersecurity team. Periodic reports are prepared for the data owners so business processes and medical systems can be monitored and adjusted as necessary.
An integrated DLP scenario
A small but growing technology company has developed a number of innovative products utilizing physical and firmware components. The company maintains a headquarters, a modest manufacturing facility specializing in just-in-time manufacturing, a research and development campus and offices located in the Far East for negotiation with various electronics suppliers. Because the company has no central campus, its dispersed nature presents some communications and collaboration challenges.
The company's data crown jewels include its intellectual property in the form of engineering documents, diagrams, specifications, firmware source code and product assembly instructions. Supporting documents include supplier lists, parts inventories, contractual agreements, software versioning, research databases and notes. Collaboration is routinely done through Web conferencing. The company's strategic plans and new product documentation would be of particular interest to its competitors.
In this scenario, the cybersecurity specialists -- working with experts in the subject matter from teams that access and create sensitive information and the company compliance specialist -- have identified the data paths, communications protocols and data formats of sensitive information. The data owners and compliance specialist have classified this information according to the company's data classification policy. And the company's compliance specialist works with the company lawyers on International Traffic in Arms Regulations, Export Administration Regulations issues, and monitoring third-party contractor and supplier compliance.
The company has opted to build upon integrated DLP features found in its endpoint security software for desktop and mobile devices to address data in use, and in the integrated DLP features of its IDS/IPS, email gateway and HTTP proxy software to cover data in transit. DLP file scanners are present at the company headquarters and the research databases to address data at rest. Data correlation is addressed through log consolidation and the company's SIEM.
Custom detection and correlation rules help the company protect its intellectual property and manufacturing operations, and help it to comply with trade regulations. The cybersecurity and compliance specialists monitor events reported by SIEM alerts. Periodic reports from the SIEM are prepared for the data owners so business processes can be monitored and adjusted as necessary.
The blended DLP scenario
A health insurance company has a central office with regional sales offices and outlying field offices. Insurance applicant PII and PHI are collected by agents at the outlying offices and sent to the home office to determine coverage eligibility. Insurance agent PII, such as employment records and evaluations, is handled at the regional sales offices and stored on the home office file servers.
The home office processes customer payments and reimburses health providers for customer healthcare claims. In addition, it compiles agent commission reports, investigates customer claim fraud, handles employee personnel issues and addresses customer grievances. The legal department handles lawsuits by former customers and former agents. And customer billing is handled by a third-party vendor.
In this scenario, the cybersecurity team -- working with company compliance specialists and domain experts from departments that process sensitive information -- has identified the data paths, communications protocols and data formats of sensitive information. The data owners and compliance specialists have classified this information according to the company's data classification policy. And the legal and compliance departments work together on e-discovery issues, preservation of evidence, and monitoring third-party contractor compliance.
The company has opted for a standalone DLP product with network monitoring of data in transit. DLP endpoint agents are used to monitor and quarantine data in use throughout the enterprise. DLP file scanners are used at the home office to monitor and quarantine sensitive data at rest at its data center. All events are correlated and interesting events are reviewed at least daily by the cybersecurity team. Periodic reports are prepared for the data owners so business processes can be monitored and adjusted as necessary.
Meanwhile, integrated DLP features in unified threat management-equipped firewalls, along with DLP endpoint agents, are in use at the regional and outlying offices to monitor and quarantine files and communications that do not meet compliance guidelines. Outbound Web mail and cloud-based file sharing services are blocked at all perimeters, and DLP tools are present on all company mobile devices. File sharing with authorized parties is done through a secure file sharing product located at the home office. Insurance agents use terminal server-based applications to process insurance applications and service existing customers from company-supplied tablets. And the company is investigating virtual desktop environments and embedded operating system hosts to replace conventional PCs with hard drives that may unintentionally contain PII or PHI in temporary files.
Conclusion
The comprehensive nature of providing dynamic DLP for sensitive information at rest, in motion and in use calls for a variety of monitoring tools governed by detection policies tailored to the organization. Selecting a standalone DLP suite, an integrated DLP product mix, or a hybrid of the two depends on a variety of factors, such as company organization, endpoint platforms and business processes. The three scenarios we developed highlight the choices real-world organizations might make given available resources and business needs.