Security Manager's Journal: Another step toward eliminating data loss
Combining existing network data loss prevention with endpoint DLP will reveal more hidden network recesses.
Computerworld - Implementing technology to monitor user and network activity can be an eye-opener.
Our security incident and event management tool made us suddenly aware of the magnitude of infestation on our network. When we deployed incident-detection and incident-prevention systems on our firewall, we were amazed at the number of hacking attempts against our Internet-facing resources.
We had a similar revelation when we implemented network-based data loss prevention (DLP). Within a few days of lighting it up, we had discovered a wide variety of data leaking from the company and had even uncovered illegal activity (an employee conspiring with someone from outside of the company to commit a crime). So network DLP is another win, but it has its problems.
First, we can monitor network traffic only at locations where we've installed a network monitor. Our company has more than 60 offices worldwide, and until we re-architect the network, each office has its own Internet connection, which means that we would need to deploy 60 sensors and configure 60 switches. That's a logistical nightmare. Second, without complicated proxy configurations at each remote office, we can't monitor encrypted network traffic. And finally, we can't monitor the Internet traffic of employees who go off the network (by working remotely, say) unless they are connected via VPN.
To address all of this and more, we decided to run a pilot of endpoint DLP.
Endpoint DLP has some shortcomings. For example, unlike network DLP, it won't let you conduct complicated data index matching. With data index matching, you can identify to the DLP system the text of documents deemed to be sensitive. Then, if a user copies just a few lines from an identified document and pastes them into another document or email, the DLP system would detect that activity and block it or send an alert. That level of detection is not quite available with endpoint DLP.
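The data index matching described above, as an added illustration of how such a fingerprint index works; this is example code, not from the column or from any DLP product. It hashes overlapping word windows ("shingles") of a registered document so that a pasted excerpt of a couple of lines is recognized without the index storing the sensitive text itself. The document and the outbound emails are constructed samples.

```python
import hashlib
import re

# Constructed sample: the registered "sensitive" document.
SENSITIVE_DOC = """Project Falcon pricing schedule for fiscal 2014.
Tier one customers receive a confidential 32 percent discount.
Tier two customers receive an 18 percent discount on renewals.
Unit cost for the Falcon appliance is 4,250 dollars before discount."""

SHINGLE_WORDS = 6  # smaller windows catch shorter excerpts but raise false positives

def normalize(text: str) -> list:
    """Lowercase and keep only alphanumeric tokens so reformatting does not defeat matching."""
    return re.findall(r"[a-z0-9]+", text.lower())

def shingle_hashes(text: str, k: int = SHINGLE_WORDS) -> set:
    """Hash every k-word window; the index stores hashes, never the sensitive text."""
    words = normalize(text)
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
            for i in range(len(words) - k + 1)}

class DocumentIndex:
    def __init__(self):
        self.index = {}  # shingle hash -> set of registered document names

    def register(self, name: str, text: str) -> None:
        for h in shingle_hashes(text):
            self.index.setdefault(h, set()).add(name)

    def match(self, outbound: str, min_hits: int = 2) -> dict:
        """Count overlapping shingles per registered document; report those at or above threshold."""
        hits = {}
        for h in shingle_hashes(outbound):
            for name in self.index.get(h, ()):
                hits[name] = hits.get(name, 0) + 1
        return {n: c for n, c in hits.items() if c >= min_hits}

def build_index() -> DocumentIndex:
    idx = DocumentIndex()
    idx.register("falcon_pricing", SENSITIVE_DOC)
    return idx

# Constructed outbound messages: one pastes two lines from the document, one is unrelated.
LEAKING_EMAIL = """Hi Dave, as discussed: Tier one customers receive a confidential 32 percent
discount. Tier two customers receive an 18 percent discount on renewals. Cheers"""
BENIGN_EMAIL = "Hi Dave, lunch at noon? The renewal meeting moved to Thursday."

if __name__ == "__main__":
    idx = build_index()
    print(idx.match(LEAKING_EMAIL))  # flags falcon_pricing with 14 overlapping shingles
    print(idx.match(BENIGN_EMAIL))   # {}
```

The `min_hits` threshold and the shingle size are the two tuning knobs; raising either trades recall on short excerpts for fewer false positives.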
Nonetheless, endpoint DLP does offer several advantages. For one, it gets around the problem of encrypted traffic, since it monitors activities before encryption takes place. It also stays on the job when a user is off the network. And it can spot when data is moved to external media, such as a USB flash drive.
Our pilot deployment of endpoint DLP involved about 200 IT personnel around the world. After some initial tuning, the results were almost immediate. Within hours, we observed a senior-level IT engineer copying a huge number of sensitive Active Directory configuration files and employee directories to an external USB drive. In all, he copied about 3GB of data, including 2GB of archived email.
That seemed suspicious enough, but the real payoff came from the way network DLP and endpoint DLP complement each other. The same IT engineer had been flagged by our network DLP, which sent an alert about him based on the "I'm leaving" rule, which instructs the system to look for any communications suggesting that someone is planning to leave the company. We wouldn't have paid attention to that notification if the endpoint DLP hadn't also alerted us to the fact that he was copying data. We talked to the engineer, he gave us the USB drive, and HR reminded him of the confidentiality agreement he had signed.
Naturally, we highlighted the case of the departing IT engineer in building our business case for a global deployment of endpoint DLP early next year.
If we get the green light, we'll do a lot of tuning to reduce the number of false positives and to make sure we don't monitor personal activity involving things such as finances and healthcare. But it looks like we're going to have our eyes opened again, this time by endpoint DLP.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at email@example.com.