Chapter 3: Configuring Your Data Loss Prevention Solution
At this point, any trepidation you might have felt earlier is history, and you’re feeling like a pro—because you are. The planning and deployment phases of your DLP implementation are behind you, and now you’re ready to tackle configuration and policy setup for monitoring and enforcement. In the third part of the multichapter white paper, Implementing and Managing a Data Loss Prevention Solution, Rich Mogull, analyst and CEO of independent research firm Securosis, guides through this process. Chapter 3, Configuring Your Data Loss Prevention Solution, defines the four high-level phases of the DLP cycle:
- Determining the data you want to discover, monitor, and protect.
- Discovering where your content resides and where it is moving around on your network.
- Monitoring policy violations that generate incidents and setting a baseline.
- Protecting to set in motion enforcement that’s automated and occurs in real time.
Before you jump into configuration, you’ll want to decide what types of reports you want your DLP system to create. Generally speaking, these reports should demonstrate value, show process, and enable communication with stakeholders. You will likely want to consider reports that:
- Demonstrate compliance—a basic necessity that will reduce the time and effort dedicated to PCI assessments.
- Indicate policy violation to help management align data security controls and education initiatives.
- Display incidents by business unit to identify trouble spots.
- Show trends that enable you to determine the efficacy of your DLP solution with respect to overall risk management.
Start from Ground Zero—Quick Wins
Unless you’ve done a previous DLP deployment at your organization, you’ll probably want to begin with a “Quick Wins” approach, which will help you gain an understanding of how data is used. Choose from an approach that focuses only on a single data type, especially useful when the emphasis in on compliance. Or, you can go for an information usage approach, which takes into account various flavors of data and identifies patterns of use and abuse. Initiate your Quick Wins deployment by following these important steps:
- Choose your deployment architecture: For a Quick Wins DLP deployment, rather than attempting to implement all of your data channels, you may want to start with your network, which will provide you with the most immediate information with the least investment of effort and time.
- Define policies: Configure your policies to fit your approach—single data type or information usage. There’s no need to be concerned about tuning policies. That happens later.
- Monitor: It’s time to turn on your DLP tool and gather results to get the big picture of where your data lives, where it’s going, and who is using it on your network—in your storage servers, and on your endpoints.
- Analyze: Once you’re collected all that information, it’s time to analyze it and determine whether there are any patterns or big issues.
At some point after a Quick Wins deployment, you’ll want to engage in a full deployment. This is the time to get more granular about defining your policies. Here’s a basic roadmap:
- Select a certain category of data and define policy: For example, you may want to start with credit card numbers, corporate financial records, or customer account numbers—and then apply appropriate content analysis techniques. Next, deploy the policies to a specified subset of your infrastructure components so that you can test and adjust your policies. For example, if you’re looking at endpoints, rather than pinpointing USB drives, copy and paste, and local storage in one fell swoop, focus on just one of these.
- Analyze: Turn on the DLP tool and review the results. At this stage you’ll want to check for false positives, refine policies so you can apply them to certain groups, and decide on the best rules (for example, pattern matching might work better in certain instances than database fingerprinting).
- Handle incidents: Now you’ll be generating alerts that users can see when they violate policy, and you’ll want to work with business units to start educating users and changing bad habits. You’ll also have the opportunity to adapt policies to meet the requirements of the business units.
- Automate and protect: At this point, you’ll probably have fewer incidents to deal with. It’s a good time to start turning on automated preventative functions, such as blocking and network filtering. Give yourself ample time to handle support calls, and make sure your automated controls are working as they should.
- Add coverage to other components: You’ve completed all the steps for full deployment and established reliable policies that are appropriate for your business units. You are ready to branch out and extend DLP protection to other components of your infrastructure, such as endpoints and directory servers.
You can see the light glowing at the end of the tunnel, so get ready for the last leg of the journey—reporting and management. Come back and find out how easy that is. The next blog in this series addresses Chapter 4: Managing Your Data Loss Prevention Solution.