Implementing technology to monitor user and network activity can be an eye-opener.
At issue: Network DLP has been worthwhile, but it has shortcomings.
Action plan: Add endpoint DLP. It also has limitations, but the two work well together.
Our security information and event management (SIEM) tool made us suddenly aware of the extent of malware infestation on our network. When we deployed intrusion-detection and intrusion-prevention (IDS/IPS) capabilities on our firewall, we were amazed at the number of attacks against our Internet-facing resources.
We had a similar revelation when we implemented network-based data loss prevention (DLP). Within a few days of lighting it up, we had discovered a wide variety of data leaking from the company and had even uncovered illegal activity (an employee conspiring with someone from outside of the company to commit a crime). So network DLP is another win, but it has its problems.
First, we can monitor network traffic only at locations where we've installed a network sensor. Our company has more than 60 offices worldwide, and until we re-architect the network, each office has its own Internet connection, which means that we would need to deploy 60 sensors and configure a mirror (SPAN) port on 60 switches. That's a logistical nightmare. Second, a network sensor can inspect only cleartext; without a complicated intercepting-proxy setup (one that terminates SSL/TLS) at each remote office, we can't monitor encrypted network traffic. And finally, we can't monitor the Internet traffic of employees who go off the network (by working remotely, say) unless they are connected via VPN, and even then we see only the traffic the VPN actually carries back through a monitored point.
To address all of this and more, we decided to run a pilot of endpoint DLP.
Endpoint DLP has some shortcomings. For example, unlike network DLP, it won't let you conduct complex data index matching (also called document fingerprinting or partial document matching). With data index matching, you register the text of documents deemed sensitive with the DLP system, which indexes it. Then, if a user copies just a few lines from a registered document and pastes them into another document or an email, the DLP system detects the excerpt and blocks it or sends an alert, even though the new file or message as a whole was never registered. That level of detection is not quite available in endpoint DLP agents.
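To make the index-matching idea concrete, here is an added illustration (not code from the column or from any DLP product) of the usual way it is built: every overlapping window of k words in a registered document is hashed, the hashes form the index, and a scanned message is flagged when enough of its own windows hit the index. The sensitive document, the two emails, the document id "falcon-plan" and the window length of 8 words are all constructed for the example.

```python
import hashlib
import re
from collections import defaultdict

SHINGLE_WORDS = 8   # window length in words (assumed); sets the shortest excerpt that can be caught


def tokens(text):
    """Lower-case word tokens. Punctuation and line breaks are dropped so that
    re-wrapping or re-punctuating a pasted excerpt does not defeat the match."""
    return re.findall(r"[a-z0-9]+", text.lower())


def fingerprints(text, k=SHINGLE_WORDS):
    """Yield a truncated SHA-256 of every k-word window of `text`. Only these
    hashes are kept, so the index can be pushed to a sensor without handing
    the sensor the sensitive text itself."""
    words = tokens(text)
    for i in range(len(words) - k + 1):
        window = " ".join(words[i:i + k]).encode()
        yield hashlib.sha256(window).hexdigest()[:16]


class DocumentIndex:
    def __init__(self):
        self.index = defaultdict(set)   # fingerprint -> set of document ids

    def register(self, doc_id, text):
        for fp in fingerprints(text):
            self.index[fp].add(doc_id)

    def match(self, text, min_hits=3):
        """Count how many windows of `text` occur in each registered document and
        return the documents reaching `min_hits`; the floor keeps a single
        accidental eight-word overlap from raising an alert."""
        hits = defaultdict(int)
        for fp in fingerprints(text):
            for doc_id in self.index.get(fp, ()):
                hits[doc_id] += 1
        return {d: n for d, n in hits.items() if n >= min_hits}


# Constructed sample: a sensitive document registered with the index.
SENSITIVE_DOC = """Project Falcon acquisition plan.
The board has approved an offer of forty two dollars per share for Acme Widgets,
to be announced on the fifteenth of March. Legal has completed due diligence and
the financing is arranged through our Zurich office."""

# Constructed outbound emails: one pastes a few lines from the document, one is benign.
LEAKING_EMAIL = """Hey, between us: "an offer of forty two dollars per share for Acme Widgets,
to be announced on the fifteenth of March" - you might want to buy before then."""
BENIGN_EMAIL = "Acme Widgets sent over the revised widget catalogue, looks fine to me."


def build_index():
    idx = DocumentIndex()
    idx.register("falcon-plan", SENSITIVE_DOC)
    return idx


def scan(index, emails):
    """Run the index over a dict of name -> body and return name -> matches."""
    return {name: index.match(body) for name, body in emails.items()}


if __name__ == "__main__":
    idx = build_index()
    for name, result in scan(idx, {"leaking": LEAKING_EMAIL, "benign": BENIGN_EMAIL}).items():
        print(name, "->", result or "no match")
```

The excerpt in the leaking email is 19 words long, so 12 of its eight-word windows land in the index and the message is flagged; the benign email shares the company name but no full window, so it returns nothing. The window length and the hit floor are the two knobs: a shorter window catches shorter excerpts but raises false positives on common phrases. A plausible reason this is hard to do in an endpoint agent, which the column does not spell out, is that the whole fingerprint index must be distributed to and kept current on every machine, and every file write and clipboard paste has to be matched against it locally.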
Nonetheless, endpoint DLP does offer several advantages. For one, it gets around the problem of encrypted traffic, since the agent sees the data on the host, before the application encrypts it for transit. It also stays on the job when a user is off the network. And it can spot when data is moved to external media, such as a USB flash drive, which a network sensor never sees at all.
Our pilot deployment of endpoint DLP involved about 200 IT personnel around the world. After some initial tuning, the results were almost immediate. Within hours, we observed a senior-level IT engineer copying a huge number of sensitive Active Directory configuration files and employee directories to an external USB drive. In all, he copied about 3GB of data, including 2GB of archived email.
That seemed suspicious enough, but the real payoff came from the way network DLP and endpoint DLP complement each other. The same IT engineer had been flagged by our network DLP, which sent an alert about him based on the "I'm leaving" rule, which instructs the system to look for any communications suggesting that someone is planning to leave the company. We wouldn't have paid attention to that notification if the endpoint DLP hadn't also alerted us to the fact that he was copying data. We talked to the engineer, he gave us the USB drive, and HR reminded him of the confidentiality agreement he had signed.
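The payoff described above is an alert-correlation problem: a "leaving" signal from the network sensor and a bulk USB copy from the endpoint agent are each noise on their own, but together on the same user inside a short window they are worth a conversation. The following is an added example of that logic, not the column's tooling: the phrase list behind the "I'm leaving" rule, the 500 MB bulk-copy threshold, the 14-day window, and all of the mail and endpoint events are assumptions constructed for the illustration.

```python
import re
from datetime import datetime, timedelta

# Phrases an "I'm leaving" rule might look for. The column does not give the
# real rule's contents, so this list is an assumption.
LEAVING_PATTERNS = [
    r"\bmy last day\b", r"\bresign(?:ed|ing|ation)\b", r"\bnew job\b",
    r"\baccepted an offer\b", r"\btwo weeks'? notice\b", r"\bleaving the company\b",
]
LEAVING_RE = re.compile("|".join(LEAVING_PATTERNS), re.IGNORECASE)

FMT = "%Y-%m-%d %H:%M"
USB_BYTES_THRESHOLD = 500_000_000   # assumed size above which a USB copy counts as "bulk"
WINDOW = timedelta(days=14)         # assumed: how far apart the two signals may be


def leaving_rule(body):
    """Network DLP side: flag outbound mail whose text suggests the sender is departing."""
    return LEAVING_RE.search(body) is not None


# Constructed outbound mail seen by the network sensor: (timestamp, sender, body).
OUTBOUND_MAIL = [
    ("2011-10-03 09:12", "j.doe", "Hi Sam, my last day here is the 14th, can we grab lunch before then?"),
    ("2011-10-03 10:40", "a.lee", "Attached is the Q3 budget spreadsheet you asked for."),
    ("2011-10-04 16:05", "r.patel", "I've accepted an offer elsewhere, will send my resignation letter tomorrow."),
]

# Constructed endpoint-agent events: (timestamp, user, action, destination, bytes).
ENDPOINT_EVENTS = [
    ("2011-10-05 22:31", "j.doe", "copy", "usb:SanDisk Cruzer", 3_000_000_000),  # both signals
    ("2011-10-05 09:00", "a.lee", "copy", "usb:Kingston", 900_000_000),          # bulk copy, no leaving mail
    ("2011-10-06 11:15", "r.patel", "copy", "usb:Generic", 12_000_000),           # leaving mail, small copy
    ("2011-10-06 11:20", "m.chen", "copy", "usb:Generic", 4_000_000),             # nothing of interest
]


def correlate(mail, events):
    """Return incidents with a severity. A bulk USB copy alone or a leaving-rule
    hit alone is 'low'; both for the same user inside WINDOW is 'high'."""
    leaving = {}
    for ts, user, body in mail:
        if leaving_rule(body):
            leaving.setdefault(user, []).append(datetime.strptime(ts, FMT))

    incidents = []
    for ts, user, action, dest, nbytes in events:
        if action != "copy" or not dest.startswith("usb:") or nbytes < USB_BYTES_THRESHOLD:
            continue
        when = datetime.strptime(ts, FMT)
        corroborated = any(abs(when - t) <= WINDOW for t in leaving.get(user, []))
        incidents.append({
            "user": user,
            "bytes": nbytes,
            "severity": "high" if corroborated else "low",
            "reason": "bulk USB copy" + (" + leaving-rule alert" if corroborated else ""),
        })

    # Leaving-rule hits with no bulk copy stay in the queue at low priority.
    for user in leaving:
        if not any(i["user"] == user for i in incidents):
            incidents.append({"user": user, "bytes": 0, "severity": "low",
                              "reason": "leaving-rule alert only"})

    return sorted(incidents, key=lambda i: i["severity"] != "high")


if __name__ == "__main__":
    for inc in correlate(OUTBOUND_MAIL, ENDPOINT_EVENTS):
        print(f"{inc['severity']:<5} {inc['user']:<8} {inc['bytes']:>13,} B  {inc['reason']}")
```

On the sample data only j.doe is escalated: the 3 GB copy lands two days after the "my last day" mail. a.lee's large copy and r.patel's resignation mail each surface at low priority, which is the behaviour the column describes (the network alert alone "wouldn't have" drawn attention). The same shape extends to other corroborating sources, such as an HR notice of resignation, but anything matched on message text should respect the personal-activity exclusions mentioned at the end of the column.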
Naturally, we highlighted the case of the departing IT engineer in building our business case for a global deployment of endpoint DLP early next year.
If we get the green light, we'll do a lot of tuning to reduce the number of false positives and to make sure we don't monitor personal activity involving things such as finances and healthcare. But it looks like we're going to have our eyes opened again, this time by endpoint DLP.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons.