Testing and evaluating a data leak prevention product

This tip is part of the SearchFinancialSecurity.com Security School lesson, Preventing data leaks. Visit the lesson page for additional learning resources.

Although information security professionals intuitively understand that sensitive information is constantly transported throughout every organization, it is not always clear whether there is a way to manage that flow. Today data leak protection (DLP) tools are being deployed in many types of enterprises, including financial services firms, to avoid the problems that occur when data travels beyond its intended boundaries.

As is often the case with any emerging product category, there is significant industry skepticism of DLP, with plenty of questions that need answers:

Fortunately, most (if not all) DLP vendors recognize the need to "try before you buy," and will provide proof-of-concept tools to deploy in your environment. In this tip, we'll explore best practices for testing and evaluating DLP products.

The audition
Find a high-utilization network pipe where most of the activity crosses zone boundaries. This way, it's fairly easy to discern when a sensitive operation is occurring. Typically, you can use one of your hopefully-fewer-than-a-dozen main Internet connections (if you have more than that, then pick one with email).

Put the device on a span port or network tap that provides passive monitoring capabilities to ensure that there is no need to worry about performance degradation or availability issues. And then, just watch.

The results
It is possible that there won't be much to see. But with users being users, and information wan

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Data leak prevention: Controlling financial services threats Preventing data leaks Data Protection Essentials By addressing data privacy, companies avoid public scrutiny Lessons learned: The LendingTree case Lessons learned: The Countrywide Financial breach The Societe Generale fraud story: Keith White on fraud Institutionalizing risk management for ongoing management support Risk assessments: Internal vs. external Putting risk analysis into words Lessons learned: The Texas Insurance Claims Services case Lessons learned: The Montgomery Ward breach Lessons learned: The Citibank ATM breach Data breaches and prevention strategies Podcast: Fraud investigations Financial security pros expect improved funding in second half of 2009 Download presentations from Financial Information Security Decisions 2009 Banks using Twitter need to proceed with caution, experts say ATM malware used in Russia lets attackers control machines Aetna notifies 65,000 of job website breach Heartland breach cost $12.6 million, CEO says Data governance and classification Former Federal Reserve Bank employee arrested Data encryption: Lessons learned from implementation

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Governance, Risk and Compliance  (SearchFinancialSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

ting to be "set free," you are much more likely to see plenty of activity -- much of it legitimate. Personally identifiable information (PII), communications with clients, "boomerang" work (that comes back to you at your home PC) and sales and marketing plans are all likely to surface.

When you see the results, take a step back and remind yourself that the use of sensitive data is one of the benefits that IT provides to your organization. Then take a look at the information flow happening in your environment. Highly distributed and/or decentralized environments will have the toughest time distinguishing the appropriate from the inappropriate.

Throughout the DLP product-testing process, keep the following points in mind:

There are no huge hurdles to overcome technically or architecturally with DLP. In general, the tools are passive; just plug them in to your tap or span port. The products themselves are maturing quickly; at this stage, it is simple to identify PII and credit card numbers, as well as universal "acceptable use" issues. The more sensitive, enterprise-specific content will take some tuning. From a risk perspective, it is beneficial for organizations to know about how data flows throughout the enterprise so proper protective measures can be put in place.

About the author:
Pete Lindstrom is senior analyst with Midvale, Utah-based research firm Burton Group. His areas of expertise include security metrics, risk management, Web 2.0 and SOA security and safeguards for other emerging technologies. Previously he helmed his own research group, Spire Security, and also worked as an auditor and security architect.