1 DLP Pitfalls — A discussion of lessons learned
Speaking With You Today
Dan Frank
Principal
Deloitte & Touche LLP
(312) 486-2541 (office)
(312) 401-0125 (cell)
Charles Keane
National Security Architect
Symantec
(617) 571-7170
Agenda
• Deloitte and Symantec Alliance Overview
• Top 10 DLP Challenges, Root Causes and Lessons Learned
• Summary
As used in this document, "Deloitte" means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the
legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
Alliance Overview
Global leaders with a demonstrated track record of achievements and leading practices
Our alliance brings together two of the leading security and privacy software and professional services organizations in the world, helping organizations solve constantly evolving complex security and privacy related business challenges.
Deloitte:
• Leading risk consulting practice
• Client-specific, pragmatic advisory services
• Ability to provide strategic and technical responses to core business challenges
Symantec:
• Leading security software provider
• Global intelligence network
• Sophisticated and mature enterprise security tools and technologies
DLP Challenges, Root Causes and Lessons Learned
# 10
The Challenge: Where do I start?
Root Causes:
• Lack of understanding of current environment, data loss risks, and associated risk mitigation priorities
• A tendency to “boil the ocean” when approaching data loss initiatives makes the solution seem overwhelming
• Perception that DLP is a “one time” technical project instead of a “program”
Lessons Learned:
• Understand your risks first
• Prioritize your deployment strategy based on the riskiest areas (e.g. data types, business units, business functions, end points, repositories)
• Build a multi-year road-map for your DLP program that focuses on quick wins as well as incremental business value and advanced functionality
# 9
The Challenge: Understanding the Total Cost of Ownership of a DLP Program
Root Causes:
• Failure to evaluate vendor marketing promises
• Misunderstanding of infrastructure costs and employee resource requirements
• Poor planning of the level of effort associated with policy creation, workflow/remediation, and testing and tuning
Lessons Learned:
• Conduct vendor evaluations and proofs of concept against specific business and technical requirements. Trust…but verify.
• Create a high-level solution architecture to assist with estimating infrastructure costs
• Estimate resource requirements for both initial deployment as well as on-going operations and maintenance
# 8
The Challenge: Getting Past the Basics – Utilizing Advanced Features
(*Only 30-40% of Symantec’s DLP customers currently use advanced features)
Root Causes:
• Concern with impeding legitimate business processes
• Lack of understanding of the legitimate/illegitimate business use
• Undefined processes for business use case analysis
• Policies defined based on content vs. contextual analysis
• Lack of sufficient testing and tuning of policies over time before full scale deployment
• Lack of workflow and associated roles and responsibilities, SLAs, etc. to help the business recover information efficiently
Lessons Learned:
• A sound understanding of the business and associated use cases is critical to enabling advanced features
• Policies should be carefully configured based on business use case analysis and sufficiently tested and tuned prior to being enabled
• Operational procedures and workflow for recovery of blocked/quarantined/encrypted information must be established to help prevent prolonged business interruption
# 7
The Challenge: Inability to move from data at rest (“DAR”) identification to DAR remediation
Root Causes:
• Policies aren’t fully tested and tuned before DAR scans take place
• No ownership information or other metadata is present in files
• No formal workflow process in place to interface with end users
Lessons Learned:
• DAR scans should not be your first priority; baselines should be established over time to develop mature policies
• Lead DAR scans with Data Insight (“DI”) and allow the tool to collect several months of usage patterns to establish ownership information
• Use information found in DLP and DI scans to establish a formal workflow
# 6
The Challenge: Frustration with the speed at which the DLP solution becomes functional
Root Causes:
• Lack of a DLP strategy to provide a clear vision and direction for the solution
• Poorly defined requirements
• “Big Bang” implementation approach
Lessons Learned:
• Clearly and transparently articulate the DLP program’s vision and strategy to stakeholders
• Well defined requirements along with a phased implementation plan are important
• Utilize POCs, pilots, and phased implementation approaches
# 5
The Challenge: Deploying DLP Globally
Root Causes:
• Global privacy laws and labor unions can present varying, sometimes conflicting requirements which can restrict DLP monitoring
• Complaints about DLP monitoring from end users arising from cultural differences
• Proper messaging and approvals not vetted beforehand
Lessons Learned:
• Analyze and document legal and regulatory requirements related to employee monitoring (e.g. Germany, Netherlands)
• Create a regulatory/labor union communications and approval strategy and plan
• Allow ample time for socialization and approval of the solution with regulatory authorities/labor unions
# 4
The Challenge: Stakeholders may not understand the value that the solution is offering
Root Causes:
• Poorly defined or undefined DLP metrics and effectiveness criteria
• Lack of operational processes to collect and report DLP metrics
• Stakeholder expectation gaps related to functionality and timelines
Lessons Learned:
• It is important to define metrics and effectiveness criteria, along with an initial baseline from which you can measure future progress
• Establish operational processes to periodically collect and report on DLP metrics to stakeholders
• Involve stakeholders early on and remain as transparent as possible throughout
# 3
The Challenge: Same old…Same Old – Business Behavior Doesn’t Change
Root Causes:
• Lack of operational processes and resources to perform business process re-engineering
• Lack of organizational policies and associated training and on-going communications to establish and reinforce expectations
• Poorly defined or undefined disciplinary measures and enforcement
• Lack of secure alternatives (e.g. secure e-mail, secure FTP, secure storage locations)
Lessons Learned:
• Establish operational processes and a team to work with the business on secure alternatives for their business processes
• Establish organizational security policies and reinforce the policies with training and on-going awareness campaigns
• Establish disciplinary processes and integrate data protection goals into employee performance evaluations/appraisals
• Provide users secure alternatives to accomplish their activities; otherwise unsecure workarounds will be developed
# 2
The Challenge: Unmanageable Incident Queues
Root Causes:
• Poorly defined or undefined incident severity levels and response workflows/procedures
• Policies defined too broadly and without knowledge of legitimate business use
• Lack of sufficient testing and tuning of policies over time before full scale deployment
• Lack of a phased approach
• Insufficient resource allocation for incident response and remediation
• Lack of training of the incident response team
Lessons Learned:
• Define criteria for categorizing incidents by severity so that resources can be allocated based on business risk
• Formally document incident response procedures
• Spend the time required to understand your business so that policies can ignore legitimate business transactions/use
• Spend the time required to test and tune policies before fully deploying
• Don’t boil the ocean - start out slow with a small number of policies
• Allocate requisite resources and conduct formal training
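Two of the lessons above are concrete enough to show in code: policies that use business context rather than content alone (#8, “Policies defined based on content vs. contextual analysis”), and severity criteria that let incident queues be worked by business risk (#2). The example below is an added illustration, not code from the Deloitte/Symantec deck or from any DLP product. The detection rule (card-shaped numbers that also pass the Luhn check), the allow-listed processor domain, the department names, the severity thresholds and the sample events are all constructed assumptions; a real deployment would take them from the business use case analysis the slides describe.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Hypothetical context tables a DLP team would maintain (assumed, not from the slides).
INTERNAL_DOMAINS = {"corp.example"}
APPROVED_PROCESSOR_DOMAINS = {"processor.example"}   # sanctioned card-data recipient
PAYMENT_DEPARTMENTS = {"Treasury"}                   # teams with a legitimate need to send PANs


@dataclass(frozen=True)
class Event:
    """One outbound e-mail as a DLP sensor would summarise it (constructed shape)."""
    id: str
    department: str
    recipient_domain: str
    body: str


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test: screens out card-shaped numbers that cannot be real PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def with_check_digit(partial: str) -> str:
    """Append the Luhn check digit; used here only to build constructed sample data."""
    return next(partial + c for c in "0123456789" if luhn_valid(partial + c))


# 13-16 digits, optionally separated by single spaces or hyphens, not embedded in a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")


def find_pans(text: str) -> list[str]:
    """Content rule: a regex hit only counts if the digits also pass Luhn (tuning step)."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def content_only_match(event: Event) -> bool:
    """The naive policy: fire on content alone, regardless of who sends it where."""
    return bool(find_pans(event.body))


def severity(event: Event, record_count: int) -> str:
    """Assumed severity criteria tied to business risk: volume and destination."""
    external = event.recipient_domain not in INTERNAL_DOMAINS
    if record_count >= 100:
        return "Critical"
    if external and record_count >= 10:
        return "High"
    if external:
        return "Medium"
    return "Low"


def triage(events: list[Event]) -> dict:
    """Contextual policy plus severity assignment; returns the incident queue and what was suppressed."""
    incidents, suppressed = [], []
    for ev in events:
        pans = find_pans(ev.body)
        if not pans:
            continue
        # Legitimate business use learned from use case analysis: payments team -> approved processor.
        if ev.department in PAYMENT_DEPARTMENTS and ev.recipient_domain in APPROVED_PROCESSOR_DOMAINS:
            suppressed.append(ev.id)
            continue
        incidents.append({"id": ev.id, "records": len(pans), "severity": severity(ev, len(pans))})
    return {
        "incidents": incidents,
        "suppressed": suppressed,
        "queue": Counter(i["severity"] for i in incidents),
    }


# Constructed test PANs (Luhn-valid, not real cards) and constructed sample events.
TEST_PANS = [with_check_digit(f"40000000000{i:04d}") for i in range(12)]
SAMPLE_EVENTS = [
    Event("e1", "Sales", "webmail.example", f"customer card {TEST_PANS[0]} exp 12/27"),
    Event("e2", "Treasury", "processor.example", "settlement batch: " + ", ".join(TEST_PANS[:3])),
    Event("e3", "Logistics", "partner.example", "order refs 1234 5678 9012 3456 and 1234-5678-9012-3457"),
    Event("e4", "HR", "partner.example", "spreadsheet export\n" + "\n".join(TEST_PANS)),
    Event("e5", "Finance", "corp.example", "please reconcile " + " / ".join(TEST_PANS[:2])),
]

if __name__ == "__main__":
    print("content-only hits:", [e.id for e in SAMPLE_EVENTS if content_only_match(e)])
    print(triage(SAMPLE_EVENTS))
```

Run against the constructed events, the content-only rule fires on four of five messages, including the Treasury settlement batch that the business sends every day; the contextual policy suppresses that one, leaves the logistics order references out entirely because they fail Luhn, and hands the analyst a queue of three incidents already ranked High, Medium and Low, which is what lets a small team work the riskiest items first.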
# 1
The Challenge: Business Community / End User Outcry
Root Causes:
• Lack of policies to clearly set employee expectations
• Lack of communication related to the solution/program
• Lack of business involvement in requirements and scope definition
• Lack of secure alternatives (e.g. secure e-mail, secure storage locations, etc.)
• Lack of operational processes to reduce business interruption time
Lessons Learned:
• Set expectations through policy
• Reinforce expectations through training and awareness mechanisms
• Engage the business in solution requirements and scope
• Establish secure alternatives to enable people to “do the right thing”
• Establish operational processes and resources to respond to events efficiently to limit business interruption time
A Holistic DLP Program
In our joint experience an effective DLP solution/program should be approached broadly, focusing not just on the technology, but also upon the people and processes needed to support and interface with the DLP solution.
I. Governance
• DLP strategy
• DLP requirements
• Organizational structure
• Policies and procedures
• Training and awareness
• Metrics, monitoring, and reporting
II. Process
• Business process analysis
• Incident response workflows
• Incident response plan
• Tuning and adjustment
• Policy change management
• Help desk procedures
• Business process re-engineering
III. Security Integration
• Integration with enterprise security tools and systems
IV. System Implementation
• Hardware and software
• Egress points
• Storage repositories
• End points
• Policy configuration
• Access configuration
The approach is:
• Top down
• Integrates people, process, and technology
• Aligns the DLP solution with business drivers and value
[Diagram: enterprise infrastructure map with the layers Applications, Files, Storage and Network. Elements shown include Business Analytics, Customer Portal, Production Data, Data warehouse, Staging, Outsourced Development, File Server, Disk storage, DR, Back up disk, Back up tape, WAN, Enterprise e-mail, WWW and VPN, with security integration points for IAM, DLP, SEM and GRC.]
In Summary
Considerations Toward an Effective DLP Program:
• Well defined requirements aligned with business goals
• A well thought out and defined strategy and road-map/plan
• Allocating resources to supporting processes
• Achieving and building upon quick wins
• Tight coordination and integration with the business
• Transparent communication with stakeholders and the business community
Benefits of Our Joint Approach:
• Helps prevent costly re-work
• Demonstrates business value through “quick wins”
• Helps to prevent business community and end-user outcry
• Enables the use of advanced system capabilities
• Maintains stakeholder support
• Improves incident response capabilities
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.
Member of Deloitte Touche Tohmatsu Limited