Data Loss Prevention - The People, Process & Technology Overlap

In Part 1 of this DLP blog series, I discussed how the overlap between people and technology is largely a function of situational awareness within the context of the organization’s goals. An organization will only benefit from the technology when the proper lens is applied. The organization must set realistic expectations on the product, establish proper clipping levels to avoid destabilizing the staff and place the proper administrative controls to measure sustainable progress in tightening the noose on data loss. This is accomplished by examining both content and context of a data transmission.

In Part 2 of the blog series, I explained why documentation—the overlap between people and process—is so critical for the organization. The function is more than simply stating what the organization has done. It is more valuable to capture the why something is done. Even outside of the context of DLP, I have heard clients explain that the reason why something is done is because it has always been done that way. If the organization takes the time to document the reason something is done, the less likely the solution will resemble a garbage collector that is not driving value on the current risks the organization faces.

In a recent engagement, I was tasked with providing recommendations on reducing false positive errors in a large DLP environment. To arrive at my recommendations, I performed a statistical analysis of the historical incidents at the client. When it was time to suggest the changes, the empirical data that was available supported the why and the what.

Finally, in Part 3, I discussed the importance of automation and folding the DLP solution into the general information security portfolio. While DLP is generally designed to be a somewhat autonomous technology, it does not mean it has to be. Consider the power of correlation between negative Human Resource events and data exfiltration as only one such example. Consider other indicators of compromise that can be detected by proper network flow data correlated to a baseline state. To consider that the only threat actors are external hackers and the well-intentioned insiders is a grave miscalculation.

Quite simply, there are likely a hundred different use cases for each of these pillars that I am not posting or aware of. Each organization is different, complete with unique needs and challenges. Therefore, in this final installment of this series, I would like to focus on the bull’s-eye of the Venn diagram—culture.

In the DLP engagements I have participated in, the central tendency is to approach DLP as a compliance-driven initiative. A typical use case is the organization that has a large client (or two) leaning on them to implement the appropriate controls to safeguard their customer’s data. Perhaps the organization is robbing Peter to pay Paul when it comes to internal resources. Those organizations that seem to be adequately staffed are prime candidates for getting bit by shortcuts and tacit decisions. It is simply human nature to take the path of least resistance. Unfortunately, many organizations end up suffering from the law of unintended consequences as a result of the lack of vision in their DLP engagement.

Content-aware DLP is a classic example of technology that can quickly spiral out of control towards obsolescence if left in incapable hands. As I have warned in prior posts, DLP is not a silver bullet technology. It is a complementing control as part of an overall security program and strategy.

If an organization views DLP as a compliance-first initiative, a greater likelihood exists that it will fail to meet expectations, as other solutions in the security portfolio will take precedence and receive more focus. When the organization suffers an embarrassing data loss incident, the organization will likely wish that they had a security-first approach to DLP, and of course that is too late to realize.

What are some of the tell-tale signs of a compliance-driven DLP approach? I feel that one of the biggest indicators is the timetable for the DLP initiative. If an organization is racing against a specific date, such as an audit or a customer-driven onboarding event, there is a possibility that efforts will be focused on operational milestones rather than the long-term, process-driven milestones.

Another potential indicator is the level of effort the organization invests to raise awareness of the solution, whom is involved in the awareness activities and at what phases of the project lifecycle the awareness activities occur. This is also where the culture of the DLP solution comes into play in determining success or failure. Ideally, an organization should partner with the stakeholders to ensure the best chance for acceptance and success. Stakeholders of the DLP solution include the end-user customer that may experience slight latency in the day-to-day transactions or simply see a strange icon in their system tray.

In summary, look at the overlaps between people, process and technology when assessing an organization’s DLP technology culture. While there may be opportunities to improve the pillars within the enterprise solution, the biggest opportunity often lies in the correct positioning for the organization’s culture.

As a security practitioner, I subscribe to the belief that if an organization is security-focused, they will also be compliant as a byproduct. However, if an organization is compliance-focused, there are no guarantees that they will be secure as a byproduct. Which approach does your organization tend to subscribe to? Which approach do the organizations that you do business with take?

At the end of the day, content-aware DLP technologies are simply the value of a parameter in this blog series. As the primary stakeholder in your information’s safety, any number of solutions within the information security function can be substituted and the general recommendations remain valid. So why do organizations continue to deploy solutions that are compliance-focused? Perhaps this will serve as an impetus to perform research, but that is a topic for another day.