Avoiding Data Loss Prevention (DLP) Pitfalls: A Discussion of Lessons Learned
April 2013
Speaking With You Today
Dan Frank, Principal, Deloitte & Touche LLP, danfrank@deloitte.com, (312) 486-2541 (office), (312) 401-0125 (cell)
Charles Keane, National Security Architect, Symantec, Charles_Keane@symantec.com, (617) 571-7170
DLP Pitfalls: A discussion of lessons learned
Agenda
- Deloitte and Symantec Alliance Overview
- Top 10 DLP Challenges, Root Causes
- Summary
As used in this document, "Deloitte" means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
Alliance Overview
Global leaders with a demonstrated track record of achievements and leading practices.
Deloitte:
- Leading risk consulting practice
- Client-specific, pragmatic advisory services
- Ability to provide strategic and technical responses to core business challenges
Symantec:
- Leading security software provider
- Global intelligence network
- Sophisticated and mature enterprise security tools and technologies
Our alliance brings together two of the leading security and privacy software and professional services organizations in the world, helping organizations solve constantly evolving, complex security and privacy related business challenges.
#10 Where do I start?
Root causes:
- Lack of understanding of the current environment, data loss risks, and associated risk mitigation priorities
- A tendency to boil the ocean when approaching data loss initiatives makes the solution seem overwhelming
- Perception that DLP is a one-time technical project instead of a program
Lessons learned:
- Understand your risks first
- Prioritize your deployment strategy based on the riskiest areas (e.g. data types, business units, business functions, end points, repositories)
- Build a multi-year road-map for your DLP program that focuses on quick wins as well as incremental business value and advanced functionality
#9 Understanding the Total Cost of Ownership of a DLP Program
Root causes:
- Failure to evaluate vendor marketing promises
- Misunderstanding of infrastructure costs and employee resource requirements
- Poor planning of the level of effort associated with policy creation, workflow/remediation, and testing and tuning
Lessons learned:
- Conduct vendor evaluations and proofs of concept against specific business and technical requirements. Trust but verify.
- Create a high-level solution architecture to assist with estimating infrastructure costs
- Estimate resource requirements for both initial deployment and ongoing operations and maintenance
#8 Getting Past the Basics: Utilizing Advanced Features (only 30-40% of Symantec's DLP customers currently use advanced features)
Root causes:
- Concern with impeding legitimate business processes
- Lack of understanding of legitimate versus illegitimate business use
- Undefined processes for business use case analysis
- Policies defined based on content alone rather than contextual analysis
- Lack of sufficient testing and tuning of policies over time before full-scale deployment
- Lack of workflow and associated roles and responsibilities, SLAs, etc. to help the business recover information efficiently
Lessons learned:
- A sound understanding of the business and its use cases is critical to enabling advanced features
- Policies should be carefully configured based on business use case analysis and sufficiently tested and tuned prior to being enabled
- Operational procedures and workflow for recovery of blocked, quarantined, or encrypted information must be established to help prevent prolonged business interruption
#7 Inability to move from data at rest (DAR) identification to DAR remediation
Root causes:
- Policies aren't fully tested and tuned before DAR scans take place
- No ownership information or other metadata is present in files
- No formal workflow process is in place to interface with end users
Lessons learned:
- DAR scans should not be your first priority; baselines should be established over time to develop mature policies
- Lead DAR scans with Data Insight (DI), allowing the tool to collect several months of usage patterns to establish ownership information
- Use information found in DLP and DI scans to establish a formal workflow
#6 Frustration with the speed at which the DLP solution becomes functional
Root causes:
- Lack of a DLP strategy to provide a clear vision and direction for the solution
- Poorly defined requirements
- "Big Bang" implementation approach
Lessons learned:
- Clearly and transparently articulate the DLP program's vision and strategy to stakeholders
- Well-defined requirements along with a phased implementation plan are important
- Utilize POCs, pilots, and phased implementation approaches
#5 Deploying DLP Globally
Root causes:
- Global privacy laws and labor unions can present varying, sometimes conflicting requirements which can restrict DLP monitoring
- Complaints about DLP monitoring from end users arising from cultural differences
- Proper messaging and approvals not vetted beforehand
Lessons learned:
- Analyze and document legal and regulatory requirements related to employee monitoring (e.g. Germany, Netherlands)
- Create a regulatory/labor union communications and approval strategy and plan
- Allow ample time for socialization and approval of the solution with regulatory authorities and labor unions
#4 Stakeholders may not understand the value that the solution is offering
Root causes:
- Poorly defined or undefined DLP metrics and effectiveness criteria
- Lack of operational processes to collect and report DLP metrics
- Stakeholder expectation gaps related to functionality and timelines
Lessons learned:
- Define metrics and effectiveness criteria, along with an initial baseline from which future progress can be measured
- Establish operational processes to periodically collect and report DLP metrics to stakeholders
- Involve stakeholders early on and remain as transparent as possible throughout
#3 Same Old, Same Old: Business Behavior Doesn't Change
Root causes:
- Lack of operational processes and resources to perform business process re-engineering
- Lack of organizational policies and associated training and ongoing communications to establish and reinforce expectations
- Poorly defined or undefined disciplinary measures and enforcement
- Lack of secure alternatives (e.g. secure e-mail, secure FTP, secure storage locations)
Lessons learned:
- Establish operational processes and a team to work with the business on secure alternatives for their business processes
- Establish organizational security policies and reinforce them with training and ongoing awareness campaigns
- Establish disciplinary processes and integrate data protection goals into employee performance evaluations/appraisals
- Provide users with secure alternatives to accomplish their activities; otherwise insecure workarounds will be developed
#2 Unmanageable Incident Queues
Root causes:
- Poorly defined or undefined incident severity levels and response workflows/procedures
- Policies defined too broadly and without knowledge of legitimate business use
- Lack of sufficient testing and tuning of policies over time before full-scale deployment
- Lack of a phased approach
- Insufficient resource allocation for incident response and remediation
- Lack of training of the incident response team
Lessons learned:
- Define criteria for categorizing incidents by severity so that resources can be allocated based on business risk
- Formally document incident response procedures
- Spend the time required to understand your business so that policies can ignore legitimate business transactions/use
- Spend the time required to test and tune policies before fully deploying
- Don't boil the ocean: start out slow with a small number of policies
- Allocate the requisite resources and conduct formal training
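As an added illustration (not from the deck, and not Deloitte's or Symantec's tooling) of two points above: #8's observation that policies defined on content alone, without contextual analysis, flag legitimate business use, and #2's advice to categorize incidents by severity and to let policies ignore legitimate transactions. The event fields, the SSN detector, the approved-use table, the internal domain suffix and the sample traffic are all constructed assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class Event:
    """A constructed DLP event: one message or transfer seen at an egress point."""
    sender_group: str   # business unit of the sender
    destination: str    # receiving host or domain
    channel: str        # protocol or endpoint channel
    body: str           # content inspected by the policy
    encrypted: bool = False

# Content rule: Social Security Number-shaped tokens (sample detector only).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Approved business use documented during use-case analysis (constructed):
# this (sender group, destination, channel) may move SSNs when encrypted.
APPROVED_USE = {("payroll", "bank-partner.example", "sftp")}
INTERNAL_SUFFIX = ".corp.example"  # constructed internal namespace

def evaluate(ev, contextual=True):
    """Return (incident, severity); contextual=False is the content-only policy."""
    hits = len(SSN_RE.findall(ev.body))
    if hits == 0:
        return False, None
    key = (ev.sender_group, ev.destination, ev.channel)
    if contextual and key in APPROVED_USE and ev.encrypted:
        return False, None  # legitimate business transaction: no incident raised
    # Severity criteria: volume of matches and whether the destination is external.
    external = not ev.destination.endswith(INTERNAL_SUFFIX)
    if external and hits >= 10:
        return True, "high"
    return True, "medium" if external else "low"

def queue_size(events, contextual=True):
    """Severity counts for a batch: the incident queue responders inherit."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for ev in events:
        incident, sev = evaluate(ev, contextual)
        if incident:
            counts[sev] += 1
    return counts

# Constructed sample traffic: approved payroll feed, internal HR copy, webmail send, newsletter.
SAMPLE_EVENTS = [
    Event("payroll", "bank-partner.example", "sftp",
          " ".join(f"123-45-{i:04d}" for i in range(50)), encrypted=True),
    Event("hr", "hr-share.corp.example", "smb", "123-45-0001 123-45-0002 123-45-0003"),
    Event("sales", "webmail.example", "smtp", "call 123-45-6789 or 987-65-4321"),
    Event("marketing", "newsletter.example", "smtp", "Q2 product update"),
]
```

Running `queue_size(SAMPLE_EVENTS, contextual=False)` raises a high-severity incident for the approved payroll feed, while the contextual policy drops it and leaves only the internal copy and the unencrypted webmail send in the queue.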
#1 Business Community / End User Outcry
Root causes:
- Lack of policies to clearly set employee expectations
- Lack of communication related to the solution/program
- Lack of business involvement in requirements and scope definition
- Lack of secure alternatives (e.g. secure e-mail, secure storage locations, etc.)
- Lack of operational processes to reduce business interruption time
Lessons learned:
- Set expectations through policy
- Reinforce expectations through training and awareness mechanisms
- Engage the business in solution requirements and scope
- Establish secure alternatives to enable people to do the right thing
- Establish operational processes and resources to respond to events efficiently and limit business interruption time
A Holistic DLP Program
In our joint experience an effective DLP solution/program should be approached broadly, focusing not just on the technology, but also upon the people and processes needed to support and interface with the DLP solution.
I. Governance
- DLP strategy
- DLP requirements
- Organizational structure
- Policies and procedures
- Training and awareness
- Metrics, monitoring, and reporting
II. Process
- Business process analysis
- Incident response workflows
- Incident response plan
- Tuning and adjustment
- Policy change management
- Help desk procedures
- Business process re-engineering
III. Security Integration
- Integration with enterprise security tools and systems (IAM, SEM, GRC, infrastructure)
IV. System Implementation
- Hardware and software
- Egress points
- Storage repositories
- End points
- Policy configuration
- Access configuration
The approach is top down, integrates people, process, and technology, and aligns the DLP solution with business drivers and value.
[Diagram: egress points, repositories and end points covered by the system implementation, e.g. network (WAN, WWW, VPN, DR), enterprise e-mail, applications, files and storage (file server, disk storage, backup tape and disk, production and staging data, data warehouse), business analytics, customer portal, outsourced development]
In Summary
Considerations Toward an Effective DLP Program:
- Transparent communication with stakeholders and the business community
- Tight coordination and integration with the business
- Well-defined requirements aligned with business goals
- A well thought out and defined strategy and road-map/plan
- Allocating resources to supporting processes
- Achieving and building upon quick wins
Benefits of Our Joint Approach:
- Helps prevent costly re-work
- Demonstrates business value through quick wins
- Helps to prevent business community and end-user outcry
- Enables the use of advanced system capabilities
- Maintains stakeholder support
- Improves incident response capabilities
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation. Member of Deloitte Touche Tohmatsu Limited