Data Loss Prevention | Trenovision
Data loss prevention (DLP) is a strategy for making sure that end users do not send sensitive or critical information outside the corporate network. The term is also used to describe software products that help a network administrator control what data end users can transfer.
DLP software products use business rules to classify and protect confidential and critical information so that unauthorized end users cannot accidentally or maliciously share data whose disclosure could put the organization at risk. For example, if an employee tried to forward a business email outside the corporate domain or upload a corporate file to a consumer cloud storage service like Dropbox, the employee would be denied permission.
Adoption of DLP is being driven by insider threats and by more rigorous state privacy laws, many of which have stringent data protection or access components. In addition to being able to monitor and control endpoint activities, some DLP tools can also be used to filter data streams on the corporate network and protect data in motion.
What does DLP do, and what protection does it provide?
To start with, let’s look at endpoint protection. Endpoint protection includes antivirus, anti-spyware, network threat protection (host-based firewall and host-based intrusion prevention) and proactive threat protection, which protects based on the behavior of a program. But it does not warn or stop a user from copying something sensitive to a CD/DVD or USB drive; for example, thousands of customers’ sensitive records being written to a USB drive.
Similarly, perimeter security does not stop a user from sending sensitive information over email, HTTP/HTTPS or FTP. Neither endpoint, perimeter nor network security has any way to identify which data is sensitive.
This is where DLP technology comes into the picture: security is built around the data itself. Once DLP is in place, data loss through endpoints (CD/DVD, USB drive or floppy drive) and data loss through the network (email, HTTP/HTTPS, FTP or any TCP/IP protocol, for that matter) can be prevented. In other words, DLP fits around the data itself.
Sensitive information is defined by writing a ‘rule’ in DLP. DLP primarily focuses on the following channels for preventing data loss:
1. Endpoints (desktop/laptop)
2. Network (email, HTTP/HTTPS or FTP), also called data in motion
3. Data residing on file servers, NAS or server hard drives, also called data at rest
For endpoints, an agent is installed on each endpoint. The agent monitors all data leaving that endpoint against the ‘rule’, which is defined centrally. The rule is the most critical aspect of DLP. The endpoint agent communicates with the centrally located DLP server whenever the user connects to the network, and it generates an incident whenever a DLP rule is violated. Depending on how DLP is configured, the endpoint agent can monitor or even prevent copying data to an external drive. The question arises: can a desktop admin simply uninstall the DLP endpoint agent once he finds out about it? The answer is no; uninstalling the DLP endpoint agent requires an uninstallation password. We are also assuming that the user does not have admin rights on his laptop/desktop. The latest versions of DLP (ver 11.x.x) add many advanced controls to hide the DLP agent on endpoints and protect it from tampering.
Network DLP requires the DLP network component to sit inline (or act as a sniffer) with email traffic (corporate email) and/or web traffic (proxy servers).
The data-at-rest component scans the specified targets for any sensitive information. Once found, it can generate an incident and/or move the data to a safer location, leaving a marker in place stating that the data has been moved. The marker can also provide the contact information of the person to approach if the user wants to retrieve the data.
At the heart of all three channels is the ‘rule’. Defining the rule is critical and must be done carefully; it is a huge subject in itself. Symantec, however, helps with many templates for different kinds of industries, for example pharma, banking and finance. Organizations mature over years in defining the rules that block traffic, and rules need to be fine-tuned over time to reduce false positives.
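As an added illustration (not Symantec’s engine, and not code from the original article), the following Python sketch shows what a DLP ‘rule’ amounts to: a detection pattern, a per-match validator and a minimum match count, evaluated against content leaving through a channel. The rule set, the channel-to-action mapping and the sample content are all constructed; the Luhn check and the match threshold are the two tuning knobs that cut false positives.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional
# Added illustration (not Symantec's engine): a DLP "rule" is a detection
# pattern plus the tuning knobs that keep false positives down, evaluated
# against content leaving through a channel. All sample data is constructed.

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects random 16-digit strings that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

@dataclass
class Rule:
    name: str
    pattern: re.Pattern
    min_matches: int = 1                              # ignore a single stray hit
    validate: Optional[Callable[[str], bool]] = None  # per-match check, e.g. Luhn

@dataclass
class Incident:
    rule: str
    channel: str
    matches: int
    action: str

# Constructed policy over the channels the article lists: block removable media and network traffic, only record file-share hits.
CHANNEL_ACTION = {"usb": "block", "smtp": "block", "http": "block", "file_share": "monitor"}

RULES = [
    Rule("PCI-PAN", re.compile(r"\b(?:\d[ -]?){15}\d\b"),
         validate=lambda m: luhn_ok(re.sub(r"\D", "", m))),
    # A single field name is noise; three together look like a customer record.
    Rule("Customer-record", re.compile(r"(?i)\b(ssn|date of birth|account no)\b"), min_matches=3),
]

def inspect(content: str, channel: str, rules: List[Rule] = RULES) -> List[Incident]:
    """Evaluate every rule against the content and raise one incident per violated rule."""
    incidents = []
    for rule in rules:
        hits = [m for m in rule.pattern.findall(content)
                if rule.validate is None or rule.validate(m)]
        if len(hits) >= rule.min_matches:
            incidents.append(Incident(rule.name, channel, len(hits),
                                      CHANNEL_ACTION.get(channel, "monitor")))
    return incidents
```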
DLP has the following components:
1. DLP Enforce, where policies are defined and administration is performed. Incidents can also be viewed here.
2. Database Server: DLP uses Oracle as the database to store incidents and other information.
3. Endpoint Servers: these manage the endpoint agents.
4. Network Prevent / Web Prevent Servers, for protecting email/web traffic.
5. Discover Server, used for identifying sensitive data on various storage such as NAS, HDDs and file servers.
I hope this article has at least given a very basic understanding of how DLP works. DLP is a very vast solution in itself and can be configured to achieve many objectives. It is a must for organizations that want to protect their information from leakage or theft. Data loss/theft is mostly done by an insider, knowingly or unknowingly.
Let’s now look at the different components of DLP and where they can be placed in an organization’s network.
1. Enforce Platform: In most scenarios, the Enforce server and database server are placed in the organization’s LAN. The Enforce server is the admin/user console; all admin and user activity is performed on the Enforce console, and the administrator sets policy through the Enforce admin console. Enforce is used for the following:
• Policy
• Workflow, incidents
• Reporting
• Administration
2. Database for Symantec DLP: The database server in Symantec DLP is Oracle, which stores incidents and other information. If the organization has a DBA (database admin) team, it is advisable to hand over database administration to them; Symantec support quite often asks you to contact the DBA for Oracle-related issues. In most scenarios the database is also placed in the organization’s LAN.
3. Endpoint Servers and Endpoint Agents: Endpoint servers manage the endpoint agents, which are installed on desktops/laptops (or even tablets now). Endpoint servers are also in the organization’s LAN. Even when a laptop or desktop is off the network and cannot reach the endpoint servers, the agent keeps any incidents locally and sends them to the endpoint servers as soon as it reconnects. I have explained in ‘What Protection Does Symantec DLP Provide? A Note for Beginners’ that it is quite robust and that endpoint agents are very difficult to compromise. Endpoint agents can control the following:
• Discover / relocate data
• USB / CD / DVD
• Email / web / FTP / instant messenger (IM)
• Print / fax
• Network shares
• Application file access
• Copy/paste
The question arises: if Network Prevent for Email and Web Prevent take care of data leaks through email and web, why do we need such functionality in endpoint agents? The answer is: what if the user is not using the corporate proxy or corporate email system? The user may be on the Internet through a local Internet connection and using webmail such as Yahoo Mail or Rediffmail. Data leaks of this kind can be prevented through endpoint agents.
4. Network Prevent / Web Prevent Servers: Depending on requirements, these can be placed in the LAN or the DMZ. Network DLP requires the DLP network component to sit inline (or act as a sniffer) with email traffic (corporate email) and/or web traffic (proxy servers). Leakage of data in motion can be monitored and prevented with these servers. All TCP-based protocols are supported, e.g. HTTP/HTTPS, FTP, SMTP and IM. Starting with Symantec DLP version 11.5, support for third-party proxies is also included; for example, Websense remote filtering can now be integrated with Symantec DLP to check for data leaks through proxy servers.
5. Discover Server: This is used for identifying sensitive data on various storage such as NAS, HDDs and file servers. The following targets can be scanned:
• File servers
• Databases
• Collaboration platforms such as Lotus Notes/Domino
• Websites
• Laptops / desktops
This component is not only used for discovering sensitive information but also for relocating it to a safer location and leaving a marker at the original location so that users are informed.
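As an added example (not Symantec’s Discover code, and not from the original article), here is how the relocate-and-leave-a-marker remediation described for data at rest can be implemented in Python: a flagged file is moved into a quarantine store keyed by its content hash, and a marker naming the reason and a contact address is left at the original path. The share layout, file contents, marker suffix and contact address are constructed for the demo; the detector is passed in as a callable so any classifier can drive it.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Callable, Dict, List, Optional

# Added illustration (not Symantec's Discover code) of the "move it and leave a
# mark" remediation described above. The sample share, file contents and contact
# address are constructed. The marker file suffix is an assumption.
MARKER_SUFFIX = ".MOVED.txt"

def relocate_sensitive(path: Path, quarantine: Path, contact: str, reason: str) -> Dict[str, str]:
    """Move one flagged file into the quarantine store and leave a marker behind."""
    data = path.read_bytes()
    digest = hashlib.sha256(data).hexdigest()
    quarantine.mkdir(parents=True, exist_ok=True)
    # Keyed by content hash: duplicates collapse to one object and the copy can be verified on retrieval.
    dest = quarantine / f"{digest}{path.suffix}"
    shutil.move(str(path), str(dest))
    marker = path.with_name(path.name + MARKER_SUFFIX)
    marker.write_text(
        f"{path.name} was moved to a protected location by Data Loss Prevention.\n"
        f"Reason: {reason}\nTo retrieve it, contact: {contact}\nReference: {digest[:12]}\n"
    )
    return {"original": str(path), "quarantined": str(dest), "sha256": digest, "reason": reason}

def scan_share(root: Path, detector: Callable[[str], Optional[str]],
               quarantine: Path, contact: str) -> List[Dict[str, str]]:
    """Walk a share, run the detector over every file and relocate the positives."""
    incidents = []
    for p in sorted(root.rglob("*")):          # listing is materialised before any move
        if p.is_file() and not p.name.endswith(MARKER_SUFFIX):
            reason = detector(p.read_text(errors="ignore"))
            if reason:
                incidents.append(relocate_sensitive(p, quarantine, contact, reason))
    return incidents

def demo() -> dict:
    """Constructed share with one customer file and one harmless file; returns what a scan leaves behind."""
    base = Path(tempfile.mkdtemp())
    share, quarantine = base / "share" / "finance", base / "quarantine"
    share.mkdir(parents=True)
    (share / "customers.csv").write_text("name,ssn\nA. Example,000-00-0000\n")
    (share / "minutes.txt").write_text("Weekly status meeting notes.\n")
    detect = lambda text: "Customer SSN data" if "ssn" in text.lower() else None
    incidents = scan_share(share, detect, quarantine, "dlp-team@example.invalid")
    return {"incidents": incidents,
            "remaining": sorted(p.name for p in share.iterdir()),
            "marker": (share / ("customers.csv" + MARKER_SUFFIX)).read_text(),
            "quarantined_files": sorted(p.name for p in quarantine.iterdir())}
```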
Now, how are these components integrated with each other?
Enforce is the center of all components. Database communicates with Enforce. All others (endpoint server, network prevent, web prevent, discover) are integrated with Enforce. And lastly, endpoint agents communicate with endpoint servers.
Software or Appliance: Up to version 11.1.1, Symantec DLP is software that runs on Windows or Linux servers. Endpoint agents are designed for Windows only.
The following are the server platforms on which DLP can run:
• Windows 2003 Enterprise Edition (32-bit)
• Windows Server 2008 Enterprise Edition R2 (64-bit)
• Red Hat Enterprise Linux 5 Update 2 or higher (32-bit and 64-bit)
The following are the platforms for endpoint agents:
• Windows XP Pro SP2 or SP3 (32-bit)
• Windows Vista Enterprise or Business SP1 or SP2 (32-bit)
• Windows 7 Enterprise, Pro, or Ultimate (32- and 64-bit)
• Windows Server 2003 SP2 or R2 (32-bit)
Hardware specifications are average, with 16 to 32 GB of RAM. Disk space requirements depend on the ‘rule’ and on how broadly it is written.
Key Benefits of DLP
Security executives trust Symantec DLP to:
Improve visibility into their enterprise’s data loss risk, deliver measurable risk reduction, and stay ahead of emerging threats and new technologies.
Educate and protect well-meaning employees and third parties from accidentally leaking or losing confidential data.
Prevent malicious insiders and outsiders from stealing valuable intellectual property.
Comply with global data privacy regulations such as the U.S. Health Insurance Portability and Accountability Act (HIPAA) and European Union Data Protection Directive.
Key Features
Symantec Data Loss Prevention (DLP) is a comprehensive data security solution that discovers, monitors, protects and manages information wherever it is stored or used.
Discover confidential data wherever it is stored and identify data owners to make data cleanup easy.
Monitor how confidential data is being used and where it is going, to provide visibility into broken business processes and high-risk users.
Protect confidential data by automatically enforcing data loss policies; educating users about data security; securing exposed data; and stopping data leaks.
Manage data loss policies, incident remediation, and risk reporting from a single, web-based management console.
Data Loss Prevention Data Insight
Monitors file usage and access patterns on network-attached storage (NAS) filers, Windows servers, and SharePoint libraries.
Identifies the data owners of exposed files and folders; alerts security teams to anomalous activity or outlier users; and facilitates secure collaboration with access visualization and analytics.
Data Loss Prevention IT Analytics
Provides advanced, multidimensional reporting capabilities so you can easily slice and dice data; create ad-hoc reports for executives and auditors; and measure data loss risk across your organization.
IT Analytics is available at no additional cost with the Symantec DLP Suite.
Data Loss Prevention for Mobile
Monitors email downloaded to mobile devices over ActiveSync.
Monitors and protects network communications sent from iPads and iPhones over ActiveSync, HTTP/HTTPS, and iOS apps like Dropbox and Facebook.
Advantages of DLP
Protect your company’s most valuable asset: intellectual property.
Organizations are looking to Data Loss Prevention to protect their highest value data. A study by Symantec and the Ponemon Institute found that everyday employees’ attitudes and beliefs about intellectual property theft are at odds with the vast majority of company policies.
Stay on top of compliance.
Let Symantec Data Loss Prevention give you increased visibility into your business processes as proof that you’re staying compliant. Ensure compliance with regulations such as PCI, GLBA, HIPAA, SOX, etc. by protecting your sensitive data and having data controls in place in case of an audit.
Discover how easy it is to get started with Symantec Data Loss Prevention.
Visibility: The first step is to understand where your data is stored and how it is being used across your enterprise.
Remediation: Once you’ve identified broken business processes and high-risk users, then you can start fixing incidents and cleaning up data spills.
Notification: Next, turn on automated email and onscreen pop-up notifications to educate users about data loss policies — this dramatically cuts down repeat offenses.
Prevention: And lastly, stop users from accidentally or maliciously leaking information by quarantining, encrypting and blocking outbound communications.