Data Loss Prevention: Insider Threats Demand Holistic Strategies
In preparation for my data loss prevention (DLP) talk at Cisco Live next week, I’ve been doing some reading and I thought I’d share my thoughts on some of the things I found.

Several recent surveys have demonstrated the frightening prospect of insider security threats. Baseline Magazine cited an industry survey showing a marked increase in the number of IT pros who are willing to steal company information if they lose their jobs. PC World cited a similar survey showing that almost two-thirds of employees steal data when they leave the company. And Cisco’s own global data loss survey showed that nearly one in ten current employees have either stolen company equipment or data for profit or know someone at work who has. These cases describe only malicious insiders, not the far greater number of users who inadvertently, through carelessness or negligence, allow protected data to escape the organization’s control.

Insider threats don’t always involve employees, either. If external attackers penetrate an organization’s network they become “insiders” themselves, with the ability to search for and access sensitive data. Two recent high-profile data loss incidents at credit card processing companies involved not malicious insiders but technical exploitation from outside the organization. In the case of CardSystems Solutions, hackers used an initial SQL injection attack to access the network and install tools that facilitated further penetration and data theft. In the Heartland Payment Systems breach, the initial culprit was a keystroke logger, which led to the installation of a sniffer that facilitated the theft of data.

Information-centric risks such as the loss or disclosure of data that is protected by law, convention, or company policy have driven the rapid growth of the data loss prevention market and the security industry’s response. But let’s face it: DLP can be confusing.
Having achieved buzzword status in the security industry, DLP as a term is general enough to apply to almost any activity designed to protect corporate information. Data loss prevention as a product capability, however, is more specific: it involves techniques for analyzing data (whether at rest, in motion, or in use) for protected or proscribed content. The analysis of content is a technology function, but without effective information governance as a business function a DLP product can only do so much. Just as a firewall wouldn’t be deployed without a business understanding of the assets it is intended to protect, DLP technology shouldn’t be deployed in a business process vacuum.

DLP technologies leverage a number of different techniques for content analysis. These techniques range from straightforward pattern or expression matching against standard data types like social security or credit card numbers to more advanced and complex linguistic analyses used to identify unstructured “concepts” situated in everyday language. In between are commonly found techniques built around subject-specific content dictionaries and hashing or fingerprinting strategies for data repositories (for a good description of DLP techniques of varying complexity, see the white paper produced jointly by SANS Institute and Securosis, L.L.C.). Each tier trades precision for coverage: a regular expression alone will flag order numbers and phone numbers as credit cards unless the match is validated, a dictionary catches only terms someone thought to list, and fingerprinting finds copied text but not a paraphrase.

As the earlier examples of insider threats and security breaches show, DLP risks are not monolithic. Catching a credit card number or medical data accidentally included in an email is one thing, while catching a thief determined to exfiltrate corporate research data is something else. Technology can help, but it must be situated within the context of business requirements. This means organizations must know what data they are required to protect and must implement the policy and process infrastructure that enables the DLP technology products they deploy.
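To make the technique tiers concrete, here is a small content analyzer, added as an example and not taken from any DLP product or from the white paper mentioned above. It implements the first three tiers: pattern matching for card numbers and SSNs with validation to cut false positives, a subject-specific dictionary, and shingle-based fingerprinting of a protected document. The protected document, the dictionary terms and the sample messages are constructed for the example.

```python
"""Toy DLP content analyzer: pattern matching with validation, dictionary
matching, and hash-based fingerprinting. All sample data is constructed."""
import hashlib
import re

# 13-19 digits, optionally separated by single spaces or hyphens, not embedded
# in a longer digit run. Separator handling is deliberately simple.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")

# Constructed dictionary of project codenames a company might consider protected.
PROJECT_TERMS = {"project falcon", "codename osprey"}

# Constructed "protected repository" document used for fingerprinting.
PROTECTED_DOC = (
    "The Osprey prototype uses a dual band antenna array and a custom baseband "
    "chip to reach forty percent lower power draw than the previous generation."
)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; real card numbers pass, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Regex candidates filtered through Luhn to drop order/phone numbers."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str) -> list[str]:
    """SSN pattern plus the structural rules SSA never issues against."""
    hits = []
    for area, group, serial in SSN_RE.findall(text):
        if area in ("000", "666") or area.startswith("9"):
            continue
        if group == "00" or serial == "0000":
            continue
        hits.append(f"{area}-{group}-{serial}")
    return hits


def find_dictionary_terms(text: str, terms=PROJECT_TERMS) -> list[str]:
    """Case-insensitive dictionary match; only catches terms someone listed."""
    low = text.lower()
    return sorted(t for t in terms if t in low)


def shingles(text: str, k: int = 5) -> set[str]:
    """Fingerprint: hash every k-word window so partial copies still match."""
    words = re.findall(r"\w+", text.lower())
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
        for i in range(len(words) - k + 1)
    }


def fingerprint_overlap(message: str, protected_fp: set[str]) -> float:
    """Fraction of the message's shingles that appear in the protected document."""
    msg_fp = shingles(message)
    if not msg_fp:
        return 0.0
    return len(msg_fp & protected_fp) / len(msg_fp)


def scan(text: str, protected_fp: set[str], threshold: float = 0.5) -> dict:
    """Run every analyzer and apply a simple block policy."""
    findings = {
        "card_numbers": find_card_numbers(text),
        "ssns": find_ssns(text),
        "terms": find_dictionary_terms(text),
        "fingerprint_overlap": fingerprint_overlap(text, protected_fp),
    }
    findings["block"] = bool(
        findings["card_numbers"] or findings["ssns"] or findings["terms"]
    ) or findings["fingerprint_overlap"] >= threshold
    return findings


if __name__ == "__main__":
    fp = shingles(PROTECTED_DOC)
    for msg in (
        "card 4111 1111 1111 1111 exp 12/29",
        "order 1234567890123 shipped",
        "fyi: dual band antenna array and a custom baseband chip",
    ):
        print(msg, "->", scan(msg, fp))
```

The 13-digit order number in the second sample message matches the card regex but fails Luhn, which is the kind of false positive a bare pattern match would generate all day. The third message copies nine words out of the protected document; five of its six shingles match, so it trips the fingerprint threshold even though no regex or dictionary term fires. A paraphrase of the same sentence would not, which is where the linguistic-analysis tier the text mentions comes in.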
Implementing a sophisticated DLP technology without a thorough understanding of one’s data loss posture, perhaps against a single use case such as the fear of social security numbers being sent over email, is something like building fortifications before knowing from what direction an attack is coming. At best, it is an inefficient strategy. At worst, it can be a disaster.

Not all insider threats are deliberate and malicious. Indeed, most DLP technologies today are focused on the negligent and the careless rather than the unscrupulous and the dishonest. The latter are much harder to stop with technology alone. For this reason, organizations looking to adopt DLP are wise to consider it holistically, as part of an aligned business-technology initiative that addresses people and process as well as technology. By way of example, in the Cisco survey cited above, research showed that some employees knew others were stealing but seemingly did nothing to stop the theft. This is a breakdown at the level of organizational culture that technology will never address completely, but that can be mitigated by technology in the context of business strategy.