Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

5 Myths About Data Loss Prevention

Data Loss Prevention technologies are needed to protect data coming into and leaving the organization. There are a number of problems and challenges with the many vendors supplying DLP technology. This presenation reviews some of the Myths around Data Loss Prevention.

  • Login to see the comments

  • Be the first to like this

5 Myths About Data Loss Prevention

  2. 2. What is the DLP Risk? <ul><li>Survey Says </li></ul><ul><li>Many companies have lost confidential data through removable media </li></ul><ul><li>Organizations rely mainly on paper-based controls (policies, NDAs, goodwill, paper cuts) </li></ul><ul><li>Intellectual property, customer data and company financials - the top three concerns </li></ul><ul><li>Data loss via USB drives and other removable media is the top concern </li></ul><ul><li>Trojans, spyware and other hacker threats are secondary </li></ul><ul><li>Confidential data stored on desktops and laptops are a major concern </li></ul><ul><li>Mobile phones have a lot of confidential information, Blackberry, Iphone, Windows Mobile phones, etc </li></ul><ul><li>No controls over audit, monitoring and logging of data into and out of the network </li></ul>
  3. 3. What is Data Loss? <ul><li>Typical data loss scenarios are email, Usb key, burning a CD/DVD </li></ul><ul><li>Other options are Instant Messaging, paper, FTP, fax, phone conversations, mind melds </li></ul><ul><li>Data at rest (stored on file servers, harddrives) </li></ul><ul><li>Data in motion (being sent across the network somehow) </li></ul><ul><li>Data destruction (lack of destroying data in unprotected environments) </li></ul><ul><li>Endpoint security has moved beyond the home user </li></ul>
  4. 4. Obligatory Chart
  5. 5. Top 5 Myths about DLP Solutions <ul><li>Myth 1 – We are too small for a DLP solution </li></ul><ul><li>Myth 2 – I have to purchase an expensive third party DLP solution </li></ul><ul><li>Myth 3 - We cannot track and classify our data </li></ul><ul><li>Myth 4 – The IT Department will handle data loss prevention with technology </li></ul><ul><li>Myth 5 – My company isn’t really exposed to the Internet </li></ul>
  6. 6. Myth 1- Too Small for a DLP suite <ul><li>Example, small/medium sized law firm, 100 lawyers,, 30 staff, a couple offices, confidential data, a website, 50 gigs of data storage </li></ul><ul><li>A DLP suite is too complex and time consuming </li></ul><ul><li>We have legal controls in place </li></ul><ul><li>We have an “IT Guy” who handles everything </li></ul><ul><li>Our lawyers know not to send out emails to anyone that should not receive it </li></ul><ul><li>We have firewall, antivirus and malware protection in place </li></ul>
  7. 7. Myth 1- Too Small for a DLP Suite <ul><li>Any SMB company that has confidential data is at risk. What can the small law firm do about it? </li></ul><ul><li>The hype generated by the big companies (McAfee, Symantec etc) should not scare you away from smaller, focused solutions. Many tactical solutions are available that are not too complex </li></ul><ul><li>Technological controls have to complement legal controls, to protect employees from themselves as well as from outside evil-doers </li></ul><ul><li>IT staff are rarely the same as Security Staff, augment with either outsourced security staff or with robust technology controls </li></ul><ul><li>Do not rely on employees actually understanding what security means, technology controls are needed to offset “stupid” mistakes </li></ul><ul><li>DLP is evolved far beyond simple security controls, looking at actual data is the key to implement technology correctly </li></ul>
  8. 8. Myth 2 – Expensive Third Party Solution <ul><li>For the small law firm, implementing a $100,000 Symantec or McAfee solution is impossible </li></ul><ul><li>We cant afford the consulting and software costs </li></ul><ul><li>Our IT staff are not experts in these DLP solutions and we cannot hire any new staff </li></ul><ul><li>We have already invested in a lot of security technology, no approval for more enterprise suites </li></ul>
  9. 9. Myth 2 – Expensive Third Party Solution <ul><li>Tactical solutions available vs a full enterprise suite, a number of freeware tools are available </li></ul><ul><li>Smaller tools do not require intensive training in security or the products </li></ul><ul><li>You do not have to replace security technology you already have in place, augment your security DLP gaps </li></ul>
  10. 10. Myth 3 – Data classification challenge <ul><li>Our example law firm probably has client confidential files labeled and not much else </li></ul><ul><li>Most companies, especially SMBs, have never classified all their data and have no plans to do this, its to difficult. We do not have the resources to go back and classify all old documents </li></ul><ul><li>We do not need classification standards other than Confidential </li></ul><ul><li>Our employees do not know enough to classify data and our managers are too busy to look at every document </li></ul>
  11. 11. Myth 3 – Data classification challenge <ul><li>To avoid the high and costly rate of false positives and negatives, use technology with accurate detection capabilities (structured, unstructured data) </li></ul><ul><li>A tiered classification standard such as Confidential, Private, Company Use and Public used with DLP will minimize false positives </li></ul><ul><li>With a process in place to educate employees and to force data classification on all newly created documents, a DLP solution can easily manage files based on classification in the future </li></ul>
  12. 12. Myth 4 – IT Department’s Responsibility <ul><li>Many companies, small and large think IT can provide all the security needs as well as understand all the business requirements </li></ul><ul><li>The majority of employees don't know their company's policies and are uneducated about security </li></ul><ul><li>IT cannot make rules to tell employees what data they can keep on laptops and desktops </li></ul><ul><li>IT cannot determine the value of business data </li></ul><ul><li>Business unit owners do not take ownership of data </li></ul><ul><li>Users rely on IT to stop them from doing “stupid” mistakes </li></ul><ul><li>Users never delete data, whether its in emails, on PCs/laptops or in personal network storage </li></ul>
  13. 13. Myth 4 – IT Department’s Responsibility <ul><li>User education, focus on data security, privacy and confidentiality </li></ul><ul><li>Look at Data at rest, where does sensitive data reside outside of secure databases and file servers, develop business rules for saving data to laptops/PCs </li></ul><ul><li>Become content aware, read through data looking for sensitive information </li></ul><ul><li>Business units must provide guidance on data value, and access rights to data, Centralized policy management </li></ul><ul><li>Protecting data in motion by monitoring, logging and auditing (typically email, web, FTP, USB), Perform some blocking, network based </li></ul><ul><li>Provide automated data destruction capabilities that IT does not have to “manage” </li></ul>
  14. 14. Myth 5 – What Internet? <ul><li>The example law firm may not do any processing or have interaction through their website so do not think Internet data transmission is a risk </li></ul><ul><li>We only send emails out and we have email security in place </li></ul><ul><li>Our staff encrypt data on their laptops so we do not worry </li></ul><ul><li>Our firewall protects us from attacks and data theft </li></ul><ul><li>We do not conduct business via our website </li></ul>
  15. 15. Myth 5 - What Internet? <ul><li>1 in 400 emails contains confidential information, in a law firm that will be a much higher percentage. Antivirus needs help for content checking software </li></ul><ul><li>4 out of 5 companies have lost confidential data when a laptop was lost, encrypted data is great but its usually transferred unencrypted, use technology to force encryption or other checks before sending out files </li></ul><ul><li>1 in 2 USB drives contains confidential information, a firewall will not stop data from Leaving. Insider attacks are more prevalent than external hacker attacks, protect data in the internal environment through blocking, monitoring and auditing access </li></ul><ul><li>Over 35 states have enacted security breach notification laws, you don’t have to do web based business to loose data via the Internet. Use DLP to meet regulatory requirements. </li></ul>
  16. 16. Some of the well known players <ul><li>Full Suite Solutions </li></ul><ul><li>EMC </li></ul><ul><li>Orchestria </li></ul><ul><li>Reconnex </li></ul><ul><li>Vontu </li></ul><ul><li>Vericept </li></ul><ul><li>Websense </li></ul><ul><li>Partial Suites </li></ul><ul><li>Code Green Networks </li></ul><ul><li>GTB Technologies </li></ul><ul><li>McAfee </li></ul><ul><li>Workshare </li></ul><ul><li>Lumension </li></ul><ul><li>Network Tools </li></ul><ul><li>Clearswift </li></ul><ul><li>Fidelis Security Systems </li></ul><ul><li>Palisade Systems </li></ul><ul><li>Proofpoint </li></ul><ul><li>SendMail </li></ul><ul><li>Endpoint Suites </li></ul><ul><li>NextSentry </li></ul><ul><li>TrendMicro </li></ul><ul><li>Verdasys </li></ul><ul><li>PGP </li></ul>
  17. 17. <ul><li>Gary Bahadur </li></ul><ul><li>CEO KRAA Security </li></ul><ul><li> </li></ul><ul><li>[email_address] </li></ul><ul><li> </li></ul><ul><li>Consulting Services | Managed Security Services </li></ul>