In this post, we will discuss the top ten reasons many Data Loss Prevention (DLP) Programs fail and how organizations can address those issues to ensure Data Loss Prevention Systems can be leveraged to build a solid foundation for an Information Security program. Doing so will position an organization to build more advanced information protection capabilities like Data Protection in the cloud, and rights management and encryption strategies to protect information throughout its life cycle.
What is Information Security? Information Security as a term is often conflated with the term cybersecurity. In my view, cybersecurity refers to the overall program an organization develops in order to protect from the broad spectrum of cyber threats an organization may face. Information Security is a discipline inside cybersecurity which focuses on protecting specific information that an organization has whose inappropriate access or disclosure can cause irreparable harm to an organization. Those informational assets, which I refer to as Critical Data Assets, must be afforded additional levels of protection from commodity data in order for an organization to prioritize security initiatives to protect what matters most.
In that context, the foundational element of any effective Information Security program is the ability to distinguish critical information from commodity information. That foundational element is facilitated by content analytics, which is most often accomplished through a technology known as Data Loss Prevention.
Data Loss Prevention is not a new technology, it has been around for 15 years. However, despite the fact that Data Loss Prevention has been available for quite some time, it remains one of the more difficult technologies to deploy and leverage effectively as it is fundamentally different than other cybersecurity tools. DLP requires business alignment in a way that many other tools like firewalls, endpoint security, and Intrusion Prevention Systems do not.
Failing to Involve Business Stakeholders
Data Loss Prevention programs are different and must be established differently than other cybersecurity products. Data Loss Prevention is not a traditional security tool. It is a business tool facilitated by technology. Consequently, it is important to involve business stakeholders early in the process.
Information is not all of equal value, nor should it be protected in the same way. Information derives its value based on the business impact it may have. For example, if Intellectual Property is lost or improperly disclosed, there will be an impact on the profit and loss statement of at least one business unit. Therefore, in order to quantify the risk to a Critical Data Asset, the business unit that would be most affected by that loss must help define what impact that loss would mean.
At its core, security is the reduction of the impact of something bad happening or the likelihood that a negative event would have on an organization. Therefore, defining the risks for Critical Data Assets is critical to determining the appropriate level of security spending to secure that asset. As the saying goes, you shouldn’t spend a dollar to protect a nickel, but spending a nickel to protect a dollar has a favorable Return on Investment. Many Information Security programs are ineffective because equal spending is applied to all assets. Involving business stakeholders is critical to ensure security priorities are aligned to business priorities.
Further, in order for Critical Data Assets to be leveraged to their full business potential, they must be stored, used, and often shared. Ensuring they are stored properly, used in the proper manner by the proper people, and only shared with appropriate internal and external parties, requires business stakeholders to define the authorized business processes with respect to those assets.
Many Information Security programs are doomed from their inception because the program does not involve business stakeholders in defining the program. If you do not define what is authorized and what should be done in the event of unauthorized activity, how can you possibly protect those assets?
Failure to Define Governance and Working Group Structure
Business unit involvement in Data Loss Prevention programs must not end with the definition of the program. Business units are best positioned to define authorized and unauthorized behavior. Those behaviors do not remain static and continued business unit involvement is imperative to building and maintaining an effective program. Business unit involvement is divided into two separate functions which often involve two distinct groups of people: Governance and Working Groups.
Governance Groups are responsible for the strategic direction of the program and generally made up of business unit leaders. They generally meet quarterly and define the business objectives of the program and milestones for specific compliance or risk reduction initiatives.
Working Groups are responsible for the daily activities necessary for the ongoing support and maintenance of the program. These groups generally consists of security professionals responsible for the operation of the program along with select delegates from the Governance Group. The group is responsible for day to day Incident Response with respect to events that have potential business impact.
These groups generally work together on a day to day basis and have a standing meeting on a weekly or bi-weekly cadence to discuss the operations of the program including activities such as tuning the system.
Failure to Identify Critical Information
Many organizations that do not involve business stakeholders often fail to define what Critical Information is. As a result, programs only protect information that is regulated. This may or may not be appropriate based on the nature of the operations of the organization. Failure to define what is critical to an organization results in programs that spend too much to protect commodity information while failing to appropriately protect what is most critical to the organization.
No Information Security program can be effective if it is not focused on protecting the most important information. This seems like a relatively simple statement, but many programs fail to put forth the appropriate level of effort to define their assets.
Failure to Set Long-Term Objectives With Respect to Data Assets
Identifying Critical Data Assets is not enough. In order to transition from Data Loss Monitoring to Data Loss Prevention an organization must define the actions necessary to protect information once its identified. These protection initiatives fall into two categories: Systematic Protection and Incident Response.
Systematic Protection is leveraging technical responses such as blocking, user notification and confirmation, and quarantining, among other capabilities. Systematic protections have a low tolerance for False Positives as inappropriate actions can have a detrimental business impact that should be avoided at all reasonable cost.
Incident Response Protection is the ability to discover potential issues and respond manually, but quickly enough to prevent harm from coming to the business. Incident Response protections have a higher tolerance for False Positives and are often appropriate for Critical Data Assets that have a lower tolerance for False Negatives or have a likelihood to be intentionally compromised. Systematic responses to information being intentionally compromised often serve to tip off the attacker to the fact their activities are being monitored.
The reason it is important to determine the long term objectives with respect to each Critical Data Asset is that these decisions will impact strategic and tactical operations with respect to the program. Tuning activities and accuracy goals with respect to both False Positives and False Negatives are dictated by the intended response in the event of an incident involving the asset.
Many programs fail because they do not define response actions and policy tuning efforts are paralyzed by a desire to have very few false positives and absolutely zero false negatives. These are competing priorities and it’s impossible to meet both objectives. Successful programs balance these priorities by setting thresholds for systematic actions or creating two policies. One policy will be tuned to have very few false positives for the purpose of systematic actions. The other will be tuned to allow for very few false negatives in order to catch events that do not meet the more strict criteria to enable a system to take action in an automated fashion, which will be addressed through incident response actions.
Failure to Quantify Risk Against Critical Data Assets
Many organizations struggle to define Return on Investment for Information Security programs. You can quantify such a return, but in order to do so you must first quantify the risk against your critical data assets. The benefit side of the cost/benefit equation is determined by breaking down the risk treatment of an asset into acceptance, avoidance, and transference and then comparing the costs of executing those three strategies against that of mitigating any incidents to determine ROI. The organization can then analyze the amount of capital being spent on the mitigation strategy in order to define the Return on Investment.
Failure to Properly Staff the Program
Information Security talent is difficult to find. It is even more difficult to find security talent that is familiar with the specific discipline of Data Protection. As a result, organizations often understaff their programs and have poorly tuned policies as a result. This becomes a self-reinforcing problem as poorly tuned policies yield many more events than policies that are properly tuned and require more effort to sift through the False Positives to get to the incidents that matter. As a result, many failing programs are characterized by hundreds of thousands of events that are not triaged, missing real business issues that should be addressed.
Many successful programs are turning towards Managed Security Services Providers (MSSPs),like InteliSecure, who focus on Information Security programs to assist in the operation of a program to ensure all events are triaged in a timely manner in order to enable incidents to be responded to properly.
Failure to Tune Properly
Improper policy tuning in Data Loss Prevention programs is often a result of the failure to set long term objectives with respect to Critical Data Assets. However, even when those goals are properly set, organizations can struggle with the ability to tune DLP policies because the skill sets required to do so are relatively unique. Data Loss Prevention policy tuning is equal parts art and science, and the people performing the tuning must have the business acumen to interface with business stakeholders in order to ensure accurate tuning. The people I have just described are roughly as rare as a unicorn, and in today’s market for cybersecurity talent, if you could find a single person with all of these attributes, they would likely be prohibitively expensive to hire. More often, there are several people involved in policy tuning efforts, which also significantly drives up costs for internal staffing programs. This is another reason why many successful Data Loss Prevention programs leverage Managed Security Services Providers.
Failure to Review the Program on a Frequency
Information Security programs are as much about business as they are about security or technology. Since businesses evolve and change at an ever-increasing rate, the program must be built and operated in order to evolve with the business. In order to ensure the Information Security program remains aligned with the business, the program should be reviewed regularly. I generally recommend the governance group review the program and make changes as necessary on a quarterly cadence, and that the Critical Data Assets be re-evaluated on an annual basis.
Failure to Deploy Controls Across the Information Life Cycle
Many solutions are deployed as “Integrated DLP”, which is DLP as a feature of a different product. Common examples are integrated DLP as part of Microsoft Office 365, Integrated DLP as part of a Cloud Access Security Broker (CASB) technology, or Integrated DLP as part of a web gateway or firewall. The Integrated DLP approach generally means there are separate solutions and inconsistent rule sets, as well as responses across different channels such as email, network, web, CASB, endpoint, and Data at Rest (Storage). This inconsistency, or resultant programmatic gaps, often result in poor data protection and an exponentially higher cost of operating a program.
The ironic thing is that many organizations embark on the Integrated DLP journey in order to save money up front, but the increased cost of supporting several consoles for DLP and the time associated with manual correlation between systems quickly outpaces any up-front savings. Since the savings are one time and the increased costs continue in perpetuity, it quickly becomes a far more expensive solution that is far less effective. It is very similar to me saying that I will give you $400 today in exchange for you paying me $100 every month until you die. If you plan on living more than a few months, it really isn’t a good idea.
The reasons these systems are not effective is that the information needed to perform an investigation exists in several different databases without a credible way to correlate the information to establish patterns and risk profiles. As a result, many of the high impact incidents, which have a tendency to occur across multiple channels over a period of time, are missed and the overall value of the program is minimal.
Undefined or Inconsistent Incident Response
Many organizations are blissfully unaware of just how exposed they are before they put a Data Loss Prevention program in place. As a result, many don’t expect to find anything egregious and therefore do not invest the proper amount of time building a clear and consistent Incident Response process. I always hope that nothing egregious is going on, but in security we all must hope for the best while preparing for the worst. Failure to prepare for the potential of a major incident leads to an ineffective response.
Further, if the proper process isn’t well defined, incidents are often handled based more on relationships, politics, and power dynamics than they are based on the actual facts of the incident. Inconsistent response can lead to organizational risk exposure in a few ways. First, if incidents are improperly swept under the rug, the obvious risk is the organization may fail to respond to an impactful incident. Second, if incidents are not responded to consistently and action is taken on one user and not another, the organization may be exposed to litigation. It is far better to maintain and execute a clear and objective process from the outset of a program.
Many of the points mentioned above will also doom information security programs for firewalls, endpoints and intrusion prevention. For DLP, the failures mentioned highlight what I mentioned in my introduction; that DLP requires business alignment. Without this alignment, organizations will miss protecting the data that really matters – the critical data that significantly impacts their bottom line.