May 13, 2020

Demystifying DLP

1. Introduction

a. Data leaks

Data leakage is today one of the major risks every company should protect itself against. According to IBM, the average cost of a data breach runs to several million euros whatever the size of the organisation, so protecting against this threat is worthwhile for organisations of every size. Leaks may be intentional (an employee who is being laid off) or unintentional (a configuration error).
DLP (Data Loss Prevention, sometimes Data Loss Protection) is the class of solution used to protect against data leakage. Since leaks most often occur while data is in transit out of the organisation, it is this kind of flow that must be monitored.

b. What should be monitored?

It is important to work with the business to determine which data is sensitive for your organisation. You will not be able to monitor all data: doing so would generate far too many events to process. Some countries also restrict the use of such tools, for example regarding:
  • the type of data captured (GDPR)
  • the retention period (Romania, Norway)
  • the location where the data is hosted (Switzerland, Luxembourg, Channel Islands)
It is therefore very important to study the feasibility of such a measure in your own context and to obtain the appropriate approvals (HR, CIO or CISO) before implementing it.

c. Symantec DLP

The leading DLP solution on the market is the one offered by Symantec (Broadcom). It is very strongly established in the French banking and financial sector. Several of our consultants have worked on the run and maintenance of a banking group's platform, as well as on several deployment and version-upgrade projects. At the time, this customer chose Symantec because it was the only vendor offering this type of solution with any real maturity. The solution is now being strongly challenged by the data protection features offered by Microsoft.

2. Architecture

To better understand DLP, here is the diagram the rest of this section refers to:

a. Enforce Server

The Enforce server is the central management component: policies are created there and pushed to the detection servers, which send their incidents back to it. Both functionally and technically, the rest of the architecture is split into two separate parts, for the infrastructure as well as for incident handling: Network, which captures network flows for various protocols, and Endpoint, which captures events on the workstation. Policy creation and deployment differ between the two worlds.

b. Network

Flow analysis usually relies on in-line interception with a protocol break (a proxy or relay terminates the session and re-establishes it), but it can also be done out of band by copying the flows with dedicated equipment. This customer chose to analyse FTP, HTTP and SMTP by copying outgoing flows to the DLP Network Monitor probes. Which protocols are analysed is chosen when configuring the detection servers.

  • DLP Network Monitor for web: this type of detection server analyses the FTP, HTTP or HTTPS protocols. Monitor means the server only detects: it sees a copy of the traffic and cannot block the requests. Bear in mind that HTTPS content is only readable if it has been decrypted upstream by the device performing the protocol break; a passive copy of TLS traffic yields nothing to analyse.
  • DLP Network Monitor for mail: the customer chose to scan outgoing SMTP (e-mail) flows to external domains (domains not managed by the customer). To do so, they installed TAP equipment that copies this traffic to the probes for analysis.

c. Endpoint Server

The DLP Endpoint solution consists of an agent installed on the user's workstation; the agent carries the policies you deploy to it. Every agent must be configured with a primary DLP Endpoint server, which reports incidents to the Enforce server, and a secondary server that takes over only if the primary stops responding.
The Enforce server must be connected to the organisation's directories (Active Directory or equivalent) so that policies can target only certain employees, by group or Organizational Unit.

The Endpoint agent allows to control, among others, the following elements:

  • USB
  • CD/DVD
  • SMTP
  • FTP
  • HTTP(S)
  • Printing
  • Instant messaging
  • Shared directories

Some of these protocols appear in both the network and endpoint sections. Always prefer covering a flow on the network rather than on the workstation: there are far more ways to bypass the Endpoint agent, because it sits on a machine that a large number of employees can touch, even though tampering with it requires administrator rights.

3. Policies

To define the data you want to protect, Symantec provides several detection technologies, each of which can be referenced in a policy to intercept flows and raise incidents.

a. EDM

Exact Data Matching (EDM) profiles are indexes built from CSV files that usually contain sensitive structured data (customer lists, account numbers). You can specify criteria such as the separator used, the encoding and whether the file is indexed manually or on a schedule. You then reference the EDM profile by name in the policy. It is also possible to index a file that has been hashed beforehand from the EDM profile, which lets the DLP administrator index records without seeing their content.

b. IDM

Indexed Document Matching (IDM) profiles are fingerprints of documents grouped in an archive, against which you want to find matches in events. A minimum match percentage must be set for an event to be raised, so that a partial copy (a paragraph pasted into an e-mail) is caught without requiring the whole file. Example: you want to verify that documents using a specific template are not sent outside.

c. RegEx and Data Identifiers

It is also possible to capture strings that follow a predefined format. If the format is specific to your organisation, use the regular expression rule. For well-known identifiers, use the Data Identifiers module, which combines a pattern with a validation check (checksum, valid prefix) to cut down false positives. It is very useful for GDPR-type personal data (social security number, national identity card number, etc.) and for bank identifiers (IBAN, card numbers).
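To make the three matchers concrete, here is a small policy engine added as an illustration for this article. It is not Symantec code and makes no claim about how the product implements these features: an EDM index built from salted hashes of one CSV column (so the index holds no cleartext), an IDM fingerprint made of overlapping word shingles with a match threshold, and an IBAN data identifier that pairs a regular expression with the ISO 7064 mod-97 checksum. The salt, the CSV content, the protected contract text, the sample messages and the `evaluate` function are all constructed for the example.

```python
"""Toy DLP policy engine: one EDM, one IDM and one data-identifier rule.

Illustration written for this article; not Symantec code, and no claim is
made about how the product implements these matchers.
"""
import csv
import hashlib
import io
import re

# Assumption: a secret salt kept out of the exported index. Without it, an index
# of short values (5-digit IDs) is trivially reversed by enumeration.
INDEX_SALT = b"example-index-salt"


def normalize(value):
    """Canonical form before hashing: 'fr76 3000' and 'FR763000' must collide."""
    return re.sub(r"\s+", "", value).upper()


def hashed(value):
    return hashlib.sha256(INDEX_SALT + normalize(value).encode()).hexdigest()


# --- EDM: index one CSV column as salted hashes; cleartext never reaches the index
def build_edm_index(csv_text, column, delimiter=";"):
    reader = csv.DictReader(io.StringIO(csv_text), delimiter=delimiter)
    return {hashed(row[column]) for row in reader}


def edm_matches(text, index):
    """Return the message tokens whose salted hash is present in the index."""
    tokens = re.findall(r"[A-Za-z0-9@._-]+", text)
    return sorted({t for t in tokens if hashed(t) in index})


# --- IDM: fingerprint a document as overlapping k-word shingles; score = fraction found
def words(text):
    return re.findall(r"\w+", text.lower())


def idm_fingerprint(document, k=4):
    w = words(document)
    return {hashlib.sha256(" ".join(w[i:i + k]).encode()).hexdigest()
            for i in range(len(w) - k + 1)}


def idm_score(text, fingerprint, k=4):
    """Share of the protected document's shingles that reappear in the message."""
    if not fingerprint:
        return 0.0
    return len(idm_fingerprint(text, k) & fingerprint) / len(fingerprint)


# --- Data identifier: IBAN pattern plus ISO 7064 mod-97 checksum to cut false positives
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]){11,30}\b")


def iban_checksum_ok(candidate):
    s = normalize(candidate)
    rotated = s[4:] + s[:4]                                  # country code + check digits go last
    numeric = "".join(str(int(ch, 36)) for ch in rotated)   # A=10 ... Z=35, digits unchanged
    return int(numeric) % 97 == 1


def iban_matches(text):
    """Only report candidates that look like an IBAN AND pass the checksum."""
    return [normalize(m.group()) for m in IBAN_RE.finditer(text)
            if iban_checksum_ok(m.group())]


def evaluate(message, edm_index, idm_fp, idm_threshold=0.6):
    """Run the three rules over one outbound message; return (rule, evidence) incidents."""
    incidents = [("EDM", t) for t in edm_matches(message, edm_index)]
    score = idm_score(message, idm_fp)
    if score >= idm_threshold:
        incidents.append(("IDM", f"{score:.0%} of protected document"))
    incidents += [("IBAN", iban) for iban in iban_matches(message)]
    return incidents


# Constructed sample data for the example (no real customers or accounts).
CLIENTS_CSV = ("client_id;last_name;iban\n"
               "C-10001;Durand;FR7630006000011234567890189\n"
               "C-10002;Martin;GB82WEST12345698765432\n")
CONTRACT = "This contract is strictly confidential and must not leave the company."

if __name__ == "__main__":
    index = build_edm_index(CLIENTS_CSV, "client_id")
    fp = idm_fingerprint(CONTRACT)
    samples = [
        "Hi, file for C-10002 attached, IBAN GB82 WEST 1234 5698 7654 32. Thanks",
        "Reminder: this contract is strictly confidential and must be signed.",
        "Typo test: FR76 3000 6000 0112 3456 7890 180 should not fire.",
    ]
    for msg in samples:
        print(msg, "->", evaluate(msg, index, fp))
```

The first sample raises an EDM incident on the client ID and an IBAN incident; the second reuses half of the contract's shingles (50%), below the 60% threshold, so nothing fires; the third carries a string that matches the IBAN pattern but fails the mod-97 check, which is exactly the false positive a pure regular expression would have reported. Real EDM profiles match combinations of several columns within a proximity window rather than single tokens, and a hashed index of short values is still enumerable if the salt leaks, so treat the index file as sensitive in its own right.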

4. Difficulties

a. Policies

Be careful not to multiply policies: each one needs people to keep it tuned, and unmaintained policies end up producing incidents that no longer match your needs. In addition, some platforms limit the number of incidents stored in the database (1 million for Symantec).

b. Incidents

When an incident is generated, you need to determine who caused it. The solution must therefore be coupled with a repository (human resources directory or database) to complete the information about the organisation and the user: entity, country, department, last name, first name, e-mail, etc.
Symantec provides a lookup plug-in that fills in this information automatically when the incident is created. Unfortunately, these plug-ins often fail on characters specific to the user's language, on unbalanced quotation marks, or on large messages and attachments.

c. Bugs and evolutions

The development quality of these solutions sometimes leaves something to be desired. Do not underestimate the time needed for technical and functional pre-qualification before upgrading your platform.
Symantec will often ask you to upgrade in order to get a bug fix or a change you requested.

d. Business relationship

Note that Symantec has just been acquired by Broadcom; as their internal reorganisation is not yet complete, you may find it hard to obtain commitments from them on the delivery roadmap for the next versions.

5. Constraints

a. Legal (GDPR)

French and, more broadly, European legislation allows employees to use the means of communication their organisation provides for personal purposes. They are therefore likely to send documents outside through the very channels the DLP solution monitors. The law does not prohibit detecting such messages, only analysing (reading) them. You should therefore take care to set aside this type of message (in the case of e-mail) when it is marked as a "personal" exchange. Exceptions remain possible in the event of a legal requisition, or with the employee's consent when there is a strong suspicion justifying such an analysis.

b. Financial

Implementing this type of solution naturally has a significant cost. On top of the technical infrastructure, there is the cost of the people who keep the platform in operational condition, those who process DLP alerts, and those in charge of technical and functional changes. The vendor bills licences according to your architecture (in-line protocol break or traffic copy), the number of workstations and the number of monitored mailboxes, plus an annual maintenance fee per licence (20 to 30% on average).

6. The future of DLP

One of DLP's ongoing challenges is to keep up with organisations' security strategy, in particular the transformation and migration of services to the cloud.

How to intercept flows that no longer transit through the organization’s infrastructure?

Example: if your company has outsourced its messaging to Exchange Online, you probably know that Microsoft does not support, and will decline support for, a setup where you intercept, decrypt and analyse the flows before forwarding them. You are therefore pushed towards the DLP solution of your e-mail provider. That is why the customer in our example chose a "hybrid" architecture in which all mail flows pass through the internal infrastructure before being handed to the Exchange Online servers.
