Configuring DLP system

02.09.2019

The installation of a DLP system can be managed even by a novice system administrator. However, its fine-tuning requires some skills and experience.

The basis for the stable operation of DLP products is laid during the integration phase which involves:

• Identification of critical information to be protected
• Development of a confidentiality policy
• Set up of business processes for addressing information security issues.

Such tasks require a narrow specialization and in-depth study of a DLP system.

Risk and compliance managers, information security analysts, internal control officers and auditors, and human resources officers - all of them have their share of security objectives, and can control corporate data usage and perform correct assessment within their tasks.

Classification of security systems

The choice of a DLP system depends on the tasks to be addressed in a particular company. The tasks are usually divided into several groups, including the control of confidential information in motion, control of employee actions during the day, control of network (gateway analysis), and complex control (networks and endpoints).

An integrated DLP solution will be a perfect choice for most companies. Host systems will be suitable for small and medium-sized enterprises. Host DLP systems have a sufficient number of functions and are cost-effective. Low performance, scalability, failure persistence can be described as disadvantages.

Network DLP systems do not have these disadvantages. They are easily integrated and interact with the solutions from other vendors. This is an important aspect since a DLP must work with the products already installed on the corporate network. The compatibility of a DLP system with databases and software is equally important.

When choosing a DLP system, the data channels that are used in the company and need protection are taken into account. Most often, these are email protocols, IP telephony, HTTP, wireless networks, Bluetooth, removable media, printing on network or off-line printers.

The monitoring and analysis functions are important for proper operation of a DLP. The minimum requirements for analytical tools are morphological and linguistic analysis, the ability to compare controlled data with dictionaries or saved sample files.

From a technical point of view, modern DLP solutions are similar. The system performance depends on the competent automation of search algorithms. Thus, the advantage of the product will be a simple and intuitive DLP setup process which does not require regular consultations with the vendor's technical experts.

Approaches to integration and configuration

The DLP installation is usually performed according to one of the two scenarios or approaches.

Classical approach means that the customer company independently draws up a list of data that needs protection, features of data processing and transfer, while the system controls the data flow.

Analytical approach means that the system first analyzes the data flows in order to select critical information, which is followed by a fine-tuning to ensure stringent monitoring and protection of information flows.

DLP operational issues

Experience has shown that most operational problems are not technical, but arise due to inflated expectations of users. Thus, analytical approach, which is also called consulting approach, works much better. Companies, well-versed in the data security issues, which have already dealt with protection tools and know what and how to better protect, increase your chances to build a well-functioning effective DLP based security system.

Common errors during DLP configuration

• Application of reference rules

Often, the IS Department acts as a service department for other companies. It provides "clients" with protection from information leaks. For effective work, IS experts need thorough knowledge on the company's operational activities in order to adjust a DLP system to individual business processes.

• Coverage of fewer than all possible data leakage channels

The control of email and HTTP protocols with DLP systems while leaving FTP or USB ports uncontrolled will hardly provide reliable protection of confidential data. In such a situation, it is possible to detect employees who send corporate documents to personal mail to work from home, or idlers, who spend working hours on dating sites or social networks. However, such a scheme is useless against the deliberate data leakage.

• False incidents that an IS administrator fails to process manually

Default configuration in practice leads to an avalanche of false alerts. For example, while searching for bank details, an IS expert can be swamped by information about all company transactions, including payment bills for office supplies and water delivery. The system cannot handle a large number of false alarms, so you have to disable some rules which weakens the protection and increases the risk to miss an incident.

• Incapability to prevent data leakage

Default DLP settings allow you to identify employees who are engaged in personal activities in the workplace. Fine-tuning is required to ensure that the system compares events and detects suspicious activity.

• Low DLP efficiency due to information flows around the system

It is necessary to set up information security system according to business processes and accepted regulations regarding confidential information, and not to adjust the company's activities to DLP capabilities.

How to solve issues?

To make the protection system run smoothly, you need to go through all the stages of DLP integration and configuration without exception: planning, integration, verification and adjustment.

• Planning

Planning involves choosing a data protection program. Not every customer can answer to a seemingly simple question: "What should we protect?" Checklist with answers to more detailed questions will help to develop a plan:

→ Who will use a DLP system?

→ Who will administer the data?

→ The future of the program for three years?

→ What objectives does the management follow by implementing a DLP system?

→ What are the atypical requirements for preventing data leakage in the company?

An important part is to specify the object of protection, or in other words, the information assets transferred by certain employees. Specification includes the categorization and maintenance of corporate data. The task is usually separated as a standalone project on data protection.

The next step is to determine possible channels of information leakage. Usually it is a part of the information security audit. If a DLP complex does not cover potentially dangerous channels, it is necessary to adopt additional technical protection measures or select a more comprehensive DLP solution. It is important to understand that DLP systems cannot replace all modern data protection tools, even being an effective proven way to prevent leakage.

• Implementation

Adjustment of the program to individual requests of a particular company is based on the control of confidential information:

• In accordance with the specific documentation adopted by the company
• In accordance with the standard documentation common to all industry organizations
• In accordance with the rules aimed at identifying incidents (atypical actions of employees).

The three-step control helps to detect intentional theft and unauthorized transfer of information.

• Verification

DLP is a part of the company’s IS system, and it does not replace it. The effectiveness of a DLP solution depends on the proper functioning of each element. Thus, it is better to conduct a detailed monitoring and analysis before changing the "factory" configuration for private company needs. At this stage, it is convenient to calculate human resources necessary to ensure the stable operation of a DLP solution.

• Adjustment

The analysis of the information obtained during the test operation is followed by the reconfiguration of the resource. This step includes the refinement of the existing rules and development of new ones; change of the tactics to ensure security of information processes; staffing for working with DLP, technical enhancement of the program (often with the involvement of the developer).

Modern DLP complex suites solve a wide range of tasks. However, the potential of DLP is fully realized only based on a cyclic process which involves the adjustment of DLP settings following the analysis of the system performance.

DLP Risk assessment Investigation