Implementing technology to monitor user and network activity can be an eye-opener.
At issue: Network DLP has been worthwhile, but it has shortcomings.
Action plan: Add endpoint DLP. It also has limitations, but the two work well together.
Our security information and event management (SIEM) tool made us suddenly aware of the extent of the malware infection on our network. When we deployed intrusion-detection and intrusion-prevention systems (IDS/IPS) on our firewall, we were amazed at the number of hacking attempts against our Internet-facing resources.
We had a similar revelation when we implemented network-based data loss prevention (DLP). Within a few days of lighting it up, we had discovered a wide variety of data leaking from the company and had even uncovered illegal activity (an employee conspiring with someone from outside of the company to commit a crime). So network DLP is another win, but it has its problems.
First, we can monitor network traffic only at locations where we've installed a network monitor. Our company has more than 60 offices worldwide, and until we re-architect the network, each office has its own Internet connection, which means that we would need to deploy 60 sensors and configure 60 switches to mirror traffic to them. That's a logistical nightmare. Second, without a complicated proxy configuration at each remote office (one that terminates and inspects TLS), we can't see inside encrypted network traffic. And finally, we can't monitor the Internet traffic of employees who go off the network (by working remotely, say) unless they are connected via VPN.
To address all of this and more, we decided to run a pilot of endpoint DLP.
Endpoint DLP has some shortcomings. For example, unlike network DLP, it won't let you conduct complicated data index matching (also called indexed document matching or document fingerprinting). With data index matching, you register with the DLP system the full text of documents deemed to be sensitive. Then, if a user copies just a few lines from a registered document and pastes them into another document or email, the DLP system detects the partial match and blocks it or sends an alert. That level of detection is not quite available with endpoint DLP.
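To make the data index matching described above concrete, here is an added example (not code from the article or from any DLP vendor) of the basic technique: each registered document is broken into overlapping windows of tokens, every window is hashed, and the hashes are stored in an index; outbound text is fingerprinted the same way, and a message is blocked when enough of its windows hit a registered document. The window size, the hit threshold, the document ID `memo-001` and the sample memo and emails are all constructed for this illustration.

```python
import hashlib
import re
from collections import defaultdict

# Assumptions for this illustration: 8-token windows and a 3-window
# threshold.  Real products tune both and use smarter normalization.
WINDOW = 8
MIN_HITS = 3


def _tokens(text):
    """Normalize to lowercase alphanumeric tokens so punctuation,
    casing and whitespace changes do not defeat the match."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(text, window=WINDOW):
    """Return the set of SHA-256 fingerprints of every consecutive
    `window`-token run in `text`.  Text shorter than one window cannot
    be fingerprinted at all (a deliberate false-positive guard)."""
    toks = _tokens(text)
    if len(toks) < window:
        return set()
    out = set()
    for i in range(len(toks) - window + 1):
        chunk = " ".join(toks[i:i + window])
        out.add(hashlib.sha256(chunk.encode()).hexdigest())
    return out


class DocumentIndex:
    """Maps each fingerprint to the registered documents containing it."""

    def __init__(self, window=WINDOW):
        self.window = window
        self.index = defaultdict(set)   # fingerprint -> {doc_id, ...}
        self.sizes = {}                 # doc_id -> number of fingerprints

    def register(self, doc_id, text):
        fps = shingles(text, self.window)
        self.sizes[doc_id] = len(fps)
        for fp in fps:
            self.index[fp].add(doc_id)

    def match(self, text, min_hits=MIN_HITS):
        """Count, per registered document, how many windows of `text`
        also occur in that document; keep those at or above threshold."""
        hits = defaultdict(int)
        for fp in shingles(text, self.window):
            for doc_id in self.index.get(fp, ()):
                hits[doc_id] += 1
        return {d: n for d, n in hits.items() if n >= min_hits}


def policy_decision(index, outbound_text, min_hits=MIN_HITS):
    """Return ('block', matches) or ('allow', {}) for an outbound message."""
    matches = index.match(outbound_text, min_hits)
    return ("block", matches) if matches else ("allow", {})


# Constructed sample data: one registered sensitive memo.
SENSITIVE_MEMO = (
    "Confidential board memo. The acquisition of Redwood Analytics will "
    "close on the first of next quarter at a price of forty two million "
    "dollars. Severance terms for the Redwood leadership team are outlined "
    "in appendix B. Do not distribute this memo outside the executive committee."
)

# Constructed outbound messages: one pastes a sentence from the memo,
# one merely shares vocabulary with it, one quotes only three words.
PASTED_EMAIL = (
    "FYI, here is what I heard: The acquisition of Redwood Analytics will "
    "close on the first of next quarter at a price of forty two million "
    "dollars. Thought you should know."
)
BENIGN_EMAIL = (
    "Lunch tomorrow at noon? The new place on Redwood Street has a good "
    "price on sandwiches."
)
SHORT_QUOTE = "Redwood Analytics acquisition"


def build_demo_index():
    idx = DocumentIndex()
    idx.register("memo-001", SENSITIVE_MEMO)
    return idx


if __name__ == "__main__":
    idx = build_demo_index()
    for label, msg in [("pasted", PASTED_EMAIL), ("benign", BENIGN_EMAIL),
                       ("short", SHORT_QUOTE)]:
        print(label, policy_decision(idx, msg))
```

The pasted sentence is 21 tokens long, so 14 of its 8-token windows coincide with windows of the registered memo and the message is blocked; the benign email and the three-word quote share no complete window with it and are allowed. The index grows with every registered document, which is part of why this style of matching is easier to run on a central network sensor than to distribute to every endpoint agent.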
Nonetheless, endpoint DLP does offer several advantages. For one, it gets around the problem of encrypted traffic, since it monitors activities before encryption takes place. It also stays on the job when a user is off the network. And it can spot when data is moved to external media, such as a USB flash drive.
Our pilot deployment of endpoint DLP involved about 200 IT personnel around the world. After some initial tuning, the results were almost immediate. Within hours, we observed a senior-level IT engineer copying a huge number of sensitive Active Directory configuration files and employee directories to an external USB drive. In all, he copied about 3GB of data, including 2GB of archived email.