The Untold Story of Data Leakage
By Mike Gentile, CISSP and CISOHandbook.com team
"Data Leakage this and Data Leakage that," everywhere you look these days it is difficult to avoid security professionals trying to demonstrate what is leaking. Most of the time, we would just classify the Data Leakage phenomenon as another marketing hype effort, similar to previous items such as “Automated Risk Management”, or “Intrusion Prevention”, designed to sell the newest security widgets to an overworked security community. But Data Leakage is different. Though there can be benefits to many of the data leakage solutions that are available, there are just as many potential disadvantages that should also be considered. In our experience thus far, unfortunately, many of these disadvantages are often being completely overlooked during the selection process. This article will discuss some quick tips for creating a balanced approach for this type of solution.
Before we get going on this brief article, here are a couple of quick points (or rants) to set the mood:
1. "Data Leakage" is a dumb name for any term. When my wife came home the other day and saw an article on my desk with the term "Data Leakage" on it, she laughed for at least ten minutes. "You guys really are complete nerds," she muttered as she walked away. So point #1, our profession needs to get better with our terms. Though this might seem humorous, the perception this creates when we empower terms such as "phishing", "pharming", etc. really turns off those that are not in security. This has a dramatic impact on our credibility, which is not very funny.
2. We want to reiterate that the concept of "Data Leakage" does have merit. There are many benefits that can be achieved with this type of solution that can add value for many organizations. So please don’t think we are against the technology, solely the manner in which most people are implementing it.
With those two items out of the way, here are some quick tips to help ensure you bring in the right data leakage solution for your organization.
Tip #1: Just because it is "free" does not mean you need it: Do not bring in a “Data Leakage” vendor to run an assessment or provide a tester box simply because it is free. Many vendors are offering these free teasers and though they may seem appealing, they often carry with them substantial unforeseen dangers. The first risk is that the assessment finds all kinds of problems, which is generally the case, and it then consumes the entire security effort for months if not years. The second risk comes from the manner in which vendors often then take all these newly identified problems and use them to sell based on fear to management. Selling on fear is a risky proposition and often has very unpredictable results. We have yet to see a time when fear-based selling has led to long-term success for a security program.
Tip #2: Ensure that this type of technology maps squarely to a business need: Yes, chances are strong that sensitive data is leaving your organization, or "leaking". But is this the reason that is driving your intention for getting this type of solution? Most of the time, we see people getting these solutions for one of two reasons:
- It is an easy sell to management because it preys on fear during the sales process.
- It provides the security program something tangible to do. We have seen countless security officers bring in these solutions and then sit in their offices all day looking for violations on the console of the selected technology. Generally, all they are missing is the badge and the night stick; a true big brother is born.
Before implementing one of these solutions, ensure that you understand your true intentions before making a purchase. A good litmus test is to measure how this solution will help support your ability to meet the overall mission of your security program. If it does align with the security program goals, you are ready to move forward with a solution; if not, this solution is probably not right for your organization.
Tip #3: Ensure you recognize how a “Data Leakage” solution impacts your program perception: These solutions monitor end-user behavior. As a result, they will always create a perception of "Big Brother" to some degree by those outside of security. So though you may be catching a couple of bad guys, you may at the same time be creating a negative perception that causes the rest of the organization to try and avoid your security program at all costs. Most of the time, it is not worth alienating your security program solely to catch a couple of folks who sent out a company spreadsheet to their personal email accounts. Before purchasing one of these solutions, ensure you measure the impacts on the perception of your security program against the perceived benefits that will be provided by the solution.
Tip #4: Measure the impact on end users of every configuration setting within the solution: Within any Data Leakage solution, take special care on settings that directly impact the end user. Examples include how you notify users of violations and the manner in which users are warned after violating a specific configuration rule. Though these configuration items are generally easy to configure, they can have major impacts on the perception they generate in end users. It is also generally wise to support any type of solution like this with a strong user training campaign that educates users on "Why" you are implementing the solution in the first place.
Any solution that impacts user behavior will always be more complex than it may appear at first glance. Ensure that you match any type of "Data Leakage" implementation in your environment against a solid business need, and then be careful to balance the benefits against the risks. Finally, if you are the next person to come up with a new fad in our security industry, please come up with a cooler title than something like “Data Leakage”.