Security Analyst to DLP Vendors: Watch Your Language
It seems most security vendors sell DLP products these days. But look under the hood and you'll find the technology doesn't exactly perform as advertised, former Gartner analyst and Securosis founder Rich Mogull warns.
At the outset I would like to inform you that I am a DLP vendor.
I found it surprising that the term DLP needs explanation. It means “Data Loss Prevention”. Others call it “Data Leak Prevention”. The key to this term is the ability to PREVENT data loss from the Network. As such, one has to focus on the data’s destination. It is conceivable that the data may be in Motion to the Internet, to Removable Media (through copy, save, save as, etc.) or to a Printer. DLP vendors call it Network, Endpoint and Printing. Some vendors also offer a Discovery piece, which is like a search engine for sensitive data anywhere on the Network.
Prevention requires that some outbound transmissions (outbound to the Internet or to Removable Media) be BLOCKED to prevent data loss. Monitoring outbound transmissions only means that you get a report on what security breaches have occurred. This is what is provided by most DLP vendors. This is because they originally built systems to monitor keywords in emails. Subsequently, they all had to improve the detection engines and to support other protocols. Nevertheless, the essence of their technology is traced back to providing Content Inspection, not Data Loss Prevention. So for the most part, they are still in the DLD business. They either cannot Block transmissions in real-time, or they only support a few outbound channels on a few ports. Some banks, including the information security officer at the National Bank of Kuwait, Imran Minhas, seem to be happy with monitoring just Webmail and SMTP. Mr. Minhas overlooks the fact that there are hundreds of Internet Protocols on about 65,000 different ports through which he can suffer a severe data breach. How is it that he is not worried about HTTP Server traffic, or HTTP Tunnel traffic? Such traffic is the outbound stream generated from a Web server after an Internet user’s request. How many times do we hear about a breach originating from the Web Server?
The greatest secret of the industry lies in the accuracy of the detection engines. I submit to you that if a vendor has any degree of False Positives in detecting data, then you will never enforce Blocking Policies. You will only Monitor transmissions. In that case, you would be buying a Data Loss Detection System and you will need to be satisfied, like Mr. Imran, merely to get reports on what security breaches have occurred.
I believe many analysts have been following what vendors are defining as DLP. Some of them simply summarize vendors’ marketing materials. None of them are talking about accuracy of detection, which is paramount to any DLP system. After all, it is only recently that Gartner has changed the name of the segment from Outbound Content Monitoring and Filtering to DLP. When you are focused on Monitoring or Filtering, you are typically not concerned with breadth of Protocol support or with detection accuracy.
The market is still in its nascent stage. Most companies are looking to protect Personally Identifiable Information such as CCN, SSN, Telephone, email, etc., mainly for compliance reasons. The situation is currently being aggravated by regulators. We now hear that Nevada and Connecticut introduced a regulation which requires companies to Encrypt PII. Encryption is a system which protects the “Hacker”. If users are able to encrypt emails, then Administrators will never be able to find out what was sent in such emails. The same can be said for encrypting files. Was this not in essence the case in the Heartland breach, where data left encrypted and 100 million credit card numbers were lost? The question that DLP answers is not whether the data left securely, but rather, whether the data should be allowed to leave the Network to begin with. Therefore, it makes sense for the DLP system to enforce encryption of data that require it and/or Block transmissions of high severity levels. In this way, administrators will be able to trace whatever data leaves the Network, even though encrypted.
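The accuracy-versus-blocking trade-off described in the comment above can be made concrete with a small detector. The following is an added example written for this page; it is not code from the article, from the commenter or from any vendor named in the thread. It compares a pattern-only credit card detector (every 13 to 16 digit run is a "card") with one that also applies the Luhn checksum and attaches a confidence to each hit, and it shows a policy that only BLOCKs on high-confidence hits while MONITORing the rest. The three outbound messages are constructed for the example; the card number in them is the widely published Visa test number, not a live account.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample of outbound messages (not real traffic; the card number is
# the widely published Visa test number, not a live account).
SAMPLE_MESSAGES: Dict[str, str] = {
    "invoice": "Order 1234 5678 9012 3456 shipped; tracking 9400111899223456789012",
    "leak": "Customer card: 4111 1111 1111 1111 exp 12/29",
    "clean": "Call me on 555-0100 about the Q3 roadmap",
}

# 13 to 16 digits, optionally separated by spaces or dashes, not embedded in a
# longer digit run (so the 22-digit tracking number is not carved into a "card").
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,16}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, which every real payment card number must pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    digits: str
    confidence: str  # "high" = Luhn-valid, "low" = pattern match only


def find_card_numbers(text: str) -> List[Finding]:
    """Pattern match first, then grade each hit with the checksum."""
    findings = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        findings.append(Finding(digits, "high" if luhn_valid(digits) else "low"))
    return findings


def naive_action(text: str) -> str:
    """Pattern-only engine: any 13-16 digit run is treated as a card and blocked."""
    return "BLOCK" if CANDIDATE.search(text) else "ALLOW"


def policy_action(text: str) -> str:
    """Block only on high-confidence hits; low-confidence hits are logged, not blocked."""
    findings = find_card_numbers(text)
    if any(f.confidence == "high" for f in findings):
        return "BLOCK"
    if findings:
        return "MONITOR"
    return "ALLOW"


def evaluate(messages: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Map each message name to (naive action, checksum-graded action)."""
    return {name: (naive_action(text), policy_action(text))
            for name, text in messages.items()}


if __name__ == "__main__":
    for name, (naive, graded) in evaluate(SAMPLE_MESSAGES).items():
        print(f"{name:8s} naive={naive:8s} graded={graded}")
```

The pattern-only engine blocks the harmless order number in the invoice; once that happens in production, administrators turn blocking off and the product degrades into the monitoring tool the comment complains about. The checksum-graded engine still has a residual false-positive rate (other Luhn-checked identifiers, such as IMEIs, exist), which is why the policy keeps a MONITOR tier rather than treating every match as BLOCK.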
As a CSO who has been in receipt of many, many calls and email messages from vendors over the past year+ touting they can "solve our DLP problems" I am in complete agreement with Mogull and Brenner on this. I am glad to see others say that DLP is an undefined and meaningless term. It is a complete turn-off to hear this over and over again.
I realize that to get business you need a good hook and pitch, and I am sympathetic to many companies trying to keep their head above water in the current economy, but "DLP" doesn't sell me at all; it's over used and over marketed. Tell me what you do in the information security space and how that differentiates you from the competition. Be up front and clear about the technology you offer, the specific problem(s) or risk(s) you may help mitigate, how it integrates with other platforms, and don't try to hide who your direct competitors are. Unquestionably, I will not take a call or return a message that touts a vendor or service that is a "DLP" provider, and if the complete picture is not clear, I am not considering it or buying it.
As an early adopter of Reconnex, which had a skin-tone analysis feature, I defined DLP as Downloading Less Pornography.
DLP IS A PROCESS! Management is a process. Security, compliance and IT are all management subsets. Technology alone will not make a network secure and compliant!
Any DLP solution, regardless of which vendor's overly-complex and Uber-expensive solution you choose, will NOT KEEP YOU SECURE. SECURITY, a subset of which is DLP, IS A PROCESS.
There are control elements. There are monitoring elements. There are policy elements. There are reporting elements. There are management elements. The notion that a single piece of technology, central or distributed, can identify, respond and build defenses around data in motion or at-rest is PURE BS.
A single determined individual can thwart the best laid plans or even an accident can create a leak. AGAIN, MANAGEMENT IS A PROCESS. There's a technology element, a process element and management input/decision element. Possible responses are: policy enforcement, user education, internal change control and, lastly, potentially adding additional controls to the system. Once implemented, start at the beginning again.
Too often, failure is a result of myopia and stubbornness. You pay a lot of cash for a piece of technology and, by golly, it should work as advertised! There's too much focus on the "techno-toss", pure technology aspects of solving problems. Never do you read about the additional FTEs required to manage and maintain a new technology implementation. It's just about what new features it has to merit inclusion in their vendor rankings' sleight-of-hand square or oscillation chart.
Process and procedure are the untouchable red-headed step children (Sorry for the crude analogy. I do find red heads to be quite appealing)...plus, analysts can't make any money pimping process because nobody is willing to pay them for it :-)
We aren't a DLP company. Our reporting software just helps you ensure that everything (technology, process and people) is working together as desired.
Scott W Smith
www.congruitytech.com
Not sure if it's "DLP" or not, but as a small business owner, I am looking for a hands-on tool for quick protection. Currently testing Flexcrypt and it seems to do the job for a very small penny.
/A
Really appreciate the comments of Uzi Yair and Scott Smith. The comments almost serve as part 2 and part 3 of the article.
Uzi Yair of GTB Technologies should be interviewed
We had a similar problem with data loss prevention; we tried dataresolve's uhook usb disk security and devicewall. Both are equally good and do both blocking as well as monitoring. You can actually differentiate between monitoring software and real DLP software by looking into the policy settings. If the product doesn't have a policy for blocking or some kind of resource access control, you might be fooled into buying a monitoring application rather than a DLP product.