DLP — Data Loss Prevention

Ali Tas
Jan 4, 2021 · 6 min read

The forms of attack change day by day. While the concept of security was limited to physical methods in the 1980s, in the 2000s it became associated with network security. Nowadays the concept is transforming into Cyber Security, meaning Information Security.

Classic network security measures, i.e. security products such as Antivirus, Antispam, URL Filtering, IPS, DDoS protection and Firewalls, protect our systems and databases against external attacks. However, until the end of the 2000s the threats that could come from inside were not taken into account by companies.

Information has become more valuable with the transition from labor-intensive to knowledge-intensive business models after the 2000s, and thus companies' critical confidential information has become a target. From this point on, companies have focused on internal rather than external attacks and developed solutions for this threat. DLP is a concept that emerged from this motivation.

What differentiates DLP from other security products and makes it more valuable is its purpose: controlling the movement of our vital information and documents within the company and preventing their loss.

Research shows that 95% of a company's valuable information is lost through the unintentional behavior of employees, and only the remaining 5% is actually lost or stolen through deliberate attacks. What DLP is really meant to do is to determine which data and documents are protected, logged and tracked, and to prevent data loss by raising employees' awareness of which data and documents must be kept, and of how data and documents are to be handled within the company under a defined set of rules.

DLP is a difficult process to set up and manage. It is an ongoing process: once DLP is established, it cannot be left to its fate. It must be updated and followed live and continuously. If you install DLP and leave it alone, the level of protection will be 95% on day zero. If it is never touched or updated, protection will decrease to 80% after 6 months, to 60% at the end of 1 year and to less than 40% at the end of 2 years, after which it becomes dysfunctional.

The regulation that makes DLP compulsory is the GDPR (General Data Protection Regulation), which became mandatory in Europe and entered into force on 25 May 2018, alongside the need to protect the company's own information and resources. With this regulation the protection of personal data is guaranteed. More than 50% of the solution set pointed out by GDPR can be provided by DLP.

A DLP system technically keeps both the network and the clients under control. DLP setup should start at the same time as classification: the data stored in file systems, databases, SharePoint etc. should be classified by its criticality level.

Each department within the company should determine the criticality level for the data they hold, and then these critical data should be introduced to the DLP system.

DLP cannot tell whether a piece of data is critical unless you tell it so.

Critical data are introduced to DLP in several ways.

1. Keywords can be introduced to DLP.

2. Words you want to check can be added, such as salary, payroll, top secret, strategy document, etc. Which employee sends documents containing these words, or creates such correspondence, appears immediately on the screen of the DLP management console.

3. Regex: product numbers, credit card numbers and ID numbers in particular are information whose structure follows a pattern. Although many DLP systems ship with pre-written regexes, space is provided for users to write their own. In manufacturing plants especially, defining the logic of the product codes in a regex allows leaking product numbers to be detected.

4. Another indicator is File Type based control, which can detect the leaking of drawing documents, database files, zipped and encrypted documents.
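The keyword and regex rules above, as an added example that is not part of the original article or any DLP product: the keyword list, the product-code format `ABC-1234-XY` and the sample text are constructed, and the credit card rule applies a Luhn checksum so that random digit runs do not trigger it.

```python
import re
from typing import List, Tuple

# Constructed keyword list, modelled on the article's examples
KEYWORDS = ("salary", "payroll", "top secret", "strategy document")

# Assumed product-code format for a hypothetical factory: ABC-1234-XY
PRODUCT_CODE_RE = re.compile(r"\b[A-Z]{3}-\d{4}-[A-Z]{2}\b")
# 13-19 digits, optionally separated by spaces or dashes (candidate card numbers)
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: filters digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str) -> List[Tuple[str, str]]:
    """Return (rule, matched value) pairs for every rule that fires on text."""
    findings = []
    lower = text.lower()
    for kw in KEYWORDS:
        if kw in lower:
            findings.append(("keyword", kw))
    for m in PRODUCT_CODE_RE.finditer(text):
        findings.append(("product_code", m.group()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):  # only report checksum-valid numbers
            findings.append(("credit_card", digits))
    return findings


if __name__ == "__main__":
    # Constructed sample: one real-looking card number, one that fails Luhn
    sample = ("Payroll figures attached. Card 4111 1111 1111 1111, "
              "lot ABC-1234-XY, ref 1234 5678 9012 3456.")
    for rule, value in scan(sample):
        print(f"{rule}: {value}")
```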

The basic logic of a DLP system is fingerprint technology. DLP accesses the directory structure with admin rights, opens each document one by one, analyzes the text in it, ignores words it deems grammatically unnecessary, such as conjunctions, removes the spaces between words, and then computes the hash of the document with a serious mathematical algorithm. It should not be forgotten that the fingerprint function is one-way: the hash of a fingerprinted document cannot be turned back into the original document.

If we try to leak a document whose hash has been taken and marked as critical, DLP Fingerprint will report something like this: "The data you are trying to leak is 70% similar to the file \\172.18.2.4\Administration\strategy.pdf seen earlier on the File Server." Then, according to the policy we have written into DLP, the operation will be cancelled or allowed only after asking the Manager for permission, and the transaction will be logged.
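A minimal model of the fingerprinting described above, added here as an illustration rather than any vendor's algorithm: text is normalized (stopwords dropped, whitespace removed by working on tokens), cut into overlapping word shingles, and only SHA-256 digests of the shingles are stored, so the registered document cannot be recovered from its fingerprint. The stopword list, shingle size, threshold and the registered document's contents are constructed assumptions; the path reuses the article's example.

```python
import hashlib
import re
from typing import Optional, Set, Tuple

# Constructed stopword list standing in for the "unnecessary words" a DLP drops
STOPWORDS = {"and", "or", "but", "the", "a", "an", "of", "to", "in", "is"}
SHINGLE = 4  # words per shingle (assumed value)


def normalize(text: str) -> list:
    """Lowercase, keep word tokens only, drop stopwords."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return [w for w in words if w not in STOPWORDS]


def fingerprint(text: str) -> Set[str]:
    """One-way fingerprint: SHA-256 digests of overlapping word shingles."""
    words = normalize(text)
    digests = set()
    for i in range(max(len(words) - SHINGLE + 1, 1)):
        shingle = "".join(words[i:i + SHINGLE])   # spaces between words removed
        digests.add(hashlib.sha256(shingle.encode()).hexdigest())
    return digests


def similarity(candidate: Set[str], registered: Set[str]) -> float:
    """Share of the registered document's shingles that appear in the candidate."""
    if not registered:
        return 0.0
    return len(candidate & registered) / len(registered)


# Constructed registry: only digests are kept, never the text itself
REGISTERED = {
    r"\\172.18.2.4\Administration\strategy.pdf": fingerprint(
        "Our strategy for 2021 is to expand into three new markets and "
        "double the sales team in the second half of the year."),
}


def check_outbound(text: str, threshold: float = 0.5) -> Optional[Tuple[str, float]]:
    """Best-matching registered document at or above threshold, else None.
    A policy engine would block, ask the manager, or log based on this."""
    fp = fingerprint(text)
    best = max(((p, similarity(fp, r)) for p, r in REGISTERED.items()),
               key=lambda x: x[1])
    return best if best[1] >= threshold else None
```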

Although fingerprint technology seems perfect, the system slows down as the amount of data grows. Therefore the main goal in DLP systems is the protection of truly critical data. If you try to protect every piece of data, you may become inoperable because your systems slow down.

In DLP setup, the company's top management, namely the board of directors, must be the sponsor. Otherwise, employees will soon have problems accessing documents, complaints will start, and DLP will become inoperable after a while.

Things to be done for correct management of the DLP process:

1. Before DLP installation, the company must analyze in detail what it does, its way of doing business, its management systematics, and how it keeps documents, databases, SharePoint and clients.

2. Replicas must absolutely be analyzed for vulnerability and the vulnerabilities identified.

3. The company's WAN and security architecture should be analyzed in detail, and the security vulnerabilities found should be fixed before DLP is installed.

4. Before DLP, existing documents must first be discovered, classified and then monitored. In addition, security levels should be determined.

5. The company should regulate its way of doing business and establish rules and policies, without slowing the company down.

6. For DLP installation, the entry and exit points of data into and out of the system must be determined precisely, and accordingly DLP keeps every entry and exit point under control.

7. Legal units, corporate control units, Information Technology units and Management units must absolutely be included in determining and deciding on DLP policies.

8. A person responsible for DLP and reporting should be appointed, and this person should be provided with detailed analyses at set times of the year. This person should be audited annually by the control units.

9. After DLP installation, all users should be trained, and each person should be informed about what information they can and cannot access. Otherwise, serious confusion will arise within the company.

10. Access to hardcopy information should be bound to set rules; if necessary, these documents should be digitized and classified with a keyword or number. Hardcopy documents, which are the biggest gap in DLP, should be brought into the system.

The basic elements that should be in a good DLP are as follows.

1. DLP should cover Network (E-mail, WEB, FTP, IM, IPv6), Endpoint (Virtual Desktops, WEB Apps, Desktop E-mail, Removable Storage), Cloud (Cloud Apps, O365 Exchange, G-mail, Box) and Storage (File servers, databases, Exchange, SharePoint, NAS filers).

2. If other devices such as mobile phones and tablets are included in the network, their exit points should be kept under control by installing Mobile DLP or BYOD on these devices.

3. Since the most important feature of DLP is fingerprint technology, the most important factor to consider in DLP selection is the capability of its fingerprint technology and Machine Learning software.

4. OCR must absolutely be installed. With good OCR, all data in image form can be controlled.

5. Performing DLP and Classification with the same agent improves the performance of the devices. For this reason a single agent should be preferred if possible, and DLP and Classification must be purchased from the same vendor. Application Management should also not be forgotten.

6. Offering various language options is important for international companies. It must also support alphabets other than the Latin alphabet; otherwise it will not be possible to protect documents written in other alphabets.

7. It must have a good reporting interface and be able to analyze in detail.

8. The DLP setup must include policies that definitely address the solution set pointed out by the GDPR.

9. DLP must have a watermark feature.

10. It should have a simple user interface and fast technical support.

You can contact me by mail with your questions.

Mail: tas.alich@gmail.com

Ali Tas

Biel / BERN / SWITZERLAND