Just last week it was reported in The Guardian that “Computer hackers have managed to breach some of the top secret systems within the [UK] Ministry of Defence.” If the department charged with protecting the country can’t protect its own secrets then what chance does your organization have?

This is just the latest (at the time I’m writing this) in a seemingly ever escalating number of security breaches, data thefts and data losses. So much so, in fact, that Data Loss Prevention (DLP – also called Data Leak Prevention) is the fastest growing segment of the Security, Identity and Access Management (SIAM) market. Multiple press releases cross my desk every week touting the latest and greatest apps and services to protect your sensitive, privileged, and proprietary data as well as the Personally Identifiable Information (PII) of your employees, customers, vendors and partners – the data that begins the path to so-called Identity Theft.

So with so much DLP software available, why is there still a problem with data loss/leakage – and why are organizations seemingly so surprised when it occurs?

To me, one telling point is that almost all DLP packages include audit modules. The main purpose of these audit modules, other than satisfying a compliance directive from government (e.g., HIPAA) or from an industry body (e.g., PCI DSS), is to let you know that a data loss or leak has already occurred! It's like having a sensor outside the barn that emails you with the message "By the way, the horses just got out through that unlocked barn door."

So is there any hope?

The short answer is “no, not the way we’re doing things today.”

Early DLP software concentrated on perimeter protection and intrusion detection. The idea was that individual hackers were constantly probing your network looking for "barn doors" that weren't locked. It was assumed that these hackers had no definite target in mind, but simply tested for easy targets. If your "door" was harder to get through than another organization's, they'd go to that one and leave you alone.

But the attackers have changed. The Guardian story cited above notes “China and Russia have been accused of being behind most of the sophisticated cyber-attacks, with state-sponsored hackers targeting military secrets from western governments, or intellectual property from British and American defence firms.” Additionally, organized cybercrime gangs (the so-called “Digital Mafia”) have been cited as constantly attempting to penetrate systems to obtain data for financial gain. Individual hackers have fallen far down the list of potential threats.

The DLP vendors have tried to keep up with ever more sophisticated penetration attacks, and do a good job. But even if they can block 99.99% of penetration attempts, how many get through? It's hard to find data, but one blogger tracked intrusion attempts a few years ago and noted 2556 in a two-week period. That is not a high-value target, yet at a 0.01% miss rate (one attempt in ten thousand) even the best available DLP products would still let this site be penetrated about once every 8 weeks, or 6-7 times per year. A major corporation or government entity could see hundreds or even thousands of times that number of attacks, with a concomitant number of successful ones.

And that’s just one threat vector.

Borders, fences, firewalls, and the like are intended to protect your data from outsiders who have no legitimate right to it. But what about insiders? What about those who have the right to view and manipulate the data as part of their job?

Recently in South Carolina an employee of the state Medicaid program (a health program for certain people and families with low incomes and resources) was charged with collecting PII (Names, addresses, phone numbers, and Social Security numbers, which also double as Medicaid ID numbers) of over 200,000 clients and transferring it to his personal storage via email. This was done in small pieces over the course of several months. The employee had a legitimate right to access the data as individual records – he just amalgamated these records over time!

Many current DLP packages will monitor outgoing data (email, web postings, social networks, etc.) to see if privileged or protected data (or PII) is leaving the organization, and alert security personnel. This can minimize the data loss/leakage, but not eliminate it. Note too that a rule tuned to catch bulk transfers will not fire on two or three records at a time; catching the South Carolina pattern means correlating a single user's outbound sensitive records over weeks or months, not inspecting each message in isolation. In the best-case scenario the data can be recovered before damage is done.

But, of course, not all insider data leakage is caused by rogue employees.

In the now classic case of RSA Security, data was stolen that allowed the hackers (believed to be state sponsored) to foil the vaunted (and ubiquitous) SecurID hardware tokens from the company. These hackers didn't find an open door, nor did they obtain a willing accomplice on the inside. Rather, they used a targeted phishing email to persuade one user to open an attachment, which installed a backdoor Trojan allowing these criminals to get into the network, pose as legitimate users, and get the data they came looking for. Yes, audit software discovered the breach. But that horse was already out of the barn, in the wild and doing damage. It's generally believed that later attacks on a number of defense contractors resulted from this breach.

And that still doesn’t cover all the possibilities.

We still read about lost laptops, notebooks and tablets; mislaid (or stolen) USB drives (it used to be floppy disks); unwiped hard drives getting recycled, all with proprietary or personal data on them. No intrusion detection system, data monitoring system, nor any number of audit logs is going to let you know that this has occurred. The only control that helps once the device is gone is encryption applied before it left.

So what should you do – short of throwing up your hands and simply releasing all of your own data before someone else does?

You need a plan. Today’s DLP software should be a part of it, of course, but you need more. You need to be prepared, now, for what will happen when the data leakage occurs. Too often, when the worst happens, the organization that lost data sends out a spokesperson, who looks like a deer trapped in the headlights with no ready answers as to how they are going to cope with the disaster that’s befallen them.

Most large organizations, whether commercial entities, governments, university systems or the like, have well-developed disaster recovery plans. They know exactly what they'll do in case of fire, flood, insurrection, or other disruptions to their normal flow of business. Few, if any, though, have plans to deal with the devastating disaster that data leakage and data loss can be. How devastating? Just ask the folks at VASCO Data Security. When their subsidiary DigiNotar (a Dutch certificate authority) was breached and fraudulent certificates were issued, it was first taken over by the Dutch government and then declared bankrupt.

The reality is that you need a three-pronged approach to protect your data, determine if it’s been leaked and react promptly, efficiently and appropriately when the leak occurs. I call these three DLP, DLD and DLR.

  • DLP – Data Leak Protection, which includes data encryption, firewalls, intrusion detection systems and the like. These systems are designed to thwart intruders and can do a good job of that. Additionally, encryption at rest protects data that is inadvertently sent "into the wild" on lost, stolen or strayed computers and drives.
  • DLD – Data Leak Detection; when DLP fails, this part of the solution will let you know. DLD is also the area where you monitor legitimate users (employees, contractors, vendors, partners, clients, etc.) to discover criminal behavior or fraudulent account usage. DLD systems can also be configured to trigger automatic responses, shutting down the avenue through which data is leaking.
  • DLR – Data Leak Resilience, or how to recover and bounce back from data leaks. In essence, this is a disaster recovery plan for data leaks and includes hardware and/or software modifications (to thwart the leak vector), notification protocols (to inform data owners, regulatory authorities and the press) and recovery methods (to restore, as much as possible, the situation as it existed pre-leak).
Many call this three-pronged approach Data Loss Mitigation (although at least one of my colleagues abhors the term) and I’ll stick with it for now (but your suggestions are welcome).
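To make the DLD point concrete, and to show why the South Carolina drip went unnoticed, here is an added example (my own illustration, not code from any DLP product or from the original article) of outbound-mail monitoring that looks for Social Security numbers in two ways: a per-message threshold that catches bulk transfers, and a per-sender rolling window that catches the same records leaving a few at a time over months. The log format, the internal domain `medicaid.example`, the user names and every SSN in it are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed internal mail domain for this example; mail to any other domain is
# treated as leaving the organisation.
INTERNAL_DOMAIN = "medicaid.example"

# Shape of a US SSN (which doubled as the Medicaid ID in the South Carolina case).
# The negative lookaheads drop area/group/serial values the SSA never issues.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Constructed outbound-mail log (not real data).
# Fields: timestamp | sender | recipient | message body
SAMPLE_LOG = """\
2011-05-02T10:14:00 | jdoe@medicaid.example | jdoe.home@webmail.example | Backup: 111-22-3333, 222-33-4444
2012-01-09T09:02:11 | jdoe@medicaid.example | jdoe.home@webmail.example | Client notes 123-45-6789 and 234-56-7890
2012-01-23T17:41:03 | jdoe@medicaid.example | jdoe.home@webmail.example | More notes 345-67-8901, 456-78-9012
2012-02-01T11:00:00 | asmith@medicaid.example | audit@medicaid.example | Quarterly review 101-01-1010 202-02-2020 303-03-3030 404-04-4040
2012-02-06T16:55:42 | jdoe@medicaid.example | jdoe.home@webmail.example | 567-89-0123 ; 678-90-1234
2012-02-10T08:30:00 | bwong@medicaid.example | clinic@partner.example | Referral for 505-05-5050
2012-02-15T13:20:00 | cclark@medicaid.example | cclark@webmail.example | Cases 606-06-6060 707-07-7070 808-08-8080
2012-02-20T18:03:09 | jdoe@medicaid.example | jdoe.home@webmail.example | 789-01-2345 890-12-3456
2012-03-05T17:58:30 | jdoe@medicaid.example | jdoe.home@webmail.example | 135-79-2468 246-80-1357
2012-03-19T17:49:12 | jdoe@medicaid.example | jdoe.home@webmail.example | 357-91-3579 468-02-4680
"""


def parse_log(text):
    """Return (timestamp, sender, recipient, body) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, recipient, body = (f.strip() for f in line.split(" | ", 3))
        events.append((datetime.fromisoformat(ts), sender, recipient, body))
    return sorted(events)


def find_ssns(body):
    """Distinct SSN-shaped strings in one message body."""
    return set(SSN_RE.findall(body))


def detect_leakage(events, window_days=120, per_message_threshold=3, cumulative_threshold=10):
    """Two detections over outbound mail only:
    - 'bulk': one message carrying per_message_threshold or more SSNs;
    - 'drip': one sender whose distinct SSNs sent out within the rolling window
      reach cumulative_threshold, however few went in each message."""
    window = timedelta(days=window_days)
    recent = defaultdict(deque)  # sender -> deque of (timestamp, ssn_set) still inside the window
    alerted = set()
    alerts = []
    for ts, sender, recipient, body in events:
        if recipient.rsplit("@", 1)[-1].lower() == INTERNAL_DOMAIN:
            continue  # internal mail is out of scope for this rule
        ssns = find_ssns(body)
        if not ssns:
            continue
        if len(ssns) >= per_message_threshold:
            alerts.append({"kind": "bulk", "sender": sender, "at": ts, "count": len(ssns)})
        history = recent[sender]
        history.append((ts, ssns))
        while history and ts - history[0][0] > window:
            history.popleft()  # expire records older than the window
        distinct = set().union(*(s for _, s in history))
        if len(distinct) >= cumulative_threshold and sender not in alerted:
            alerted.add(sender)
            alerts.append({"kind": "drip", "sender": sender, "at": ts, "count": len(distinct)})
    return alerts


if __name__ == "__main__":
    for a in detect_leakage(parse_log(SAMPLE_LOG)):
        print(f"{a['at']:%Y-%m-%d} {a['kind']:4} {a['sender']} ({a['count']} SSNs)")
```

Run as-is, the per-message rule fires only on `cclark`'s three-record message, while `jdoe`'s two-records-at-a-time messages trip the rolling-window rule on 5 March, when the tenth distinct SSN inside the 120-day window leaves. Widen the window to 400 days and the May 2011 message counts too, so the same alert fires one message earlier; the window length is the trade-off between catching slower drips and the state you have to keep per user.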

In any event, you need to work on the DLR portion; you need that disaster recovery plan for data leakage – so get to work on it now.