Security Basics mailing list archives

RE: When , where, how?


From: Shane Anglin <Shane.Anglin () knology com>
Date: Fri, 27 May 2011 13:12:42 +0000

Another 2 cents to add to the penny pile...

Data classification... if you cannot do this, you cannot implement DLP effectively.

Identify what data is where and classify its importance. If you are concerned with just credit card numbers, easy 
enough. If you are concerned with intellectual property and business operational data, much more is involved. Like 
the previous responses said, it takes management support to pursue DLP effectively.

Identify what you have to protect, where that data is, and who manages that data.   At the end of that process, you 
tweak your DLP solution to protect it.

Something I find that is critical and usually not done very well: identify an owner of that silo of data (in an 
enterprise, this is critical) who can maintain data classification for their area... for instance, 
Information Technology will not know what Business Operations data is critical to business operations... IT would be 
able to identify things that have credit card numbers, social security numbers, and other PII, but generally not what 
is mission-critical info. Another example: IT may not know which documents contain contractual information and 
shouldn't be expected to. Each DLP solution has an approach on how to handle these situations (putting a marker in the 
file, having the files/directories digitally signed or hashed, telling IT what keywords to match in DLP, etc.)... some 
DLP solutions are more manual than others and handle issues differently... but someone over that silo of data must 
decide the classification of their data.

In my opinion, IT's job is to provide the tools and constructs to the business units to classify their data, and IT 
must then implement DLP around their systems' processes based upon the classification.

Regards,

Shane Anglin


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Mark Brunner
Sent: Thursday, May 26, 2011 4:38 PM
To: security-basics () securityfocus com
Cc: 'a bv'
Subject: RE: When , where, how?

Dude,

In my opinion, EVERY business needs a DLP strategy and solution.  It can be homegrown, it can be freeware, it can be 
commercial.  You are talking about identifying and protecting critical, private and confidential data from being 
stolen.  That is a no-brainer, and is at the very heart of information security.  If you are not taking steps to 
protect that information, you are doomed.

The need depends on the connectivity available and the technology used, not location, culture, or even legislation.  
Survival is the driver, or soon will be.  If your company connects to the Internet to share and collect email, you need 
a DLP solution that manages that connectivity.  If your company uses Instant Messaging, you need a DLP solution that 
handles that.  If you provide FTP services, you need to address that.  Whatever methods and services the company uses 
to connect and share information with others need to be considered and addressed.  Addressing them may entail stopping 
their use, monitoring and reporting their use, restricting their use through policy and monitoring, filtering with 
technology, or other means.

How to implement the solution?  Well, to answer that would take a book.  Or several, because not every solution is the 
same, and not every implementation is the same.  Best advice that I can offer for implementation would be stage it.  Do 
it in phases.  Pilot it first with a medium sized group, and put it into monitoring only mode. This will aid in 
identifying your baseline, what is "normal", and what is in need of investigation.  Like an IDS/IPS solution, this is a 
disruptive technology that is _initially_ prone to error, both false-positive and false-negative.  It will need to be 
tuned and maintained regularly.  Once you understand what is being sent, where, and by whom, you can start modifying 
the rule-set and tightening up your classifications.

Gaining buy-in, identifying data owners, working with other departments, that is what a good consultant does as part of 
your project.  That sort of intel never comes free, and if it does, it is suspect.  In this economic climate, you need 
to support your local businesses, and start bringing in the expertise that you don't have.  Make certain that Knowledge 
Transfer is written into the engagement contract, and DON'T let the PM or Consultant nibble away at the time allotted 
to this part.  It is how you will learn to tweak, adjust and manage the new infrastructure devices that you will be 
introducing to the environment.

Just my 2¢, collect the whole dollar!

Mark B
Information Security Manager & IT Consultant
Greater Toronto Area, Ontario, Canada
My Blog: http://kohi10.wordpress.com/


CONFIDENTIALITY NOTICE: This e-mail and any attached documents may contain
confidential or legally privileged information that is intended only for the
named recipient(s). Delivery of this message to any person other than the
intended recipient(s) is not intended in any way to waive privilege or
confidentiality.  Unauthorized use, dissemination or copying is prohibited.
If you have received this communication in error, please notify the sender
and destroy all copies of this e-mail.  Thank you for your cooperation.
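Added example, not code from either poster: a monitor-only scanner in Python that combines the three classification inputs Shane lists (a marker the data owner puts in the file, hashes of documents the owner has registered, and owner-supplied keywords per silo) with the content patterns IT can run without business context (Luhn-checked card numbers and SSN format), and reports per-signal counts as the baseline Mark describes for the pilot phase. The `Classification: <level>` marker convention, the silo names, the keyword lists and the five sample documents are all constructed for this example and are not a real DLP product's format.

```python
"""Monitor-only DLP scan over a small constructed corpus (example, not a product)."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field

# Assumed marker convention: the silo owner writes "Classification: <level>" in the file.
MARKER_RE = re.compile(
    r"^\s*Classification:\s*(Public|Internal|Confidential|Restricted)\b",
    re.IGNORECASE | re.MULTILINE,
)
# 13-19 digits, optionally separated by spaces or dashes; Luhn filters the noise.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN shape with the area/group/serial values that are never issued excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: drops most random digit runs before they become findings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def card_numbers(text: str) -> list[str]:
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


@dataclass
class Finding:
    name: str
    signals: list[str] = field(default_factory=list)  # which detectors fired
    classification: str = "Unclassified"             # label we would apply


def scan_document(name: str, text: str, owner_hashes: dict, owner_keywords: dict) -> Finding:
    f = Finding(name)
    # 1. A marker placed by the data owner is authoritative: they decided.
    m = MARKER_RE.search(text)
    if m:
        f.classification = m.group(1).capitalize()
        f.signals.append("marker:" + f.classification)
    # 2. Exact fingerprint of a document the owner registered (catches verbatim copies only).
    digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
    if digest in owner_hashes:
        f.signals.append("fingerprint:" + owner_hashes[digest])
    # 3. Content patterns IT can run without knowing the business; values are masked in the report.
    for c in card_numbers(text):
        f.signals.append("pan:" + c[:6] + "*" * (len(c) - 10) + c[-4:])
    for s in SSN_RE.findall(text):
        f.signals.append("ssn:***-**-" + s[-4:])
    # 4. Keywords the silo owner handed to IT, keyed by silo.
    low = text.lower()
    for silo, words in owner_keywords.items():
        if any(w in low for w in words):
            f.signals.append("keyword:" + silo)
    if f.signals and f.classification == "Unclassified":
        f.classification = "Needs review"  # monitor-only: record it, never block
    return f


# Constructed sample data: a contract template the Legal owner registered by hash and keyword.
CONTRACT = "MASTER SERVICES AGREEMENT\nIndemnification: the Supplier shall hold the Customer harmless.\n"
OWNER_HASHES = {hashlib.sha256(CONTRACT.encode("utf-8")).hexdigest(): "Legal/MSA-template"}
OWNER_KEYWORDS = {
    "Legal": ["master services agreement", "indemnification"],
    "Operations": ["runbook", "failover plan"],
}
CORPUS = {
    "sales_notes.txt": "Customer paid with card 4111 1111 1111 1111.\nOrder ref 1234 5678 9012 3456.\n",
    "hr_record.txt": "Classification: Confidential\nEmployee SSN 123-45-6789\n",
    "copied_contract.txt": CONTRACT,
    "edited_contract.txt": CONTRACT.replace("Supplier", "Vendor"),
    "lunch_menu.txt": "Friday: pizza. Phone 555-0100.\n",
}


def scan_corpus(corpus=CORPUS, owner_hashes=OWNER_HASHES, owner_keywords=OWNER_KEYWORDS) -> dict:
    return {n: scan_document(n, t, owner_hashes, owner_keywords) for n, t in corpus.items()}


def baseline(findings: dict) -> dict:
    """Counts per signal family: the 'what is normal' table the pilot phase is tuned against."""
    counts: dict = {}
    for f in findings.values():
        for s in f.signals:
            fam = s.split(":", 1)[0]
            counts[fam] = counts.get(fam, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_corpus()
    for f in results.values():
        print(f"{f.name:22} {f.classification:14} {f.signals}")
    print("baseline:", baseline(results))
```

Running it shows the trade-offs the thread is about: the exact copy of the registered contract is caught by the fingerprint, while the lightly edited copy is caught only by the owner's keywords, which is the gap exact hashing leaves; the non-Luhn order number is not reported, but any 16-digit identifier that happens to pass Luhn would be, which is exactly the false positive a monitoring-only pilot exists to surface before rules are enforced.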

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of a bv
Sent: Thursday, May 26, 2011 3:18 AM
To: security-basics () securityfocus com
Subject: DLP: When , where, how?

Hi,

I would like to have your opinion about when/which organizations need a DLP solution. How does the need depend on
the organization's work area, country, region or culture? How do you implement the solution and handle the data
classification and cooperate with data owners and business departments?

Regards

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL
certificate.  We look at how SSL works, how it benefits your company and how
your customers can tell if a site is secure. You will find out how to test,
purchase, install and use a thawte Digital Certificate on your Apache web
server. Throughout, best practices for set-up are highlighted to help you
ensure efficient ongoing management of your encryption keys and digital
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727
d1
------------------------------------------------------------------------

