Data is at the center of business. No matter what your business, you store, use, and build data that drives your business forward. Data today includes everything from your software product to customer lists to every other bit of critical information that makes your business run smoother and more productively.
As such a critical resource, data loss prevention (DLP) should be a top priority for every organization.
In practice, this means creating a data loss prevention strategy with the right set of DLP controls that can be implemented and maintained over time everywhere your data is.
This article aims to explain the issues surrounding data leakage prevention policies and offer a data loss prevention policy template that can be useful in keeping your data secure.
Defining Data Loss Prevention
As we will see, data loss prevention is a broad term.
Building on the definition provided by NIST, data loss prevention is best defined as the tools and techniques that we use to prevent our data from leaking out or otherwise being negatively impacted.
For more detail, let us look at a few of the different types of data loss that we commonly see in the field.
5 Types of Data Loss
Not all data loss scenarios are the same. When we think of data loss, it can often mean different things to different people depending on where you sit.
For our good friends over in IT, data loss can bring up first thoughts of power outages or servers going down; maybe there are other connectivity issues impacting uptime that can lead to data becoming unavailable or totally lost. It could simply be a hardware issue on the servers or at the endpoint.
Perhaps someone made an honest mistake and now the reports for Q1 are missing.
We can put data loss into numerous categories, but here are five groups that I find to be most useful for our context.
Criminal
These are your classic instances of a malicious actor, internal or external, taking an action to harm your data.
This can include stealing, encrypting, manipulating, exposing, or otherwise impacting the data in a way that affects its confidentiality, integrity, or availability.
Intentional
In these cases, an employee makes a decision to delete data. However, in some cases, they may not have known that their actions could have negatively impacted their organization later down the line.
That said, data deletion is not necessarily a bad thing.
Quite the opposite, organizations hold onto far more data than they really should. This is often used for marketing purposes or simply just held onto because someone never got around to getting rid of it.
Especially when it comes to customer data, organizations should hold onto only the data for which they can find a real business justification, because at some point all that data becomes a liability. If a breach occurs and data is stolen, then the organization is responsible for that data, leaving them with only risk and very little reward.
Unintentional
This is your “oopsie” type of data loss where someone makes a mistake that ends up exposing data.
The Verizon Data Breach Investigations Report (DBIR) refers to these as Miscellaneous Errors and it is an unfortunately common type of data loss because it draws on human error more than malevolence.
These unintentional acts of data loss can include:
- Losing the physical drive
- Administrative errors
- Mistakenly deleting the data
Failure
Looking over to the IT side of the house, these are the practical and non-malicious cases where something simply goes wrong and data disappears.
Common cases include:
- Hardware failures, like a hard disk that stops working
- Software bugs that cause the program to break or files to be corrupted
- Power failures that lead to memory loss, and there goes your data
Natural Disasters
Acts of nature or fate: something terrible happens and harms your data.
Fires, floods, earthquakes, and plenty of other disastrous events fill this category.
Common Causes of Data Loss for Security Teams
Putting the natural causes aside, things like the wearing down of hardware, fires, and other acts from the digital deities, let’s focus on the human methods that can lead to data loss.
Communication Applications
Sending data over email or chats, both intentionally and unintentionally, can be an innocuous yet effective way for an insider to leak data out to themselves or another party.
Uploading or Transferring
Moving files to public clouds or other unsecured places off the network can be a good way to move large quantities of data. Services like WeTransfer make it easy to send big files, while other data storage services like SharePoint, Google Drive, Dropbox, etc. can be useful tools as well.
Physical Devices
Downloading data onto an external device like a thumb drive or hard disk helps to avoid the network monitoring tools. It worked for Edward Snowden and Chelsea Manning. But they come with their own risks as an investigation can often trace the action back to an individual’s machine.
As we see in our next case, sometimes a data leaker leaves the digital devices behind and simply goes analogue.
Reality Winner — A DLP Story of Mixed Success
The case of Edward Snowden and his massive leak of classified information from his time as a government contractor is probably the most well known story when it comes to data security gone wrong.
But the newly minted Russian citizen Snowden is far from alone in the long list of DLP examples.
Back in 2017, former Air Force translator Reality Winner was working as an intelligence contractor when she came across National Security Agency reports surrounding Russian involvement in the 2016 elections.
Winner then printed out the reports and sent them to The Intercept, which in turn grossly mishandled the documents in what can only be viewed as a comedy of errors, funny to most everyone except Winner.
For starters, they reportedly sent a copy of the original document to a source at the NSA for confirmation instead of simply copying the content onto a new page.
From this copy, the FBI quickly determined that this information had been printed out by an insider at the office using three pieces of data:
- Creases were easily visible, showing that someone had likely folded it up before removing it from the office
- Micro-dots identify the printer used to print it
- The Intercept apparently left the postmark showing that it had been sent from Augusta, GA, near Winner’s office
The FBI’s investigation found that six people had accessed the page with the information. Then closing in on Winner, they found that she had used her personal email account on her computer to correspond with The Intercept.
While tragic for Winner, her story highlights the challenges of data loss prevention while showing how having the right tools (along with negligent adversaries) can lead to a fast resolution of the incident.
10 Data Loss Prevention Best Practices
Implementing the right set of DLP tools and solutions can go a long way in helping to reduce the risk of data leakage.
The basic building blocks of this strategy should include using DLP tools and data loss prevention techniques for identifying where data is, defining policies, monitoring, enforcing your policies, and being able to investigate quickly when an incident does occur.
Identify Where Your Data Lives
The amount of data that we can store today is a blessing and a curse. One of the challenges that organizations, and security teams in particular, face is in knowing what data they have where.
Any DLP strategy is going to depend on starting with a base of knowledge about your data before you can start to protect it.
This means understanding where it is at rest, in transit, and in use.
Identify Risky Data or Operations that Require Extra Attention
Once you have identified your data, you have to figure out what is sensitive and needs that extra bit of protection above the rest. These are going to be bits like personally identifiable information (PII), source code, IP, financial information, etc. Anything that can have a very negative impact on your organization if it gets compromised.
Additionally, just as you should understand what data is sensitive, you should know which applications or parts of your environment are more vulnerable to abuse.
Maybe because it is a place where configurations can be changed to make it easier to exfiltrate data. Or perhaps it is where more sensitive data is being stored or where it is sent from.
Figure out where to start implementing your DLP strategy and then dive in.
Add Friction to the Transfer of Sensitive Files
We want to make it harder for our most sensitive data to make it out of the organization without anyone taking notice.
The best way to do this is by adding friction to the process in specific areas that have a business justification. For instance, you may want to have a policy that blocks the transfer of certain sensitive files.
If the transfer is legitimate, then you can have a second admin approve the transfer when the alert is triggered. You may also want to have less dramatic solutions where transfers are allowed but an admin is notified that the transfer is happening.
This keeps everyone in the loop without blocking the workflow altogether. It also makes it easier to go back and conduct investigations if a questionable incident does occur.
Note that an important part of this process here is to know where not to put too much additional friction that can slow less sensitive but important business processes, so be sure to evaluate before you enact.
Define How Users Can Log On
Select the IP addresses and locations from which it makes sense for your team to log in, or that you have approved.
You probably do not need to have folks logging in from high risk countries that do not fit the regions where you work.
Define When They Can Log In
Malicious insiders and star employees often share a key personality trait in that they are willing to burn the midnight oil to get the job done.
You face added risk when people work outside of primary business hours because they are more likely to avoid someone stumbling across them while they are setting up their data extraction.
This step can help prevent issues from the insider threat actor who may be putting in those extra hours. It can also help alert you to those foreign hackers who are punching the clock at Moscow morning time.
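The two login controls above (where users may log in from, and when) can be checked against authentication logs. The following is an added example, not code from the article or any product it describes; the allowlisted networks, office time zone, business hours and sample events are all constructed assumptions.

```python
from datetime import datetime, time, timedelta, timezone
from ipaddress import ip_address, ip_network

# Assumed policy values (hypothetical, not from the article).
ALLOWED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/25")]
LOCAL_TZ = timezone(timedelta(hours=-5))      # fixed-offset office time zone
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)
WORKDAYS = {0, 1, 2, 3, 4}                    # Monday..Friday

# Constructed sample events: (UTC timestamp, user, source IP).
SAMPLE_LOGINS = [
    ("2024-03-05T14:10:00+00:00", "alice", "203.0.113.40"),   # Tue 09:10 local
    ("2024-03-06T07:30:00+00:00", "bob", "203.0.113.77"),     # Wed 02:30 local
    ("2024-03-07T15:00:00+00:00", "carol", "192.0.2.15"),     # Thu 10:00 local
    ("2024-03-09T16:00:00+00:00", "dave", "198.51.100.200"),  # Sat 11:00 local
]

def evaluate_login(ts_utc, user, src_ip):
    """Return the list of policy violations for one login event."""
    violations = []
    addr = ip_address(src_ip)
    if not any(addr in net for net in ALLOWED_NETWORKS):
        violations.append("source_not_allowlisted")
    # Convert to office-local time before comparing against business hours.
    local = datetime.fromisoformat(ts_utc).astimezone(LOCAL_TZ)
    in_hours = BUSINESS_START <= local.time() < BUSINESS_END
    if local.weekday() not in WORKDAYS or not in_hours:
        violations.append("outside_business_hours")
    return violations

def review(logins):
    """Map each user with at least one violation to the violations found."""
    findings = {}
    for ts, user, ip in logins:
        hits = evaluate_login(ts, user, ip)
        if hits:
            findings.setdefault(user, []).extend(hits)
    return findings

if __name__ == "__main__":
    for user, hits in review(SAMPLE_LOGINS).items():
        print(user, hits)
```

Note that `198.51.100.200` is flagged because the allowlisted range is a /25, which covers only the lower half of that /24.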
Observe and Analyze User Behavior
Once you have defined parameters and put controls in place, the next step is to observe for suspicious behavior that could be indicative of a malicious insider.
As we have noted previously, insider threats pose a tricky challenge for security teams because they are using legitimate credentials and in most cases, are authorized to access the resources that they are exploiting.
However, if you have tools in place that track activity across multiple data points, then you can detect anomalies like someone trying to interact with data that is not under their normal purview in their role.
Maybe they are trying to transfer files or change a configuration.
If it is out of the ordinary, then you should want to know about it.
Track Activities Involving PII
Direct your focus to the areas that most need your attention. Customer PII is one of the most valuable bits of data that your organization holds, due in no small measure to the regulations surrounding it.
Use tools to record activity when PII is accessed, and if necessary, set policies to block access or transfers of PII if conditions are too risky or policies are violated.
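The tiered friction described under "Add Friction to the Transfer of Sensitive Files" and the PII tracking described here can be combined into one decision step. This is an added example, not code from the article or any DLP product; the patterns, the approved destination, the action names and the sample transfers are constructed assumptions.

```python
import re

# Assumed patterns and destination list (hypothetical, not from the article).
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")   # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")       # US SSN layout
APPROVED_DESTINATIONS = {"sharepoint.corp.example"}

def luhn_ok(digits):
    """Luhn checksum: filters out random digit runs that only look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def count_pii(text):
    """Count card numbers (Luhn-valid only) and SSN-shaped strings in text."""
    cards = sum(1 for m in CARD_RE.finditer(text)
                if luhn_ok(re.sub(r"\D", "", m.group())))
    return {"card": cards, "ssn": len(SSN_RE.findall(text))}

def decide_transfer(user, text, destination):
    """Return an audit record with the friction level applied to the transfer."""
    found = count_pii(text)
    if sum(found.values()) == 0:
        action = "allow"
    elif destination in APPROVED_DESTINATIONS:
        action = "allow_notify_admin"
    else:
        action = "block_pending_second_admin"
    return {"user": user, "destination": destination, "pii": found, "action": action}

# Constructed sample transfers: (user, file content, destination).
SAMPLES = [
    ("alice", "Q1 roadmap draft, no customer data", "files.external.example"),
    ("bob", "J. Doe, card 4111 1111 1111 1111", "sharepoint.corp.example"),
    ("carol", "J. Doe, SSN 123-45-6789", "files.external.example"),
    ("dave", "Order ref 4111 1111 1111 1112", "files.external.example"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(decide_transfer(*sample))
```

The last sample shows why the checksum matters: a 16-digit order reference that fails Luhn is not counted as a card, so it does not add friction to an ordinary business transfer.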
Printed Document Tracking
As we saw in the Reality Winner story, not every exfiltration of data is on a flash drive or uploaded. Sometimes it simply gets folded into a pocket and walks out the door.
Tracking printing can block an avenue for data exfiltration attempts looking to skirt around the digital protections that you have in place for email and file transfers.
Application and Website Observation
To harp again on Winner (sorry not sorry), observation of applications like personal email accounts, chat services, or any other method of communication that can be an avenue of data exfiltration can be key to catching an insider. It can even serve as an early warning that an employee may be high risk.
If Winner’s employer had taken a more proactive approach to monitoring her web browsing, flagging regular visits to sites like The Intercept as potential risks, then perhaps they could have prevented the leak.
Why she was corresponding with The Intercept on a work machine (reportedly) is confusing and certainly bad OpSec at the very least.
Leverage Logs
If an incident does occur, logs are exceedingly useful for investigating and responding.
Once a suspect has been narrowed down, you want to be able to see what else they may have come in contact with and expand your investigation to a wider circle.
Good logs can help to not just track activity but make it easy to find what you are looking for and show you more information to direct your search. They should tell a story that leads to a quick conclusion.
Cultivate Your Human Element
DLP techniques and tools play a significant role in keeping your data safe and sound.
Engaging with the humans in your organization will play a critical role as well. This means a couple of measures taken at every level of the team.
The first step to preventing an insider from turning malicious is to make them feel like a part of the team. While ideological or politically directed actors will always be a factor, financial reasons will continue to be the primary motivator for employees to betray their organization.
Training your management to check in with your people is a very significant step towards making people feel heard. Do they have issues about the workplace that are bothering them? Problems in their personal lives that may lead them to seek an illicit payday outside of their usual pay stub? You won’t know if you don’t ask.
Working with management and employees can also help to raise awareness of what to look for from a potentially malicious insider. It is incredible how a security team can use a well trained organization as a force multiplier in creating a culture of security.
Maximize your human resources.
Conclusion
A successful data loss prevention program depends on your ability to build a comprehensive culture of security that takes into account both the human and technical aspects. It starts with identifying your potential weaknesses, setting your technology to detect and analyze suspicious behavior, and then observing moving forward, taking action as needed.
Hopefully by combining the right set of tools, techniques, and policies, you will be able to mitigate your risk of data leakage without impacting your organization’s capacity to work efficiently.