Archive for the ‘DLP’ Category

Rich Mogull of Securosis Comments on DLP and Simplicity

August 2nd, 2010 rfernandez

Data Loss Prevention (DLP) seems to be everywhere right now – and with good reason, given the daily flood of reports of lost, stolen and otherwise breached data. Last month, DLP market analyst Rich Mogull, of the Securosis security research and advisory firm, circled back to a theme that seems to be popping up everywhere: how to simplify DLP.

In his article (http://securosis.com/blog/comments/top-3-steps-to-simplify-dlp-without-compromise/), Mogull sets the scene by noting “… with massive amounts of content and data streaming throughout the enterprise in support of countless business processes, the idea that we can somehow wrangle this information in any meaningful way, with minimal disruptions to business process, is daunting…”.

Mogull has some good advice for anyone starting a DLP project: take it step by step; he likens it to eating an elephant, bite by bite. Narrow your scope. Consider starting with Network DLP, as many of our customers do, then adding endpoints.  And start with one policy. You can then add another policy as you fine-tune.

We think this is great advice. In addition, we suggest you look at the complexity of the hardware and software you deploy to make sure it will give you what you need without taking over your life. We got started in this business – our only business is DLP, actually – because we saw a growing demand for preventing data loss but a limited set of very complex and kludgy solutions. Why should you have to hire a full-time person to manage just the DLP tool? That’s unrealistic. And why would you want to mess around with 6 or 7 different appliances to manage, update, troubleshoot, and the like? That just does not make sense.

Ask your vendor these questions and determine your scope to improve your chances of a successful DLP deployment. And we’d love to hear from you if you have tips, ideas or comments on Mogull’s advice or on DLP deployment.

Categories: Content-aware, DLP, Data Loss Prevention

Aberdeen’s 4th Annual Data Loss Prevention Report

July 15th, 2010 rfernandez

Aberdeen Defines Key Characteristics of “Best in Class” DLP Users; What You Can Learn from Them

Last week, Aberdeen Group released its fourth annual report on data loss prevention (DLP). The report, “Content-Aware, The 2010 Data Loss Prevention Report” by analyst Derek Brink, CISSP, concludes “… companies achieving top results successfully use content-aware technologies to identify sensitive data across multiple channels, and to invoke a range of remediation options to enforce their established security policies. In doing so, they reap the substantial benefits of fewer actual incidents of data loss or data exposure, fewer audit deficiencies, and lower operational cost.”

The report details a number of characteristics and practices, as well as hurdles, of top organizations in deploying DLP. While much has been said about the market and choices for DLP, this report is unique in defining what organizations are doing today with DLP and why or why not, as well as metrics.

Interestingly, top performers as identified in this report noted staff bandwidth and complexity of DLP solutions as the big challenges, while others were challenged by organizational issues and lack of policy. As we have said over and over here at Code Green Networks, we believe simplicity and cost-effectiveness are key to DLP success.

So what can you, as an existing or potential user of DLP, learn from these companies? One interesting finding is that for those organizations denoted as best in class, 93% of data loss or exposure incidents were inadvertent – not malicious. This compares to just 65% for all others. Does having a DLP solution in place mean fewer malicious, or deliberate, data exposure incidents? Financially, top performers invested about $90,000 more than others in total cost of DLP but avoided $6.8 million in costs associated with data loss or exposure – 75 times the return on their investment. So-called “laggards” reported an increase in data loss or exposure incidents almost 4 times that of their best-in-class brethren.

To get this report and learn how your colleagues and other organizations are using DLP, simply register at http://v1.aberdeen.com/includes/asp/sponsored_registration.asp?ci=/launch/report/benchmark/6575-RA-content-aware-data-loss.asp&spid=30410182&camp=2

Categories: Content-aware, DLP, Data Loss Prevention

Gartner MQ for Content-Aware Data Loss Prevention

June 28th, 2010 jpeck

Earlier this month Gartner released its 2010 Magic Quadrant for Content-Aware Data Loss Prevention, and we are extremely pleased that the analysts recognize the value and strength of Code Green Networks’ easy-to-use, low-cost, content-aware network data loss prevention solution.

“It is very easy to deploy and use for up to 50,000 users, making the overall offering attractive to price sensitive enterprise buyers.”

2010 Magic Quadrant for Content-Aware Data Loss Prevention, Gartner, Inc.
The complete report can be obtained from Gartner Group.

We believe that Gartner and other analysts’ recommendations can be very helpful in sorting through the myriad of products on the market. We suggest taking the Magic Quadrant and the associated analysis into consideration based on your organization’s size, needs and infrastructure.

A key theme emerged in this year’s report: ease-of-use, or as we think about it, simplicity. While data loss prevention (DLP) solutions have existed for some time, they typically have been complex to deploy and manage, and in many cases, engineered as “bolt on” products added to other solutions in the vendor’s product line. Since DLP is our only business, we have focused on simplicity: easy-to-set up, easy-to-deploy, and easy-to-manage. In most cases, our customers get a complete DLP solution in a single appliance, while the same functionality can require up to seven appliances from other vendors. More complex solutions often require a full-time person just to manage them. In contrast, most TrueDLP users spend as little as an hour each week managing DLP:

“I like that minimal IT time is needed to maintain the system. Responding to alerts and refining policies, as management identifies new data to be registered, is all that’s required from me or my team.”
Steve Scott, Information Security Manager, St. Charles Health System

Although price sensitivity is not a theme in this year’s report, as reflected by the vendors in the “Leaders Quadrant”, Code Green Networks continues its pioneering position of being a cost-effective enterprise solution with the lowest total cost of ownership – providing full features in a single appliance with no complicated licensing fees. Customers can add more seats or locations by adding appliances in a modular way.

The report highlights that 40% of Gartner clients interviewed led with their network requirements. Gartner states that enterprises that began with network (or endpoint) capabilities nearly always deploy data discovery functions next.

According to Rich Mogull, from the Securosis research and advisory firm, this is because network deployments typically provide the most immediate information with the lowest effort (http://www.securosis.com/tag/data+loss+prevention). We have also seen that same trend. Almost all of our customers begin with Network DLP, add Discovery capabilities, and then begin to think about Endpoint DLP.

With input from our channel partners and customers, we continue to evolve our solution to strengthen and further expand its capabilities.  Watch for more news on this soon, as well as updates on our ongoing expansion into markets outside North America.




Categories: Content-aware, DLP, Data Loss Prevention

Social Networking Vs. Security – Where to Draw the Line

June 21st, 2010 rfernandez

The explosion of social networking tools – Facebook, Twitter, LinkedIn and others – has created some big, new headaches for IT managers and those concerned with protecting corporate networks and data.  Many workers assume they need and will get instant access to these tools, but they might not realize the potential risks and harm using them can inflict on their companies.

In an article published June 3, Code Green Networks’ CTO Mark Menke discusses the growing usage of these networks and the impact on security and data protection. Code Green Networks’ sales team has heard plenty of hair-raising stories by now about medical staff posting patient data on Twitter and Facebook, about critical corporate information leaking out via LinkedIn and other scary scenarios – and we estimate this is the tip of the iceberg as social networking tool usage becomes embedded into many workers’ everyday workflow. DLP, or data loss prevention, is one tool that can be used alongside strong policies and other mainstream protections.

Check out Mr. Menke’s article at SC Magazine.com.




Categories: DLP, Data Loss Prevention, Web 2.0

Video: Preventing Data Loss Via HTTP

May 13th, 2010 CLeffel

In this video, I give a quick “chalk talk” about how to use a Data Loss Prevention solution to prevent your organization from losing information over the Web.

Topics Covered Include:

  • Leveraging the Proxy architecture with a DLP solution to stop data leaks
  • How a Data Loss Prevention solution works to monitor and stop HTTP traffic

I have also authored a whitepaper on this topic that can be found on the Code Green Networks site: http://www.codegreennetworks.com/resources/downloads/wp_web20.pdf

Video on YouTube: Preventing Data Loss Via HTTP

-Chris




Categories: DLP, Data Loss Prevention, Video, Web 2.0

TrueDLP™ Gets Best Buy and Five Stars from SC Magazine

May 12th, 2010 rfernandez

Venerable IT security source SC Magazine, which publishes in print and online in the U.S., U.K. and Australia, last week awarded Code Green Networks TrueDLP its “Best Buy” award.

In its review, posted May 3, the magazine’s review team described TrueDLP as an “all-in-one appliance which includes all the necessary network DLP features.” The review gave TrueDLP five stars across the board, noting full functionality, ease of use, performance, documentation, support, and value for money.

The review can be read in its entirety at http://www.scmagazineus.com/code-green-networks-truedlp/review/3148/. The review echoes what we feel are some of the key aspects of the TrueDLP solution – the ability of users to plug in a single appliance for true network DLP and a solution that can be easily set up and requires minimal upkeep and monitoring for effectiveness. When users are ready to scale the appliance to other sites, to protect more data or to otherwise expand, they can easily do that in a modular fashion.

Unfortunately, the experience of IT managers with early DLP solutions was not that simple, and therefore, many organizations are not protecting their data despite the daily flood of data breaches reported, and the enormous increase in data protection regulations in much of the world.  Some DLP solutions require users to install multiple appliances for various functions, and most require extensive set-up and babysitting. Our thought is that you should not have to hire someone just to track your DLP solution!




Categories: DLP, Data Loss Prevention

State Security Breach Notification Laws

April 26th, 2010 rfernandez

Forty-six states, the District of Columbia, Puerto Rico and the Virgin Islands now have laws in place that require notification when an individual’s confidential information has been compromised.  Mishandled medical records, social security numbers, credit card numbers and the like trigger mandatory notification.  The National Conference of State Legislatures (NCSL) has a listing of all the State Security Breach Notification Laws on their Web site.

To safeguard personal or sensitive data, whose transmission could activate the security breach notification laws, companies should deploy security systems that will adequately identify personal information in any electronic transmission and, if necessary, block or encrypt the transmission.  In evaluating and deploying such security systems, consideration should be given to systems that can perform the following actions:

  • Registration and discovery – Companies should be able to devise and implement a set of rules that identify whether or not data is sensitive or personal. This is done with network-based appliances and/or software that allows companies to define policies identifying the data (using techniques such as database fingerprinting, file fingerprinting, exact file matching, pattern matching, regular expressions, and lexicons/dictionaries), and then safely import that data in a way that provides high-speed data inspection and confirmation of a “match” when sensitive data transmissions are detected.
  • Data inspection – The system should be able to inspect data in storage, on servers, as it travels over the network, and as it is used on desktop systems. This requires the system to be able to identify data even when it is enclosed within a compressed archive, part of a PDF file, part of a document such as a spreadsheet, presentation, word processor document, or transmitted via e-mail, webmail, and even a “Web 2.0” application.
  • Data blocking – The system should be able to block the transmission of sensitive data whenever necessary. This is especially important for web-based e-mail systems and “Web 2.0” applications, which are often encrypted and a rapidly growing conduit for data loss.
  • Data encryption – The system should be able to encrypt sensitive data before it is transmitted to outside recipients via approved corporate email solutions.  The method used to encrypt the email message should be easy for the recipient to comprehend, and the process for securely decrypting the message should be straightforward.
  • User notification – Users should be notified when they are attempting to send sensitive or personal data and the violation is deemed to be minor. Most sensitive data transmissions are inadvertent, so notification helps users understand why their transmission was blocked and modify their behavior going forward to comply with corporate policy.  For more severe violations, the solution should be able to block the transmission and alert administrators immediately.
  • Logging and reporting – IT administrators should be able to generate detailed logs and reports on encryption and transmission blocking-related activities in order to prove compliance with the statute.
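
The requirements listed above can be made concrete with a small content-inspection sketch. This is an added example, not code from this blog or from TrueDLP: it combines exact file matching, pattern matching (with a Luhn check to cut false positives) and a lexicon, inspects inside zip archives, and maps findings to allow / notify / block with an audit record. The threshold, lexicon, function names and sample values are all assumptions constructed for illustration.

```python
import hashlib, io, re, zipfile

# Assumed policy values and constructed detection content for this example.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
LEXICON = ("patient id", "diagnosis")     # dictionary terms
BLOCK_THRESHOLD = 3                       # this many findings or more is "severe"
MAX_DEPTH = 3                             # nested-archive limit
registered = set()                        # SHA-256 fingerprints of registered files
audit_log = []                            # records kept for compliance reporting

def luhn_ok(digits):
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def register_file(data):
    """Registration: store an exact-match fingerprint of a sensitive file."""
    registered.add(hashlib.sha256(data).hexdigest())

def unpack(name, data, depth=0):
    """Yield (name, bytes) leaves, descending into zip archives up to MAX_DEPTH."""
    buf = io.BytesIO(data)
    if depth < MAX_DEPTH and zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            for info in zf.infolist():
                yield from unpack(f"{name}!{info.filename}", zf.read(info), depth + 1)
    else:
        yield name, data

def inspect_payload(name, data):
    """Inspection: return a list of (location, rule) findings."""
    findings = []
    for part, blob in unpack(name, data):
        if hashlib.sha256(blob).hexdigest() in registered:
            findings.append((part, "registered_file"))
        text = blob.decode("utf-8", errors="ignore")
        findings += [(part, "ssn") for _ in SSN_RE.finditer(text)]
        for m in CARD_RE.finditer(text):
            if luhn_ok(re.sub(r"\D", "", m.group())):
                findings.append((part, "card_number"))
        findings += [(part, "lexicon") for t in LEXICON if t in text.lower()]
    return findings

def enforce(sender, name, data):
    """Decide allow / notify (minor) / block (severe) and log the decision."""
    findings = inspect_payload(name, data)
    rules = sorted({rule for _, rule in findings})
    severe = len(findings) >= BLOCK_THRESHOLD or "registered_file" in rules
    action = "block" if severe else "notify" if findings else "allow"
    # The log stores rule names only, never the matched sensitive values.
    audit_log.append({"sender": sender, "object": name, "action": action, "rules": rules})
    return action

# Constructed sample record set (made-up SSNs, a standard test card number).
SAMPLE_CSV = (b"patient id,ssn,card\n1001,123-45-6789,4111 1111 1111 1111\n"
              b"1002,219-09-9999,4111 1111 1111 1112\n")

if __name__ == "__main__":
    print(enforce("user@example.com", "records.csv", SAMPLE_CSV))  # block
    print(audit_log[-1])
```

The second card number in the sample fails the Luhn check and is ignored, which is why pattern matching alone is paired with validation. A production inspector would also cap decompressed size when reading archive members.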

These data loss prevention (DLP) requirements can be met today with Code Green Networks TrueDLP. Companies considering DLP and email encryption solutions should look for holistic systems that not only offer a comprehensive feature set, but which can be deployed relatively easily and quickly at a reasonable cost.




Where Is My Bank Customers’ Sensitive Data?

April 2nd, 2010 rfernandez

This year, in March alone, REPORTED data breach incidents tripled those of the preceding months, and it looks like we are on track to do the same in all of 2010 compared to 2009. Where is all this data going? And why is it missing? A recent article in CU Info Security, 22 Banking Breaches So Far in 2010, notes that many of these incidents were reported by financial institutions. These include regional or local banks, credit services organizations and even the U.S. Security & Exchange Commission.

We have to get smarter about figuring out what data we have, where it is and how to keep it where it belongs. Known solutions, and some very effective ones, exist to help. It should not cost you the annual IT budget. Here is a quick and dirty list of some things you can do – now and near-term – to prevent your company from being the next one in the headlines facing public scorn, hefty fines and associated negatives.

  1. Figure out what data you have that needs to be protected – what’s considered sensitive?
  2. Find that data – where does it live? Who has access to it?
  3. Narrow down who needs access – not everybody needs to have everything.
  4. Set policies and communicate them broadly and repeatedly. Determine how you will enforce them.
  5. Look at solutions like data loss prevention: it’s proven. It can be implemented in a few hours or a few days in many organizations. A good solution requires less than an hour or so a week to manage and should be scalable so you can add users and sites easily.

The reality is that you CAN prevent these ugly mishaps. Townsend RealTick, the premier global, multi-broker, broker neutral, cross-asset Execution Management System, has learned how to protect its data. They use Code Green Networks TrueDLP to prevent highly sensitive data from leaving their network. You can learn more about their DLP strategy, the obstacles that they overcame, and why they selected TrueDLP at http://www.bankinfosecurity.com/podcasts.php?podcastID=429 (registration required by bankinfosecurity.com).

Categories: DLP, Data Loss Prevention, Uncategorized

CynergisTek Takes Data Protection in Healthcare Organizations Seriously

March 24th, 2010 rfernandez

Everyone in healthcare knows that new HIPAA regulations, implemented as part of the HITECH Act this year, have raised the bar on compliance. In particular, data leak prevention has become a hot spot for many healthcare organizations. As we’ve noted before, we identified more than 22 million sensitive records floating around one such healthcare organization. The HITECH Act mandates a federal data breach notification requirement for security breaches involving protected health information. And it covers not just the actual healthcare organization but any individual or company acting on that organization’s behalf. As a result, healthcare orgs are looking closely at how to prevent data breaches.

CynergisTek, a leading provider of security solutions for healthcare organizations, has stepped up and taken the lead on providing a new Data Loss Prevention (DLP) solution as a way to prevent PHI from leaving healthcare organizations.  Using Code Green Networks TrueDLP cutting-edge detection technology, combined with the company’s analytical expertise, healthcare organizations are eliminating leaks of confidential information especially via channels such as the network, personal email accounts, social media, removable storage and mobile devices.

Sharon Finney, Corporate Data Security Officer at Adventist Health System says, “DLP solutions have traditionally been so cost prohibitive that few organizations are ever able to tackle this issue in a meaningful way.  Solutions like CynergisTek’s make thorough DLP analysis and reporting much more accessible. We take a very rigorous approach to evaluating and selecting security solutions, and the CynergisTek offering clearly stood out from the pack as the best combination of quality and value for our organization.”

For more information, visit www.cynergistek.com.

VA Investigating Security Breach

March 10th, 2010 rfernandez

It seems just like yesterday, when the Veterans Affairs Department (VA) was sending out notices to millions of patients informing them that their personal data might have been compromised. The year was 2006, and my dad called me in a panic immediately after receiving a notice that his information had been stolen. It was the largest data leak of social security numbers (26.5 million) ever, and the incident that led the public to question the security of their sensitive information.

Fast forward to March 2010: the Veterans Affairs Department’s inspector general has launched a criminal investigation into a physician assistant’s alleged downloading of veterans’ clinical data at its Atlanta medical center. According to an article published in Nextgov News, “the assistant allegedly recorded two sets of patient data on to a personal laptop for research purposes. One set included three years’ worth of patient data and another held 18 years of medical information.” One of the most disturbing parts of this article is that the department is questioning whether or not they plan on notifying the veterans whose records were downloaded during this latest breach.

So what happened? Where did the VA’s commitment to protect their patients’ privacy go wrong? Did they not educate their employees about what is acceptable to download and what is not? Do they even know where their unauthorized clinical data is within their organization? What are they planning to do to protect the veterans over the next 4 years?