
DLP 101: Help identify and plug information leaks

12 Feb 2018

  1. E-Guide: INTRODUCTION TO DATA LOSS PREVENTION TOOLS (SearchSecurity)
  2. A data loss prevention (DLP) strategy isn’t something to be taken lightly: its cost, impact on process, and responsibility for keeping an enterprise’s data secure cannot be understated as data becomes more accessible and mobile. In this e-guide discover what it means for security for data to be in use, in motion, and at rest; how DLP works in a standalone vs. integrated context; the DLP learning curve; and more.
  3. INTRODUCTION TO DATA LOSS PREVENTION PRODUCTS
     Bill Hayes, Cybersecurity analyst and writer

     We are living in a time when sensitive information flows seamlessly throughout organizations and out to employees across the globe. Unfortunately, this data can wind up in the hands of unintended recipients, who can then cherry-pick the data for their own profit. While the threat of malicious insiders is a valid concern, equally grave data exposures occur through poorly understood business processes that use insecure protocols and procedures, and when employees do not practice secure data handling.

     To solve these problems, data loss prevention (DLP) tools help identify and plug information leaks before they negatively impact organizations.

     Most organizations have some kind of classification scheme intended to identify the kinds of data they use. Once categorized, the appropriate controls can then be applied to monitor and control data access, transportation and storage. In the days when businesses stored information on paper and microfilm, controls such as printed access rosters, security guards, locked filing cabinets and combination safes prevented unauthorized access and dissemination.
  4. With data mostly reduced to digital form nowadays, companies have to use special software to detect data theft while maintaining these older security controls (as long as paper or microfilm records still exist).

     DLP: DATA IN USE, IN MOTION, AT REST

     Depending on their use, DLP tools can detect and block the potential exposure of sensitive information while in use, in motion or at rest.

     Data in use is data that is being processed, is in memory and may be present in temporary files. It poses a danger if insecure endpoint devices are processing the data or may be routing it to unapproved storage or unapproved remote locations.

     Data in motion is data traveling across a network in a point-to-point transaction. The danger here lies in data transactions that may take sensitive information beyond the organization's perimeter or to unintended printouts or storage media.
  5. Data at rest is data that is stored in digital form in persistent (not temporary) files, and can include end-user files and databases located on file servers, backup tapes, SAN storage and portable media.

     Data loss prevention can ensure end users don't send sensitive information outside their organization's network or move it from secure to insecure storage. While DLP products do address the insider threat, they are also very useful as a technical control to prevent the inadvertent exposure of sensitive information by persons unfamiliar with its value or the proper way to process, transmit and store sensitive information.

     HOW DLP WORKS: STANDALONE VS. INTEGRATED

     DLP products are designed to detect sensitive information as it is accessed by endpoint devices like desktops and mobile devices, as it lies dormant on a file server in forgotten documents, and as it moves through an organization's networks using any number of protocols. DLP tools address the problems of sensitive data usage, movement and storage based on an organization's understanding of what it wants to protect and where the data is allowed at any moment.
  6. Standalone DLP products can reside on specialized appliances or can be sold as software to be installed on the enterprise's own hardware. They are specialized and only address data loss prevention. A full soup-to-nuts DLP product monitors data at rest using a file scanning engine. It also features a network appliance to monitor data in transit over a company’s network on many network protocols.

     An endpoint agent detects sensitive information in memory, during printing attempts, copying to portable media or exiting through network protocols. The agents may also be able to detect sensitive information at rest by scanning files found on endpoint logical drives.

     Standalone DLP products also provide some manner of management console, a report generator, a policy manager, a database to store significant events and a quarantine server or folder to store captured sensitive data. There is also usually a method to build custom detection policies.

     Integrated DLP features, by contrast to standalone DLP, are usually found on perimeter security gateways such as Web or email security gateways, intrusion detection systems/intrusion prevention systems, endpoint security suites and unified threat management products. Depending on their main functions, these products are most useful at detecting sensitive data in motion and
  7. sensitive data in use. Vulnerability scanners, for example, usually have DLP plug-ins to detect sensitive data at rest, such as Social Security numbers.

     Unlike the convenience of having a standalone DLP product, security products with integrated DLP from different vendors do not share the same management consoles, policy management engines and data storage. That means an organization's DLP capability may end up being scattered among several different types of security products. Quarantine functions, if they exist, are handled through different management interfaces as well. Any attempt to correlate DLP events will have to be handled through a security information management (SIEM) system or a separate data correlation engine.

     DLP'S USEFULNESS

     DLP tools are especially useful to organizations that have sensitive data with a long shelf life, such as financial data, health insurance data or intellectual property. Government agencies, universities, R&D labs and technology companies are fertile grounds for cyber-espionage. Banks, retail, e-commerce and financial organizations certainly have much to lose as well. While health insurance might seem to be the domain of medical and insurance organizations, any organization that self-administers company health insurance plans could also
  8. be a target.

     Sure, when DLP is mentioned, protecting credit card numbers comes to mind. While credit card numbers are in demand by cybercriminals, the shelf life for a credit card on underground websites is usually only a few days before its use has been detected, however. The average price for a stolen U.S. credit card on Russian cybercrime forums declined from $3 in 2011 to a dollar in 2013. By contrast, stolen healthcare records may get up to $10 per record.

     Cybercriminals target medical records because of their shelf life, and the theft of them may not be immediately detected. These records are sources of patient names, insurance policy numbers, diagnosis codes and personally identifiable information. Cybercriminals can use this data to buy medical equipment or prescription drugs that can then be resold. Additionally, they can create false identities to file false claims with health insurers.

     THE DLP LEARNING CURVE

     DLP tools often come with pre-defined policies to help detect sensitive data types, such as intellectual property, personally identifiable information, protected health information, Social Security numbers and payment card information. In practice, since each organization has different ways of expressing,
  9. processing and storing information, a fair amount of customization is needed to accurately detect them and thus prevent data compromise.

     Given this level of complexity, cybersecurity staff charged with DLP system administration and analysis faces a significant curve in learning how to configure and employ DLP technology. Formal DLP application training is beneficial and working knowledge of Regular Expression parsing is highly useful. Additionally, DLP staff should meet with business process owners to learn about each type of sensitive data and what forms and formats it might take.

     DLP DECISIONS

     Before buying a standalone DLP product, organizations should assess currently owned cybersecurity products to see what DLP features are present and how they can be used either to supplement or replace a standalone DLP product. The price for a standalone DLP product, which is not insignificant, should be weighed against the labor and additional products required to transform an array of currently deployed security products with integrated DLP features into a coherent DLP protection suite.

     Enterprise-level DLP products are usually priced with larger organizations in mind or companies with high risks and onerous compliance requirements.
  10. Smaller firms with lighter purses might want to consider the integrated DLP route, provided they have the critical mass of integrated DLP products already at hand. In either case, DLP projects can demand significant investment of resources, such as IT skills, hardware, storage resources and -- of course -- dollars.