Monday, January 4, 2010

Excerpts from Randy George's "Dark Side of DLP"

Randy George wrote a good article for InformationWeek named The Dark Side of Data Loss Prevention. I thought he made several good points that are worth repeating and expanding.

"[T]here's an ugly truth that DLP vendors don't like to talk about: Managing DLP on a large scale can mire your staff up to their ankles."

This is important, and Randy explains why in the rest of the article.

"Before you fire off your first scan to see just how much sensitive data is floating around the network, you'll need to create the policies that define appropriate use of corporate information."

This is a huge issue. Who is to say just what activity is "authorized" or "not authorized" (i.e., "business activity" vs "information security incident")? I have seen a wide variety of activities that scream "intrusion!" only to hear, "well, we have a business partner in East Slobovistan who can only accept data sent via netcat in the clear." Notice I also stressed "who." It's not enough just to recognize badness; someone has to be able to classify badness, with authority.

"Once your policies are in order, the next step is data discovery, because to properly protect your data, you must first know where it is."

Good luck with this one. When you solve it at scale, let me know. This is actually the one area where I think "DLP" can really be rebranded as an asset discovery system, where the asset is data. I'd love to have a DLP deployment just to find out what is where and where it goes, under normal conditions, as perceived by the DLP product. That's a start at least, and better than "I think we have a server in East Slobovistan with our data..."

"Then there's the issue of accuracy... Be prepared to test the data identification capabilities you've enabled. The last thing you want is to wade through a boatload of false-positive alerts every morning because of a paranoid signature set. You also want to make sure that critical information isn't slipping right past your DLP scanners because of a lax signature set."

False positives? Signature sets? What is this, dead technology? That's right. Let's say your DLP product runs passively in alert-only mode. How do you know if you can trust it? That might require access to the original data or activity to evaluate how and why the DLP product came to the alert-worthy conclusion that it did. Paradoxically, if the DLP product is in active blocking mode, your analysts have an easier time separating true problems from false problems. If active DLP blocks something important, the user is likely to complain to the help desk. At least you can figure out what the user did that upset both DLP and the denied user.

"However, as with intrusion-detection systems, not all actions can be automated, and network-based DLP will generate events that must be investigated and adjudicated by humans. The more aggressively you set your protection parameters, the more time administrators will spend reviewing events to decide which communications can proceed and which should be blocked."

Ah, we see the dead technology -- IDS -- mentioned explicitly. Let's face it -- running any passive alerting technology, and making good sense of the output, requires giving the analyst enough data to make a decision. This is the core of NSM philosophy, and why NSM advocates collecting a wide variety of data to support analysis.

For earlier DLP comments, please see Data Leakage Protection Thoughts from last year.

Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)
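Randy's advice to test the data identification capabilities you enable lends itself to a concrete check. The following added example (not from this post, and not from Randy George's article or any DLP product) runs three hypothetical signature sets, named paranoid, balanced and lax, over constructed sample messages and counts the false positives and false negatives each one produces; the card numbers are publicly known test numbers and the surrounding text is made up.

```python
import re

# Constructed sample messages: True = really carries a card number.
SAMPLE_MESSAGES = [
    ("card on file: 4111 1111 1111 1111", True),     # passes Luhn, has keyword
    ("order id 1234567812345678 shipped", False),    # 16 digits, fails Luhn
    ("pan 5500000000000004 expires 12/27", True),    # passes Luhn, has keyword
    ("batch id 1024000000000001 queued", False),     # 16 digits, fails Luhn
    ("ticket ref 4242 4242 4242 4242", True),        # passes Luhn, no keyword
    ("meeting moved to 3pm", False),                 # nothing to flag
]
# 13-19 digits with optional single space or dash separators.
CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
KEYWORD = re.compile(r"\b(card|pan)\b", re.IGNORECASE)  # context the 'lax' set requires


def luhn_ok(number: str) -> bool:
    """Luhn mod-10 check: the cheap way to tell a card PAN from an order id."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2:                        # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def detect(text: str, signature: str) -> bool:
    """Hypothetical signature sets: 'paranoid' flags any long digit run,
    'balanced' requires Luhn, 'lax' requires Luhn plus a context keyword."""
    for match in CANDIDATE.finditer(text):
        if signature == "paranoid":
            return True
        if luhn_ok(match.group()):
            if signature == "balanced":
                return True
            if signature == "lax" and KEYWORD.search(text):
                return True
    return False


def evaluate(signature: str, messages=SAMPLE_MESSAGES) -> tuple:
    """Return (false_positives, false_negatives) for one signature set."""
    fp = fn = 0
    for text, contains_card in messages:
        flagged = detect(text, signature)
        fp += int(flagged and not contains_card)  # alert on harmless traffic
        fn += int(contains_card and not flagged)  # card slipped past the scanner
    return fp, fn


if __name__ == "__main__":
    for name in ("paranoid", "balanced", "lax"):
        print(name, "false positives / false negatives =", evaluate(name))
```

The paranoid set buries the analyst in alerts about order ids and batch numbers, while the lax set quietly misses a real card number that lacks a keyword; labelled samples like these are what make such a comparison possible before the product goes live.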
