Please enable JavaScript.

Coggle requires JavaScript to display documents.

15.4.5 (DATA LEAKAGE (Data Leak Prevention (facilitates the following…

- - - - • Locate and catalog sensitive information stored throughout the enterprise.
      - • Monitor and control the movement of sensitive information.
        
        across enterprise networks
        
        on end-user systems.
      - objectives are associated with the following three primary states of information:
        
        • Data at rest
        
        basic function of DLP solutions is the ability to identify and log where specific types of information (e.g., credit card or social security numbers) are STORED THROUGHOUT THE ENTERPRISE
        
        To accomplish this, most DLP systems use
        crawlers, #
        
        which are applications that are deployed remotely to log onto each end system and “crawl” through data stores, searching for and logging the location of specific information sets
        
        based on a set of rules that have been entered into the DLP management console.
        
        • Data in motion
        
        To monitor data movement on enterprise networks,
        
        DLP solutions use specific NETWORK APPLIANCES OR EMBEDDED TECHNOLOGY
        
        to selectively capture and analyze network traffic.
        
        how it works
        
        To inspect the information being sent across
        the network DLP solution must be able to
        
        passively MONITOR THE NETWORK TRAFFIC
        
        recognize the correct data streams to capture
        
        assemble the collected
        packets
        
        reconstruct the files carried in the data stream
        
        perform the same analysis that is done on the data at rest to determine whether any portion of the file contents is restricted by its rule set
        
        If sensitive data are detected flowing to an unauthorized destination
        
        DLP solution has the capability to alert and optionally block the data flows in real or near real time,
        
        again based on the rule set defined within its central management component.
        
        solution may also quarantine or encrypt the data in question.
        
        • Data in use
        
        refers to monitoring data movement stemming from actions taken by end users on their workstations that would entail
        
        copying data to a flash drive
        
        sending information to a printer
        
        even cutting and pasting between applications.
        
        DLP solutions typically accomplish this
        through the use of a software program known as an agent,
        
        ideally controlled by the same central management capabilities of the overall DLP solution.
      - The range of services available in the management console varies between products but many have functions in common, such as those outlined in the following sections.
        
        Policy Creation and Management
        
        Policies (rule sets) dictate the actions taken by the various DLP components.
        
        Most DLP solutions come with preconfigured policies (rules) that map to common regulations.
        
        important to be able to customize these
        policies or build completely custom policies.
        
        Should be built upon the ASSET MANAGEMENT AND DATA CLASSIFICATION exercises performed by the enterprise
        
        Directory Services Integration
        
        Integration with directory services allows the DLP console to map a network address to a named end user.
        
        Workflow Management
        
        provide the capacity TO CONFIGURE INCIDENT HANDLING allowing the central management system to ROUTE SPECIFIC INCIDENTS TO APPROPRIATE PARTIES
        
        based on violation type, severity, user and other such criteria.
        
        Backup and Restore
        
        features allow for PRESERVATION OF POLICIES AND OTHER CONFIGURATION SETTINGS
        
        Reporting
        
        reporting function may be internal or may leverage external reporting tools.
      - DLP Risk, Limitations and Considerations
        
        Encryption
        
        DLP solutions can only inspect encrypted information that they can first decrypt.
        
        Which do not happen in case of personal encryption packages installed by employee
        
        To mitigate this risk,
        
        policies should forbid the installation and use of encryption solutions that are not centrally managed
        
        users should be educated that anything that cannot be decrypted for inspection will ultimately be blocked.
        
        Excessive reporting and false positives
        
        Trying to monitor too many data patterns or enabling too many detection points early on can quickly overwhelm resources.
        
        important that the system be rolled out in phases, focusing on the highest risk areas first.
        
        greatest feature of a DLP solution is the ability to
        customize rules or templates to specific organizational data patterns.
        
        Improperly tuned network DLP modules
        
        Enabling the system in monitor-only mode allows for tuning and provides
        
        establish some means of accessibility in the event there is critical content being blocked during off-hours when the team managing the DLP solution is not available
        
        Proper tuning and testing of the DLP system should occur before enabling actual blocking of content.
        
        THE OPPORTUNITIES TO ALERT USERS OUT OF COMPLIANCE ACTIVITIES AND PROCEDURES so they may adjust accordingly.
        
        Involving the appropriate business and IT stakeholders in the planning and monitoring stages helps
        
        to ensure that disruptions to processes will be anticipated and mitigated
        
        Graphics
        
        DLP solutions cannot intelligently interpret graphics files
        
        alternates wont work like
        result : Gap in control
        
        manually inspecting all such information
        
        blocking
        
        Sensitive information scanned into a graphics file or intellectual property that exists
        
        Enterprise should develop strong policies that govern the use and dissemination of this information.
        
        HOWEVER, , they can identify specific
        file types, their source and destination.
        
        combined with well-defined traffic analysis, can flag uncharacteristic movement of this type of information and provide some level of control