The data loss prevention battle is a battle you are going to lose. You have no choice in the matter! You do, however, have a choice between (metaphorically speaking):
- dying an embarrassing, Darwin Awards-worthy death that will become the industry’s laughing matter for years to come (“he had 650,000 unencrypted payment card numbers on a public web server…in 2012! Now, that IS funny!”), and
- dying the death of a hero and simply knowing that, even though you did everything that can be done, it just wasn’t enough (“well…nothing short of cutting the wire AND removing all system users would have helped”).
These morbid thoughts were inspired by the recently released “DBIR Snapshot: Intellectual Property Theft” [PDF], the saddest production so far from the Verizon research team. Even though most DLP tool deployments (some say up to 70%) are there to protect regulated data (and not corporate intellectual property), there are organizations that use DLP technology as one of the weapons in their (losing) war against IP theft. Note that I didn’t say “the weapon” or “a key weapon”: content-aware DLP simply cannot do this job on its own without encryption, access control, log monitoring, application security, etc. Those who are looking to “get a DLP box” that will block IP theft are guaranteed to be disappointed, since many other tools and PLENTY of work by smart people are required as well.
Specifically, the DBIR snapshot contains two key learnings about intellectual property (IP) theft:
- It is detected years after the incident (“Whereas our historical findings consistently show breach discovery timeframes in the “months” category, IP theft frequently takes years to discover” and “the criminal usually dictates both the timeframe and method of discovery”)
- Even after it is detected, the organizations actually have trouble plugging the leak (“… due to the complexity and longevity of many IP-related breaches, identifying all systems involved can be a real challenge. […] Thus, containment can become a drawn-out game of plugging holes and waiting for leaks to spring up elsewhere”)
Why are things THAT royally screwed up? There is no single explanation, but here are a few thoughts:
- Broken business processes produce staggering piles of sensitive data stored outside of “official” and [hopefully] secured repositories (and DLP discovery capabilities are critical here). DLP consultants note that casual exposure of sensitive information within the perimeter is a common target of attackers. Recent GTP “info-sprawl” research revealed way more of this than most care to admit….
- IT “owns” the infrastructure, but business owns (with no quotes) the information. IP protection efforts that start from using DLP discovery capabilities must continue into taking aggressive action against the spread of confidential data – and only information owners can do it, while IT cannot. If the business side does not get “information risk” (and most don’t seem to), losses of valuable IP will continue.
- Many businesses want a quick and easy way of stopping valuable information theft, but are unwilling to even clearly define (note that I didn’t necessarily say “classify”) what such “valuable information” might be in a machine-understandable way.
- Purely on the IT side, network security is just easier than data security (especially for former network engineers who moved up to security). Many of the successful IP protection efforts require a culture change, not just a tool change – and that is extra-hard at large organizations. Understanding content-level security (driven by DLP) and rules applied to data, not accounts and systems, tends to go slowly at many places.
- One of the DLP literati I spoke with provided the following explanation, which I really like: “IP theft is cancer, not trauma” and most of today’s security thinking (and tooling) is field medicine, not oncology. The organization subject to pervasive IP theft does not die overnight (as a PCI DSS non-compliant payment provider might), but slowly loses its market position. Today we are simply not equipped for tracking such data losses and then correlating them to the overall business health.
Therefore, if you are thinking of procuring and deploying DLP for IP theft protection, think of a DLP tool as a catalyst for culture change (and NOT as a plug for the leaks). DLP can be wildly successful if it is used to change the organizational culture (from the very top down), and it can fail EPICALLY if perceived as The Tool to Stop Data Losses.