
Non-technological leak protection problems. Field Engineer Practice

I was recently asked a question: “Is a DLP system still a fashionable toy, or a real tool?” And I was confused. Is a hammer a tool, a weapon or a fashion accessory? If it is rubber, pink and the size of a car key, it is most likely a fashion accessory. If it is covered in blood with a tuft of hair stuck to it, it was most likely a weapon. But in most other cases it is still a tool.

Implementation Practice: Expectations and Reality
When the conversation turns to cases from the practice of deploying and using DLP systems, people often expect a real thriller. An investigation, a chase, the valiant officers of the security service detain the intruder, and then a court sentences him to a fine, dismissal and ten years of continuous execution. Or at least a story of how hackers armed with secret technology still outwitted the valiant security service and got away with the stolen data. And then sold it for a billion dollars and lived happily ever after on islands in a warm sea.
In practice, however, I tell no such stories, because nothing like this usually happens. And not because secrecy and customers forbid us to talk about leaks, but because nobody really knows whether there were any leaks at all. Banks have all the fun: ATMs get cracked open, security systems get hacked, employees get blackmailed. Pure Hollywood! And all because that is real money, which is easy to count.
DLP, though, is not about money but about data, which is quite a different story. So stories about deployments turn into a tedious epic about how we convinced the information security service that they need it. Then how we blackmailed the responsible people into telling us what the protected information in their company actually is and where to find it. Then how we explained to accountants and lawyers why carrying trade secrets home on a flash drive is no longer recommended.
That is, instead of the work of an engineer, you get the work of a detective, a psychologist and a wandering preacher.

Why is this so?
Where do such difficulties come from? It would seem that the idea of protecting one’s property, and valuable (often critical) property at that, should be met with enthusiasm. But this usually does not happen.
As I see it, the reasons are roughly these:


Ideological unreadiness
The level of development of IT and information security in a company depends on many factors: the age of the company, the available budget, its size, its industry, its management policy. One way or another, everyone is at a different level.
And the very first, most serious problem is maturity in the psychological, ideological sense. If a company treats confidential information carelessly and has no understanding of what it is or why it should be protected at all, introducing a DLP system will run into great difficulties. The employee who takes on such a task will face misunderstanding and disapproval from management and furious resistance from users.
One could simply leave such a company alone: why save people against their will? But that is not always an option, because a common situation is this: the Supreme Leadership has ordered the deployment following an incident at another company in the holding, while on the ground nobody is really ready for it.
They are not ready psychologically: people do not understand that information costs money and can be stolen, and that information is often worth much more than a truckload of alcoholic beverages or rolled metal.
They are not ready organizationally: the company has no regulated procedure for protecting confidential information, and often there is simply no understanding that the information is confidential.
They are not ready technically: such companies would first need to set up firewalling and backup and update their hardware fleet at least a little, so that employees are not working on what are practically typewriters.
So it turns out that there is an order to introduce a DLP system, but no readiness or ability to carry it out. This is a difficult situation both for the customer and for the integrator, and it is often resolved by deploying a “mock-up” of the system: in limited scope, without real policies. That is, a full-size dummy of the system is bought at the price of the real thing.
Infrastructure unreadiness
And, by the way, about typewriters. As a rule, companies develop technologically along a certain natural path. There are the simplest, most necessary and, as a rule, cheapest solutions, and they are introduced first. Clearly there is no point in deploying complex systems for detecting targeted attacks if the company has not properly set up firewalling, has no centralized management of antivirus software and has not configured backup.
For a number of reasons it is rather difficult to jump over this natural process, and, most importantly, there is no need to. The company must be ready to implement a given IT or information security solution; it has to mature into it. DLP systems sit quite high on this evolutionary ladder, and it usually takes quite a long time to grow up to them. Accordingly, many companies simply do not need a DLP system at their current stage. That is, they do need one, of course, but they have many other, more urgent tasks and simpler, cheaper, more necessary solutions to implement first.

Bad marketing
Marketing is a separate trouble. Marketing is supposed to help sell, but in practice it often turns out the other way around.
There is such a thing as the Hype Cycle (Gartner's technology maturity cycle). In short, its essence is that each new technology goes through a certain development cycle. The technology appears, develops, attracts interest, goes on sale, and this is where marketing kicks in. Advertising. It promises that the system will do everything, solve all problems, and also bring coffee to your bed and a little more of that delicious asparagus with cream sauce. But the technology at this stage is still raw. So there is a big gap between expectations and reality, which causes great disappointment. And the opinion spreads that this technology is a hoax, an unnecessary toy and a way of extorting money.
And that's it, the technology is discredited. Then, with luck, come the fixing of mistakes, adaptation and further development, and the technology does find its place in the market. But that is only with luck.
As for DLP, in Russia we are at the stage where vendors are recovering from the effects of stupid and dishonest advertising, and the products are improving and becoming worthy, grown-up solutions. The technologies, including domestic developments, have leaped forward. It is possible to control almost all channels. Confidential data recognition technologies continue to improve. But the aftertaste of disappointment, “we tried it / looked at it / read about it, and this DLP of yours is a complete sham”, is still there.

Perfectionism
Perfectionism in practice often means "all or nothing." That is, the DLP system must be able to both audit and block, control every imaginable channel, recognize speech and text in pictures, understand what a picture shows when it is not text, and do many more wonderful things. And if the system cannot do even one of these things, it is not worth bothering with.
The desire to get everything at once is understandable. But, firstly, there are no systems that can do everything. Perhaps they will appear in the future, and new systems will compete not so much on the number of features as on the quality of their implementation. But for now there are no perfect systems. Secondly, a system that can do a lot costs a lot. The option "I can do everything for three kopecks" does not exist yet either.
And another consequence of marketing: for some reason it is believed that it is enough to install a DLP system, and it will immediately, out of the box, find all the intruders and prevent all leaks. And completely on its own. Which, of course, is far from reality. The flip side of a complex, comprehensive system is significant labor costs for implementation and, most importantly, for maintenance.
So one should choose not an all-powerful system, but one that will solve the actual problems for money commensurate with what solving those problems is worth.

So, shall we play?
So the main difficulty in implementing DLP systems (and one of the main reasons for such a large number of leaks), as I see it, is that many companies are not yet ready to protect their information. Some technically, some organizationally, but the majority ideologically.
Meanwhile the number and volume of leaks keep growing. Moreover, according to statistics, 2/3 of leaks are caused by internal violators, which means they fall squarely within the scope of DLP systems. Yes, we can go on hoping that "this story is not about us, and nobody is interested in us." You can go on treating departing managers who take the databases with them as a customary evil, and budget for these losses in advance. On the other hand, there is a crisis on, and there is an opinion that sponsoring thieves and pilferers is an unaffordable luxury.
But there are opposite situations too. Companies with a small information security budget implement individual modules of DLP systems, individual mechanisms, to fight precisely the threats that are their priority. They do not chase marketing ghosts and do not turn away from threats; they set realistic goals and reach them.
Whether a DLP system is a fashionable toy or a tool is a matter of attitude. If you treat it like a toy, you get a toy. If you treat it as a tool, you can use it to solve your tasks and achieve the intended results.

Source: https://habr.com/ru/post/301120/

