
The difference in approaches to information security "here" and "there" (using DLP as an example)

A modern DLP system is a huge combine that can be used in very different ways. A couple of years ago, DLP developers were all in roughly the same position: they had approximately the same product, which had to be developed somehow, but it was not entirely clear in which direction. Around that time two different approaches emerged, which can be labelled "Western" and "Eastern". Most likely this comes down to differences in business culture and, more generally, to differences in how "security people" work.
What are these differences?

[Figure: the two approaches side by side]

On the left, the Western approach, "lock everything down, nothing is allowed"; on the right, our approach, "monitor everything and everyone".

Simplifying somewhat, a DLP system is a program that analyzes all traffic in the organization and blocks a transfer if the transmitted information looks confidential.

[Diagram: DLP operation for the rule "prohibit the transfer of credit card data"]

The diagram shows the principle of DLP operation using the rule "prohibit the transfer of credit card data" as an example. Two letters are sent: letter No. 1 contains credit card details, letter No. 2 does not. After analysis on the mail server, letter No. 2 is delivered to the addressee, letter No. 1 is returned to the sender, and the security officer / administrator is notified of the attempted violation.
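The rule from the diagram, written out as an added example (not code from the original post or from any DLP product): one detection engine that looks for Luhn-valid card numbers in a message body, and a policy switch that either blocks the message (the blocking-only usage described below) or delivers it while recording the finding for later analysis. The two letters, the test card number and the function names are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample messages. 4111 1111 1111 1111 is a well-known test number.
LETTER_1 = "Please charge card 4111 1111 1111 1111, exp 12/27, for invoice 18."
LETTER_2 = "Your order 1234567890123 has shipped; questions: +7 495 123-45-67."


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out digit runs that are not card numbers (order ids etc.)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return masked (last four digits only) Luhn-valid card numbers found in text."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            # Never store the full number in the incident record.
            found.append(digits[-4:].rjust(len(digits), "*"))
    return found


@dataclass
class Verdict:
    action: str                               # "deliver" or "block"
    findings: list[str] = field(default_factory=list)
    notify: bool = False                      # alert the security officer?


def inspect_mail(body: str, block_on_match: bool = True) -> Verdict:
    """Apply the rule 'prohibit the transfer of credit card data' to one message.

    block_on_match=True returns the letter to the sender (blocking-only usage);
    False delivers it but keeps the finding and alert for retrospective analysis.
    """
    cards = find_card_numbers(body)
    if not cards:
        return Verdict("deliver")
    return Verdict("block" if block_on_match else "deliver", cards, notify=True)
```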

Western security specialists use the program only to block sensitive information. In practice it looks like this: the system is installed, they mark what they consider important information, set up security rules, enable blocking for certain operations, and come back to the system once a month to refine the rules and check that they work. Anything not needed for work is blocked by other tools, and DLP monitors the permitted traffic (usually mail) for violations.

Accordingly, Western developers are primarily concerned with fast and reliable blocking and a clear procedure for configuring rules, leaving what little analytics there is to other systems (for example, SIEM). Sometimes in "their" systems it is not even possible to store the intercepted data and, consequently, to carry out retrospective analysis and investigation: why would you, when the system is not intended for that and nobody uses that functionality?

The "Eastern" approach, on the other hand, is characterized by a different way of using the tool at hand. While it works, DLP collects a huge amount of information: all employee conversations, time spent in applications, websites visited, typed text, and so on. In the course of collecting it, the system can not only check for transfers of sensitive information but also analyze and process the data according to the configured settings, and that data can then be presented visually as graphs, charts, tables, document-flow diagrams and employee communication maps.

I deliberately do not want to touch on the ethical side of the question; it is too vast a topic and deserves a separate discussion. But this functionality is in demand, so domestic (and Asian, since they have a similar approach) developers pay more attention to analytical capabilities, and modern DLP in some respects looks more like a tool for tracking user behavior, a product of the UBA class. With this approach the economic security of the organization is largely covered, such a product interests security staff as a tool for full-fledged investigations, and the main functionality of "classic" DLP, blocking, is no longer the most important thing.

The difference between the approaches is visible to the naked eye, but what causes it remains an open question. Perhaps it is due to different laws and attitudes toward the notorious privacy, or perhaps historical context matters and "our" people, along with the Chinese, prefer "manual" control to automation. It would also be interesting to learn whether there are other examples of similar products evolving such different functionality "here" and "there"; if anyone remembers one, send it in.

Source: https://habr.com/ru/post/352588/
