
Implementation of DLP-system on the example of retail

“I beg your pardon,” a familiar voice spoke to me from the darkness, firmly but very quietly. Looking back, I saw the silhouette of a stranger moving smoothly in my direction. “Are you late?” he continued. “Perhaps,” I replied, quickly scrolling through all the options for the coming dialogue and comparing the person's appearance with the possible requests that came to mind.

He was a grandfather of about seventy, with a neat gray mustache and gray hair swaying slightly in the wind. He wore glasses, the gray suit typical of all men of that age, and a dazzlingly bright blue shirt. He seemed absurdly and brightly dressed, given that we were in one of Moscow's residential districts. After my answer he glanced at his watch and said, just as firmly but with a grin: “Then I, perhaps, am already late.” “Why is that?” I still did not fully understand what was going on. “Because I don't know how long your ‘perhaps’ lasts,” the grandfather answered with a sly smile on his face. “Time, time, it cannot be devalued; you have been telling me this ‘perhaps’ for a long time, and we are all waiting,” he went on without a smile. “Too many letters; write an article on Habr, the deadlines are tight,” said the grandfather, and I woke up...

As it turned out, it was a dream, a prophetic dream. So as not to annoy the Nikita Mikhalkov from my dream, I, a young guy from LANIT-Integration, wrote an article about the implementation of a DLP system using the example of retail.

1. What is a DLP system?


What is a DLP system? Suppose you already know, and you are ready to write: “DLP is as old as a mammoth”, “What is there to tell?”, “This is not news”. I will answer right away: the article is about an important part of the system's implementation, the analytics, because the techies do not know what information is really important. Besides, there are many articles about DLP, but few about how it is implemented and why integrators do the work. And yes, there will be a brief descriptive digest of DLP: other people, not you, may not know. Maxim from LANIT cares about his readers. Let's go!

DLP (Data Leak Prevention) is data leak prevention. The system analyzes information circulating inside the organization and leaving it. That is, this time the accounting department will not mass-mail information about your salary. Thanks to a set of specific rules configured in the system, you can block the transfer of confidential information or be notified that confidential information may be ending up in the wrong hands.


The descriptive detour is over; let's move on.

2. What inspired the implementation


Do you have a corporate network? Does it handle confidential information? Are you afraid that someone other than you will use your confidential information?

“YES! YES! YES!” the well-known retail company answered us impulsively and convulsively, like Agutin hammering the button, and it was not mistaken.


Our customer understood that the threat of a confidential information leak lies overwhelmingly with the company's current and former employees. Therefore, it was important to reduce the risk of a potential “employee and his friends” incident. Yes, you can say: “Hire normal employees” or “If you do not trust employees, why should they trust you?”. The answer is simple: the “crank” with the letter “m” will be found everywhere, and his “eccentricity” may not show immediately, and that is a risk.

But even in an ideal scenario, one cannot be sure that a reliable, professional employee will never make a mistake. For such employees the system works like a life jacket and at some point asks: “Maybe you don't need to do this?”.

3. Stages of work


Three major stages of implementation:

  1. formation of requirements;
  2. design and installation;
  3. system analytics and tuning.

Formation of requirements


Before introducing any system you need to survey the object of the future work. So our engineers and information security consultants took the first plane out to learn everything about the customer.


What we discussed:


After the survey, together with the customer, we began to consider all possible options for the future technical solution. Having formed a list of the customer's needs, we selected two domestic and two foreign vendors. By comparing the solutions, the most suitable product was chosen. Once the choice was approved, piloting started.

Pilot testing took one month. As a result, we made sure that the chosen solution covers all the customer's requirements. Having prepared the report and defended it, we moved on to the next stage.

Design and installation


After the pilot, we began the implementation. The first thing we started with was designing a system architecture covering all divisions, departments and branches. Next came agreeing the implementation plan. It is like breaking a bottle against a ship's hull at launch. We needed to explain to all employees what we were implementing, how it works and what goals we pursue. Thanks to the briefings on the DLP system and its purpose, we gained the staff's understanding and were ready to continue with our plan.

The next step was installing the hardware, setting up the software and developing policies.

You can spend millions on delivering and implementing the system, but without proper configuration the result will not be achieved. An out-of-the-box DLP system is not effective and does not function properly.


System analytics and tuning


After installation and deployment, we needed to understand clearly what we would protect and how to configure our DLP according to the necessary policies. Often the company has no clear idea what its confidential information is. No single person can say what information is confidential for the entire company, and here we are talking about an international organization with thousands of employees.

Therefore it is necessary to conduct interviews. Moreover, the interviews should be held with the key information holders, i.e. people who have the competence and understanding of what information is confidential in their field, because it is the heads of departments who are the business consumers of the DLP functionality. Information about a leak, after processing by the security officer, goes to the department head, who makes the further decision on what to do with the incident.


To determine the owners of the information we needed, we studied the organizational structure, experienced consultants made a proposal, and the customer's manager finalized the list of interviewees. It should be noted that an interview is useful only when the head of the department fully understands what functions in his department and how. Senior management may not be aware of the intricacies of a particular area.

From the interviews it became clear to us what information is confidential for the company. Each department yields its own types of confidential information, each of which should reach only a specific recipient.

For further configuration we needed examples of documents containing the protected information. The respondent showed us where it is stored and how it is transmitted. We needed all these analytical details to set up the system's rules and to understand how to protect this information.

After that, the policies were written and agreed in a form convenient for transfer into the system.

Typically, the DLP system works according to the following algorithm:

  1. interception of information (the system records the file: received, sent, opened, etc.);
  2. analysis of information (the system determines where the document is going and the nature of the information in it based on configured labels, i.e. it understands what kind of document it is);
  3. blocking or notification of an incident (the system determines how legitimate the operation on the document is by processing it according to the configured policies).


How to teach the system to analyze the information it receives?

Here are some types of confidential content detection:

  1. Form detector

    Allows you to detect forms containing such confidential information as tax, medical and insurance forms, etc.
  2. Digital fingerprints

    Uses fingerprinting methods to detect confidential information stored in unstructured data, including Microsoft Office documents, PDF files, and binary files such as JPEG, CAD and multimedia files. IDM (indexed document matching) also detects “derived” content, such as text copied from the original document into another file.
  3. Structured data matching

    Discovers content by identifying sources of structured data, including databases, directory servers, or other structured data files.

Having written the necessary policies, we had to hold the final activities before handing over the work.
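As an added illustration of the three-step loop (intercept, analyze, block or notify) and of the fingerprint and structured-data detectors described above, here is a small Python model written for this edition; it is not code from the original post or from any vendor's product. The corporate domain, the protected document, the customer rows, the intercepted messages and the thresholds are all constructed for the demo.

```python
import hashlib
import re
CORP_DOMAIN = "example-retail.test"  # assumed corporate mail domain (constructed)

# Constructed protected document, like a sample a department head hands over at interview.
PROTECTED_DOC = ("Pricing policy for Q3. Supplier discount 17.5 percent applies to "
                 "categories dairy and bakery. Margin floor is 12 percent for all regional stores.")
# Constructed rows standing in for a structured source (e.g. a customer database export).
STRUCTURED_ROWS = [("Ivanov", "+7 900 111-22-33"), ("Petrov", "+7 900 444-55-66")]

def shingles(text, k=5):
    """Hashed k-word shingles (the 'digital fingerprint'); the index never stores the text."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
            for i in range(len(words) - k + 1)}
INDEX = shingles(PROTECTED_DOC)

def fingerprint_overlap(text):
    """Fraction of the protected document found in text, so a copied paragraph still scores."""
    return len(shingles(text) & INDEX) / len(INDEX)

def structured_match(text):
    """Structured matching: count rows whose every field (name + phone digits) appears."""
    low = text.lower()
    phones = {re.sub(r"\D", "", p) for p in re.findall(r"\+?\d[\d\s()-]{6,}\d", text)}
    return sum(1 for name, phone in STRUCTURED_ROWS
               if name.lower() in low and re.sub(r"\D", "", phone) in phones)

def analyze(event):
    """Steps 2-3 of the DLP loop: classify, then decide. Thresholds are demo values."""
    fp = fingerprint_overlap(event["body"])
    rows = structured_match(event["body"])
    external = not event["to"].lower().endswith("@" + CORP_DOMAIN)
    if external and (fp >= 0.3 or rows >= 2):
        return "block"    # confidential content leaving the company
    if fp >= 0.1 or rows >= 1:
        return "notify"   # route to the security officer for review
    return "allow"

# Constructed intercepted messages (step 1, capture, is done by the agent or gateway).
EVENTS = [
    {"id": 1, "to": "buyer@partner.test", "body": "Hi, FYI: supplier discount 17.5 percent applies to categories dairy and bakery. Thanks"},
    {"id": 2, "to": "ops@example-retail.test", "body": "Ivanov asked to call him back at +7 900 111-22-33 today."},
    {"id": 3, "to": "someone@mail.test", "body": "Meeting moved to 10:30 tomorrow, see you in the main office."},
    {"id": 4, "to": "friend@mail.test", "body": "Clients: Ivanov +7 900 111-22-33; Petrov +7 900 444-55-66"},
]

def run(events=EVENTS):
    """Verdict per event id: {1: 'block', 2: 'notify', 3: 'allow', 4: 'block'}."""
    return {e["id"]: analyze(e) for e in events}
```

Message 1 is caught even though only one paragraph of the protected document was pasted into an unrelated e-mail, which is the "derived content" case the IDM description refers to.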

4. Summary


After commissioning, we started to conduct preliminary tests:


When data is received, a false positive rate not exceeding 30% is considered the mark of a perfectly tuned DLP system. The explanation is that more than 100,000 events can occur per day, so this percentage is acceptable. But even with the initially huge number of false positives, there were also events requiring the security officer's attention.

The role of the integrator is:


Even if this is not every point, it is already clear how buying hardware with some wiring differs from the purposeful purchase of equipment and its configuration for specific goals.

We integrate with love.
LANIT


P.S. Sold the car))

Source: https://habr.com/ru/post/458704/

