Securosis, L.L.C.

Best Practices for Endpoint Data Loss Prevention

by Rich Mogull

This Report Sponsored by: Symantec

Author’s Note

The content in this report was developed independently of any sponsors. It is based on material originally posted on the Securosis blog but has been enhanced and professionally edited.

This report is sponsored by Symantec Inc.

Special thanks to Chris Pepper for editing and content support.

Sponsored by Symantec

Symantec’s Vontu Data Loss Prevention Solution is the industry’s first integrated suite to prevent the loss of confidential data wherever it is stored or used - across endpoint, network, and storage systems. By reducing the risk of data loss, Vontu DLP helps organizations ensure public confidence, demonstrate compliance, and maintain competitive advantage. Symantec’s Data Loss Prevention customers include many of the world’s largest and most data-driven enterprises and government agencies. Symantec’s DLP products have received numerous awards, including IDG’s InfoWorld 2007 Technology of the Year Award for “Best Data Leak Prevention,” as well as SC Magazine’s 2006 U.S. Excellence Award for “Best Enterprise Security Solution” and Global Award for “Best New Security Solution.” For more information, please visit

This report is licensed under the Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 nd/3.0/us/

Table of Contents

Introduction ... 4
    Information Protection for the Mobile Workforce ... 4
Technology Overview ... 6
    Broad Scanning with Deep Content Analysis ... 6
Deployment Best Practices ... 9
    Preparing for Deployment ... 9
Use Cases ... 13
Conclusion ... 14
About the Author ... 15
About Securosis ... 15

Introduction

Information Protection for the Modern Workforce

The modern enterprise faces information protection challenges we never could have imagined in the days when mainframes were dominant. The average laptop can carry up to a half-terabyte of storage, while keychain-sized USB storage devices can hold entire customer databases. Our users promiscuously connect to any network within wireless range of their laptops, emailing and exchanging our most sensitive information via a mix of private and public services. Simply locking down users is no longer an option; we need enabling technologies that protect our information while only minimally restricting our users. Rather than broadly blocking activity, we want to block only those actions that can damage us. These information protections need to be mobile, adaptive, and minimally intrusive.

One of the most promising techniques to help reduce this risk is labelled Data Loss Prevention (DLP). While most people think of network monitors when they hear “DLP”, the truth is that DLP tools have evolved to work on the network, in storage, and on the endpoint. Endpoint DLP is particularly well suited for enabling the modern workforce: it lets us intelligently protect our information based on the content, without completely blocking users from useful tools and services ranging from portable storage to online services.

Defining Endpoint DLP

Consider our definition of DLP:

“Products that, based on central policies, identify, monitor, and protect data at rest, in motion, and in use through deep content analysis.”

Endpoint DLP helps manage all three aspects of this problem. The first is protecting data at rest when it’s on the endpoint, or what we call content discovery. Our primary goal is keeping track of sensitive data as it proliferates out to laptops, desktops, and even portable media. The second part, and the most difficult problem in DLP, is protecting data in use. This is a catch-all term we use to describe DLP monitoring and protection of content as it’s used on a desktop: cut and paste, moving data into and out of applications, and even tying in with encryption and enterprise Document Rights Management (DRM). Finally, endpoint DLP provides data in motion protection for systems outside the purview of network DLP, such as laptops out in the field.

Endpoint DLP is a little difficult to discuss since it’s one of the fastest changing areas in a rapidly evolving space. No single product has every piece of functionality we’re going to talk about, so (at least where functionality is concerned) this report will lay out all the recommended options, which you can then prioritize to meet your own needs.

Endpoint DLP Drivers

At the beginning of the DLP market we nearly always recommended organizations start with network DLP. A network tool allows you to protect both managed and unmanaged systems (like contractor laptops), and is typically easier to deploy in an enterprise (since you don’t have to touch every desktop and server). It also has advantages in terms of the number and types of content protection policies you can deploy, how it integrates with email for workflow, and the scope of channels covered. During the DLP market’s first few years, it was hard to even find a content-aware endpoint agent.

But customer demand for endpoint DLP quickly grew thanks to two major needs: content discovery on the endpoint, and the ability to prevent loss through USB storage devices. We continue to see basic USB blocking tools with absolutely no content awareness brand themselves as DLP. The first batches of endpoint DLP tools focused on exactly these problems: discovery and content-aware portable media/USB device control.

The next major driver for endpoint DLP is supporting network policies when a system is outside the corporate gateway. We all live in an increasingly mobile workforce where we need to support consistent policies no matter where someone is physically located or how they connect to the Internet.

Finally, we see some demand for deeper integration of DLP with how a user interacts with their system. In part, this is to support more intensive policies to reduce malicious loss of data. You might, for example, disallow certain content from moving into certain applications, such as encryption tools. Some of these same hooks are used to limit cut/paste, print screen, and fax, or to enable more advanced security such as automatic encryption and application of DRM rights.

The Full Suite Advantage

As we’ve already hinted, there are some limitations to endpoint-only DLP solutions. The first is that they only protect managed systems where you can deploy agents. If you’re worried about contractors on your network, or you want protection in case someone tries to use a server to send data outside the walls, you’re out of luck. Also, because some content analysis policies are processor and memory intensive, it is problematic to get them running on resource-constrained endpoints. Finally, there are many discovery situations where you don’t want to deploy a local endpoint agent for your content analysis, e.g., when performing discovery on a large SAN.

Thus our bias towards full-suite solutions. Network DLP reduces losses on the enterprise network from both managed and unmanaged systems, servers and workstations alike. Content discovery finds and protects stored data throughout the enterprise, while endpoint DLP protects systems that leave the network and reduces risks across vectors that circumvent the network. It’s the combination of all these layers that provides the best overall risk reduction. All of this is managed through a single policy, workflow, and administration server, rather than forcing you to create different policies for different channels and products, each with different capabilities, workflow, and management.

Technology Overview

Broad Scanning with Deep Content Analysis

The key distinguishing feature of DLP, endpoint or otherwise, is deep content analysis based on central policies. This contrasts with non-DLP endpoint tools, such as encryption or portable device control (USB blocking). While covering all content analysis techniques is beyond the scope of this report, some of the more common ones include partial document matching, database fingerprinting (or exact data matching), rules-based, conceptual, statistical, predefined categories (like PCI compliance), and combinations of the above. They offer far deeper analysis than simple keyword and regular expression matching. Ideally, your endpoint DLP tool should also offer preventative controls, not just policy alerts after violations occur. How does all this work?

Base Agent Functions

There is tremendous variation in the capabilities of different endpoint agents. Even for a single given function, there can be a dozen different approaches, all with varying degrees of success. Also, not all agents contain all features; in fact, most agents lack one or more major areas of functionality.

Agents include four generic layers/features:

1. Content Discovery: Scanning of stored content for policy violations.
2. File System Protection: Monitoring and enforcement of file operations as they occur (as opposed to discovery, which is scanning of content already written to media). Most often, this is used to prevent content from being written to portable media/USB. It’s also where tools hook in for automatic encryption or application of DRM rights.
3. Network Protection: Monitoring and enforcement of network operations. Provides protection similar to gateway DLP when an endpoint is off the corporate network. Since most endpoints treat printing and faxing as a form of network traffic, this is where most print/fax protection can be enforced (the rest comes from special print/fax hooks).
4. GUI/Kernel Protection: A more generic category to cover data in use scenarios, such as cut/paste, application restrictions, and print screen.

Between these four categories we cover most of the day-to-day operations a user might perform that place content at risk. It hits our primary drivers from the last section: protecting data from portable storage, protecting systems off the corporate network, and supporting discovery on the endpoint. Most of the tools on the market start with file and (then) networking features before moving on to some of the more complex GUI/kernel functions.
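To make the content analysis techniques listed above concrete, here is a small analysis engine written for this report as an added example; it is not code from Securosis or from any DLP product. It implements three of the techniques named in this section: a rule/regex policy for Social Security Numbers, exact data matching (database fingerprinting) over hashed column values, and partial document matching over hashed word shingles. It also implements the location-dependent fallback described under Agent Content Awareness in the next section, where the heavyweight fingerprint policies run only while the laptop is on the corporate network and the regex alone runs in the field. The customer rows, the memo, the sample messages, and the policy names (gateway-full, endpoint-lite) are all constructed for the example.

```python
"""Toy DLP content-analysis engine: three detection techniques plus a
location-aware policy selector. Added example with constructed data; not
Securosis or Symantec/Vontu code."""
import hashlib
import re
from dataclasses import dataclass

# ---- Technique 1: rule/regex. Cheap enough to run on any endpoint. ----
# US SSN shape with structurally invalid area/group/serial ranges excluded,
# which trims false positives versus a bare \d{3}-\d{2}-\d{4}.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

def regex_rule(text):
    """Return every SSN-shaped string in text."""
    return [m.group(0) for m in SSN_RE.finditer(text)]

def _sha(s):
    return hashlib.sha256(s.encode()).hexdigest()

def _cell_hash(value):
    """Hash of a normalized cell value; the agent holds hashes, never raw records.
    Caveat: unsalted hashes of low-entropy fields (surnames) can be brute-forced
    by anyone who extracts the fingerprint store from the agent."""
    return _sha(re.sub(r"[^a-z0-9]", "", value.lower()))

# ---- Technique 2: exact data matching (database fingerprinting). ----
def build_edm_index(rows, columns):
    """One set of column-value hashes per database record."""
    return [{_cell_hash(row[c]) for c in columns} for row in rows]

def edm_match(text, index, min_cols=2):
    """Count records with at least min_cols fingerprinted values present in text.
    Requiring several columns from the same record keeps a lone common surname
    from triggering the policy."""
    tokens = re.findall(r"[A-Za-z0-9][A-Za-z0-9\-.@]*", text)
    token_hashes = {_cell_hash(t) for t in tokens}
    return sum(1 for record in index if len(record & token_hashes) >= min_cols)

# ---- Technique 3: partial document matching via word shingles. ----
def shingles(text, k=5):
    """Hashes of every k-word window. Order-preserving, so a copied paragraph
    matches but a heavy paraphrase does not."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {_sha(" ".join(words[i:i + k])) for i in range(len(words) - k + 1)}

def partial_doc_match(text, doc_fingerprint, k=5):
    """Fraction of the text's shingles that also occur in the protected document."""
    s = shingles(text, k)
    return len(s & doc_fingerprint) / len(s) if s else 0.0

# ---- Location-aware policy selection (policy names are invented). ----
@dataclass
class Policy:
    name: str
    techniques: tuple

def select_policy(on_corporate_network):
    """Full fingerprint policies on the corporate network or a full-tunnel VPN;
    only the regex rule when the laptop is out in the field."""
    if on_corporate_network:
        return Policy("gateway-full", ("regex", "edm", "partial_doc"))
    return Policy("endpoint-lite", ("regex",))

def evaluate(text, on_corporate_network, edm_index, doc_fingerprint):
    """Run only the techniques the active policy allows; return (policy, findings)."""
    policy = select_policy(on_corporate_network)
    findings = {}
    if "regex" in policy.techniques:
        findings["regex"] = regex_rule(text)
    if "edm" in policy.techniques:
        findings["edm"] = edm_match(text, edm_index)
    if "partial_doc" in policy.techniques:
        findings["partial_doc"] = partial_doc_match(text, doc_fingerprint)
    return policy.name, findings

def is_violation(findings, doc_threshold=0.5):
    return (bool(findings.get("regex"))
            or findings.get("edm", 0) > 0
            or findings.get("partial_doc", 0.0) >= doc_threshold)

# Constructed sample data: not real people, accounts, or documents.
CUSTOMERS = [
    {"first": "Jane", "last": "Doe", "ssn": "123-45-6789", "account": "ACCT-00417"},
    {"first": "John", "last": "Smith", "ssn": "321-54-9876", "account": "ACCT-00988"},
]
EDM_INDEX = build_edm_index(CUSTOMERS, ("last", "ssn", "account"))
MEMO = ("Project Falcon acquisition memo. The board approved an offer of forty "
        "dollars per share for Falcon Systems, contingent on regulatory review and "
        "shareholder vote. Do not distribute outside the deal team.")
MEMO_FP = shingles(MEMO)
SAMPLES = {
    "ssn_leak": "Hi, please process Jane Doe, SSN 123-45-6789, account ACCT-00417 today.",
    "record_leak": "Jane Doe's account ACCT-00417 needs a credit before Friday.",
    "memo_leak": ("FYI: the board approved an offer of forty dollars per share for "
                  "Falcon Systems, contingent on regulatory review. Thoughts?"),
    "benign": "Lunch at noon? The cafeteria has tacos today.",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        for on_net in (True, False):
            policy, findings = evaluate(text, on_net, EDM_INDEX, MEMO_FP)
            print(f"{name:12} {policy:14} violation={is_violation(findings)} {findings}")
```

Running it shows the trade-off the report describes for location-based policies: the record_leak message, which carries a customer's surname and account number but no SSN, is caught by exact data matching on the corporate network and missed entirely under the regex-only endpoint policy, while the memo_leak message is caught only by partial document matching (13 of its 15 five-word shingles come from the protected memo). The comment on _cell_hash records the practitioner's caveat: an agent-resident fingerprint store of unsalted hashes over low-entropy columns is a brute-force target, so the store needs the same protection as the data it stands in for.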

Agent Content Awareness

Even if you have an endpoint with a quad-core processor and 8 GB of RAM, it would be wasteful to devote all that horsepower to enforcing DLP.

Content analysis may be resource intensive, depending on the types of policies you are trying to enforce. Also, different agents have different enforcement capabilities, which may or may not match up to their gateway counterparts. At a minimum, most endpoint tools support rules/regular expressions, some degree of partial document matching, and a whole lot of contextual analysis. Others support their entire repertoire of content analysis techniques, but you will likely have to tune policies to run on more resource-constrained endpoints.

Some tools rely on the central management server for aspects of content analysis, to offload agent overhead. Rather than performing all analysis locally, they ship content back to the server and act on the results. This obviously isn’t ideal, since those policies can’t be enforced when the endpoint is off the enterprise network, and it consumes bandwidth. But it does allow enforcement of policies that are otherwise totally unrealistic on an endpoint, such as fingerprinting of a large enterprise database.

One emerging option is policies that adapt based on endpoint location. For example, when you’re on the enterprise network most policies are enforced at the gateway. Once you access the Internet outside the corporate walls, a different set of policies is enforced. You might use database fingerprinting of the customer database at the gateway when the laptop is in the office or on a (non-split-tunneled) VPN, but drop to a rule/regex for Social Security Numbers (or account numbers) for mobile workers. Sure, you’ll get more false positives, but you’re still able to protect your sensitive information while meeting performance requirements.

Agent Management

Agent management consists of two main functions: deployment and maintenance. On the deployment side, most tools today are designed to work with whatever workstation management tools your organization already uses. As with other software tools, you create a deployment package and then distribute it along with any other software updates. If you don’t already have a software deployment tool, you’ll want to look for an endpoint DLP tool that includes basic deployment capabilities. Since all endpoint DLP tools include central policy management, deployment is fairly straightforward. There’s little need to customize packages based on user, group, or other variables beyond the location of the central management server.

The rest of the agent’s lifecycle, aside from major updates, is controlled through the central management server. Agents should communicate regularly with the central server to receive policy updates and report incidents/activity. When the central management server is accessible, this should happen in near real time. When the endpoint is off the enterprise network (without VPN/remote access), the DLP tool will store violations locally in a secure repository that’s encrypted and inaccessible to the user. The tool will then connect with the management server next time it’s accessible, receiving policy updates and reporting activity. The management server should produce aging reports to help you identify endpoints which are out of date and need to be refreshed. Under some circumstances, the endpoint may be able to communicate remote violations through encrypted email or another secure mechanism from outside the corporate firewall.

Aside from content policy updates and activity reporting, there are a few other features that require central management. For content discovery, you’ll need to control scanning schedule/frequency, as well as bandwidth and perfor