DLP Will Always Be Leaky

Data leak protection (DLP) technology is valuable, and will be widely used. All the same, it's important to get expectations right.

DLP will always be leaky. It will be useful for stopping most employees from doing things they shouldn't do, most of the time. But in particular, it won't stop malicious, badly intentioned people from doing things they shouldn't do.

There are two reasons for this:

  • Security follows functionality. For the sake of productivity and convenience, users will be allowed to do things that make it hard to stop data leaks.
  • Rapid change of technology. New ways of getting out information are appearing all the time, and it's hard for vendors to keep up. To see examples, check our recent bulletin, Compliance in a Web 2.0 World.

... David Ferris

One Comment

  1. Kevin Rowney
    Posted June 13, 2008 at 11:02 AM

    There’s a big untold story around the distribution of risks in enterprise environments that is the primary motivator for what the DLP vendors are focusing on. More analysts and practitioners need to understand that giant swaths of risk are now treatable with DLP, and that the threat models not yet addressable by DLP offerings are relatively rare events.

    There are multiple studies now (Ponemon, FBI/CSI, USSS, Symantec/Vontu, Verizon) clearly indicating that the distribution of risks across threat vectors is far from uniform. In particular, it seems clear from these studies that two of the biggest categories of risk, 1) well-meaning insiders, and 2) internal data exposure events that lead to hacker breach, account for a really large chunk of the overall risk profile.

    This point that you and many other analysts raise about malicious insiders and the difficulty of addressing those risks seems to ignore a lot of the context both from the studies cited above and our customer experience. If – as we see repeatedly in our deployments – the bulk of the risk of exposure is from well-meaning insiders and internal data exposure events, then it's just sound thinking to prioritize treatment of those risks FIRST, because that's just basic risk management. The data show that these risks really are more important.

    Another key item of research that is often ignored around the problem of malicious insiders is that both USSS and FBI have run the personality profiles on convicted cases of malicious insiders. A consistent pattern emerges in these cases that the perpetrators are often angry and bitter employees who seek revenge in a quasi-public and sloppy fashion. The assumption that security people and analysts often make is that malicious insiders are subtle and hard to catch, but the case histories just don’t show that to be the case (usually).

    My point is that – even though DLP solutions are not designed to do this sort of thing – we very often catch such cases. Even though we focus on catching the biggest most threatening risks (well meaning insiders and internal data breaches) we are often involved with cases of malicious data loss. The sloppy practice of these vengeful insiders makes them very obvious to the Data Loss Prevention systems.

    Summarizing, Data Loss Prevention vendors actually aren’t all that leaky and the stuff we miss – often enough – is way less important than the stuff we catch.

    Kevin Rowney
    Founder, Vontu Division of Symantec

  2. Posted June 13, 2008 at 11:22 AM

    Kevin, yes. This is basically what we’ve been telling people since about 2005.

    I don’t see how David’s bulletin is inconsistent with this. Especially the 2nd graf.

  3. dferris
    Posted June 16, 2008 at 4:27 PM

    Kevin,

    Thanks for this posting. I really like the points you make. They sound valid to me, and important. Like Richi, it’s not clear to me that we disagree with you.
