Cyber Security Articles

DATA LEAKAGE PREVENTION (DLP)

12 Practical Tips for Success


PART 1

Illyas Kooliyankal,
SVP & Chief Information Security Officer, Abu Dhabi Bank.
Email: illyaskool@gmail.com

Table of contents

Introduction
Consequences of data leakage
Focus areas
What could go wrong?
What is missing in DLP programs?
Overall summary

www.SecureReading.com

Introduction
CYBER SECURITY TRENDS & DATA-CENTRIC SECURITY

Cyber Security trends show that organisations are now realising the importance of data-centric
security rather than relying on perimeter controls only. Information is the most valuable asset that any
organisation possesses. Modern businesses entirely depend on data, irrespective of its size and
location.

Flexible and easy-to-use data is the business driver, which, combined with cost-effectiveness,
leads to the aggressive adoption of cloud and related technologies. Perimeters and
business isolations are the subjects of the past now.

One of the biggest concerns organizations have is Data Leaks, but it has been overlooked in the past and till now.

Multi-tenancy, Cloud, Big Data, Artificial Intelligence, FinTechs, and IoTs - all require
data and mobility. Business engagements, analysis, reporting, advisory services,
auditing, and consultancy - everywhere easy and quick access to information is
unavoidable.

The digital transformation and technological advancement across all walks of life demonstrate the
significance of protecting the organisations from data leakages.


Consequences of Data Leakage

The challenge in front of Cybersecurity professionals is how to protect the organisation from data
leakages without impacting genuine business activities.

Current and future technology direction and adoption lead to more avenues for data leaks.

Data Leakage Prevention (DLP) is at the heart of any information security program but is
often overlooked due to the efforts involved and lack of expertise available. Even today,
most organisations fail miserably in implementing controls around data leakage.

The list of companies at the wrong end of this includes Facebook, Google and many
bigger names. Unauthorized data leakage is the root cause of most of the current age
frauds happening in the industry.

Any lapses around data protection could end up in not having the right
level of controls around sensitive information, and can potentially lead to
financial, reputational, legal/regulatory or competitive losses to the
organisation.


Data Leaks can lead to significant damages to the organization and its services.

FOCUS AREAS
In this article, we look at some of the critical mistakes around data leakage prevention
programs and how to address those to meet the targeted Cyber Security objectives.

Technological limitations or ineffectiveness are often blamed for failure in Data
Leakage Prevention (DLP) initiatives, but in fact, that is only one angle of the whole
problem.

Lack of defining and adhering to appropriate processes and failure in educating the people
around it significantly hinder a successful DLP program.

Right process, trained and skilled users, and the appropriate technology - this is the
holistic and effective approach for organizations to take to manage information leakages.

Technology alone cannot solve the problem, but a holistic approach can!


What could go Wrong?


Data leaks can happen due to numerous factors, including Human error, process failure, technology
failure, hacking or an intentional malicious attempt by an internal employee.

Data leakages can happen due to many reasons: it could be due to People, Process and Technology.

What is missing in DLP Programs?

1 Lack of a comprehensive data security policy, and governance framework including classification schema/levels.

The absence of a management-approved policy and a defined framework could lead to an
inconsistent approach and ineffective implementation of DLP controls.

Solution
The starting point for any DLP implementation is an explicit policy with business relevance, in
alignment with organisational Cyber Security Policy.

Following the DLP Policy, it is recommended to have a detailed Data
Security Governance Framework to define roles, responsibilities, activities,
procedures, data flow diagram, and data schemes etc.


2 Lapses in effectively identifying information, that needs to be classified and protected.

Most organisations lack an up-to-date inventory of information assets. Firms try to
create the inventory by collecting the details of only documents or on an ad-hoc basis.

This method of inventory creation is a challenge for implementing effective data
leakage prevention measures, since the lack of effectively identifying the valuable data
means the organisations may not have the control to protect it.

The essential prerequisite for any information security assessment is an accurate asset
inventory at the organisation. However, most of the time, it doesn't happen to be the case.

The lack of asset inventory is an additional burden to the data classification team, as
the starting point is to have the right inventory of services, processes, and
data associated with those.

Solution

Organisations must seriously consider having a comprehensive asset inventory that is regularly
updated.

The inventory shall include the digital assets as well. If one is not available, collect
the data from multiple sources, including the Active Directory data, IP addresses, and information
from procurement, finance, the Enterprise Architecture team etc.

Past risk assessments and other internal engagements must have data collected for the
purpose; that could also be reviewed to prepare an initial list of assets.

The team needs to brainstorm and identify all the possible sources of data for an asset
inventory, which includes the list of business/support services & products,
processes, software and hardware assets, and information assets.


File Shares, Business Impact Analysis (BIA) data from the Business Continuity Team, past risk
assessment data are some of the sources.

Also, valuable inputs can be obtained from Intranet/Internet, Service Catalogues,
Configuration Management Database (CMDB), SOPs (Standard Operating Procedures), and
Product & Services list from business departments.

3 The absence of a structured approach to collecting information

Once the organisation identifies the need for information collection and
classification, the next question would be where to start and how to execute
that. The biggest challenge here is the absence of any guideline, policies and
procedures.

In the typical case, the Information Security Team will either meet the
concerned department or ask them to provide the data. Alternatively, they may
refer to the available documentation.

These ad-hoc processes may lead to an incomplete, inefficient, and very time-consuming
process, and at the end a less than desirable result regarding asset inventory and
classified data for leakage prevention.

Solution
Based on the defined policy and governance framework, and identified innovative
approaches to execution, the source of data collection needs to be listed.

This source could include the BIAs, Fraud Investigation Reports, past incident reports,
DLP (if existing solution) events/incidents, HR disciplinary records, File shares, and Intranet
portals.

InfoSec teams should have the right template for the information collection and right questions for
classifying the data. Before meeting and interviewing/collecting information from the business
departments, carry out maximum background work, and fill the templates.


Revalidation and refinement of the data collected should be the target objective for the direct
engagement with the business, which reduces the overhead on them and enables much quicker
progress in the exercise.

Also, the technical solution for identifying/discovering and labelling of data is a
complementing approach to have a more comprehensive data classification process.

4 Failure to conduct comprehensive classification exercise

Even after having the inventory of data, most organisations don’t have
the right process or criteria to classify the information.

Without ensuring an effective classification, DLP is led to focus on a
massive amount of data that may include non-sensitive data, which could lead to
inefficient policies and wastage of investments.

Thousands of false positive alerts are another significant challenge that
originates from a weak classification process, which will, in turn, make it
impossible for the security team to monitor and respond.

Solution

Based on the Data Classification Policy and Governance Framework,
organisations need to conduct a data classification exercise. This
classification process may have to go through multiple iterations to get maximum
accuracy.

Definitely, the InfoSec team needs to prioritise and set clear expectations and
outcome. Data classification may be extended to define the data
flow diagram, to understand the legitimate business activities and related data
path, to reduce the false positives.

During the classification exercise itself, the team can identify the business impact
of the data breach, and then the controls required for the classified data based on
criticality and business needs.


The InfoSec team needs to play a significant role in reducing overhead to the business and also
provide the right visibility on the risks, and potential controls for the business to
recommend relevant measures through an informed decision process.

5 No background work, to collect, analyse and gather services, process and information.

In most cases, data classification starts and ends without the real benefit for the
organisation. The considerable challenge faced by the organisation is around where to
start, and how to proceed, and the sheer size of the data to be collected and analysed.
Lack of policy and procedure and an approach document just adds more
troubles to this.

Solution
Define a clear roadmap for data classification, with different steps, phases, activities, ownership,
constraints, risks, challenges, and proactive solutions. Analyse the data in hand and its sources,
and correlate those to identify as much information as possible.

6 Lack of total visibility of data - including data that is being received by the organisation.

Most organisations may have the visibility of the data they produce, including the
documents created by employees, or reports produced from applications.

Many other data sources/locations may be missing for the data
identification and classification exercise.

The absence of total visibility leads to incomplete security around
data leakages. It may lead to legal, regulatory and contractual breaches too.

Notably, information received from partners or third parties doesn’t get the visibility for data
identification and classification.

Contractual and regulatory responsibilities to protect those data also get overlooked due to
this.


Solution
Establish an effective and automated process to ensure that all data location and
incoming and outgoing channels are being identified and monitored.

Centralised locations for incoming data, detecting attachments and sensitive data
through email and other channels, and establishing a data room for information
exchange with third parties can assist towards this.

7 No defined roadmap for data classification and data leakage prevention

Planning for the complete solution, without short-term objectives and quick wins

As in any other initiative, it is not practical to achieve a perfect or 100% accurate output at
one go.

However, in most of the cases, organisations tend to target to finish and get the
perfect solution at the outset of the data classification and
leakage prevention exercise.

Solution
It is always better to take a step-by-step approach and target a certain maturity level at the initial
phase.

Define short-term goals, and work towards them. Instead of aiming for the perfect and most accurate
output, set reasonable expectations according to business criticality and priority.

However, ensure that the approach and the data are right to quickly compile and iterate for
refined accuracy on an ongoing basis. Ensure continual improvement with a defined KPI.


8 Lack of Right Technology for Data Classification & DLP

Many organizations procure data labelling and DLP solutions without
understanding and defining the requirements and business environment
adequately. Selection of the solution may be done in an ad-hoc manner, influenced
by market trends or vendor sales pitch.

In many cases the procurement and implementation are done without understanding the
functionalities required, and without the right clarity about the solution
objectives. Technologies are being sold as a magic wand for all security problems,
including data leakages.

In the end, solutions may be implemented but without any real business benefit or
effective control of data leakages.

Solution
A comprehensive risk assessment shall be conducted in consideration
of data leakage aspects, covering the vulnerabilities and threats. Potential threat
agents and channels of data leakages shall not be overlooked.

A detailed Request For Proposal (RFP), Business Requirements Document
and Functional Specification Document must be developed with a
focus on target objectives and outcomes of the program.

Solutions need to be procured that can mitigate the risks in an effective and
efficient manner, without impacting the business operations.

Selection of the product or combination of products shall be done based on well-defined
evaluation criteria and a comprehensive process that may include running a POC (Proof
Of Concept).

Implementation and configuration of the solutions must be done with qualified and
experienced professionals in order to configure and maximise the usage of all available
functionalities in alignment with the risk scenarios and business needs.

9 The absence of a defined process for DLP rule creation, and refinement

Organisations miss defining the risks and channels of data leakage and what levels of policies to
apply. This could again lead to ineffective policies that can cause business disruption and may
not detect or respond to critical data leaks.

Business inputs and decisions may also be missing if the right visibility and discussion to define
the rules are not in place.


Solution
Business logic and data flow mapping could be analysed to determine the business needs
of data transfer. Authorised activities and relevant stakeholder identification help to
determine the genuine data transmissions and potential leakages.

Policies can be defined to detect, prevent or ask for justification based on the
significance of the data and the consequence due to its leakage.

10 Ineffective and inappropriate reporting and responding procedures

Data classification and leakage prevention could be ineffective if the process
around it is not well defined, which includes how to report and respond to the
different activities around it.

In case of any detected incident or potential incident, most of the time
clarity is lacking on how to report, what actions to take, whom to contact,
and who is authorised to take the decision.

Considering the sensitivity of the incidents, lapses in these could lead to
organisational resistance, impact the employee morale, and cause business
disruptions.

Solution
An Incident Response procedure, with a defined subcategory for data leakage
incidents, shall be defined with clear roles and responsibilities and an
escalation matrix.

The sensitivity of the incidents, parties involved, and the consequence of the
leakage may be referred to in defining appropriate procedures and escalation
levels.

It is also necessary to define the violation levels, disciplinary process, reporting management, and
corrective actions - in alignment with relevant organisational policies and procedures.

11 Lack of process and commitment to continue the classification process on an ongoing basis

Even if the first-time exercise is completed successfully, the real effectiveness of data classification
and leakage prevention depends on how well the company maintains and improves its data
classification process and leakage prevention mechanisms.


Solution
Policy and procedures must be defined with assigned responsibilities to make sure that
the data classification and leakage prevention is an ongoing exercise.

Relevant data labelling tools, their integration with data leakage prevention (DLP) solutions,
defined and automated processes, and employee education and awareness are crucial for the
effectiveness of ongoing adherence to relevant controls.

12 A scarcity of skilled resources, who understand and can effectively achieve DLP Objectives

Traditional methods and thinking cannot produce the desired results in data
classification and data leakage prevention (DLP) activities, especially considering the
complexity and magnitude of the work involved.

Lack of quality resources with holistic experience in security and business acumen
and that too with an innovative mindset is a significant challenge for organisations.

Solution
Define the frameworks, templates, processes, and implement the right technology for data
classification and leakage prevention. Identify and hire good talent with technology and process
related skills and experience, with a mindset to learn and understand the business services and
processes.
The resource needs training and nurturing to support the organisational data leakage prevention
objectives.

Robust planning and controls around people is key to the success of a Data Leakage Prevention Program.


Overall Summary of DLP Challenges and Proposed Solutions

Summary of the challenges around DLP & proposed solutions depicted in the infographics below.


About the Author

Illyas Kooliyankal is a renowned Cyber Security Transformation Leader, serving as SVP & CISO in a
leading bank in Abu Dhabi. He is currently a member of prestigious UAE Bank Federation Information
Security Committee and former Vice President of ISC2 (UAE Chapter). Winner of many international
awards, including the EC Council (USA) Global CISO Award (Runner Up), ISACA CISO and Emirates
Airlines CISM Award and a celebrated keynote speaker at international conferences in the USA, UK,
Singapore, Dubai, etc. With more than 15 industry certifications and many whitepapers and articles,
he brings in his innovative thoughts to transform organizational security landscape.

About Secure Reading


Established by a team of visionary leaders in the global cyber security
arena, and closely mentored by prominent CISOs, Secure Reading is an
online portal, a complete knowledge base with cyber security news, advisory
services, training etc. We also provide cyber security consultation for enabling
individuals and businesses to fight the toughest of cyber challenges.

Corporate Head-Quarters: 41/406 E, 4th Floor, Beejay Towers, Rajaji Road, Cochin 682035
Ph: +91 9995531819, +91 9744303817
Email: info@securereading.com

UAE: G-19, AFNAN Building, The Square-Dubai, PO Box: 98981
Phone: +971 4 269 5669
Email: info@rightclickuae.com

Learn more at www.securereading.com

Copyright © 2018 Secure Reading

