Wednesday, September 3, 2014

Symantec Data Loss Prevention Implementation Strategy

Data Loss Prevention (DLP) is fast becoming a key element in protecting an organization's data.  Access to information is critical to an organization's success; conversely, the consequences of a data loss incident have never been higher than they are now.

Despite the hefty price tag, a DLP solution often proves to be a relatively easy sell (we protect *all* your data against electronic leakage!).  Whilst a successful implementation can achieve those lofty goals, the devil is in the details. 

The most important requirement is to have complete buy-in from the business; in fact, a successful implementation is impossible without input from all the stakeholders.  Secondly, we need to realize that any DLP solution is an iterative process.  Lastly, we need to have a proper implementation plan in place, and this will be the focus of this post.

High-Level Process Overview

Identify Confidential Data and Data at Risk (Phase 1)

Create Policies (Phase 2)

Discover Data-at-Rest (Phase 3)

Protect the Endpoints (Phases 4 - 6)

Protect Data-at-Rest and Data-in-Motion (Phases 7 - 8)

Remediation and risk reduction (Phase 9)

Breakdown of Phases

Phase 1 - Identify Confidential Data

During this phase we will train DLP to identify data that is critical and confidential to the business.

  1. Involve relevant stakeholders (compliance and risk officers, Heads of Departments, IT) to assist in identifying confidential data.

  2. Obtain sample data based on the above

  3. Introduce the sample data into the DLP Solution

    1. Sample data population for Exact Data Matching techniques (EDM) based policies

    2. Sample data population for Described Content Matching (DCM) based policies

    3. Sample data population for Indexed Data Matching techniques (IDM) based policies

    4. Submission of positive and negative samples for Vector Machine Learning (VML)
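As an added illustration (not part of the original post and not Symantec's code) of how the three content-matching techniques in step 3 consume the Phase 1 samples: a miniature EDM index of hashed record cells, a DCM pattern with a Luhn check, and an IDM shingle index, all run over constructed sample data.

```python
import hashlib
import re

# Constructed Phase 1 sample data (not real records): a two-column customer list
# for EDM and one confidential document for IDM. Real indexes are far larger.
EDM_ROWS = [("Alice Jones", "4111111111111111"), ("Bob Smith", "5500000000000004")]
IDM_DOCUMENT = ("Project Falcon pricing is confidential and must not be shared "
                "with partners before the Q3 board meeting.")

def _digest(value: str) -> str:
    """Normalize (drop spaces/dashes, lower-case) and hash, so the index never
    holds the plaintext values the business handed over."""
    return hashlib.sha256(re.sub(r"[\s\-]", "", value).lower().encode()).hexdigest()

def build_edm_index(rows):
    return {_digest(cell) for row in rows for cell in row}

def edm_match(text: str, index) -> bool:
    """EDM: exact hit on an indexed cell; 1-4 word windows let multi-word names
    and separated card numbers match (simplified tokenization)."""
    words = re.findall(r"\S+", text)
    return any(_digest(" ".join(words[i:i + n])) in index
               for n in range(1, 5) for i in range(len(words) - n + 1))

def luhn_ok(digits: str) -> bool:
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")   # 13-16 digits, optional separators
def dcm_match(text: str) -> bool:
    """DCM: a pattern describes the data; the Luhn check rejects random digit
    runs that would otherwise be false positives."""
    return any(luhn_ok(re.sub(r"[ -]", "", m.group())) for m in CARD_RE.finditer(text))

def shingles(text: str, n: int = 4):
    """IDM index: hashed word n-grams of a document (also used on the message side)."""
    words = re.findall(r"\w+", text.lower())
    return {_digest(" ".join(words[i:i + n])) for i in range(len(words) - n + 1)}

def idm_match(text: str, index, threshold: float = 0.5) -> bool:
    """IDM: share of the message's word shingles found in the indexed document."""
    s = shingles(text)
    return bool(s) and len(s & index) / len(s) >= threshold
```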

Phase 2 - Policy Creation

  1. Identify reporting and alerting audience

  2. Create policies to alert based on the datasets submitted in Phase 1

Phase 3 - Enable Data-at-Rest / Network Discover

During this phase we will enable the Network Discover component of Symantec DLP.  This allows us to scan data repositories on the LAN (File Servers / NAS's etc.) for policy violations.  We will only alert the DLP team during this phase.

  1. Deploy Symantec Data Insight (if purchased as part of the DLP Suite) to assist with identification of data owners, as well as to monitor and log permissions and data accesses by end-users.

  2. Configure Data Insight / DLP integration which will enable DLP to infer data owners based on intelligence gained from Symantec Data Insight.

  3. Consult with stakeholders to identify all relevant data repositories on the network

  4. Initiate a Network Discover scan of all the data repositories based on the previously created EDM, DCM, IDM and VML policies.

  5. Re-iterate the process to fine-tune the policies and EDM, DCM, IDM and VML data-sets

  6. Enable alerting to the relevant stakeholders and re-iterate based on feedback

Phase 4 - Pilot Deployment - Endpoints

During this phase we will only be monitoring.  Alerts will only be sent to the DLP team - no end user alerting or notification.

  1. EDM Policy Implementation for pilot group

  2. DCM based Policy Implementation for pilot group

  3. IDM based Policy Implementation for pilot group

  4. Re-iterative review of DLP policies, EDM, DCM, IDM and VML data based on alerting and reporting

Phase 5 - Enable Prevent Mode for Pilot Group

During this phase we will actively start blocking and alerting on the endpoints.  Both the end-users and the DLP team will receive alerts and notification.  We will depend heavily on end-user feedback to further streamline our DLP policies.

  1. Enable end-user notification

  2. Fine tune DLP policies based on end-user feedback as well as alerts

  3. Fine tune EDM, DCM, IDM and VML data based on end-user feedback

  4. Re-iterate the process to reduce false-positives

  5. Enable alerting to relevant stakeholders (Data owners, Heads of Departments etc.)

Phase 6 - Roll out the Endpoint Agent to all users

During this phase we will roll-out the DLP endpoint agent to all users.  Our policies and confidential data have been thoroughly fine-tuned so we can safely enable end-user alerting as well.

  1. Ideally we should provide the end-users with DLP / Security awareness training during this phase

  2. Deploy the DLP endpoint agent via the organization's preferred deployment mechanism (GPO / SCCM / Altiris etc.)

  3. Further fine-tuning of policies and EDM, DCM, IDM and VML data-sets based on alerting and end-user feedback

Phase 7 - Enable Data-at-Rest / Network Prevent

During this phase we will activate the blocking mode of the Network Prevent component.  This will involve quarantining, copying, encrypting and/or applying DRM to sensitive and confidential data existing on your data repositories.  Alerting will be to the DLP team as well as the relevant stakeholders.

  1. Verify all Data repositories configured within DLP during Phase 5

  2. Create the necessary FlexResponse rules to automatically respond to incidents.

  3. Actions include quarantining, copying, encrypting and/or applying DRM

  4. Add the FlexResponse rule to your policies

  5. Scan your data repositories

Phase 8 - Deploy Network Monitor and Network Prevent for Email and Web

During this phase we deploy the Network Monitor component, which operates via a mirror / SPAN port to capture Data in Transit incidents.  We will also deploy the Web and Email DLP components.  Alerting will be done to the DLP team as well as the relevant stakeholders.

  1. Install the physical DLP Network Monitor Server (This server cannot be virtualised as per Symantec)

  2. Integrate the DLP Network Prevent for Email component with your existing MTA (DLP can operate in either Reflecting or Forwarding mode)

  3. Integrate the DLP Network Prevent for Web component with your existing proxy server.  (The proxy server needs to act as an ICAP client to DLP.  Symantec DLP supports both the REQMOD and RESPMOD modes of ICAP)

  4. Further fine-tuning of policies and EDM, DCM, IDM and VML data-sets based on alerting
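To make the proxy integration in step 3 concrete, here is an added example (not from the original post, and not Symantec's code) of the generic ICAP REQMOD exchange defined in RFC 3507: the proxy, acting as ICAP client, wraps an outbound HTTP POST in a REQMOD message, and the DLP server's status code decides whether the request passes unchanged. The server name, service path and HTTP sample are constructed placeholders; a real deployment takes these from the product's configuration.

```python
ICAP_SERVER = "dlp-prevent.example.internal"   # hypothetical DLP Network Prevent host
SERVICE = "/reqmod"                             # hypothetical ICAP service path

# Constructed outbound request the proxy would hand to DLP for inspection.
SAMPLE_HTTP_HEADERS = (b"POST /upload HTTP/1.1\r\nHost: files.example.com\r\n"
                       b"Content-Length: 32\r\n\r\n")
SAMPLE_HTTP_BODY = b"card=4111111111111111&name=Alice"

def build_reqmod(http_request_headers: bytes, http_body: bytes) -> bytes:
    """Wrap an HTTP request in an ICAP REQMOD message.  The Encapsulated header
    gives the byte offset of each section; a body is sent chunked and ends with
    a zero-length chunk.  'Allow: 204' tells the server it may answer 204."""
    hdr_len = len(http_request_headers)
    if http_body:
        encapsulated = f"req-hdr=0, req-body={hdr_len}"
        body = f"{len(http_body):x}\r\n".encode() + http_body + b"\r\n0\r\n\r\n"
    else:
        encapsulated = f"req-hdr=0, null-body={hdr_len}"
        body = b""
    icap_headers = (
        f"REQMOD icap://{ICAP_SERVER}{SERVICE} ICAP/1.0\r\n"
        f"Host: {ICAP_SERVER}\r\n"
        f"Allow: 204\r\n"
        f"Encapsulated: {encapsulated}\r\n\r\n"
    ).encode()
    return icap_headers + http_request_headers + body

def icap_verdict(response: bytes) -> str:
    """Interpret the ICAP status line: 204 = forward the request unchanged,
    200 = the server returned a replacement (typically a block page), other
    codes = error that the proxy must fail open or closed on by policy."""
    parts = response.split(b"\r\n", 1)[0].decode(errors="replace").split()
    if len(parts) < 2 or not parts[0].startswith("ICAP/") or not parts[1].isdigit():
        return "invalid"
    return {204: "allow", 200: "modified"}.get(int(parts[1]), "error")
```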

Phase 9 - Ongoing remediation and reporting on risk reduction

This phase will be perpetual.  As incidents occur they will be remediated, and reporting to the relevant stakeholders will be set up and adjusted as necessary.  Your DLP solution is now fully deployed, and your policies and EDM, DCM, IDM and VML fingerprints will be continuously updated by the DLP team as business data changes over time.