Chapter 4: “Managing Your Data Loss Prevention Solution”
Congratulations on a successful DLP deployment and configuration! If your policies and priorities are well defined, then management won’t pose any difficulties for you and your team. Developing and following efficient day-to-day processes is described in the fourth and final chapter of the white paper Implementing and Managing a Data Loss Prevention Solution by Rich Mogull, analyst and CEO of independent research firm Securosis. Chapter 4, Managing Your Data Loss Prevention Solution, offers practical insights into management, maintenance, and reporting. Just to give you an idea about it takes—if you are monitoring 10,000 employees, you’ll probably need one dedicated, full-time technical resource.
Improved Incident Management
The whole point of implementing a DLP solution is to help you better detect and manage incidents. There are six important facets of effective incident handling:
- Management of the incident-handling queue: Most DLP solutions have an interface for incident management, which may be the responsibility of just a few individuals, or it could be distributed among a number of security specialists. Important features of the interface that will greatly assist incident handling include: interface customization, filtering of incidents, sort capabilities, and one-click handling right from the queue—without the need to open each incident.
- Initial investigation: Because DLP is all about how sensitive data is used, stored, and shared, you’ll want to make sure that most incidents are reviewed. The individuals assigned to incident handling will need to discover whether the incident is real, its severity level, and next steps. A history of violations by a particular user or of certain policies is useful, as it will help your incident handlers determine whether there is bigger issue or a trend.
- Initial disposition: After the initial investigation has been conducted, the incident can be elevated, or it could be subject to deeper investigation.
- Escalation and case management: At times, investigations may uncover misconduct by employees, which can potentially lead to firing and could require the involvement of HR or your legal department. Many DLP solutions include features that support this, with the ability to create appropriate reports or upload supporting documents for evidence.
- Closing an incident: Generally speaking, your DLP solution will be able to handle incidents in a matter of minutes, but there may be times when you might want to keep a case open for further investigation. Give some thought to what your retention policy will be and adapt your DLP tool accordingly.
- Archiving: Most DLP tools allow you to keep incident histories for more than a year—
always a good idea if you need to go back a review an incident.
Keep Your Policies Fresh
Day-to-day policy management activities help keep your policies current and help ensure that you have the best possible security controls in place. These generally don’t take up much time, but are necessary nonetheless. Typically, these tasks include distributing new policies to the right groups, adding new policies (follow the full deployment process), reviewing policies to make sure they meet your current business needs, tuning policies, and retiring policies that are no longer valid.
Analysis, which helps you focus on trends and the big picture, is another task that you’ll be engaged in on a regular basis after DLP deployment. There are three types of analysis that you will likely want to do: trend analysis to find out how risk may be increasing or decreasing over time, risk analysis to see what you might be missing or what policies may need to be added, and effectiveness analysis to make sure your DLP tool is working the way it should.
Troubleshoot, Maintain, and Report
When it comes to daily management, DLP is much like any other security solution. You’ll want to keep an eye on problems like false positives or negatives, system components that aren’t communicating properly, integration issues with web or email gateways, and new tools that are not compatible with your DLP solution. Maintenance, which is a relatively easy task in the case of DLP, consists of regular system backups, carefully clearing old incidents from archives to free up space, health checks, and updating server and endpoint agents. Finally, you’ll need to decide on how and when to produce reports that you will be presenting to management. Most enterprises create a variety of reports: monthly and quarterly summaries of all activity, trend reports, and compliance reports, which can be tied to audits.
Stay Up to Date
Keep up with the latest insights and news on DLP. Go to www.mcafee.com/DLP to learn more about McAfee Data Loss Prevention solutions, and please follow us on Twitter (@McAfeeDLP) and subscribe to the McAfee YouTube Channel for the latest videos.