Banking on Data Loss
How to Know When Your Solution is Efficient and Effective
Data loss prevention has undergone a paradigm shift, according to Jared Thorkelson, principal of DLP Experts, and Tom Clare, senior director of product marketing at Blue Coat Systems. And in an exclusive interview, these two DLP authorities discuss:
- The biggest DLP myths in the marketplace;
- How to know whether your solution is effective;
- How to derive ROI from your DLP deployment.
Thorkelson is Principal at DLP Experts, a firm dedicated exclusively to data loss prevention (DLP) products and services. DLP Experts serves its customers with leading DLP and data protection technologies to provide an agnostic approach to the problem of data security. Foundational consulting services support buyers of DLP technologies with a field-tested and comprehensive data loss prevention process. Thorkelson has held executive-level positions with technology firms for nearly twenty years and holds a bachelor's degree from Brigham Young University.
As senior director of product marketing at Blue Coat Systems, Clare drives product strategy for the company's Secure Web Gateway solution. Prior to Blue Coat, he held senior product marketing and management positions with Check Point Software Technologies, Qualys and McAfee. His security career began with a federal firewall project in the mid-90s and has encompassed firewall, VPN, encryption, intrusion detection, risk-assessment, anti-virus and proxy solutions. Clare holds a B.S. in computer science from Central Michigan University and an M.B.A. from the University of Texas.
TOM FIELD: What is the true value of DLP? Hi, this is Tom Field, Editorial Director with Information Security Media Group. We're talking about DLP today, and we're talking with Jared Thorkelson, Principal with DLP Experts and Tom Clare, Senior Director of Product Marketing with Blue Coat Systems. Jared and Tom, thanks so much for joining me today.
JARED THORKELSON: Thank you.
FIELD: Just to get us started here, Jared, why don't you tell a little bit about yourself, and then Tom, chime in right after and tell us a bit about yourself and your background please.
THORKELSON: My name is Jared Thorkelson and my company is DLP Experts. As the name implies, we are a little bit unique in the industry in that we offer products and services with a focus exclusively on data loss prevention and data protection technologies. I've been in the technology and security space now for going on 20 years, and I have spent the last four years focused specifically on data loss prevention.
TOM CLARE: I'm Tom Clare. I've been involved with security since the early '90s, involved with early firewalls, antivirus, virtual private networks. Got involved with Blue Coat in 2003, so I've been around many years, involved with our web gateways and proxy solutions and, of course, now the advent of data loss prevention as an option for your web gateway and other areas for DLP and putting email. I've also done network and discovery.
FIELD: Well, good, let's talk a little bit about the marketplace. Jared, I've got a couple questions for you upfront. First is: What do you find the biggest DLP myths in today's marketplace?
Biggest DLP Myths
THORKELSON: Oh, that's an interesting place to start. You know, the DLP space is really still evolving, and it overlaps slightly with so many different product offerings like device control, email and web security, encryption, and consequently just about any technology company can now claim some small element of DLP in their offering. In fact, there is one big office supply chain with an extensive listing of what is called "Data Loss Prevention Solutions", which includes things like removable storage devices, privacy filters for computer monitors and surge protectors. So that is an example of the wide net that the term data loss prevention seems to cast, and this really leaves the marketplace very confused about what products really constitute data loss prevention.
So the first area of confusion or myth, if you will, is really what constitutes data loss prevention? Without getting into a specific definition of DLP, I can say for example that an encrypted thumb drive is not DLP. A lot of vendors would like to push the moniker DLP onto all their products.
Kind of an extension of this myth is the idea that it is possible to address DLP with an add-on to another security product. In reality, most of these solutions cover only one leakage vector, and very often they do that with limited data detection capability. In many respects, you know, that just doesn't fit the generally accepted definition of data loss prevention, which typically calls for content awareness. A lot of these add-on DLP products really don't provide that.
Then lastly, there is this long-standing notion that DLP solutions must be by definition architecturally complex. If you consider how DLP solutions have evolved over the past five or six years, you start to see how the technologies have grown in complexity, and what I'm excited about is the news that there are solutions that address the major requirements of DLP without that added architectural complexity. In fact, just recently, to show this contrast, I saw two different vendor proposals for a customer's data loss prevention initiative. One of these solutions called for over a dozen separate servers, and the other solution called for just two. So you can see that contrast between over a dozen and two servers. That is kind of the way the marketplace is going.
FIELD: Now, Jared, you and I have talked offline a little bit, and you have described a paradigm shift. Describe for our audiences please, what has been the DLP paradigm shift you've seen?
THORKELSON: Well, you know, it actually ties into the myths that I just mentioned. These really constitute the DLP paradigm shift, and the original thinking on DLP, or the original paradigm if you will, was one that addressed just a single component. As I look back on my experience in security, there were a lot of email security vendors in the marketplace that could do a little bit of the DLP equation. So, that was kind of the first paradigm. While this was very simple, it didn't address the complete requirements for preventing data loss, and as the marketplace has evolved, those requirements have grown. Over time, vendors created more complete solutions, which resulted in what we know today as the first generation DLP solutions, which typically are modular multi-server approaches. What that means is one box for monitoring, another for blocking, another for discovery, and so on. This is the architectural complexity I referred to earlier.
So, the paradigm shift we are actually witnessing today is really driven by the end user requirement of simpler DLP enforcement technologies. The paradigm shift is being reacted to by each vendor differently, and it is interesting to see the varied responses from those vendors.
When is DLP Effective?
FIELD: One more question for you, Jared, and then I want to bring Tom into the discussion as well. Given the dynamics you just laid out for us, how does an organization know when its DLP solution is effective?
THORKELSON: That is a very difficult question to answer because, by the very nature of data loss prevention, you really don't know what sensitive data might be leaking from your company until you actually deploy some form of either DLP monitoring or enforcement. Actually, I take that back; I guess there is one way you will know if you are leaking sensitive data without even DLP technology, and that is when the FBI shows up at your office. That is a very serious situation. When somebody shows up with a list of customers whose data has leaked, that's problematic.
But seriously, you'll really only know when your DLP solution is effective when you deploy it and you start to see the reports of what has been prevented from leaking, and that is a big distinction as well. Not just what has been detected, but what has actually been prevented. When we talk about DLP, the P stands for prevention, but the reality is that most vendors focus on data loss detection, and then a lot of companies, for a number of different reasons, maintain that idea of data loss detection and really don't move into the prevention stage like I feel they should.
Second Generation DLP
FIELD: Very good, and again I want to bring Tom Clare into this now. Tom, you and I have spoken offline as well, and you've talked about second generation DLP solutions. Why don't you outline for us what you see as the hallmarks of these second generation solutions?
CLARE: One of the key things that Jared kind of pointed out was the reduction of the architectural complexity as we move to an appliance form factor. The appliance and the software that is in it is all pre-built, ready to go, so appliance ready, policy ready, and it is a multi-purpose solution. You can use it for discovery, fingerprint your data and, of course, update your policy. That can be purposed for email monitoring and protection, web email monitoring and protection, or network. So, again, multipurpose appliance architecture; dedicated, high performance on dual 64-bit CPUs, memory up around 24 gigs or higher; boxes that can handle enterprise-level fingerprinting, which is very intensive. It is a lot like antivirus -- you're building signatures. Fingerprinting is just like signatures with your confidential data, and you're going to go on ahead and hit some very, very large content management servers and try to locate rogue locations of that to rein in your policies. You end up knowing where your data is, and you have very consistent policies.
That allows, in the situation Jared described earlier where he saw a bid, two appliances, which are most likely next generation DLP, versus 12 servers. The reason there were 12 was one was dedicated just to email monitoring and then email protect. The company would have to acquire the software, acquire the hardware, acquire the databases, assemble all that together, and the issue there is it is not re-deployable. So, as you go through the phases of DLP, you probably are going to want to move things around. It can be pretty intense on discovery in the initial phases, and a lot of hardware. If you can't repurpose the system, it just puts in a layer of complexity from the first generation you really don't need. That is a quick answer: multi-purpose, high performance, and ready to deploy.
When Does ROI Emerge?
FIELD: So, Jared talked about when a DLP solution is deemed effective. Give us an insight of when does an organization start to see the benefits of these DLP solutions?
CLARE: In DLP there are really two topics. There is efficiency, and there is effectiveness. Obviously second generation is going to give you some efficiency right off the bat. You can wrap up an appliance and go. But there is a valley of processing you have to go through with DLP. A lot of companies get kind of stuck in the middle. If you look at the research of over a hundred companies on the best practices in DLP, they started out with a focus to protect their brands. They wanted to protect their trust and relationship with their customers, their business partners. They just weren't reacting to compliance. So, again, very proactive; they had consistent policies for data in use, data in motion, and all the different locations. And so, some organizations are worldwide. A lot of locations are hard to do, but a complex environment is still going to have to have consistent policy. So even before you get around to the technology in the second generation appliance, you have to understand your consistent policy, and then the best-in-class, best-practice organizations completed a discovery. They didn't just put in a monitoring gateway and start looking at patterns and things like that, like you see with simple DLP. They went and did the work; they found all the rogue locations, and they reined things in and developed a consistent policy. They also used solutions that would educate the user, and they moved to automated prevention. We'll talk about some of that in a little bit, about some of the results. I think the key thing with best practices is: Know your data. Develop consistent policies, and that starts right away with discovery.
FIELD: Well that is exactly where I wanted to go with this. It seems pretty easy to build a business case for investing in DLP, but where and how do you start to get back that ROI as you mentioned?
CLARE: Yeah, that is the second half. So again, back to that efficiency and effectiveness. We just covered efficiency, but effectiveness is really interesting. One study was pretty large -- over 100 different organizations -- and what we saw is that you can get stuck in this valley. If you use monitoring only, if you use practices that notify users and kind of coaching-type stuff, the incident rate over a year didn't change or go down. You really saw reduction in DLP incidents when you moved to automated prevention. So, here you've got your email and your web gateway set up. You are doing the monitoring, and you see a violation under your consistent policies, you go ahead and block that and notify the user appropriately with an alert that the following transaction is not allowed due to a policy that is known and communicated and aware within the organization at large. So in the study, there was a 5x increase. If you had monitoring and notified user only, you're up quite a bit higher. You got that 5x reduction when you went to automated prevention. So, here you start to see your return on investment. One of the worst scenarios for a customer is to have the situation where there is no data loss, to invest in a lot of technology and then get stuck in the middle, kind of that discovery monitoring phase, and never make it all the way across that DLP valley into automated prevention, where you start to see the return on investment. So, worst case scenario: you're stuck in the middle, spend a lot of money on technology, still have DLP incidents, which you are probably dealing with, and you haven't got the return on investment. So you kind of have to crawl, walk, run, whatever process it takes your organization to get to automated prevention, and then you see a huge reduction in incidents and you see a best-practice situation.
DLP Trends for 2011
FIELD: Tom, that is a great explanation. To wrap things up here, I've got a final question for each of you, and Jared, I'm going to throw this your way first. As we head into 2011 now, what do you see as the biggest DLP trends?
THORKELSON: Well, I would have to say that what I'm starting to see is an increase, an overall increase in not just the interest in DLP, but actual activity and initiatives. Organizations are actually deploying DLP in a way that they haven't in past years. DLP is one of those technologies where they have said for years, "It is going to be the year of DLP." I think 2011 may turn out to be that year of DLP. And along with that increased deployment rate is a push downward to smaller-size organizations. DLP started with the biggest companies in the world, who had to have DLP almost at any cost. Now it is kind of filtering down to smaller-size organizations, and when I say smaller, I'm talking about, you know, 10,000, 5,000, 2,500-user organizations. So, that is what I see happening in 2011, a lot more activity and movement downward to smaller companies.
FIELD: Very good, and Tom, the same question for you. What are the DLP trends you're looking at as we head into next year?
CLARE: One of the hallmarks is going to be that focus on TCO, Total Cost of Operation -- what's my return on investment? You see those questions quickly. A lot of early DLP is known for having high professional services costs, upwards of two to four times the original product cost, and this prohibits a lot of organizations from entering a DLP project. The financial wall of entry is just too high to climb. What we're seeing with the second generation appliances, which are more efficient, is that we can offer licensing just for discovery. So here you get a couple of appliances, ready to deploy, go ahead and do your fingerprinting, do your discovery that is contingent for that licensing, and get into a much lower cost of entry.
Another key thing is I've been involved with security for 20 years, and at Blue Coat we have over 70 million users on a cloud-based defense, so we're very aware of what is happening with internet use and trends. One of the key things we're seeing is a big downward shift of web-based email. It used to be number five a year ago, and now it's down to number nine. Where the herd or the crowd is moving is social networking, which now ranks as our number one category and represents well over 25 percent of the web traffic that we see at Blue Coat. So, I think people are going to start seeing, as we see the trend of society toward social networking, we form communication, and the avenues for data loss are changing. I think it started out with a lot of people focusing on email gateways, but we're seeing a big shift in communication. The web gateway is becoming very important, and again that all wraps back to the key points that we made here.
So those are the trends I expect people to latch on to: lower cost of operation, more efficiency, and then recognizing their communication is becoming more social networking based.