Chicago (Midwest) Data Loss Prevention User Group


DLP Best Practices

  • 1.  DLP Best Practices

    Posted Aug 10, 2009 09:58 AM

    DTE has implemented Vontu for Network, Endpoint, and Discover.  I have a couple of questions for the User Group members regarding your roll out of the product.  

    Have you rolled out any of the Acceptable Use rules/policies?

    Have you rolled out Endpoint and are you blocking users from copying data to removable media or are you just notifying the user that they have potentially violated one of the data leakage policies and that they need to use care?

    Any information you could provide us with would greatly be appreciated.

    Sincerely,

    Cheryl Fierk



  • 2.  RE: DLP Best Practices

    Posted Aug 17, 2009 05:07 PM

    Hi Cheryl, I wanted to take a crack at your questions:

    1. Have you rolled out any of the Acceptable Use rules/policies?

    In the DLP implementations I've done, the AU rules/policies haven't been turned on at all, or, if they have been turned on, the number of matches has been set to very high and it's been an audit-only policy. Foul language, improper/inappropriate Web surfing, etc. are so common that they'd likely crowd out all other types of incidents and policy violations.

    2. Have you rolled out Endpoint and are you blocking users from copying data to removable media or are you just notifying the user that they have potentially violated one of the data leakage policies and that they need to use care?

    I recommend the latter initially, to help condition users and to baseline the scope of your problem(s). Then, once users are aware of the ability and functionality, you might begin enabling the prevention/blocking on select user groups within the organizations (i.e., most tech-savvy users, or users handling most sensitive-data, etc.)

    Hope this helps!

    --
    Sean Steele, CISSP, CISA
    Sr. Security Consultant
    infoLock Technologies
    877.610.5625 x219 direct
    202.270.8672 mobile
    ssteele@infolocktech.com



  • 3.  RE: DLP Best Practices

    Posted Aug 18, 2009 07:04 AM
    Sean,

    Thanks for your suggestions.  Can you tell me what you have implemented and any issues you have seen?


  • 4.  RE: DLP Best Practices

    Posted Aug 20, 2009 03:23 PM
    Have you rolled out Endpoint and are you blocking users from copying data to removable media or are you just notifying the user that they have potentially violated one of the data leakage policies and that they need to use care?

    We are also starting out notifying users with the plans for turning on the blocking after that.  That seems to be the "best practice" approach.


  • 5.  RE: DLP Best Practices

    Posted Oct 01, 2009 01:33 PM
    I'm looking for similar info.   We need to develop implementation policies, etc., that describe how we intend to use the product within our company.  One of the big issues is oversight.  Think "who's watching the watchers"?  DLP gives the admin access to info they normally would not have and this of course can be abused if no oversight is in place.  Auditors look for this type of check and balance.  Does anybody have any sort of docs or procedures regarding how they've implemented DLP and how its use is audited?

    thx.


  • 6.  RE: DLP Best Practices

    Posted Oct 05, 2009 07:34 AM
    We have implemented DLP and we have a member from each of the Organizations assigned to review the incidents from their respective area.  Information Protection and Security is responsible for oversight to ensure that the Privacy Review Team is reviewing their incidents.  We actually produce metrics and distribute them.

    Auditing has not performed an official audit so we do not know if we are missing any controls.

    Cheryl


  • 7.  RE: DLP Best Practices

    Posted Oct 05, 2009 07:36 AM
    We have just started turning on the rules for endpoint.  Users will begin to be notified when they copy a file to a removable media that violates one of the potential information handling rules.  We are currently testing with SEP to see if we can allow read access to all USB Removable Media as identified by Windows and only allow write access to the four USB drives that are totally encrypted.

    We are still in the testing phase.  We also will need to present our solution to Upper Management to ensure this is the direction they would like to head.

    Cheryl


  • 8.  RE: DLP Best Practices

    Posted Nov 18, 2009 12:47 PM
    Cheryl, did you have any updates regarding your work on the Endpoint configuration/rollout? I'd like to hear what direction you went. Thanks,


  • 9.  RE: DLP Best Practices

    Posted Nov 18, 2009 02:31 PM
    We are using SEP to do our blocking based on whether or not you are using an encrypted thumb drive.  It doesn't matter what type of file you are copying or whether it breaks one of our DLP rules.  Today we have 28 users set with the blocking policy turned on and to date we have had no issues.  We are adding another 128 users to the SEP policy to see if they come up with anything we didn't think of.  I believe we are on the leading edge of doing this.

    I can let you know as our pilot population increases if we see any additional impact.

    Cheryl


  • 10.  RE: DLP Best Practices

    Posted Jan 07, 2010 01:13 PM
    Just curious! Thanks for any updates.


  • 11.  RE: DLP Best Practices

    Posted Jan 19, 2010 05:39 AM
    I want to create a compliance policy to allow a specific user to send mails to a specific domain only from my WHITELIST, and any other domain should be rejected or blocked as spam, or otherwise not sent.
     
    Problem is that when users add any other domain in the To, Cc or Bcc field along with a domain name from the whitelist, the message got delivered.

    I need compliance with minimum condition and maximum results, because the system we have is very big, and there are over 3000 mails daily.
     
    Problem is that we can make compliance for every domain name of e-mail in internet, the system will be extremely slow.

    Can Vontu make this?

    Any help on how to proceed will be much appreciated.

    Regards
    Anton
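
The recipient check described in post 11, as an added example that is not part of the thread and is not Vontu policy syntax: it contrasts an "any recipient matches" rule, which reproduces the reported delivery, with a default-deny "every recipient matches" rule that needs only the whitelist itself. The whitelist domain, the function names and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

ALLOWED_DOMAINS = {"partner.example"}  # constructed whitelist (assumption)

def recipient_domains(msg):
    """Lower-cased domain of every To/Cc/Bcc address; None if unparsable."""
    headers = []
    for name in ("To", "Cc", "Bcc"):
        headers.extend(msg.get_all(name, []))
    domains = []
    for _display, addr in getaddresses(headers):
        local, sep, domain = addr.rpartition("@")
        ok = bool(sep and local and domain)
        domains.append(domain.lower().rstrip(".") if ok else None)
    return domains

def allow_if_any_match(msg):
    # Behaviour reported in the post: one whitelisted recipient lets the
    # whole message through, including its non-whitelisted recipients.
    return any(d in ALLOWED_DOMAINS for d in recipient_domains(msg))

def allow_if_all_match(msg):
    # Default deny: no recipients, an unparsable address, or any domain
    # outside the whitelist blocks the message.
    domains = recipient_domains(msg)
    return bool(domains) and all(d in ALLOWED_DOMAINS for d in domains)

# Constructed sample messages.
MIXED = message_from_string(
    "From: user@corp.example\n"
    "To: alice@partner.example\n"
    "Cc: Bob <bob@Other.example>\n"
    "Subject: report\n\nbody\n"
)
CLEAN = message_from_string(
    "From: user@corp.example\n"
    "To: alice@partner.example, Carol <carol@PARTNER.example>\n"
    "Subject: report\n\nbody\n"
)

if __name__ == "__main__":
    for label, msg in (("mixed", MIXED), ("clean", CLEAN)):
        print(label, recipient_domains(msg),
              "any:", allow_if_any_match(msg), "all:", allow_if_all_match(msg))
```

Bcc recipients are usually absent from the headers by the time a message is in transit, so a gateway enforcing this rule should apply the same test to the SMTP envelope recipients.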