New York Data Loss Prevention User Group

What Statistics do you gather/report for Data in motion or Discover

This is an ongoing question for us and I wanted to get other opinions. We are trying to gather statistics that properly represent what we are doing. This is both a way to measure the effectiveness of the project over time and something that can be reported up.  It is not clear to me what I have stated below is necessary nor sufficient and any comments or additions are of great interest.

The one wide open area that I have is Network Discover. What do you report. It is not clear to me what effective metrics are in this area. Note that I don't do Endpoint.

What we report (Email all false positives removed)
      Defects per 100K (over all level of compliance:

• Blocked messages 
• and monitored messages.

     Payload of these messages (talks about overall care of data and training:  

• Average number of records in a blocked email (Thinking of using median)
• Average number of records in a Monitored message. (Thinking of using median)

     Totals

• Total number of messages blocked
• Total number of messages Monitored (remove all false positives)

I don't have a clue about Network Discover but here are my thoughts

• Number of Shares scanned?
• Number of GIG scanned ?
• Number of "exposed" shares found (not discover really)?
• Number of files passed over due to filters in scan..?
• Number of events per gig?
• Number of records per gig scanned?
• Number of records per (gig scanned + gig skipped)?

Note I am asking for what you do or would like not necessary what is available. We can deal with Vontu on that later. Also what you think a particular statistic tells you about your environment.

If you don't want to post to this thread, contact me directly by clicking on my Symantec Connect user name and sendig me a private message.

This is one of the places that I think an open discussion might be of help to us all.
Also this is open to all Vontu customers not just the NY users group.

for DAR, we do the basics

devices scanned
shares scanned
files scanned

and then for the concept of incidents, we capture number of incidents and number of matches, with some breakdown by the policy that fired...

on our high sev policy, which probably includes many of the fields any company would do for a high sev, we see approx 10% of shares fire, approx 1 out of 1000 files fire... high level #s

Instead of defects per 100,000, we report a 1 in ____ number, as in 1 in 400 emails contain non-public information (NPI), which is a statistic that Vontu used in older marketing materials.  We have to be careful in how we frame the metric, but it provides a pretty good indication of the effectiveness of blocking data in motion.

For DAR, sheer # of records detected is our biggest statistic -- we developed an ROI analysis that looks at the liklihood of one of those records being disclosed, and using the known average cost of a record involved in a data breach (something like $240 for financial institutions) for a "risk averted" figure.

We report up the number of users who wrote to USB devices and the number of files that were written.
I think that you have to be very careful with the statstics that are reported up because with any of them not only report them but have a plan to drive them in the correct direction.  Only report items if you plan to do something about it and then use the stats to show progress over time.

Do you do anything to normalize for the size of your environment overall?

Though the 1  of 1K files has lots of "stuff" is worthwhile by its self.

Thanks
Eric

We  have thought about your DAR method but we are concerned about a big find of data on a single server throughing off the stats.

Also if you don't mind me asking what kind of analysis do you do to determine the likelihood of a singe record being exposed? That might be as hard as any good stats on density and quantity.

If we can calculate a known value (such as all of the records that were blocked in motion instead of getting out), we can get the cost of total failure if every record that got out were to be involved in a data breach.  We then take a range based on industry averages of fraud to determine how much of this total loss might become actual loss.  Javelin released some stats on the average rate of fraud -- it's something like 4.32% of all Americans experience fraud due to identity theft each year on average, while the victims of a data breach are something like 19.5% likely to experience fraud.  So, we estimate our impact to be somewhere between 4.32% and 19.5% of the total losses that could have happened.  It's not perfect, and to be quite honest with you it hasn't gone through much scrutiny for accuracy, but by basing it on industry stats we're a little more comfortable in making a guess.  I'd love to hear feedback -- proving ROI of something that generates no revenue but is thought to significantly reduce risk is definitely an interesting challenge.

I should also note that more conventional statistics form the vast majority of our reporting -- repeat offenders, total # of unencrypted records removed from the enterprise, # of devices content searched using DAR each month, etc.