Essential tools of the security trade: DLP and SIEM

Data Loss Prevention (DLP) can greatly help organizations understand and control the data they use, store and transmit, and it is seeing increasing use in PCI-DSS compliance.  Another technology, Security Information and Event Management (SIEM), collects and analyzes data in real time from multiple sources, including server logs, network devices, firewalls and intrusion detection systems.  In this article I will describe how combining SIEM and DLP can improve the security and compliance of a corporation.  Taken together, SIEM and DLP make data flow within a corporation transparent, giving the corporation more control over its information and leaving less room for that information to be misused.

What are DLP and SIEM?

As stated earlier, DLP is a conscious effort to prevent the loss of data to undesirable individuals, groups, or circumstances.  DLP systems identify which pieces of information matter more than others, producing a prioritized list.  DLP is a comprehensive set of methodologies and technologies that can examine information across departments, which works better than localized, isolated searches.  SIEM is technology that ingests and interprets information from network security devices and server logs, allowing greater visibility into the use, transmission and storage of data.  SIEM allows a company to consolidate security information from many different areas so that the organization can better understand and prioritize how it will protect its data.

Protecting the company’s data is a primary responsibility in information security.  With the increased complexity and interoperability of systems, this task becomes much more difficult, especially on a localized basis.  With the help of DLP, the job of protecting information becomes much clearer.  Using SIEM in conjunction with DLP can further ease the job of the information security department in protecting organizational data, preventing breaches and meeting regulatory requirements.

Correlating real threats in real time with how and where the most sensitive pieces of information are stored and handled falls squarely within the realm of SIEM and DLP.  Furthermore, by combining DLP and SIEM, a company can see its security in one program rather than several, making the process more efficient.  Efficiency is a key part of making a good business great, and that sentiment carries over into the world of protecting documents.  SIEM can be tuned to focus on where the data is found, helping the DLP team protect the information at the source, in transit, and at its destination.  SIEM can also refine the way DLP identifies sensitive information and can alert the DLP team to new resources and new threats to organizational information.

Combining these two methods of protection, DLP and SIEM, gives the organization more insight into where additional security controls should be placed and allows for faster incident response, which makes for a more effective strategy against potential threats.  DLP can prevent malicious or careless users from abusing the system by only allowing authorized access to certain accounts, and by informing the company when these documents have been retrieved.  Simultaneously, SIEM sharpens those controls by monitoring the retrieval of the information, making the retrieval alerts as streamlined, efficient, and quick as possible.  These two technologies provide what information security offices need: visibility and control.


Examples

Internal Threats

Companies sometimes have information but cannot act on it because it is buried in a server log or a database.  For example, in 2008 Verizon Business had breach information on 82% of cases, but they were unable to use this information.  DLP and SIEM could have enabled Verizon to better understand and prevent these breaches.

The reality is that employees often change positions.  Without proper employee termination procedures and security controls, terminated employees could transfer customer documents or steal intellectual property and other sensitive information.  The use of DLP and SIEM provides real-time information on data access and can flag inappropriate or out-of-the-norm activity.  This is something I have dealt with many times in my forensic work, and I help companies protect against it in my information security consulting practice.
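The correlation the article describes, where SIEM combines DLP retrieval alerts with other feeds to flag a terminated employee or an out-of-the-norm burst of access, can be shown in a few dozen lines. The following Python is an added example, not code from the article or from any SIEM or DLP product. It assumes two feeds of one JSON object per line (an HR account-status feed and a DLP retrieval feed, both with an ISO-8601 `ts` field and the DLP feed carrying a document classification); the field names, the two rules and all sample events are constructed for the illustration.

```python
"""Toy SIEM-style correlation of DLP alerts with an HR account feed.

Added example, not code from the article. Assumptions: both feeds arrive
as one JSON object per line with an ISO-8601 "ts" field, and the DLP feed
reports each document's classification. All events below are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed HR/directory events: account status changes per user.
HR_LINES = [
    '{"ts": "2024-02-01T08:00:00", "user": "alice", "action": "active"}',
    '{"ts": "2024-02-01T08:00:00", "user": "bob", "action": "active"}',
    '{"ts": "2024-03-01T09:00:00", "user": "alice", "action": "terminated"}',
]

# Constructed DLP events: document retrievals with their classification.
DLP_LINES = [
    '{"ts": "2024-03-01T08:30:00", "user": "alice", "doc": "roadmap.pptx", "class": "confidential"}',
    '{"ts": "2024-03-01T09:30:00", "user": "alice", "doc": "customers.xlsx", "class": "confidential"}',
    '{"ts": "2024-03-01T10:00:00", "user": "bob", "doc": "lunch_menu.pdf", "class": "public"}',
    '{"ts": "2024-03-01T10:01:00", "user": "bob", "doc": "contract_a.pdf", "class": "confidential"}',
    '{"ts": "2024-03-01T10:02:00", "user": "bob", "doc": "contract_b.pdf", "class": "confidential"}',
    '{"ts": "2024-03-01T10:03:00", "user": "bob", "doc": "contract_c.pdf", "class": "confidential"}',
    '{"ts": "2024-03-01T10:04:00", "user": "bob", "doc": "contract_d.pdf", "class": "confidential"}',
]


def parse_events(lines):
    """Parse JSON lines into dicts with a datetime "ts", sorted by time."""
    events = []
    for line in lines:
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def account_status_at(hr_events, user, when):
    """Most recent HR status for `user` at or before `when` ("unknown" if none)."""
    status = "unknown"
    for ev in hr_events:  # hr_events is sorted ascending by ts
        if ev["user"] == user and ev["ts"] <= when:
            status = ev["action"]
    return status


def correlate(hr_lines, dlp_lines, max_docs=3, window_minutes=10):
    """Run two rules over the DLP stream and return the alerts raised.

    Rule 1: a retrieval by an account the HR feed marks as terminated
            at the time of the retrieval.
    Rule 2: more than `max_docs` confidential retrievals by one user
            inside a sliding window (fires once when the line is crossed).
    """
    hr = parse_events(hr_lines)
    window = timedelta(minutes=window_minutes)
    alerts = []
    recent = defaultdict(list)  # user -> timestamps of confidential retrievals in window
    for ev in parse_events(dlp_lines):
        if account_status_at(hr, ev["user"], ev["ts"]) == "terminated":
            alerts.append({"rule": "terminated_user_access", "user": ev["user"],
                           "doc": ev["doc"], "ts": ev["ts"].isoformat()})
        if ev["class"] == "confidential":
            times = recent[ev["user"]]
            times.append(ev["ts"])
            # Drop retrievals that have aged out of the window.
            while times and ev["ts"] - times[0] > window:
                times.pop(0)
            if len(times) == max_docs + 1:
                alerts.append({"rule": "bulk_confidential_retrieval", "user": ev["user"],
                               "count": len(times), "ts": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in correlate(HR_LINES, DLP_LINES):
        print(alert)
```

Run as written, the correlator raises exactly two alerts: alice's retrieval of `customers.xlsx` half an hour after her account was marked terminated (her earlier retrieval, while still active, is not flagged because the status lookup is time-aware), and bob's fourth confidential document inside ten minutes. Either rule alone would have missed the other case, which is the point of feeding DLP events into the SIEM rather than reading them in isolation.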

External Threats

Take a company that handles regular transfers of credit card information and is compliant with the Payment Card Industry Data Security Standard (PCI DSS).  PCI DSS compliance can help protect the organization and mitigate a variety of attacks, but DLP and SIEM can give the organization knowledge of where attacks might be focused.  Fingerprinting and other preparatory external activity can herald the onset of a larger attack, and DLP and SIEM would highlight these precursors so that the organization could respond and protect itself and its data.
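For a company in this position, the DLP side of the pairing rests on being able to recognize cardholder data in the first place, which is what the article means by DLP deciding which pieces of information matter. The Python below is an added example, not code from the article or from any DLP product. It assumes a DLP content rule of the common form "regex for 13 to 19 digit runs, then a Luhn checksum" and reports only masked values so that the alert log does not itself accumulate card numbers; the sample message body and the `classify` output format are constructed for the illustration.

```python
"""Minimal DLP content classifier for cardholder data (PANs).

Added example, not code from the article. Assumption: the DLP rule is a
regex over 13-19 digit runs (spaces or dashes allowed) followed by a Luhn
check, the usual way to cut false positives on random digit strings.
The sample message body is constructed.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded inside a longer run of digits.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return masked PANs (first 6 and last 4 digits kept) found in text."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits


def classify(text, threshold=1):
    """Label text as "pci" when at least `threshold` PANs are present.

    The result carries only masked values so the DLP/SIEM log does not
    itself become a store of cardholder data.
    """
    pans = find_pans(text)
    label = "pci" if len(pans) >= threshold else "none"
    return {"class": label, "count": len(pans), "masked": pans}


# Constructed outbound message body: a 16-digit order number that fails
# Luhn, two widely published test card numbers, and a phone number.
SAMPLE_TEXT = (
    "Order 1234567890123456 shipped today. Card on file: 4111 1111 1111 1111, "
    "backup 5555-5555-5555-4444. Questions? Call 555-123-4567."
)

if __name__ == "__main__":
    print(classify(SAMPLE_TEXT))
```

On the sample text the classifier reports two PANs and ignores both the order number (right length, wrong checksum) and the phone number (too short), which is the difference between a rule that analysts trust and one they tune out. A real deployment would pair this with a count threshold per message and with the SIEM-side context (who sent it, to where, at what time) that the article argues for.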


DLP and SIEM in a distributed mobile world

DLP and SIEM are especially valuable to organizations that are increasingly mobile.  More and more workers access corporate data from mobile devices or machines connected to a VPN.  Protecting information was already difficult when it was limited to one network and a few select locations.  However, that time is well in the past.  New facets of modern employment widen the gap that information security needs to cover.  With the help of DLP, threats can be prioritized according to importance and with SIEM the data transfer and storage will be transparent, easing the burden on the information technology and security department in protecting a larger set of assets.

The use of DLP and SIEM can greatly enhance the capabilities of information security departments.  SIEM makes the access, transfer, and reception of data within the company more apparent and can further improve DLP initiatives in protecting and controlling data within the organization.  Using both DLP and SIEM within a company streamlines the process of protecting vital information and makes the company more efficient.  For more information on DLP, see my previous article.


For more information

Gartner Report: Critical Capabilities for SIEM

DLP opportunities seen in compliance push


16 thoughts on “Essential tools of the security trade: DLP and SIEM”

    • You will find that many of the solutions out there are hybrid solutions that take from many different concepts. A solution could be labeled SIEM and provide some DLP elements too. You may also see an IDS (Intrusion Detection System)/IPS (Intrusion Prevention System) with some features too. The two technologies are closely aligned and I think you will get the best value when you implement a solution that combines the control of DLP and the awareness of SIEM.

    • Hugh,

      These solutions can be quite expensive if implemented entirely in-house. You might consider a managed security solution. Feel free to contact us and we can help you plan a solution that is the right size for your business. There are also some open source tools that we are familiar with. You could consider deploying them in your organization and then have an outside firm like JurInnov manage the solution for you. It all depends on your data security needs.

    • Batanarge,

      Companies that want to better control sensitive data would benefit from DLP and companies that want to better understand what is going on in their information systems would want SIEM. There are a variety of solutions around that can be implemented to help meet these goals.

  1. There is of course another side to this: Without a SIEM (or at least a good log solution) it’s nearly impossible to handle specific network security queries from Management. So even a SIEM that isn’t doing much can save time and help an overworked security professional.

  2. SIEM requires ongoing effort to provide value: no commitment = no value. Many organizations make large investments into SIEM and end up realizing very little value.
