At first glance, it might not appear that Enterprise DLP (EDLP) and Insider Threat Management (ITM) programs are very much aligned. EDLP traditionally focused on following the data, where ITM focused on the user. Regardless of how you establish and operate these two programs, Proofpoint believes in a unified people-centric DLP approach that unifies incident management to add value to investigations into both the data and the user.
Large enterprise organizations will often make a conscious choice to run these two programs independently with different criteria, constituents, goals and measures of success. The case could also be made to tightly align the goals of both programs. In midsize organizations, you may struggle to separate these two programs due to resources and scalability.
ITM and DLP Program Criteria
Your DLP and ITM programs should include the following criteria (at a minimum):
A Program Charter Document
A program-level guide that covers the purpose, scope, members and mission of the DLP or ITM program. If your security policies (more specifically, your security incident management processes) align to either NIST or ISO, you should look to use either NIST 800-61 or ISO 27035 as a supporting element of your DLP and ITM programs.
Solicit the support of a business-focused sponsor—ideally one outside of IT or information security teams (in other words, not your CIO or CISO). Ensure you have alignment in your program purpose and scope with the desired outcomes of your organization. Your Chief Legal Officer (General Counsel), CFO, COO/CEO or a business unit lead can serve as credible program sponsors. HR and privacy leaders could also be a strong option for sponsorship.
Well-defined roles and responsibilities
If you use RACI charts to define responsible, accountable, consulted and informed parties, that’s great. If not, there are many other ways to do this. A section of your charter document explaining each department/individual and the program expectations of them is a minimum must-have.
Avoid trying to do it all at once
Don’t try to boil the ocean. Implement guardrails and proper scoping for your program to give it the greatest chance for success. Look for ways to expand your program to stages two and three once you establish a solid foundation. This is where products and technology can help by making sure you are precise when mapping policies to controls.
Major Differences Between DLP and ITM Programs
There are a few classic differences in the philosophies of a DLP program and an ITM program.
As mentioned above, DLP programs traditionally focus on content inspection and data governance first, providing evidence of data access and proof of movement (or exfiltration/manipulation), and only then do they correlate that data event to a specific user. The primary takeaway of a classic DLP program is that the data event comes first and the investigation follows once the data event is verified.
With an insider threat management program, the focus begins with the user. Thoroughly understanding how users behave and interact not only with data but also with applications and other users provides the critical metrics that fuel your ITM program. A baseline assessment of who your riskiest users are is incredibly helpful (hint: it’s not just your executives, your finance department or your over-privileged IT security admins).
When I covered the Enterprise DLP market at Gartner and published the last two Gartner Magic Quadrants and Critical Capabilities in 2016 and 2017, we defined three primary use cases for Enterprise DLP. These three use cases focused on meeting regulatory compliance requirements, protecting intellectual property, and performing data visibility and monitoring.
For insider threat management, developing personas and deeply understanding the user and their potential motivations are pivotal for the accuracy, speed and success of your program. You must determine whether a potential insider is negligent, compromised or truly malicious. You also must conduct this analysis with a specialized process because there are several human resources, legal and privacy considerations beyond just events lighting up a SOC analyst’s console. This user-level understanding could also be helpful as a part of your DLP program.
Finally, don’t get caught up in heavy policy granularity at the beginning of your program. Take a people-centric DLP approach to your program and work through any program exceptions in a prioritized and thoughtful way. Keep in mind, there are several “low tech” and “no-tech” ways to defeat any DLP or ITM program. Having a unified incident management interface that can apply a people-centric approach to both DLP and ITM investigations can improve accuracy and efficiency.
To learn more best practices around ITM and Enterprise DLP, subscribe to the Proofpoint Blog.