Data Loss Prevention (DLP) can greatly help organizations understand and control the data that is used, stored and transmitted and it is seeing increasing use in PCI-DSS compliance.  Another technology, Security Information and Event Management (SIEM), collects and analyzes data in real time from multiple sources including server logs, network devices, firewalls and intrusion detection systems.  In this article, we will enumerate how the combination of SIEM and DLP can improve the security and compliance of a corporation.  Taken together SIEM and DLP can work so that data flow within a corporation is transparent, therefore, affording more control to the corporation and less ability to misuse that information.

What are DLP and SIEM

As stated earlier, DLP is a conscious effort to prevent the loss of data due to undesirable individuals, groups, or circumstances.  DLP systems figure out which pieces of information are more important than others, therefore, creating a prioritized list.  DLP is a comprehensive set of methodologies and technologies that can look at more information across departments, better than localized isolated searches.  SIEM is technology that can take and interpret information coming in from network security devices and server logs allowing greater visibility into the use, transmission and storage of data.  SIEM allows a company to consolidate security information from many different areas so that the organization can better understand and prioritize how it will protect its data.

Protecting the company’s data is a primary responsibility in information security.  With increased complexity and interoperability of systems, this task becomes much more difficult, especially on a localized basis.  With the help of DLP, the job of protecting information becomes much more clear.  Using SIEM in conjunction with DLP can further ease the job of the information security department in protecting organizational data, preventing breaches and in meeting regulatory requirements.

The correlation between real threats in real time and how and where the most sensitive pieces of information are stored and dealt with falls squarely within the realm of SIEM and DLP.  Furthermore, allowing a combination of DLP and SIEM, a company can see its security in one program, not several, thus making the process more efficient.  Efficiency is a key part of making a good business great.  This sentiment can be translated into the world of protecting documents.  SIEM can be tuned to focus on where the data is found, thus helping the DLP team protect the information at the source, in transit, and at its destination.  Also, SIEM can refine the way that DLP identifies sensitive information, alerts DLP to new resources, and new threats to organizational information.

Combining these two methods of protection, DLP and SIEM, can give the organization more insight on where additional security controls should be placed and it allows for faster incident response.  This allows for a more effective strategy against potential threats.  DLP can prevent malicious or accidental users from abusing the system by only allowing authorized access into certain accounts, as well as, informing the company when these documents have been retrieved.  Simultaneously, SIEM is working to sharpen controls by monitoring the retrieval of the information ,thus making the retrieval alerts as streamlined, efficient, and quick as possible.  These two devices provide what information security offices need, visibility and control.

 

Examples

Internal Threats

Companies sometimes have information but cannot act on it because it is buried in a server log or a database.  For example, in 2008 Verizon Business had breach information on 82% of cases but they were unable to use this information.  DLP and SIEM could have enabled Verizon to better understand and prevent these breaches.

The reality of the world is employees often change positions.  Without proper employee termination procedures and security controls, terminated employees could transfer customer documents or steal intellectual property and other sensitive information.  The use of DLP and SIEM provides real time information in data access and can flag inappropriate or out of the norm activity.  This is something we have dealt with many times in our forensic work and we help companies protect against it in our information security consulting practice.

External Threats

Take a company that deals with the regular transfer of credit card information and is Payment Card Industry (PCI) Data Security Standard (PCI DSS) compliant.  PCI-DSS compliance can help protect the organization and mitigate a variety of attacks but DLP and SIEM can give the organization knowledge on where attacks might be focused.  Fingerprinting and other prerequisite external threats can herald the onset of a larger attack and DLP and SIEM would highlight these prerequisites so that the organization could respond and protect itself and its data.

 

DLP and SIEM in a distributed mobile world

DLP and SIEM are especially valuable to organizations that are increasingly mobile.  More and more workers access corporate data from mobile devices or machines connected to a VPN.  Protecting information was already difficult when it was limited to one network and a few select locations.  However, that time is well in the past.  New facets of modern employment widen the gap that information security needs to cover.  With the help of DLP, threats can be prioritized according to importance and with SIEM the data transfer and storage will be transparent, easing the burden on the information technology and security department in protecting a larger set of assets.

The use of DLP and SIEM can greatly enhance the capabilities of information security departments.  SIEM allows a company to make the access, transfer, and reception of data within the company more apparent and can further improve DLP initiatives in protecting and controlling data within the organization.  The advantage of using both DLP and SIEM within an individual company streamlines the process of protecting vital information and makes the company more efficient.  For more information on DLP, see our previous article.

 

For more information

Gartner Report: Critical Capabilities for SIEM

DLP opportunities seen in compliance push