DLP (Data Loss Prevention) solution
-
@scottalanmiller said in DLP (Data Loss Prevention) solution:
@Dashrender said in DLP (Data Loss Prevention) solution:
@scottalanmiller said in DLP (Data Loss Prevention) solution:
@Dashrender said in DLP (Data Loss Prevention) solution:
Ultimately the client decided it wasn't worth the hassle of buying/deploying DLP just so they could use USB sticks.
Instead - they will email or OD4B or Slack the files around that they neeSo in this case, it seems like the insurance requirement turned out to be a good thing. Pushed them to do things in a controlled, logical way rather than a crufty, silly, legacy way.
yes - sure, that's true, but come on, we both know that's not what the real intention of this request is/was - or at least I personally don't believe that someone at the insurance company has a personal vendetta against USB storage - but really, they are trying to prevent insurance data from being leaked... and when they were considering how things get leaked - they crazily started and stopped with USB storage.
Well, I don't know. Let's think about it... USB sticks being allowed is an extremely weird thing to want to keep. It's a super dangerous activity with little reason to be allowed in the modern world. So anyone doing it is likely to be doing loads of risky, stupid things because the reason to want to do it is almost certainly a bad one.
The goal is easily to heavily punish bad behaviour and/or encourage rethinking bad decisions. It's isolated, but it worked. Something risky and dumb turned into something modern and practical in a pretty predictable way. The insurance company pushed them to fix a process that you as IT alone could not do.
Do assume insurance companies are dumb when they do something that turns out really smart. They do their homework.
Their stated reason for wanting no USB was - "so our data doesn't walk out of your company." So while what you say has merit - it's not ever been a reason given for it's discontinued use... and hell, if it had.... if they had said - "you know, USB is legacy and carries the risk of passing infections along much more easily than say - emailing the data to someone, or using Dropbox, etc, so we'd much rather you share our data via those processes than via USB - and we'd like you to disable USB because reasons already mentioned" then the client would have likely gone that way from the start.
-
@DustinB3403 said in DLP (Data Loss Prevention) solution:
@Dashrender said in DLP (Data Loss Prevention) solution:
@scottalanmiller said in DLP (Data Loss Prevention) solution:
@Dashrender said in DLP (Data Loss Prevention) solution:
Ultimately the client decided it wasn't worth the hassle of buying/deploying DLP just so they could use USB sticks.
Instead - they will email or OD4B or Slack the files around that they neeSo in this case, it seems like the insurance requirement turned out to be a good thing. Pushed them to do things in a controlled, logical way rather than a crufty, silly, legacy way.
yes - sure, that's true, but come on, we both know that's not what the real intention of this request is/was - or at least I personally don't believe that someone at the insurance company has a personal vendetta against USB storage - but really, they are trying to prevent insurance data from being leaked... and when they were considering how things get leaked - they crazily started and stopped with USB storage.
So wouldn't it be prudent to inform your insurance that data can be emailed, printed, dropbox'd, OD4B etc and that there is no way to control each of these and still operate the business?
Why would I volunteer myself for more work? My only requirement is to fulfill the audit requirements, not make more work and more spending for myself.
-
@Dashrender said in DLP (Data Loss Prevention) solution:
Why would I volunteer myself for more work? My only requirement is to fulfill the audit requirements, not make more work and more spending for myself.
To get the insurance provider to stop forcing ridiculous half-baked policy statements on their customers.
-
@DustinB3403 said in DLP (Data Loss Prevention) solution:
@Dashrender said in DLP (Data Loss Prevention) solution:
Why would I volunteer myself for more work? My only requirement is to fulfill the audit requirements, not make more work and more spending for myself.
To get the insurance provider to stop forcing ridiculous half-baked policy statements on their customers.
As a security minded person (though still not as good as Scott apparently) - I agree with that... but in this case, doing so is against the interest of my client (at least in term of me billing them more to deploy a DLP solution, etc).
Now that said - I did say something to the client. If the client wants to tell the insurance company (they don't) then by all means - we would tell them and go forward as needed/required by the insurance company.
-
Threatlocker? Leaves MacOS out though.
https://www.threatlocker.com/products/threatlocker-storage-control/ -
@Dashrender said in DLP (Data Loss Prevention) solution:
@scottalanmiller said in DLP (Data Loss Prevention) solution:
because the reason to want to do it is almost certainly a bad one.
We simply disagree here - it's legacy, sure, but I wouldn't call it bad. though - of course in typing this - at least with email/dropbox/OD4B, etc there is much less chance of a tag along virus (short of the file itself being infected) compared to a USB stick... ok fine - you win, it's probably a bad idea to still do that today.
So Suzie office worker finds a "free" USB drive in the parking lot and plugs it into her computer.
Allowing uncontrolled USB drives is a big security concern. And a policy saying you can only use company ones is useless because policies don't stop the thing from happening once someone breaks the policy.
-
@Dashrender said in DLP (Data Loss Prevention) solution:
@scottalanmiller said in DLP (Data Loss Prevention) solution:
@Dashrender said in DLP (Data Loss Prevention) solution:
@scottalanmiller said in DLP (Data Loss Prevention) solution:
@Dashrender said in DLP (Data Loss Prevention) solution:
Ultimately the client decided it wasn't worth the hassle of buying/deploying DLP just so they could use USB sticks.
Instead - they will email or OD4B or Slack the files around that they neeSo in this case, it seems like the insurance requirement turned out to be a good thing. Pushed them to do things in a controlled, logical way rather than a crufty, silly, legacy way.
yes - sure, that's true, but come on, we both know that's not what the real intention of this request is/was - or at least I personally don't believe that someone at the insurance company has a personal vendetta against USB storage - but really, they are trying to prevent insurance data from being leaked... and when they were considering how things get leaked - they crazily started and stopped with USB storage.
Well, I don't know. Let's think about it... USB sticks being allowed is an extremely weird thing to want to keep. It's a super dangerous activity with little reason to be allowed in the modern world. So anyone doing it is likely to be doing loads of risky, stupid things because the reason to want to do it is almost certainly a bad one.
The goal is easily to heavily punish bad behaviour and/or encourage rethinking bad decisions. It's isolated, but it worked. Something risky and dumb turned into something modern and practical in a pretty predictable way. The insurance company pushed them to fix a process that you as IT alone could not do.
Do assume insurance companies are dumb when they do something that turns out really smart. They do their homework.
Their stated reason for wanting no USB was - "so our data doesn't walk out of your company." So while what you say has merit - it's not ever been a reason given for it's discontinued use... and hell, if it had.... if they had said - "you know, USB is legacy and carries the risk of passing infections along much more easily than say - emailing the data to someone, or using Dropbox, etc, so we'd much rather you share our data via those processes than via USB - and we'd like you to disable USB because reasons already mentioned" then the client would have likely gone that way from the start.
They can most likely track where the data was leaked through email or something else like Dropbox. That's almost impossible with USB drives without something like DLP. So yes while it doesn't necessarily stop someone from leaking data that way, it's at least somewhat traceable.
-
We're using Dell Data Protection. Without the encryption they don't work on any of our workstations. Doctors don't care enough about security until they have to pay fines. @Dashrender you're still in the medical field right?
-
@wirestyle22 said in DLP (Data Loss Prevention) solution:
Doctorsdon't care enough about security until they have to pay fines. @Dashrender you're still in the medical field right?No one
FTFY
-
@DustinB3403 said in DLP (Data Loss Prevention) solution:
@wirestyle22 said in DLP (Data Loss Prevention) solution:
Doctorsdon't care enough about security until they have to pay fines. @Dashrender you're still in the medical field right?No one
FTFY
My mother in law is the litmus test. She "cares about security" but is not willing to do anything about it
-
Also I just realized how I turned that into broken English, sorry about that. . .
-
@stacksofplates said in DLP (Data Loss Prevention) solution:
@Dashrender said in DLP (Data Loss Prevention) solution:
@scottalanmiller said in DLP (Data Loss Prevention) solution:
@Dashrender said in DLP (Data Loss Prevention) solution:
@scottalanmiller said in DLP (Data Loss Prevention) solution:
@Dashrender said in DLP (Data Loss Prevention) solution:
Ultimately the client decided it wasn't worth the hassle of buying/deploying DLP just so they could use USB sticks.
Instead - they will email or OD4B or Slack the files around that they neeSo in this case, it seems like the insurance requirement turned out to be a good thing. Pushed them to do things in a controlled, logical way rather than a crufty, silly, legacy way.
yes - sure, that's true, but come on, we both know that's not what the real intention of this request is/was - or at least I personally don't believe that someone at the insurance company has a personal vendetta against USB storage - but really, they are trying to prevent insurance data from being leaked... and when they were considering how things get leaked - they crazily started and stopped with USB storage.
Well, I don't know. Let's think about it... USB sticks being allowed is an extremely weird thing to want to keep. It's a super dangerous activity with little reason to be allowed in the modern world. So anyone doing it is likely to be doing loads of risky, stupid things because the reason to want to do it is almost certainly a bad one.
The goal is easily to heavily punish bad behaviour and/or encourage rethinking bad decisions. It's isolated, but it worked. Something risky and dumb turned into something modern and practical in a pretty predictable way. The insurance company pushed them to fix a process that you as IT alone could not do.
Do assume insurance companies are dumb when they do something that turns out really smart. They do their homework.
Their stated reason for wanting no USB was - "so our data doesn't walk out of your company." So while what you say has merit - it's not ever been a reason given for it's discontinued use... and hell, if it had.... if they had said - "you know, USB is legacy and carries the risk of passing infections along much more easily than say - emailing the data to someone, or using Dropbox, etc, so we'd much rather you share our data via those processes than via USB - and we'd like you to disable USB because reasons already mentioned" then the client would have likely gone that way from the start.
They can most likely track where the data was leaked through email or something else like Dropbox. That's almost impossible with USB drives without something like DLP. So yes while it doesn't necessarily stop someone from leaking data that way, it's at least somewhat traceable.
oh? how is that more traceable through email or Dropbox? Unless you're saying those things HAVE logs.. what if they don't?
-
@wirestyle22 said in DLP (Data Loss Prevention) solution:
We're using Dell Data Protection. Without the encryption they don't work on any of our workstations. Doctors don't care enough about security until they have to pay fines. @Dashrender you're still in the medical field right?
Yes I do, and of course you're right, they don't.
They already complain how 'hard' their job is with regulation.. and we just 'want to make it harder'. -
@wirestyle22 said in DLP (Data Loss Prevention) solution:
@DustinB3403 said in DLP (Data Loss Prevention) solution:
@wirestyle22 said in DLP (Data Loss Prevention) solution:
Doctorsdon't care enough about security until they have to pay fines. @Dashrender you're still in the medical field right?No one
FTFY
My mother in law is the litmus test. She "cares about security" but is not willing to do anything about it
I think you meant - clearly she doesn't care about security, because she's unwilling to do anything about it.
-
@Dashrender said in DLP (Data Loss Prevention) solution:
@wirestyle22 said in DLP (Data Loss Prevention) solution:
@DustinB3403 said in DLP (Data Loss Prevention) solution:
@wirestyle22 said in DLP (Data Loss Prevention) solution:
Doctorsdon't care enough about security until they have to pay fines. @Dashrender you're still in the medical field right?No one
FTFY
My mother in law is the litmus test. She "cares about security" but is not willing to do anything about it
I think you meant - clearly she doesn't care about security, because she's unwilling to do anything about it.
Yes, she's a typical user
-
@wirestyle22 said in DLP (Data Loss Prevention) solution:
@Dashrender said in DLP (Data Loss Prevention) solution:
@wirestyle22 said in DLP (Data Loss Prevention) solution:
@DustinB3403 said in DLP (Data Loss Prevention) solution:
@wirestyle22 said in DLP (Data Loss Prevention) solution:
Doctorsdon't care enough about security until they have to pay fines. @Dashrender you're still in the medical field right?No one
FTFY
My mother in law is the litmus test. She "cares about security" but is not willing to do anything about it
I think you meant - clearly she doesn't care about security, because she's unwilling to do anything about it.
Yes, she's a typical user
As are most!
Though - I did training for 3 new users yesterday - and much to my amazement and delight, two of the three were actually pretty excited to learn about LastPass.
-
@SmithErick said in DLP (Data Loss Prevention) solution:
Threatlocker? Leaves MacOS out though.
https://www.threatlocker.com/products/threatlocker-storage-control/Always has... that's what I told them it is not enterprise yet.
-
@Dashrender said in DLP (Data Loss Prevention) solution:
@stacksofplates said in DLP (Data Loss Prevention) solution:
@Dashrender said in DLP (Data Loss Prevention) solution:
@scottalanmiller said in DLP (Data Loss Prevention) solution:
@Dashrender said in DLP (Data Loss Prevention) solution:
@scottalanmiller said in DLP (Data Loss Prevention) solution:
@Dashrender said in DLP (Data Loss Prevention) solution:
Ultimately the client decided it wasn't worth the hassle of buying/deploying DLP just so they could use USB sticks.
Instead - they will email or OD4B or Slack the files around that they neeSo in this case, it seems like the insurance requirement turned out to be a good thing. Pushed them to do things in a controlled, logical way rather than a crufty, silly, legacy way.
yes - sure, that's true, but come on, we both know that's not what the real intention of this request is/was - or at least I personally don't believe that someone at the insurance company has a personal vendetta against USB storage - but really, they are trying to prevent insurance data from being leaked... and when they were considering how things get leaked - they crazily started and stopped with USB storage.
Well, I don't know. Let's think about it... USB sticks being allowed is an extremely weird thing to want to keep. It's a super dangerous activity with little reason to be allowed in the modern world. So anyone doing it is likely to be doing loads of risky, stupid things because the reason to want to do it is almost certainly a bad one.
The goal is easily to heavily punish bad behaviour and/or encourage rethinking bad decisions. It's isolated, but it worked. Something risky and dumb turned into something modern and practical in a pretty predictable way. The insurance company pushed them to fix a process that you as IT alone could not do.
Do assume insurance companies are dumb when they do something that turns out really smart. They do their homework.
Their stated reason for wanting no USB was - "so our data doesn't walk out of your company." So while what you say has merit - it's not ever been a reason given for it's discontinued use... and hell, if it had.... if they had said - "you know, USB is legacy and carries the risk of passing infections along much more easily than say - emailing the data to someone, or using Dropbox, etc, so we'd much rather you share our data via those processes than via USB - and we'd like you to disable USB because reasons already mentioned" then the client would have likely gone that way from the start.
They can most likely track where the data was leaked through email or something else like Dropbox. That's almost impossible with USB drives without something like DLP. So yes while it doesn't necessarily stop someone from leaking data that way, it's at least somewhat traceable.
oh? how is that more traceable through email or Dropbox? Unless you're saying those things HAVE logs.. what if they don't?
I guess you could possibly find a service that doesn't? I mean I didn't say it was guaranteed that there were, just that it's likely.
-
I'm confused why you would need DLP if they are encrypted drives like you were asking about earlier.
-
@stacksofplates said in DLP (Data Loss Prevention) solution:
I'm confused why you would need DLP if they are encrypted drives like you were asking about earlier.
The idea of encrypting the drives was dropped - notice this thread never mentioned that...
The idea of a solution that could somehow require all USB attached storage to somehow magically be encrypted is farfetched at best... so we dropped that way of looking.... Upon doing so, the insurance company said "apply DLP to anything written to USB storage".... so the start of this thread.
But continuing in this thread and conversations with my client we've totally changed tactics again - all USB storage access will be removed. File transfers will happen through OneDrive for Business and Email. So we've dropped any discussion of DLP at this point.