I’ve been looking into the correlation between identity monitoring and data loss prevention technologies. Can you clarify if these two go hand-in-hand and if so, the best ways to use them to get maximum efficiency?
Many companies are examining the relationship between identity monitoring and data loss prevention (DLP), driven by the need to know who is on the network, what data are they seeing, and which actions are they taking with that data. This need to know comes from the confluence of several trends: the increase in the number of insider threats, the increase in monitoring for compliance purposes, and the adoption of identity management technologies.
Identity monitoring is about correlating the user information stored in identity management systems with user information stored elsewhere in the enterprise, then connecting that single user view with the broad activities that the person actually performs. Why is this hard to do? Consider the typical identity and access management application.
It is well-suited for controlling and tracking access to Web applications.
It is just okay at controlling and tracking access to packaged applications. It is pretty bad at controlling access to legacy custom applications, and it is unable to control access to desktops, file shares, print servers, and the many other systems that a typical user touches each day. Identity monitoring uses the very broad collection and correlation abilities of SIEM products, plus the role and rights modeling of identity management products, to create a comprehensive view of user activity.
Now, how does DLP fit in? In some ways, the term data loss prevention is a misnomer. DLP products often do not block sensitive data from leaving the premises. Instead, these products are designed to identify sensitive or confidential data, either in place or as it moves around the network. These products use a variety of methods to identify data, such as pattern matching (e.g. do the rows in this e-mail appear to contain something that looks like a Social Security Number, i.e. XXX-XX-XXXX?), dictionary lookups (e.g. does this e-mail contains words related to common medical conditions?), and file fingerprinting (e.g. does a hash of this file substantially match a hash of a file on a protected file server?).
If identity monitoring tells us who is on the network and which actions they are taking, then DLP allows us to understand what type of data they are viewing. In practical terms, this means that a DLP system sends verdicts to the identity monitoring system; a particular file, message, or other data is judged to be confidential or not. If the DLP system tells the identity monitoring system that the file a user accessed is confidential and contains credit card numbers, the identity monitoring system correlates that action with the user’s other activities. For example, the user might then attach the file to a Web e-mail, print the numbers, and so forth, and this triggers an alert in the security operations center.
Interest in these identity- and data-driven monitoring scenarios is growing fast. The most interesting aspect of this type of monitoring is that it does not require any technology magic; the pieces exist and are often in place. Identity management, SIEM, and DLP products are well understood and deployed in many organizations. The trick now is to tie them together in ways that are useful and provide high value while solving business challenges in a connected world.