
Implementation of a DLP system on the example of retail
“I apologize,” a familiar voice spoke firmly, but very quietly, from the darkness. Looking around, I saw the silhouette of a stranger smoothly moving in my direction. “Are you late?” He continued. “Perhaps,” I replied, quickly scrolling through all the options for a potential dialogue, comparing the person’s appearance with the variations of his possible requests that came to mind.
He was a grandfather of about seventy, with a neat gray mustache and gray hair swaying slightly in the wind. He was wearing glasses, wearing a gray suit common to all people of this age, and a dazzlingly bright blue shirt. He seemed dressed clumsy and catchy, given the fact that we were in one of the sleeping areas of Moscow. After my reply, he glanced at his watch and also firmly, but already with a grin said: "Then I may have already been late." “Why you?” - not fully understanding what was happening, I asked. “But because, I don’t know how long your“ maybe ”lasts,” replied Grandfather with a sly smile on his face. “Time, time, it cannot be discounted, you have been saying these“ maybe ”to us for a long time, we are all waiting,” he continued without a smile. "A lot of letters, write an article on Habr, deadlines are running out," said grandfather, and I woke up ...
As it turned out, it was a dream, an iconic dream. In order not to annoy Nikita Mikhalkov from my dream, I, a young guy from LANIT Integration , wrote an article on the introduction of a DLP system using retail as an example.

What is a DLP system? Suppose you already know what it is, and you can write: "Yes, DLP years, like a mammoth," "Che tell there?", "This is not news." I will answer right away: the article contains a story about an important part of the implementation of the system - analytics, because techies do not know what information is really important. In addition, it should be noted that there are a lot of articles about DLP, but how it is implemented, and why integrators do the work, no. And yes, there will be a brief descriptive excursion about DLP, other people, not you, may not know. Maxim from LANIT takes care of the readers. Let's go!
DLP (Data Leak Prevention) - Data Leak Prevention. The work of the system is to analyze information circulating within the organization, and going outside. That is, this time accounting will not do mass mailing of information about your salary. Thanks to sets of certain rules defined by the system, it is possible to block the transfer of confidential information or to notify that confidential information may be transferred to the wrong hands.

The descriptive excursion is over, we are moving on.
Do you have a corporate network? Does it handle sensitive information? Are you afraid that someone other than you will use your confidential information?
"YES! YES! YES! ”, A well-known retail company answered these questions impulsively and convulsively, like Agutin hitting a button, and was not mistaken.

Our customer understood that the threat of leakage of confidential information in the overwhelming part lies in the current and former employees of the company. Therefore, it was important to reduce the risk of a potential incident of the type “employee and his friends”. Yes, you can say: “Take normal employees” or “You do not trust employees, why should they trust you?” The answer is simple - there is a “crank” with the letter “m” everywhere, and its “eccentricity” may not appear immediately, but this is a risk.
But even in an ideal situation, one cannot be sure that a reliable and professional employee will not make a mistake. For such employees, the system works like a life jacket and at some point asks: “Maybe not?”.
Three major implementation steps:
Before the introduction of any system, it is necessary to conduct an examination of the object of future work. Therefore, our engineers and information security consultants set off on the first plane to find out everything about the customer.

What we discussed:
After the examination, we, together with the customer, began to consider all possible options for a future technical collage. Having compiled a list of customer needs, we selected two domestic and two foreign vendors. By comparing the solutions, the most suitable product was selected. After approval of the decision, they started piloting.
Pilot testing took place within one month. As a result, we made sure that the chosen solution covers all the requirements of the customer. Having developed the report and protecting it, we proceeded to the next stage.
After the pilot, we started implementation. The first thing we started with was the creation of a system architecture covering all departments, divisions and branches. Next is the approval of the implementation plan. It looks like a bottle broken on a ship. We needed to explain to all employees what we are implementing, how it works, what goals we pursue. Thanks to the briefings held on the DLP system and its purpose, we gained understanding from the staff and were ready to continue to stick to our plan.
The next step was to implement iron, configure software, and develop policies.

After the installation and deployment, we needed to clearly understand what we would protect and how to configure our DLP according to the necessary policies. Often the company has no idea about confidential information. One person will never say what information is confidential for the whole company, moreover, in our case we are talking about an international organization with thousands of employees.
Therefore, it is necessary to conduct interviews. Moreover, interviews should be held with key information holders, i.e. with people with certain competencies and an understanding of what information is confidential in their field, because it is the heads of departments that are business consumers of the DLP functionality. Information about the leak after processing by the security officer is sent to the manager, who makes a further decision on what to do with this incident.
Source
To determine the owners of the information we need, we studied the organizational structure, experienced consultants made a proposal, and the responsible person finally determined the list of interviewees. It is worth noting that an interview can only be useful if the head of the department fully understands what and how is functioning in his department. The higher management can not guess about subtleties of this or that sphere.
From the interview it became clear to us which information is confidential for the company. From each department you can get all types of confidential information, which should only find a specific addressee.
For further customization, we needed sample documents containing the protected information. The respondent indicated to us where it is stored and in what way it is transmitted. We need all these analytical subtleties to configure certain system rules and to understand how to protect this information.
After that, the policies were written and agreed upon in a form that is convenient for transferring to the system.
Typically, a DLP system operates according to the following algorithm:

How to teach the system to analyze the information that it receives?
Here are some types of privacy documentation analysis:
After commissioning, we began to conduct preliminary tests:
Upon receipt of data, the number of false positives, not exceeding 30%, is considered an ideally tuned DLP system. The explanation lies in the fact that more than 100,000 events can occur per day, because this percentage is acceptable. But even with an initially huge amount of LPS (false response rate), there were also events requiring attention from the security officer.
The role of the integrator is:
Although this is not all the points, it’s already clear how the purchase of iron with wiring differs from the targeted purchase of equipment and its settings for specific tasks.
Integrate with love.
LANIT

P.S. Car sold))
He was a grandfather of about seventy, with a neat gray mustache and gray hair swaying slightly in the wind. He was wearing glasses, wearing a gray suit common to all people of this age, and a dazzlingly bright blue shirt. He seemed dressed clumsy and catchy, given the fact that we were in one of the sleeping areas of Moscow. After my reply, he glanced at his watch and also firmly, but already with a grin said: "Then I may have already been late." “Why you?” - not fully understanding what was happening, I asked. “But because, I don’t know how long your“ maybe ”lasts,” replied Grandfather with a sly smile on his face. “Time, time, it cannot be discounted, you have been saying these“ maybe ”to us for a long time, we are all waiting,” he continued without a smile. "A lot of letters, write an article on Habr, deadlines are running out," said grandfather, and I woke up ...
As it turned out, it was a dream, an iconic dream. In order not to annoy Nikita Mikhalkov from my dream, I, a young guy from LANIT Integration , wrote an article on the introduction of a DLP system using retail as an example.

1. What is a DLP system
What is a DLP system? Suppose you already know what it is, and you can write: "Yes, DLP years, like a mammoth," "Che tell there?", "This is not news." I will answer right away: the article contains a story about an important part of the implementation of the system - analytics, because techies do not know what information is really important. In addition, it should be noted that there are a lot of articles about DLP, but how it is implemented, and why integrators do the work, no. And yes, there will be a brief descriptive excursion about DLP, other people, not you, may not know. Maxim from LANIT takes care of the readers. Let's go!
DLP (Data Leak Prevention) - Data Leak Prevention. The work of the system is to analyze information circulating within the organization, and going outside. That is, this time accounting will not do mass mailing of information about your salary. Thanks to sets of certain rules defined by the system, it is possible to block the transfer of confidential information or to notify that confidential information may be transferred to the wrong hands.

The descriptive excursion is over, we are moving on.
2. What motivated the implementation
Do you have a corporate network? Does it handle sensitive information? Are you afraid that someone other than you will use your confidential information?
"YES! YES! YES! ”, A well-known retail company answered these questions impulsively and convulsively, like Agutin hitting a button, and was not mistaken.

Our customer understood that the threat of leakage of confidential information in the overwhelming part lies in the current and former employees of the company. Therefore, it was important to reduce the risk of a potential incident of the type “employee and his friends”. Yes, you can say: “Take normal employees” or “You do not trust employees, why should they trust you?” The answer is simple - there is a “crank” with the letter “m” everywhere, and its “eccentricity” may not appear immediately, but this is a risk.
But even in an ideal situation, one cannot be sure that a reliable and professional employee will not make a mistake. For such employees, the system works like a life jacket and at some point asks: “Maybe not?”.
3. Stages of work
Three major implementation steps:
- formation of requirements
- design and installation
- analytics and system setup.
Formation of requirements
Before the introduction of any system, it is necessary to conduct an examination of the object of future work. Therefore, our engineers and information security consultants set off on the first plane to find out everything about the customer.

What we discussed:
- organizational and administrative documentation related to the security and classification of information,
- list of information resources,
- network circuits
- data flow schemes
- organizational structure.
After the examination, we, together with the customer, began to consider all possible options for a future technical collage. Having compiled a list of customer needs, we selected two domestic and two foreign vendors. By comparing the solutions, the most suitable product was selected. After approval of the decision, they started piloting.
Pilot testing took place within one month. As a result, we made sure that the chosen solution covers all the requirements of the customer. Having developed the report and protecting it, we proceeded to the next stage.
Design and Installation
After the pilot, we started implementation. The first thing we started with was the creation of a system architecture covering all departments, divisions and branches. Next is the approval of the implementation plan. It looks like a bottle broken on a ship. We needed to explain to all employees what we are implementing, how it works, what goals we pursue. Thanks to the briefings held on the DLP system and its purpose, we gained understanding from the staff and were ready to continue to stick to our plan.
The next step was to implement iron, configure software, and develop policies.
You can spend millions on the delivery and implementation of the system, but without its proper configuration, the result will not be achieved. The out-of-box DLP system is not efficient and does not function properly.

System analytics and tuning
After the installation and deployment, we needed to clearly understand what we would protect and how to configure our DLP according to the necessary policies. Often the company has no idea about confidential information. One person will never say what information is confidential for the whole company, moreover, in our case we are talking about an international organization with thousands of employees.
Therefore, it is necessary to conduct interviews. Moreover, interviews should be held with key information holders, i.e. with people with certain competencies and an understanding of what information is confidential in their field, because it is the heads of departments that are business consumers of the DLP functionality. Information about the leak after processing by the security officer is sent to the manager, who makes a further decision on what to do with this incident.

To determine the owners of the information we need, we studied the organizational structure, experienced consultants made a proposal, and the responsible person finally determined the list of interviewees. It is worth noting that an interview can only be useful if the head of the department fully understands what and how is functioning in his department. The higher management can not guess about subtleties of this or that sphere.
From the interview it became clear to us which information is confidential for the company. From each department you can get all types of confidential information, which should only find a specific addressee.
For further customization, we needed sample documents containing the protected information. The respondent indicated to us where it is stored and in what way it is transmitted. We need all these analytical subtleties to configure certain system rules and to understand how to protect this information.
After that, the policies were written and agreed upon in a form that is convenient for transferring to the system.
Typically, a DLP system operates according to the following algorithm:
- interception of information (the system captures the file - received, sent, open, etc.);
- analysis of information (the system determines where the document is sent and, using the configured labels, determines the nature of the information in it, understands what kind of document it is);
- blocking or notification of an incident (the system determines how legitimate the operation on the document is (processing according to the configured policies)).

How to teach the system to analyze the information that it receives?
Here are some types of privacy documentation analysis:
- Form / blank detector
Allows you to detect forms / blanks containing confidential information such as tax, medical, insurance forms, etc. - Digital fingerprints
Applies fingerprinting methods for documents to detect confidential information stored in unstructured data, including Microsoft Office documents, PDF files; and binary files such as JPEG, CAD, and multimedia files. IDM also detects “derived” content, such as text copied from a source document to another file. - Mapping
Discovers content by identifying structured data sources, including databases, directory servers, or other structured data files.
We prescribed the necessary policies, we had to carry out final activities before the delivery of work.
4. Summary
After commissioning, we began to conduct preliminary tests:
- DLP tests for operability and compliance with the formulated requirements;
- troubleshooting and making changes to the documentation.
Upon receipt of data, the number of false positives, not exceeding 30%, is considered an ideally tuned DLP system. The explanation lies in the fact that more than 100,000 events can occur per day, because this percentage is acceptable. But even with an initially huge amount of LPS (false response rate), there were also events requiring attention from the security officer.
The role of the integrator is:
- in carefully selecting a system for specific tasks, comparing all possible options,
- staff training
- analysis of the processed information,
- system setup
- individual approach
- expertise.
Although this is not all the points, it’s already clear how the purchase of iron with wiring differs from the targeted purchase of equipment and its settings for specific tasks.
Integrate with love.
LANIT

P.S. Car sold))