{"id":2409,"date":"2012-12-10T06:20:47","date_gmt":"2012-12-10T00:50:47","guid":{"rendered":"https:\/\/www.qadit.com\/blog\/?p=2409"},"modified":"2012-12-10T06:20:47","modified_gmt":"2012-12-10T00:50:47","slug":"dlp-discover-first-or-monitor-first","status":"publish","type":"post","link":"https:\/\/qadit.com\/blog\/dlp-discover-first-or-monitor-first\/","title":{"rendered":"DLP: Discover First or Monitor First?"},"content":{"rendered":"<p>Should I <strong>DISCOVER<\/strong> where sensitive\/regulated data resides in my environment OR <strong>DETECT<\/strong> when it is being leaked? Storage DLP first or network DLP first? Data-at-rest (DAR) first or Data-in-motion (DIM) first? What is more important, knowing WHAT can be stolen and from where OR WHAT is being sent out today?<\/p>\n<p>Sorry, but \u201cIT DEPENDS.\u201d As with many tough questions in life, this one has no single right answer. Successful data protection projects, whether for regulated data or corporate secrets, often start with a discovery sweep of an internal network. Looking for PANs, SSNs, known secret documents, customer records or whatever else allows the DLP conversation to start and the \u201clay of the data land\u201d to become clearer. At the same time, they also often start with observing sensitive and regulated data flowing out of your environment via email, FTP, web uploads, etc. This helps jumpstart the DLP discourse and creates a sobering realization of \u201cWhaaaat!? 
This is going on RIGHT NOW!!?\u201d Both are common and reasonable.<\/p>\n<p>So, why discover first?<\/p>\n<ul>\n<li>Learn the extent of <a href=\"https:\/\/www.gartner.com\/resId=2037915\">sprawl<\/a> of a particular type of data <\/li>\n<li>Assess the complexity of the upcoming data protection effort <\/li>\n<li>Gather ammunition for identifying and then engaging the data owners <\/li>\n<li>Learn what to include in monitoring policies next <\/li>\n<\/ul>\n<p>Why monitor first?<\/p>\n<ul>\n<li>Observe (and, then, hopefully, stop) the most blatant and obvious leaks <\/li>\n<li>Assess the priority of needed data protection efforts based on ongoing data movement <\/li>\n<li>Easily get a taste of content-aware DLP technology without too much hard work (!) <\/li>\n<li>Learn what to include in discover scans next <\/li>\n<\/ul>\n<p>As a side note, few organizations would venture into \u201cenforce first\u201d as you need to know BEFORE you can act. Control comes after visibility (and, by the way, in some domains it never really comes\u2026). One can discover first and then reduce, secure, monitor and protect what is discovered. One can also monitor first and then evolve to reduce the exposure. The sole exception I\u2019ve seen is enforcing something trivial like \u2018block all USB access on endpoints\u2019, which is hardly at the core of content-aware DLP. <\/p>\n<p>Finally, if you\u2019d absolutely push me to the wall and make me give a simple answer to a complex question, then go do network monitoring first\u2026 mostly because it is easier (= the most similar to netsec technologies) and often produces nasty (and thus deeply motivating) surprises. <\/p>\n<p>P.S. This discussion does not remove the requirement to understand what you are trying to do with DLP and with data security in general. The real FIRST action is always \u2018think\u2019, not \u2018buy\u2019 or \u2018deploy\u2019. 
Don\u2019t get those ideas :-)<\/p>\n<p><b>Related posts:<\/b><\/p>\n<ul>\n<li>\n<a href=\"https:\/\/blogs.gartner.com\/anton-chuvakin\/2012\/11\/30\/on-dlp-and-pci-dss\/\">On DLP and PCI DSS<\/a> <\/li>\n<li>\n<a href=\"https:\/\/blogs.gartner.com\/anton-chuvakin\/2012\/11\/09\/on-dlp-and-ip-theft\/\">On DLP and IP Theft<\/a> <\/li>\n<li>\n<a href=\"https:\/\/blogs.gartner.com\/anton-chuvakin\/2012\/11\/01\/dlp-andorforvs-data-security\/\">DLP and\/or\/for\/vs Data Security<\/a> <\/li>\n<li>\n<a href=\"https:\/\/blogs.gartner.com\/anton-chuvakin\/2012\/10\/25\/on-dlp-processes-or-no-dlp-for-dummies\/\">On DLP Processes or \u201cNo DLP For Dummies\u201d<\/a> <\/li>\n<li>\n<a href=\"https:\/\/blogs.gartner.com\/anton-chuvakin\/2012\/10\/19\/on-dlp-research\/\">On DLP Research<\/a> <\/li>\n<\/ul>\n<p><\/p>\n<hr>\n<p>Original news article at <a href=\"https:\/\/blogs.gartner.com\/anton-chuvakin\/2012\/12\/07\/dlp-discover-first-or-monitor-first\/\">https:\/\/blogs.gartner.com\/anton-chuvakin<\/a> on December 07, 2012 at 10:15PM<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Should I DISCOVER where sensitive\/regulated data resides in my environment OR DETECT when it is being leaked? Storage DLP first or network DLP first? Data-at-rest (DAR) first or Data-in-motion (DIM) first? What is more important, knowing WHAT can be stolen and from where OR WHAT is being sent out today? 
Sorry, but \u201cIT DEPENDS.\u201d As &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/qadit.com\/blog\/dlp-discover-first-or-monitor-first\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;DLP: Discover First or Monitor First?&#8221;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[1],"tags":[4],"class_list":["post-2409","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-it-security"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9AH7Q-CR","_links":{"self":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts\/2409","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/comments?post=2409"}],"version-history":[{"count":0,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts\/2409\/revisions"}],"wp:attachment":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/media?parent=2409"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/qadit.com\/bl
og\/wp-json\/wp\/v2\/categories?post=2409"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/tags?post=2409"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}