Sub-Practices for Large Organizations

4.L.A Advanced Data Loss Prevention
NIST FRAMEWORK REF: PR.DS-5

After implementing basic DLP controls, you should consider expanding your DLP capabilities to monitor other common data access channels. Table 7 recommends methods for your consideration.

Table 7. Expanding DLP to Other Data Channels

Data Channel: Network
Implementation Specification: Implement through Switched Port Analyzer ports from egress network points or through Internet Content Application Protocol on web proxies.
Considerations:
- If online, prevent the leakage of unencrypted sensitive data based upon predefined thresholds (e.g., files that contain > 100 records of PHI).
- If out of band, activate IR procedures to contain data leakages that occur through the network.

Data Channel: Cloud storage
Implementation Specification: Use cloud access security broker systems to monitor data flows into cloud systems.
Considerations:
- Label data identified as sensitive. Implement digital rights and encryption to limit access to sensitive data.
- Ensure that cloud-based file storage and sharing systems do not expose sensitive data in an "open sharing" construct without authentication (i.e., do not permit the sharing of data through a simple URL link).

Data Channel: Onsite file storage
Implementation Specification: Point discovery scanning systems at known file servers or other large data repositories.
Considerations:
- Conduct regular DLP scans against the file systems to identify sensitive data.
- Query security access permissions for each file that contains sensitive data. Define thresholds for excessive access and set alerts if these are crossed. Forward alerts to the SOC for response, as described in Cybersecurity Practice #8: Security Operations Center and Incident Response.
- Determine the staleness of records with sensitive data. Consider executing data destruction practices for records that have not been opened or viewed for an extended duration.
- Determine data ownership of sensitive files identified in file storage systems, leveraging automated tools. Establish workflow options that allow data owners to provide input into access permission reviews of their sensitive files.

Data Channel: Web-based scanning
Implementation Specification: Configure DLP systems to crawl known public websites for sensitive information.
Considerations:
- Conduct a "spearing" exercise, which is similar to methods deployed by search engines. Compare files and results posted on websites against DLP matching policies and respond quickly to any sensitive data that are exposed.
- Conduct manual searching activities on a periodic basis over exposed websites. Look for files that may contain large amounts of sensitive data (e.g., xls(x), csv, txt and pdf).
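The "Onsite file storage" row of Table 7 calls for a discovery scan that counts sensitive records per file, checks who can read each file, and flags stale data. The script below is an added illustration of that scan and is not part of this document; it assumes an SSN-shaped regex as the record detector, treats world-readable mode bits as "excessive access", and uses a one-year staleness threshold (all three are assumptions; the > 100 records threshold is the table's own).

```python
import os
import re
import stat
import tempfile
import time
from collections import namedtuple

# Hypothetical detector: a "record" is a line carrying an SSN-shaped token;
# a real policy would use the organisation's own identifiers (MRN, DOB, ...).
PHI_RECORD = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
RECORD_THRESHOLD = 100   # Table 7: act on files holding > 100 PHI records
STALE_DAYS = 365         # assumption: not opened for a year counts as stale
# excessive_access here means the mode bits grant read to "other" (everyone)
Finding = namedtuple("Finding", "path records over_threshold excessive_access stale")

def count_phi_records(path):
    """Number of lines in the file that contain a PHI-shaped record."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return sum(1 for line in fh if PHI_RECORD.search(line))

def scan_repository(root, now=None):
    """Discovery scan: one Finding per file that holds sensitive data."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)  # stat first so our own read does not refresh atime
            n = count_phi_records(path)
            if n:
                findings.append(Finding(path, n, n > RECORD_THRESHOLD,
                                        bool(st.st_mode & stat.S_IROTH),
                                        now - st.st_atime > STALE_DAYS * 86400))
    return sorted(findings, key=lambda f: f.records, reverse=True)

def build_sample_share():
    """Constructed sample share: a bulk export, a small note and a clean file."""
    root = tempfile.mkdtemp(prefix="dlp-demo-")
    bulk = os.path.join(root, "patients_export.csv")
    with open(bulk, "w") as fh:
        fh.writelines(f"{i},Doe,123-45-{i:04d}\n" for i in range(150))
    os.chmod(bulk, 0o644)                       # world-readable export
    old = time.time() - 2 * STALE_DAYS * 86400
    os.utime(bulk, (old, old))                  # last opened two years ago
    note = os.path.join(root, "note.txt")
    with open(note, "w") as fh:
        fh.write("callback 123-45-6789 tomorrow\n")
    os.chmod(note, 0o600)
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("no sensitive data here\n")
    return root
```

Each Finding that crosses a threshold is what would be forwarded to the SOC or routed to the data owner for an access review.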

4.L.B Mapping Data Flows
NIST FRAMEWORK REF: ID.AM-3, DE.AE-1

After data business practices are defined, it is advisable to describe these processes in a data map. Data maps should include the following components:
- Applications that house sensitive data
- Standard direction of data movement
- Users of applications and data
- Methods used to store and transmit data

Conducting this type of mapping, and potentially adding it to a larger enterprise architecture reference, enables an organization to identify data protection and monitoring requirements.

Threats Mitigated

1. Ransomware attacks
2. Loss or theft of equipment or data
3. Insider, accidental or intentional data loss

Suggested Metrics

- Number of encrypted e-mail messages, trended by week. The goal is to establish a baseline of encrypted messages sent. Be on the lookout for spikes of encryption (which could indicate data exfiltration) and for no encryption (which could indicate that encryption is not working properly).
- Number of blocked e-mail messages, trended by week. The goal is to detect large numbers of blocked messages, which could indicate potential malicious data exfiltration or a need for user training.
- Number of files with excessive access on the file systems, trended by week. The goal is to take actions that limit access to sensitive data on the file storage systems, create tickets, and deliver them to access management.
- Number of unencrypted devices with access attempts, trended by week. The goal is to use this information to educate the workforce on the risks of removable media.
