Planning a phased approach

Deployment and Installation Center | Data Security Solutions | Version 7.7.x

Applies to:

In this topic:

Data Security, v7.7.x

Phase 1: Monitoring

Phase 2: Monitoring with notifications

Phase 3: Policy tuning

Phase 4: Enforcing

Phase 5: Discovery

Phase 6: Endpoint deployments

Next, you need to consider the tactics you can employ in protecting your data, how to configure policies, manage incidents and control access.

To assess how to protect your data from compromise, we recommend using Define Product Name Variable in a multi-phased approach. Listed below is just one approach of many.

Phase 1: Monitoring

Start by monitoring data (auditing without blocking). The following steps usually constitute this phase (you may skip some of the steps if they are not relevant):

Step A: Enable regulatory compliance, regional and industry-related predefined policies:

This supplies a solid first stage of DLP (data loss prevention) deployment

It will give you a good picture of what information is being sent out, by whom, to where and how

Step B: Request custom policies from Websense:

Moving forward, you may identify that your enterprise has unique needs in terms of data identification that are not covered by predefined policies; for example, you may want to protect coupons that are issued or catalog numbers.

To request a policy, please apply to Websense technical support. We will escalate your request and engage the research team. The usual turnaround is approximately 3 weeks (the research team will generally provide an estimated time to completion within 3 days of reviewing the request).

Step C: Fingerprint data (can be also part of Phase 2):

Data fingerprinting allows accurate and efficient data identification

Database fingerprinting (PreciseID database technology):

PreciseID database fingerprinting allows accurate and efficient detection of fingerprinted records coming from various sources:

Database tables

Database views

CSV files

Content policies can be flexibly defined on top of data sources. Detection rules can be configured as combinations of columns and thresholds for a given number of matches.

Database fingerprinting can be used in conjunction with PreciseID patterns. While patterns identify a full range of data (for example, all credit cards), database fingerprinting can narrow down the detection only to credit cards of your enterprise customers. You may want to set higher severity on PreciseID database policies than on PreciseID patterns.

Files, directory, and SharePoint fingerprinting (PreciseID files technology)

PreciseID files technology allows identification of unstructured data (free text)

The data that we identify can already be in a different format (e.g., after PDF conversion), different context (excerpt of confidential document that was fingerprinted), and so on

Advanced and efficient algorithms allow detecting fingerprints even on endpoints that have limited resources

Phase 2: Monitoring with notifications

At this stage, we recommend enabling email notifications to various people in the organization when a policy breach is discovered. The options are:

Global security administrator (can be CISO)

Data owners (specified for each policy)

Senders (people that actually leak the information)—some enterprises prefer to use this option to educate users and watch the expected decrease in the amount of incidents over time in the Trends report.

Managers—direct managers of people that leak information (based on data in the directory server).

Phase 3: Policy tuning

(Phase 3 can be ongoing, in parallel to Phases 1 and 2.) Make sure that you keep the amount of incidents manageable and that all incidents are relevant. The options are:

Disable policies that do not bring value to your enterprise

Make sure the selected channels are relevant for application of policies

Identify incidents that are authorized transactions and make appropriate changes in the authorization for specific policies (e.g., allowing sending specific information from certain sources to certain destinations)

Change thresholds to avoid too many incidents from some policies

Phase 3 is also good for making sure that you assign proper incident managers for various types of incidents, and that you create policy category groups in Data Security Manager and assign them to relevant incident managers.

Phase 4: Enforcing

This phase should begin after all the policies were successfully tuned and business owners, data owners and incident managers are trained and ready to handle the incidents:

You can start with the SMTP channel only and then gradually move to HTTP enforcement as well. Or you could enforce FTP through ICAP and/or Websense Content Gateway integrations.

Continue monitoring incidents and identify whether certain policies can be moved back to auditing only. (Consider this efficiency if you release the email regardless of incidents.)

Encryption: As part of SMTP enforcement, you may want to integrate with encryption gateways. Websense can automatically route certain email transactions to be encrypted based on email content and/or policy definitions (actions).

Phase 5: Discovery

Again, this phase can start earlier, in parallel with other phases.

Establish discovery tasks on sensitive corporate servers, databases, Exchange servers, and SharePoint sites that are widely accessed to ensure you know what sensitive information is located where, and who is allowed to access it.

Phase 6: Endpoint deployments

As explained with other phases, this phase can also be instituted earlier in the security process.

Make sure you are controlling data in use (removable media, clipboard operations, file access) by deploying Websense Data Endpoint in your enterprise:

It will allow controlling data in use even if users are disconnected from network

You may decide to install it in stealth (invisible) mode

Local discovery will assist you in getting to the files that network discovery wouldn't reach. (Essentially, local discovery is looking at the drives on a local machine, like a laptop, which can be disconnected from the network.)