data loss redux: thinking organically

Originally posted to Black Cats and Smoke and Mirrors

A little while ago I wrote about DLP, or Data Loss Prevention, and how the term is something of a red herring because, in reality, everything we do is about preventing data loss; ergo, the concept can’t be neatly productized. I still feel that way.

However, a few days after I posted it, I was contacted by a fellow named Pablo Osinaga, who has co-founded a startup called Kormox. He wanted me to see his company’s DLP solution, profiled by SC Magazine.

After reading SC’s blurb on the subject, I was quite intrigued, and arranged a web/phone meeting with Mr. Osinaga. For a little over an hour, we discussed Kormox and the concept of DLP.

As I said, DLP is a very difficult concept to productize. Everyone needs to prevent the loss or leakage of data, but everyone — every enterprise, every business, every organization, even every person — has different data and different types of data that they need to protect. Some organizations are concerned with mobile data; some are concerned with file shares; some are concerned with PII; and so on. No one vendor — no one product — has a fully comprehensive DLP solution because what DLP means is so dependent on each organization’s mission and needs, which not only differs among organizations but can be subject to change within an organization over time.

One of the first things that Mr. Osinaga mentioned, in presenting his company’s solution, was that enterprises have become more organic and less structured. I could not agree more. I have worked for many different security solutions vendors, and I hear over and over about the “special snowflake syndrome”, how every organization thinks they are “different” in some way, but they are really all the same. The trend, with every security vendor I’ve worked with, is to pigeonhole potential and existing customers, to basically tell them that they can’t have what they say they want, to fit them to the solution that the vendor has, in their infinite wisdom, envisioned and created. Yet as time goes on, and as Mr. Osinaga noted, enterprise structure is becoming more fluid, less definable, and less able to be pigeonholed.

Kormox’s solution starts with data classification. It’s so simple, and so logical. Of course you have to classify your data. But it’s not enough to say “I have to protect medical records” or “I have to protect credit card numbers”. In the DLP-productization game, vendors talk about what kind of data you want to protect, and then they talk about how they’re going to protect it, but they don’t really cover the territory of what, exactly, your data means to the people who are using it. That’s your problem.

And that’s how Kormox differentiates itself from the crowd: data classification is a major step, and it involves finding out not only what the data is (as opposed to merely what kind of data), but the flow of the data: where it is, who is using it, how they use it, where it’s going, where it’s been, and so on. All this is part of the classification, and it brings DLP back to the true “asset management” model of Information Security, where the asset is the data itself, not the (often fungible) hardware on which it rests.

After the data has been classified, the product allows the asset owners to implement controls in a similarly organic fashion. In essence, it takes the organization from the situation of “I know I need to protect our data” to “I know where and what all our data is, how it’s used, and what controls are on it” — something that no other DLP solution does.
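As an added illustration of the classification-then-controls idea described above (this is example code, not Kormox's product or anything shown in the meeting): each asset records not just its kind but the flows it is allowed to take, and a control check then decides whether an observed transfer is a legitimate use or an incident. Asset names, roles, channels and events are constructed sample values.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Flow:
    role: str         # who is allowed to use the data
    channel: str      # how it moves, e.g. "sftp", "email", "hr-portal"
    destination: str  # where it may go, e.g. "internal", "payroll-vendor"

@dataclass
class DataAsset:
    name: str
    kind: str                 # what kind of data (PII, PCI, ...)
    owner: str                # asset owner accountable for the controls
    allowed: set[Flow] = field(default_factory=set)

def register_flow(asset: DataAsset, role: str, channel: str, destination: str) -> None:
    """Record one observed-and-approved flow as part of classification."""
    asset.allowed.add(Flow(role, channel, destination))

def evaluate(asset: DataAsset | None, role: str, channel: str, destination: str) -> str:
    """Decide what an observed movement of the asset means.

    The same kind of data (PII) can be a legitimate transfer or a leak;
    only the recorded flow tells them apart. Unclassified assets cannot
    be judged at all, which is the gap during the classification phase.
    """
    if asset is None:
        return "unclassified"
    if Flow(role, channel, destination) in asset.allowed:
        return "allowed"
    return "incident"

def build_sample_inventory() -> dict[str, DataAsset]:
    # Constructed inventory: one PII asset with two approved flows.
    payroll = DataAsset("payroll-export", "PII", "hr-director")
    register_flow(payroll, "hr-analyst", "sftp", "payroll-vendor")
    register_flow(payroll, "hr-analyst", "hr-portal", "internal")
    return {payroll.name: payroll}

def triage(inventory: dict[str, DataAsset], events: list[dict]) -> list[tuple[str, str]]:
    """Run observed transfer events through evaluate()."""
    return [(e["asset"], evaluate(inventory.get(e["asset"]), e["role"], e["channel"], e["destination"]))
            for e in events]

# Constructed events: an approved vendor transfer, the same data sent to
# personal webmail, a role that was never classified as a user, and an
# asset nobody has classified yet.
SAMPLE_EVENTS = [
    {"asset": "payroll-export", "role": "hr-analyst", "channel": "sftp", "destination": "payroll-vendor"},
    {"asset": "payroll-export", "role": "hr-analyst", "channel": "email", "destination": "personal-webmail"},
    {"asset": "payroll-export", "role": "contractor", "channel": "hr-portal", "destination": "internal"},
    {"asset": "sales-forecast", "role": "analyst", "channel": "usb", "destination": "removable-media"},
]

if __name__ == "__main__":
    for name, verdict in triage(build_sample_inventory(), SAMPLE_EVENTS):
        print(f"{name}: {verdict}")
```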

I’m not laboring under an illusion that this product is perfect; no product could be. But I do think that Kormox is going in a necessary direction with their concept of data flow as a part of classification. At the moment it’s a bit clunky looking, but from what I saw in our meeting, it is definitely worth a look.

I’d like to note that I am in no way compensated for writing about Kormox; I’m writing about it because Mr. Osinaga contacted me as a result of my last DLP article, and so I thought it was only fair to talk about what I found out in our meeting.

  • David Frier

    Sounds more like a differentiation in implementation effort approach. By force of its being part of the methodology they impose, they are getting companies to do what they should know they have to do anyway.

    Won’t any DLP product succeed as well if coupled with this kind of rigorous classification effort up front?

  • Mimi Herrmann

    Sure, but as SC points out, this implementation allows the user to work without having that pre-knowledge.

  • Arik Baratz

    Hello (and hi David!)

    Disclaimer: I work for Websense, one of the DLP vendors.

    The only thing I find incorrect about your article is the assertion that this is the only product that does that. It is not, by far.

    It is impossible to just drop a DLP product into an organization and expect it to “simply work”. You have to understand the data flows in the organization at least to some extent to figure out what the business use of business data over business channels is, and it has to be part of the implementation design from day 1.

    The impact on the actual product is that it has to be flexible enough to accommodate these scenarios and encode that understanding into the rules that govern what is considered a data loss incident and what is just someone doing something legit with data that may well be sensitive.

    I’ll be curious to see what really is different about Kormox’s approach to DLP and how it’s possible to sustain their claim that “preknowledge is not necessary” (from SC magazine).

    – Arik

  • Mimi Herrmann

    Hi Arik,

    I don’t think anyone drops a product in and expects it to “just work”, but I do think that security products make the adaptation the customer’s problem.

    Again, I don’t believe Kormox is the Holy Grail, but I do think that it’s got a refreshing approach. I’d welcome the chance to take a look at your product as well.

  • Jack Gook

    Interesting article; however, I must agree with Arik that this is simply yet another DLP product working the same way as most others, which is to classify or discover or fingerprint stuff so as to mark it for closer scrutiny and hence enhanced security.
    Since all such products require an immense amount of time and money to get past the first step of classification, any organization will be open to exfiltration for quite some time until the classification has been completed, a risk that needs to be dealt with right away.
    I have recently seen a “new” solution that prevents data from leaving the enterprise network without special authorization to do so; thus it is transparent to the user and uses the network as the boundary to contain data.
    Would this not make more sense, at least as a first step, since it can be up and running almost immediately?

  • Mimi Herrmann

    Any organization already IS open to exfiltration, without something in place from Day One to prevent it (which is virtually impossible).

    Again, all I think that is different about this product is the way it goes about classification, in a much more organic manner.

  • LonerVamp

    It’s my opinion that far too many people really *do* purchase a DLP product and expect to drop it in and be done. Data classification and explicitly going over data flows is onerous to so many…I imagine a huge majority of DLP roll-outs involve using the most basic prepackaged data finding rules like CC# or SSN.

    The other flip side is the expectation so many people have that DLP == secure, when in fact it is not. Technical people can find ways around it, but that’s not the point.