In DLP, as in security, one size doesn't fit all. Just because you can't implement a control everywhere in your network doesn't mean it can't add protection in those areas where it makes sense. Maybe restricting USB use globally can't work, but restricting it in the HR department can. For these solutions, I say don't let perfect stand in the way of good enough (or even better). Evaluate whether a quick win can provide added security today and implement it where it will work. This can provide some stopgap protection even as you search for a better solution that can:
- Cover all (or a larger percentage) of the network
- Cover the nodes not protected by some other control
I like to analogize this to the use of a bulletproof vest. Police wear bulletproof vests when on patrol. In fact, policy makers (supervisors, chiefs, etc.) usually force them to be worn. They force their use even though it is well known that they don't cover the entire body. Not only that, but they don't even cover all of the critical areas (groin, head, etc.). To make matters worse, for the areas they do cover, some large-caliber and specialty bullets cut right through them! And yet, we would question the judgement of a police chief who said "because this solution isn't perfect and doesn't protect our officers from all potential bullet hits, we refuse to invest the time and money to implement it." Why do we treat our network security controls any differently?