Once upon a time, protecting critical data assets meant keeping printed confidential information in locked boxes labeled top secret. As long as these boxes were kept in secured areas, all was well. Today, information has no such physical boundaries. Network perimeters and firewalls have become the new walls, and data classification schemas are the new box labels. This shift changed how companies keep data from leaving their environments. Video surveillance and locks still provide some value, but their virtual equivalents now do most of the work – one of which is Data Loss Prevention (DLP).
What is DLP?
Data loss prevention is a set of cyber security tools aimed at protecting against the loss of valuable information from a company's network or assets. As Gartner defines it, enterprise DLP provides visibility into the location and usage of data across a company, applies policies based on content and context, and enables companies to respond before data is exfiltrated. Detected violations, whether accidental or intentional actions by users, can be addressed by blocking, filtering, or other measures that prevent data loss.
How does it work?
The goal is to prevent sensitive data from being lost, whether by accident or by design. Within organizations, data can be categorized into three modes: at rest within the network, in transit, and at rest outside of the network. DLP solutions provide visibility into each of these by focusing on network activity, endpoints, storage, and cloud services.
At the endpoint level, DLP monitors data leaving devices, whether copied to USB storage, uploaded through applications that can share data, or sent by other channels. At the storage level, DLP inspects sensitive information in files stored on the network, giving organizations insight into who has access to the data and what is being done with it. At the network level, DLP monitors data in use or in transit on the corporate network: typically fed by network TAPs, the technology scans content traversing the network over various ports and reports on what it sees. Because most of that traffic is now encrypted with TLS, network DLP can only inspect sessions the organization decrypts at a proxy or gateway it controls. At the cloud level, companies extend traditional DLP capabilities into their cloud environments through cloud access security broker (CASB) solutions.
Why do companies implement DLP solutions?
Generally, DLP can help prevent unauthorized or sensitive information from leaving the organization through human error, malicious insider threats, and other means, but there are a few additional benefits:
- Policy enforcement: Having an information security policy is a fundamental best practice for every organization, but policy alone will not prevent the loss of data. DLP solutions help enforce those policies by enabling companies to detect and act on data being transferred to unauthorized entities or stored in insecure areas.
- Compliance support: DLP can support compliance efforts. Several regulations, such as GDPR, require identification and protection of sensitive information. Companies need to know what data assets they have and where they are. DLP can help automate the audit process, produce metrics, and support reporting needs.
- Risk identification and reduction: DLP can shed light on broken or insecure processes within the organization. Through DLP, companies often discover "Shadow IT" or rogue processes in which someone is unknowingly sending or storing sensitive information where they shouldn't. It's an opportunity to identify these risks, fix the processes, and educate users on the correct ways to send and store sensitive information. DLP can also support identification and tracking of insider threats within the company, as well as employee forensic investigations.
- Visibility and contextual awareness: The addition of contextual awareness capabilities is increasing the value of DLP technology. Historically, DLP solutions have identified sensitive data by matching fixed patterns: a tool may search for content that looks like a credit card number or social security number, and businesses could also search for keywords that mark a document as confidential. Although a reasonable start for the industry, these methods produced many false positives (any 16-digit number looks like a card number) and some false negatives. They provided visibility but lacked context.
Furthermore, new regulations and shifting attacker priorities are changing how sensitive data is defined and classified. Credit card numbers and social security numbers are still sought after and should be protected, but intellectual property (IP) is becoming a more highly sought-after data type as ransomware attacks and other methods that threaten core business models arise. While known strings are easy to detect, accurately identifying and protecting IP from leaving the network is a far harder problem: IP is different for every company and requires context to manage accurately.
Integrating artificial intelligence and machine learning into DLP solutions is central to solving these challenges. By analyzing large volumes of content, applying context, and continually tuning the models for each organization, next-generation DLP solutions can identify sensitive data that fixed patterns miss.
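The gap between pattern matching and context that the last few paragraphs describe is easiest to see in code. The Python below is an added example, not code from the original article or from any DLP product: it matches card-number and SSN patterns, validates them (the Luhn check for cards; for SSNs, the SSA rule that area 000, 666 and 900-999, group 00 and serial 0000 are never issued), and then raises or lowers confidence from keywords near the match. The keyword lists, the three confidence levels and the sample messages are assumptions constructed for the example; the card and IMEI numbers are well-known public test values, not real data.

```python
"""Toy DLP content inspector: pattern match, validate, then apply context.

Added example; not code from any DLP product. The keyword lists and the
sample messages are assumptions constructed for illustration.
"""
import re
from dataclasses import dataclass

# Regexes for the "traditional data strings" DLP has always looked for.
CARD_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,15}\d(?![\d-])")  # 13-16 digits
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")

# Illustrative keyword lists (assumed): words near a match that raise or
# lower confidence. A real deployment tunes these per organisation.
CARD_CONTEXT = ("card", "visa", "mastercard", "amex", "cvv", "expir")
NOT_CARD_CONTEXT = ("imei", "tracking", "order", "invoice", "serial")
SSN_CONTEXT = ("ssn", "social security", "w-2", "payroll")


@dataclass
class Finding:
    kind: str        # "card" or "ssn"
    value: str       # the matched text
    confidence: str  # "high", "medium" or "low"
    reason: str


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers (and by IMEIs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def _context(text: str, start: int, end: int, window: int = 40) -> str:
    """Lower-cased text surrounding a match, used for keyword checks."""
    return text[max(0, start - window):end + window].lower()


def scan(text: str) -> list[Finding]:
    """Return findings whose confidence reflects validation plus context."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        ctx = _context(text, m.start(), m.end())
        if not luhn_valid(digits):
            conf, why = "low", "fails Luhn check"
        elif any(k in ctx for k in NOT_CARD_CONTEXT):
            conf, why = "low", "Luhn-valid but nearby words say it is not a card"
        elif any(k in ctx for k in CARD_CONTEXT):
            conf, why = "high", "Luhn-valid with card keywords nearby"
        else:
            conf, why = "medium", "Luhn-valid, no surrounding context"
        findings.append(Finding("card", m.group(), conf, why))
    for m in SSN_RE.finditer(text):
        ctx = _context(text, m.start(), m.end())
        if not ssn_plausible(*m.groups()):
            conf, why = "low", "violates SSA issuance rules"
        elif any(k in ctx for k in SSN_CONTEXT):
            conf, why = "high", "plausible SSN with SSN keywords nearby"
        else:
            conf, why = "medium", "plausible SSN, no surrounding context"
        findings.append(Finding("ssn", m.group(), conf, why))
    return findings


def highest_confidence(text: str) -> str:
    """Collapse findings to one verdict a policy can act on (block/alert/ignore)."""
    rank = {"high": 3, "medium": 2, "low": 1}
    best = max((f.confidence for f in scan(text)), key=rank.get, default=None)
    return best or "none"


# Constructed sample messages (not real data); card and IMEI values are
# public test numbers.
SAMPLES = {
    "card_with_context": "Please charge my Visa card 4111 1111 1111 1111, expiry 12/27.",
    "card_no_context": "Reference 5500000000000004 attached, see thread.",
    "tracking_number": "Your parcel tracking number is 1234 5678 9012 3456.",
    "imei": "Device IMEI 490154203237518 was enrolled in MDM today.",
    "ssn_with_context": "Employee SSN 123-45-6789 is needed for payroll.",
    "bad_ssn": "Test record 000-12-3456 is used in the QA fixture only.",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        for f in scan(text):
            print(f"{name:18} {f.kind:4} {f.confidence:6} {f.value!r}: {f.reason}")
```

Run it and the 16-digit tracking number fails Luhn, the Luhn-valid IMEI is downgraded by the word IMEI beside it, and only the Visa number sitting next to "card" comes out high. The same kind of number with no surrounding words lands at medium, which is exactly the case a policy author has to decide about: alert, or block.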
What are DLP best practices?
- Ensure your DLP strategy is comprehensive. Early on, the most common approach to DLP was network analysis focused on preventing data from leaving a defined perimeter. Modern strategies extend beyond network analysis to protect sensitive data on all endpoints and devices.
- Data definition and classification early on are critical. You need to know what is sensitive before you can configure the solution to detect and respond to potential loss effectively.
- Like many solutions, DLP technology has grown but still needs context. False positives and false negatives require fine-tuning, but the solutions that are integrating artificial intelligence and machine learning can adapt and make changes more quickly and effectively.
- Make sure you are setting the right policies for your organization, and also look beyond your traditional information security policy for configurations that can better prevent data loss. Over time, intelligent solutions can learn to provide insights that your traditional policy may omit.
- Think carefully about response and action settings. Consider the best way to take action and prevent data loss without completely disrupting or downgrading the user experience.
Conclusion
DLP technology has become an integral part of having an effective cyber security strategy. It’s helping companies detect and stop sensitive data from leaving their networks and endpoints by monitoring data at rest within the network, in transit, and at rest outside of the network where possible. The technology has shown continuous improvement since its inception and, as the value of IP grows, artificial intelligence and machine learning are enabling DLP solutions to apply much-needed context to identification and protection of critical data.