Those declared dead live longer: CSO columnist Jon Oltsik concluded in 2010 that Data Loss Prevention (DLP) was out of date and could basically "go away". Nevertheless, the technology has remained in the corporate environment to this day, not least because more and more companies are building their business models around data collection and analysis. Protecting that added value at every level requires appropriate countermeasures. In this article you will read, among other things, what Data Loss Prevention is, how it works, where it is used and for what purpose.
Data Loss Prevention is originally a marketing term and refers to a set of methods (and products) that protect sensitive or critical company data from being accessed by unauthorized persons. DLP software is primarily intended to prevent unwanted data leakage.
DLP provider Digital Guardian highlights three key areas of application for data loss prevention:
Protection of personal information and regulatory compliance: Many companies sit on massive databases with potentially sensitive content. The outflow of customer data or financial information could do immense damage. Last but not least, there are also legal obligations to protect this data comprehensively – from HIPAA to GDPR and CCPA.
Protection of intellectual property: Almost every company has intellectual property or business secrets that must not fall into the wrong hands. The aim of Data Loss Prevention is to protect this data from industrial espionage or accidental “online publication”.
New insights into data holdings: If you want to lock your data away, you first need to know where which data resides in the IT infrastructure and how it is related. In the age of public and hybrid cloud models, this can become a complex task. DLP tools can help here, as they provide a higher-level view of the data infrastructure.
The year 2019 was one of the worst in terms of data leaks: more than four billion data records were published online as a result of hacks and leaks. According to a study by IBM, the average cost of a data breach in the United States is almost $4 million.
In addition to the rising costs and the increased frequency of cyber attacks, Digital Guardian has identified other reasons why more and more companies are using data loss prevention services. These include the obligation to meet compliance requirements, but also the growing role of the CISO, who is in constant communication with the C-level and gives both IT security issues and data protection the necessary visibility. In addition, DLP software is now often offered as a hosted service, which makes the technology interesting for companies that cannot muster the in-house resources to establish their own data loss prevention policies.
As can also be read in this blog post, data loss prevention solutions have two basic functions: identifying sensitive data and preventing its outflow or compromise. As is so often the case, the devil is in the detail, because identifying sensitive data can become a challenge due to the different states data takes within the infrastructure. A distinction is made here:
Data in use: Active data in RAM, cache or CPU registers.
Data in motion: Information that is transmitted using an (internal, secured or also publicly accessible via the Internet) network.
Data at rest: Information stored in databases, file systems or backup solutions.
Enterprise DLP solutions are usually comprehensive tools that protect data in each of these states. Integrated DLP solutions, on the other hand, may focus on only one specific state. Microsoft Exchange Server, for example, offers DLP functions that are specifically designed to prevent data loss via email. In any case, data loss prevention software uses small programs ("agents") to search the underlying data. A variety of DLP techniques are used to identify sensitive data. McAfee's security blog examines some common techniques. These include:
Rule-based matching: Data is searched for content that corresponds to known patterns – for example, a 16-digit sequence of numbers usually represents a credit card number.
Database fingerprinting: Specific, known and structured data are searched for.
Exact file matching: Documents are identified by the hash values assigned to them, not by their content.
Partial document matching: On the basis of predefined patterns, files are searched that partially match the criteria. For example, all forms of the same type that have been filled in by different users can be found.
Statistical analysis: Some DLP solutions use machine learning methods or Bayesian statistics to identify sensitive data. Large amounts of data are required to train such a system – the risk of false alarms still remains.
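The four pattern-based techniques above (rule-based matching, database fingerprinting, exact file matching and partial document matching) are easier to reason about when you see them side by side. The following Python module is an added example written for this article; it is not code from any of the DLP vendors mentioned. The sensitive document, the customer email list and the messages it scans are all constructed sample data, and the thresholds and the 4-word window size are arbitrary choices. The rule-based matcher also applies a Luhn checksum so that a random 16-digit order number does not raise the kind of false alarm the metrics section below warns about.

```python
"""Toy DLP content classifier covering four common detection techniques.

All sample data in this file is constructed for the example.
"""
import hashlib
import re

# Constructed "crown jewel" document that the DLP agent has fingerprinted.
SENSITIVE_DOC = (
    "Project Falcon - Q3 financial summary\n"
    "Revenue grew 12% quarter over quarter.\n"
    "Customer churn fell to 3.1%.\n"
)
# Constructed sample of structured records (one column of a customer database).
KNOWN_CUSTOMER_EMAILS = ["alice@example.com", "bob@example.org"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# 1. Rule-based matching -------------------------------------------------------
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")  # 16 digits, optional separators


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum: rejects random 16-digit runs that merely look like card numbers."""
    digits = [int(ch) for ch in candidate if ch.isdigit()]
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:  # double every second digit, counted from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    return [m.group(0) for m in CARD_RE.finditer(text) if luhn_ok(m.group(0))]


# 2. Database fingerprinting ---------------------------------------------------
# Only hashes of the known values leave the database, so the agent can match
# specific records without carrying the clear-text data around.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
FINGERPRINTED_VALUES = {sha256_hex(v.lower().encode()) for v in KNOWN_CUSTOMER_EMAILS}


def find_fingerprinted_values(text: str) -> list:
    return [v for v in EMAIL_RE.findall(text)
            if sha256_hex(v.lower().encode()) in FINGERPRINTED_VALUES]


# 3. Exact file matching -------------------------------------------------------
KNOWN_FILE_HASHES = {sha256_hex(SENSITIVE_DOC.encode())}


def is_known_file(data: bytes) -> bool:
    """Matches a byte-identical copy only; one changed character defeats it."""
    return sha256_hex(data) in KNOWN_FILE_HASHES


# 4. Partial document matching -------------------------------------------------
def shingles(text: str, k: int = 4) -> set:
    """Hashes of overlapping k-word windows; survives excerpting and reformatting."""
    words = re.findall(r"\w+", text.lower())
    return {sha256_hex(" ".join(words[i:i + k]).encode())[:16]
            for i in range(len(words) - k + 1)}


SENSITIVE_SHINGLES = shingles(SENSITIVE_DOC)


def partial_match_score(text: str) -> float:
    """Fraction of the candidate's windows that also occur in the fingerprinted document."""
    candidate = shingles(text)
    if not candidate:
        return 0.0
    return len(candidate & SENSITIVE_SHINGLES) / len(candidate)


def classify(text: str, partial_threshold: float = 0.3) -> dict:
    """Run all four techniques over one message and decide whether to block it."""
    cards = find_card_numbers(text)
    db_values = find_fingerprinted_values(text)
    exact = is_known_file(text.encode())
    score = partial_match_score(text)
    return {
        "card_numbers": cards,
        "db_values": db_values,
        "exact_file": exact,
        "partial_score": score,
        "blocked": bool(cards or db_values or exact or score >= partial_threshold),
    }


if __name__ == "__main__":
    for sample in (
        "Order 1234 5678 9012 3456 shipped; card 4111 1111 1111 1111 charged",
        "FYI: revenue grew 12% quarter over quarter, see attached",
        "Lunch at 12, see you at the quarter",
    ):
        print(classify(sample))
```

The first sample shows why the checksum matters: both 16-digit runs match the pattern, but only the one that passes the Luhn check is reported. The second sample is a two-sentence excerpt of the fingerprinted document pasted into an email, which exact file matching misses entirely and partial matching scores at 0.5; the third shares individual words with the document but no 4-word window, so it scores 0.0.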
In most cases, data loss prevention software also offers the option of creating your own company-specific search criteria. Once a DLP solution has found the corresponding data, action must also be taken on it. For this purpose, companies should set up a data loss prevention strategy that contains clear rules about how data is handled and what the responsibilities of individual internal and external users in connection with this data look like. Ideally, the balance between data protection and workflow should also be maintained: policies that spoil day-to-day business for your workforce are rarely a good idea. This blog post gives you useful tips for developing a sustainable DLP policy in your company.
The defined DLP policies and processes form the technical implementation of your data loss prevention strategy. The exact procedure differs depending on the selected product; the corresponding Exchange documentation shows the procedure for the Microsoft platform. If the DLP software detects a policy violation, protective measures are initiated to prevent data loss. For example, if sensitive data is being extracted over the network, the software sends an alert to the administrator, who can then cut off the network access in question.
As mentioned before, the increasing importance of the CISO role is one reason for the spread of data loss prevention software. And there is hardly anything that looks more attractive to CISOs than hard numbers that provide clear information about how the new security initiative is performing. Of course, IT security is usually relatively difficult to quantify – a blog post wants to remedy this and shows some metrics by which the success of your DLP rollout can be measured:
The number of policy exceptions allowed: If too many exceptions have been approved, this could indicate that your policy is too strict and is hindering the workforce from performing their daily tasks – or that some employees are undermining your DLP policies in an unsafe manner.
The number of false alarms: Ideally, this value is zero – in practice, however, this is difficult to achieve. However, this metric is a good indicator of how well your policies and processes are structured. The number also tells you how well the DLP software analyzes your data.
The response time in the case of an alert: This value shows you how well the data loss prevention solution is integrated into your security network and whether your security team takes DLP alarm messages seriously.
The number of unmanaged devices in the network and the number of non-fingerprinted databases: If either of these numbers is greater than zero, the rollout is not yet complete. If systems that have not been recorded were added after the DLP rollout, this indicates that your policies are inadequate in terms of integration into the infrastructure.
- Security operations
Analyze immediate threats in real time and coordinate immediate countermeasures in an emergency.
- Cyber risk and intelligence
Stay informed about emerging security threats. Support the board of directors to understand possible security risks due to acquisitions or other business decisions.
- Prevent data loss and fraud
Ensure that employees do not misuse or steal data accidentally, negligently or intentionally.
- Security architecture
Plan, purchase and commission security hardware and software. Ensure that IT and the network are designed according to security best practices.
- Identity and Access Management (IAM)
Ensure that only authorized personnel have access to sensitive, protected data and systems.
- Program management
Meet emerging security requirements by introducing programs and projects that eliminate risks. This includes regular system patches, for example.
- Troubleshooting and forensics
Find out what went wrong in a data leak, hold those responsible accountable if the leak originated within your own company, and develop plans to prevent similar crises in the future.
Ensure that all of the above initiatives run flawlessly, are adequately funded, and that management understands how important they are.
A comprehensive catalog of all providers of data loss prevention solutions would far exceed the scope of this article. We have therefore put together a few popular solution providers and their distinguishing features for you:
Check Point: DLP functionality meets gateway architecture – including the option of monitoring TLS-encrypted traffic via network gateways;
Digital Guardian: A cloud-based platform that includes endpoint agents and network appliances to monitor on-premises infrastructure;
McAfee: DLP solution including IT forensics options;
Forcepoint: Integrates compliance checks and reporting;
Symantec: Various DLP modules for cloud, email, web, endpoints and storage that can be used individually or in combination;
The analyst house Gartner offers a comprehensive, up-to-date market guide for data loss prevention – and also has other tips in store for you to set up an effective DLP program.
This article is based on an article from our US sister publication CSO Online.