Data Loss Prevention
Data is an organization’s most valuable resource.
The information in an organization’s possession – including customer data, intellectual property, and more – is essential to its ability to compete effectively in the marketplace. The value of this data also makes it a prime target for threat actors.
What is data loss prevention?
For a threat actor, internal or external, to derive value from stolen data, they must first be able to move it out of the organization's systems and network. Data loss prevention (DLP) tools are designed to stop that movement.
Why is DLP important?
Data loss prevention is vital to an organization because the theft or misuse of corporate data can harm the organization in a variety of different ways. A DLP solution has three primary goals:
- Prevent end users from accidentally or maliciously misusing data
- Meet compliance and regulatory standards
- Monitor critical file movement
A failure to meet these goals can cause significant harm to an organization. Theft of corporate data by a departing employee – which 63% of employees admit to doing – can cause an organization to lose its competitive advantage.
Failing to properly protect sensitive data can result in regulatory penalties or legal action. A massive data breach hurts company image and customer trust.
How does DLP work?
Many organizations have DLP solutions in place, yet data breaches still happen every day. Understanding how traditional DLP works, and where it falls short, explains why 69% of organizations breached by insider threats had a DLP solution in place.
Legacy data loss prevention techniques
Traditional DLP systems are policy-driven. By defining exactly what is considered legitimate use of data and what is not, an organization should theoretically be able to prevent any data misuse and potential data breaches.
However, this approach to data loss prevention is harder than it looks. With legacy data loss prevention tools, an organization needs to:
- Classify all its data: Organizations have multiple different types of sensitive data, including customer data, intellectual property, and more. Traditional DLP systems require all data to be properly labeled for security policies to be effective.
- Define policies for data access and use: Policy-driven DLP solutions need clear definitions of acceptable and unacceptable data usage. These should be based on regulatory requirements, corporate policy, and other data protection standards.
- Set up permissions for all users: Different users require different levels of permissions to sensitive data. User accounts should be defined based on least privilege to block unauthorized access to data.
Properly configuring a policy-driven DLP solution is complicated. Organizations’ rapidly expanding caches of data make manual data labeling an unscalable solution. Additionally, defining, reviewing, and updating DLP policies is an unending job.
In the end, two-thirds of companies report that their DLP solutions block legitimate uses of data, even when those uses are within policy.
Where traditional DLP falls short
The policy-based approach to data protection used by traditional DLP solutions has a number of weak points, including:
- Label Complexity: A DLP system may have automatic labeling and built-in policies for certain types of data protected by regulations, such as payment card data or personally identifiable information (PII). However, this covers only a fraction of the sensitive data in a company's possession, forcing it to label intellectual property and other sensitive data, and to write policies for them, manually.
- Data Mislabeling: Traditional DLP relies on data labeling by the same employees it is trying to protect against. An employee may intentionally mislabel data to make their job easier, or to be able to take the data with them to their next position.
- Exfiltration Vector Coverage: Digital transformation means that the number of methods by which data can be shared and exfiltrated is constantly growing. As a result, it is difficult or impossible to keep up with defining policies for every new way data can leave.
These limitations make legacy DLP solutions ineffective at protecting against attempted data exfiltration. Limiting an organization’s cybersecurity risk requires a different approach to data security.
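To make the legacy model concrete, here is an added example of a policy-driven check of the kind described above. It is not Code42's code or any product's implementation: every document carries a label chosen by its author, a policy table says which labels may leave over which channel, and a single built-in content rule covers one regulated data type (payment card numbers, detected with the Luhn check). The labels, channels, and sample documents are constructed for the example. The third sample document shows the gap from the list above: intellectual property that its author labeled "public" passes, because no built-in rule recognizes it.

```python
"""Added example, not Code42's code: a minimal policy-driven DLP check.

Every document carries a label, a policy table says which labels may leave
over which channel, and one built-in content rule covers a regulated data
type (payment card numbers, via the Luhn check). The labels, channels and
sample documents are all constructed for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Which labels may leave over which channel; anything not listed is blocked.
POLICY = {
    "public": {"email_external", "usb", "cloud_share"},
    "internal": {"cloud_share"},
    "confidential": set(),
    "restricted": set(),
}

# Built-in rule for one regulated data type: 13-19 digit runs, optionally
# separated by spaces or dashes, that pass the Luhn check.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def contains_pan(text: str) -> bool:
    return any(luhn_ok(re.sub(r"[ -]", "", m.group()))
               for m in PAN_CANDIDATE.finditer(text))


@dataclass
class Document:
    name: str
    label: str       # applied by the employee who created the document
    content: str


def evaluate(doc: Document, channel: str) -> tuple[str, str]:
    """Decide whether doc may leave over channel; returns (decision, reason)."""
    # Content rules fire regardless of label, but only for data types the
    # tool ships a detector for.
    if contains_pan(doc.content):
        return "block", "content rule: payment card number detected"
    if channel in POLICY.get(doc.label, set()):
        return "allow", f"label '{doc.label}' permits {channel}"
    return "block", f"label '{doc.label}' does not permit {channel}"


# Constructed sample documents. The third is intellectual property that its
# author labeled "public": no content rule covers it, so policy lets it go.
SAMPLE_DOCS = [
    Document("q3-customer-list.xlsx", "confidential",
             "Acme Corp, renewal due 2025-01-15, contact: j.doe@acme.example"),
    Document("expense-note.txt", "public",
             "Paid the hotel with card 4111 1111 1111 1111, exp 12/27"),
    Document("pricing-engine-design.docx", "public",
             "Proprietary: discount weights w1=0.42, w2=0.17 and the tiering logic"),
]


def run_samples(channel: str = "usb") -> dict[str, str]:
    """Map each sample document name to the policy decision for channel."""
    return {d.name: evaluate(d, channel)[0] for d in SAMPLE_DOCS}


if __name__ == "__main__":
    for d in SAMPLE_DOCS:
        decision, reason = evaluate(d, "usb")
        print(f"{d.name:30} {decision:5} ({reason})")
```

Run against a USB copy, the confidential spreadsheet is blocked by its label and the expense note is blocked by the card-number rule even though it is labeled "public". The mislabeled design document is allowed: the policy is only as good as the label, and the only label-independent check is the one regulated pattern the tool happens to know.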
Best practices for successful data loss protection
A prevention-focused approach to addressing potential data leaks is fundamentally flawed, and its limitations are what lie behind the daily breaches of sensitive data.
Instead, organizations should focus on data loss protection by following these best practices:
- Assume all data is important: Attempting to label all of an organization’s data is unscalable and prone to error. If sensitive data is mislabeled – intentionally or unintentionally – or overlooked, an organization is at risk of an expensive and damaging data breach. Additionally, multiple low-sensitivity pieces of data may aggregate to data of a higher classification. Treating all data as important is a more scalable and secure approach to data loss protection.
- Acknowledge incidents will happen: Traditional DLP solutions are focused on prevention, which leaves them unprepared for when an attempted data leak successfully evades their policies. Assuming that data leaks will occur and focusing on detection and response better prepares an organization for when something does go wrong.
- Detect when something risky is happening: Different uses of data carry different levels of risk. Some legitimate uses of data carry high risk, while some unauthorized data usage is much less risky to the organization. Instead of attempting to define policies that govern "legitimate" and "illegitimate" use of data, organizations should monitor for high-risk activities and then determine whether or not they are legitimate.
- Respond quickly to solve the problem: After a potential data leak is identified, rapid response is essential to minimizing the cost and damage caused by the incident. Organizations should have processes and solutions in place to quickly terminate the leak and the visibility required to identify the scope of the incident and respond accordingly.
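The detection step above, as an added example of the risk-based alternative; it is not Code42's code or a description of any product. Rather than deciding per label whether a use is legitimate, it scores observed file movements by how risky they look (destination, volume against the user's normal, time of day, whether the user is leaving) and surfaces the riskiest activity for a person to judge. Small movements are first aggregated per user, destination and hour so that many low-volume copies add up, which is the aggregation concern from the first best practice. The event fields, baselines, thresholds and HR context are all constructed for the example.

```python
"""Added example, not Code42's code: scoring file movement by risk.

Observed file movements are aggregated per user, destination and hour,
then scored on destination, volume against the user's baseline, time of
day and whether the user is leaving. Activity at or above a threshold is
surfaced for a person to judge. Event fields, baselines, thresholds and
the HR context are all constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    user: str
    action: str        # "copy", "upload", ...
    destination: str   # "removable", "personal_cloud", "email", "corporate_cloud"
    files: int
    mbytes: float


# Context a directory or HR feed would supply (constructed).
LAST_WORKING_DAY = {"dana": datetime(2024, 5, 31)}
BASELINE_MB_PER_DAY = {"dana": 40.0, "eli": 900.0, "fay": 20.0}
DESTINATION_RISK = {"removable": 30, "personal_cloud": 30, "email": 15, "corporate_cloud": 0}


def aggregate(events: list[Event]) -> list[Event]:
    """Merge events by (user, destination, hour) so many small copies count once."""
    buckets: dict[tuple, Event] = {}
    for ev in events:
        hour = ev.ts.replace(minute=0, second=0, microsecond=0)
        key = (ev.user, ev.destination, hour)
        if key in buckets:
            buckets[key].files += ev.files
            buckets[key].mbytes += ev.mbytes
        else:
            buckets[key] = Event(hour, ev.user, ev.action, ev.destination, ev.files, ev.mbytes)
    return list(buckets.values())


def score(ev: Event) -> tuple[int, list[str]]:
    """Risk score 0-100 for an aggregated movement, with the reasons that fired."""
    total = DESTINATION_RISK.get(ev.destination, 20)
    reasons = [f"destination={ev.destination}"] if total else []
    baseline = BASELINE_MB_PER_DAY.get(ev.user, 100.0)
    if ev.mbytes > 5 * baseline:
        total += 30
        reasons.append(f"{ev.mbytes:.0f}MB exceeds 5x the user's {baseline:.0f}MB/day baseline")
    if ev.ts.hour < 6 or ev.ts.hour >= 22:
        total += 10
        reasons.append("off-hours")
    last_day = LAST_WORKING_DAY.get(ev.user)
    if last_day is not None and 0 <= (last_day - ev.ts).days <= 30:
        total += 30
        reasons.append("departing within 30 days")
    return min(total, 100), reasons


def triage(events: list[Event], threshold: int = 60) -> list[dict]:
    """Return aggregated movements at or above threshold, riskiest first."""
    alerts = []
    for ev in aggregate(events):
        s, reasons = score(ev)
        if s >= threshold:
            alerts.append({"user": ev.user, "destination": ev.destination,
                           "files": ev.files, "mbytes": ev.mbytes,
                           "score": s, "reasons": reasons})
    return sorted(alerts, key=lambda a: (-a["score"], a["user"]))


# Constructed sample activity:
#  - dana, who leaves in 11 days, copies 40 small files to USB late at night
#  - eli, a video editor, copies a 6 GB project to USB for a client visit
#    (legitimate, but still worth a look)
#  - fay drops one small file in a corporate cloud folder outside her team's
#    (against policy, but low risk: no alert)
SAMPLE_EVENTS = (
    [Event(datetime(2024, 5, 20, 23, 10) + timedelta(minutes=i), "dana", "copy",
           "removable", 1, 6.0) for i in range(40)]
    + [Event(datetime(2024, 5, 20, 14, 0), "eli", "copy", "removable", 1, 6000.0)]
    + [Event(datetime(2024, 5, 21, 10, 0), "fay", "upload", "corporate_cloud", 1, 2.0)]
)

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"{a['score']:3} {a['user']:5} {a['files']:3} files {a['mbytes']:7.0f}MB "
              f"-> {a['destination']}: {'; '.join(a['reasons'])}")
```

The departing employee's forty 6 MB copies would each look harmless on their own; aggregated, they exceed her baseline, happen off-hours and coincide with her notice period, so they score highest. The editor's USB copy is flagged too, and an analyst can clear it quickly, while the policy violation with no real risk never reaches the queue. The weights and thresholds are the tunable part; what matters is that the output is a ranked list for a person to act on, not a hard allow/deny decision.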
Code42 believes that organizations should focus on data loss protection rather than data loss prevention. To learn more, check out this article on the perception of data loss prevention versus what is reality.
Data Loss Prevention vs Reality
Learn where there is a disconnect between the traditional prevention tools and reality when it comes to data security and insider threats.