Security Experts:

Data Loss Prevention: From Hero to Goat and Back Again

Over a decade ago, as the digital economy was getting its legs, data loss prevention (DLP) technology was seen as the savior for companies fearing exposure of sensitive internal and customer data.  In the intervening years, DLP has gone from hero to goat and back again. 

In the classic “be careful what you wish for” scenario, enterprises turned on DLP and suddenly found their businesses paralyzed and their DLP administrators overwhelmed with alerts. Initial implementers had not realized the impact of DLP technology on day-to-day business processes, nor had they imagined the volume of “violations” the tool’s policies would raise to responders.

To make matters worse, many of the alerts ended up being false positives, wasting analysts’ and investigators’ time chasing fires that didn’t exist and increasing everybody’s blood pressure. 

Frustrated buyers most often tuned down their DLP policies to prevent it from hindering the business, which also reduced the benefit gained from the technology. Others hired boatloads of analysts to do their best to cut through the noise and catch the bad guys. The rest never completed their implementations in the first place, leaving parts of their organizations or certain exfiltration vectors (e.g. USB ports, email gateways) unprotected. Regardless of any one company’s approach, the aggregate result was data loss protection technology getting a bad name, to the point where it was almost verboten to mention.

That was then, this is now. Many factors have led to a resurgence in DLP technology and practices as a means of protecting sensitive data. One is a series of high-profile incidents of sensitive data theft. There is nothing like board members and business executives asking CISOs what they are doing to prevent their company from becoming the next front-page story.

Another is the explosion of cloud application usage, mobile computing and remote connectivity. Data is far less contained than it was just a few years ago when cloud and mobile were just beginning to get their footing. 

Finally, the straw that broke the camel’s back: regulatory requirements that include mandates about sensitive data protection and carry significant fines and penalties for not doing so.

Top of mind among those regulations is the European Union’s upcoming Global Data Protection Regulation (GDPR). GDPR focuses on protecting the rights of citizens of the EU when it comes to protecting their data. It includes a broad set of requirements, as well as a penalty of up to four percent of global revenue. Underlying much of the regulation is the aim of ensuring that sensitive data is not exposed to those who do not need to see or process it, especially outside the “GDPR countries.”

DLP is the obvious technology for that job, but is not enough by itself.  The convergence of these factors in addition to significant advancements in DLP and related technologies makes its implementation more important, practical and effective. The result – DLP is the comeback kid. 

DLP technology has improved significantly in both its ability to catch data exfiltration events across multiple channels like the cloud, as well as its ability to inspect a broader range of formats like images. These new capabilities make its detection more reliable across more scenarios, resulting in better protection, but have not solved the challenge of the overwhelming number of resulting events.

Enter user and entity behavior analytics (“UEBA”).  The advent of UEBA technology has enabled DLP to be more effective by paring down the endless mountain of incident level alerts to a more manageable list of suspicious users for investigation. 

Using techniques like “peer analysis,” which compares a person’s behavior to those with the same manager and the same organization, UEBA is able to minimize false positives and accelerate the human analyst’s job. UEBA continues to evolve alongside DLP, and can now integrate many user activity vectors like authentication, proxy and CASB, as well as data sources like threat intelligence to improve identification of communication with known bad destinations and indicators of attack/compromise that may lead to the identification of compromised accounts.  This evolution has led to a more risk based view that takes into account the potential motivation of the user and the riskiness of the events occurring on the computer endpoints they use. 
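The peer-analysis idea above can be sketched in a few lines. This is an added example, not code from the article or from any DLP or UEBA product: the user names, manager groups and alert counts are constructed, and the median/MAD score, the cutoff of 3.5 and the minimum peer-group size are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed sample data: user -> manager, and one list entry per DLP alert.
DIRECTORY = {
    "alice": "mgr_fin", "bob": "mgr_fin", "carol": "mgr_fin",
    "dave": "mgr_fin", "erin": "mgr_fin",
    "frank": "mgr_eng", "grace": "mgr_eng", "heidi": "mgr_eng", "ivan": "mgr_eng",
}
ALERTS = (["alice"] * 40 + ["bob"] * 38 + ["carol"] * 42 + ["dave"] * 41
          + ["erin"] * 39 + ["frank"] * 2 + ["grace"] * 3 + ["heidi"] * 2
          + ["ivan"] * 30)

def flat_threshold(alerts, limit):
    """Naive triage: flag anyone whose alert count reaches a fixed limit."""
    counts = Counter(alerts)
    return sorted(u for u, n in counts.items() if n >= limit)

def peer_outliers(alerts, directory, cutoff=3.5, min_peers=3):
    """Flag users whose alert count is far above their peer group's median."""
    counts = Counter(alerts)
    groups = defaultdict(list)
    for user, manager in directory.items():
        groups[manager].append(user)
    flagged = {}
    for members in groups.values():
        if len(members) < min_peers:
            continue  # too few peers to form a meaningful baseline
        values = [counts[u] for u in members]  # users with no alerts count as 0
        med = median(values)
        # Median absolute deviation, floored at 1 alert (assumption) so a
        # group with identical counts does not divide by zero.
        mad = max(median([abs(v - med) for v in values]), 1.0)
        for u in members:
            score = 0.6745 * (counts[u] - med) / mad  # robust z-score
            if score > cutoff:
                flagged[u] = round(score, 2)
    return flagged

if __name__ == "__main__":
    print("flat threshold >= 35:", flat_threshold(ALERTS, 35))
    print("peer outliers:", peer_outliers(ALERTS, DIRECTORY))
```

On this data the fixed threshold flags the whole finance team, whose alert volume is routine for their role, and misses ivan, while the peer comparison returns only ivan.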

DLP and UEBA technology are leaps and bounds ahead of where they were just a few years ago.  The cyber analytics ecosystem of which they are a part continues to evolve quickly, synthesizing additional data sources and improving the accuracy of machine learning algorithms.  

These continued developments will improve their capabilities and reduce human involvement in the process of identifying and mitigating insider threats. 

The challenge of data protection is not going away.  Even without the ever-improving tactics of the bad guys, data sprawl has made it difficult for those just trying to do their jobs.  DLP will continue to be the keystone of protecting sensitive data and preventing its unauthorized exposure. Comeback complete.

Steven Grossman is VP of Strategy and Enablement at Bay Dynamics, where he is responsible for ensuring our clients are successful in achieving their security and risk management goals. Prior to Bay Dynamics, he held senior positions at consultancies such as PriceWaterhouseCoopers and EMC, where he architected and managed programs focused on security, risk, business intelligence, big data analytics, enterprise program management offices, corporate legal operations, data privacy, cloud architecture and business continuity planning for global clients in the financial services and health care industries. Steven holds a BA in Economics and Computer Science from Queens College and has achieved his CISSP certification.