Next-generation DLP systems and the problems they solve
Wed 4 Nov 2020 | David Balaban
David Balaban chronicles the evolution of Data Loss Prevention systems and the new features available to the enterprise
The acronym DLP (Data Loss Prevention) conveys an unambiguous clue about the specific task this type of system is intended to solve: to thwart leaks of valuable information. Whereas this explains the general gist of such systems, the concept has embraced extra implications over time. Not only do the next-generation DLP solutions prevent intentional and accidental leaks, but they also help businesses tackle several additional security challenges.
Broadly speaking, there are three different types of modern DLP systems:
- Full-fledged DLP that provides organisations with a complete spectrum of options to monitor, analyse and block unauthorised data transfers.
- Systems with partial DLP functionality that can track data movement but do not stop leaks.
- Security solutions that fall under other categories but come with a built-in DLP module.
Different types of these tools address different tasks. To get a better understanding of this hierarchy, let us go over the main milestones in the evolution of DLP systems.
The DLP market emerged in response to increasingly rigid legal requirements regarding data protection. This compliance problem gained momentum when regulators started paying close attention to information leaks in the enterprise sector and introduced a number of laws along with industry standards focused on protecting data against different forms of exposure. To overcome this nontrivial InfoSec hurdle, vendors came up with a special tool: the DLP system.
The second stage of DLP development boiled down to protecting trade secrets. Previously, organisations had been deploying these systems as a way to secure the personal and financial data of their customers. Later, executives in these companies realised that they additionally needed to safeguard their proprietary commercial information. This caused DLP providers to repurpose their solutions into more complex systems for maximum control of data transmission channels.
The next milestone was the emergence of DLP that reduced internal security threats. In addition to preventing data leaks, such a system made it possible to analyse information in depth and identify a wide range of security incidents, even relatively insignificant ones. The capabilities of such DLPs were partially supplemented by other kinds of InfoSec systems, such as incident investigation platforms and even security operations center (SOC) solutions.
This is a relatively new class of DLP, and therefore there are not many vendors on the market that can provide customers with the ability to fully analyse data and cybersecurity events.
As a cluster of information security solutions, DLP does not pay off immediately, and businesses may question the cost-efficiency and practicability of these systems. As a result, vendors are stepping up their competence in order to provide something more than a tool that prevents information leakage.
The DLP system is morphing into a solution that addresses specific business problems and brings visible results at the early deployment stages, for example, by identifying corporate felonies both in real time and retrospectively.
Next-Generation DLP – Fighting Corporate Fraud
After full-blown DLPs matured in terms of their analytical capabilities to detect security incidents and malware, vendors turned their attention to using the system to combat fraud in enterprise environments, including economic crimes. Collecting data about users, analysing employee activities, and providing information security specialists with the complete range of tools they need: these are the main vectors of next-generation DLP development. This brings us to the features such a system should embrace.
Comprehensive Log of Files, Events, and Incidents
First and foremost, such systems maintain a complete archive of files that are stored and transmitted, as well as events and incidents. This is a big step forward compared to the previous generations of DLP that only recorded cases of non-compliance with security policies.
Owing to the system’s ability to record and save such detailed information, security teams can see the big picture regarding the state of the organisation’s security. This allows analysts to thoroughly investigate internal security incidents by retrieving a dossier on any employee and his or her social circles.
Management and Investigation
The ease of system management and extensive incident investigation capabilities are among the most important hallmarks of a modern DLP. This feature involves a multifunctional web interface that comes with options to generate various reports, ranging from employee records that reflect their interactions with other users to custom reports for top executives.
System administration can be a bit tedious despite the rapid evolution of these tools. Some admins are still having a hard time managing multiple consoles with different settings for each DLP module.
Although the installation process used to be fairly complicated and time-consuming, it is gradually becoming more streamlined. For instance, some vendors provide installation servers that allow customers to easily specify group policies and independently manage the implementation, updates, and maintenance of the system without involving the IT department.
User Behavior Analytics (UBA)
Present-day DLP systems combine basic features for intercepting and blocking data transmission with the functionality of other information security instruments such as user behavior analytics (UBA). Vendors are increasingly leveraging tools that establish a baseline of normal employee behavior and take immediate action in response to deviations from these patterns.
At some point, DLP providers concluded that such functionality would be a worthwhile addition to the system as it could facilitate the ongoing transformation into a solution for total user control. However, the implementation of this feature is a work in progress, and there are not many products delivering full-fledged behavior analytics so far.
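The baseline-and-deviation idea behind UBA is easy to show concretely. The following is an added example written for this article, not code from any DLP vendor's product: it builds a per-user baseline of daily outbound transfer volume from a constructed activity log, then scores new events by how far they sit from that baseline and maps the score to a response. The log values, the 3-sigma threshold and the action names are assumptions chosen for illustration.

```python
import statistics
from collections import defaultdict

# Constructed sample (not real telemetry): daily outbound transfer volume in MB
# per user, as a DLP agent or gateway might aggregate it. Alice has a week of
# history; Bob has only three days, too little to build a baseline from.
ACTIVITY_LOG = [
    ("alice", "2020-10-01", 10), ("alice", "2020-10-02", 12),
    ("alice", "2020-10-03", 14), ("alice", "2020-10-04", 10),
    ("alice", "2020-10-05", 12), ("alice", "2020-10-06", 14),
    ("alice", "2020-10-07", 12),
    ("bob", "2020-10-05", 30), ("bob", "2020-10-06", 35),
    ("bob", "2020-10-07", 32),
]

# Response mapping is an assumption: a real product would expose this as policy.
ACTIONS = {
    "deviation": "hold transfer and alert security team",
    "normal": "allow",
    "no-baseline": "allow and keep learning",
}


def build_baselines(log, min_days=5):
    """Return {user: (mean, population stdev)} for users with enough history."""
    per_user = defaultdict(list)
    for user, _day, megabytes in log:
        per_user[user].append(megabytes)
    baselines = {}
    for user, values in per_user.items():
        if len(values) < min_days:
            continue  # not enough data to call anything "normal" yet
        baselines[user] = (statistics.mean(values), statistics.pstdev(values))
    return baselines


def score_event(baselines, user, megabytes, threshold=3.0, stdev_floor=1.0):
    """Classify one new event as normal / deviation / no-baseline with its z-score.

    stdev_floor stops a user with a very flat history from being flagged
    on a trivial change (division by a near-zero spread).
    """
    if user not in baselines:
        return ("no-baseline", None)
    mean, stdev = baselines[user]
    z = (megabytes - mean) / max(stdev, stdev_floor)
    verdict = "deviation" if z >= threshold else "normal"
    return (verdict, round(z, 2))


def review_events(baselines, events):
    """Score a batch of (user, megabytes) events and attach the mapped response."""
    results = []
    for user, megabytes in events:
        verdict, z = score_event(baselines, user, megabytes)
        results.append({"user": user, "mb": megabytes, "verdict": verdict,
                        "z": z, "action": ACTIONS[verdict]})
    return results


if __name__ == "__main__":
    baselines = build_baselines(ACTIVITY_LOG)
    # Constructed "today" events: Alice's 40 MB is far outside her 10-14 MB habit.
    for row in review_events(baselines, [("alice", 14), ("alice", 40), ("bob", 500)]):
        print(row)
```

The floor on the standard deviation matters in practice: users with near-constant daily volume would otherwise trip the alert on any small change, which is one of the main sources of false positives in behavior analytics.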
In addition to analysing the behavior of your employees, you can monitor their emotional state. The system analyses a specific user’s messages sent via email, instant messengers, and social media. The analysis relies on a special built-in vocabulary encompassing “emotional” words commonly used in day-to-day business communication and colloquial speech.
The lexical data is structured according to the types of emotions such as joy, trust, expectation, sadness, frustration, fear, surprise, and anger. By keeping tabs on the emotional condition dynamics, the system can pinpoint employees who may be up to no good and should be supervised more scrupulously.
There is a long-running debate about the most effective type of DLP. The dilemma is whether a DLP agent or a DLP gateway system yields the best results. The truth is, either option has its advantages and drawbacks.
A reasonable trade-off in this “double-edged sword” paradigm is to adopt a mixed architecture that combines data control components at the level of email, network gateways, and workstations, with an archiving solution and a module for discovering repositories of sensitive information.
Because the internal networks and business processes of different companies are arranged differently, a modern DLP needs to be flexible in terms of installation and integration. This can be facilitated by modular architecture and the availability of control components at different layers of the network.
Another feature is content-aware encryption. A DLP can enforce the encryption of files as they are being copied to removable media, depending on the previously specified security policies. Such functionality helps avoid the common leak scenario where employees lose flash drives with confidential data, or where such devices are stolen and used by third parties.
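Content-aware means the decision depends on what is in the file, not just where it is going. The following added example, written for this article and not taken from any vendor's product, shows the two halves of such a policy: a classifier that labels content (here, Luhn-validated payment card numbers and a "confidential" marker, both assumed classes) and a channel policy table that maps label and destination to allow, encrypt or block. The sample texts and the policy entries are constructed for illustration; the actual encryption step is left to the platform and represented only by the returned action.

```python
import re

# Candidate 13-19 digit sequences, allowing spaces or dashes between digits,
# not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Assumed policy table: (content label, destination channel) -> action.
# Anything not listed falls through to "allow".
POLICY = {
    ("payment-card", "removable-media"): "encrypt",
    ("confidential-marker", "removable-media"): "encrypt",
    ("payment-card", "email-external"): "block",
    ("confidential-marker", "email-external"): "block",
}
# When several labels disagree, the most restrictive action wins.
SEVERITY = ("block", "encrypt", "allow")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell card numbers from other digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Return the set of content labels found in the text."""
    labels = set()
    for match in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            labels.add("payment-card")
    if re.search(r"\bconfidential\b", text, re.IGNORECASE):
        labels.add("confidential-marker")
    return labels


def decide(labels: set, channel: str) -> str:
    """Map content labels and destination channel to a single action."""
    if not labels:
        return "allow"
    actions = {POLICY.get((label, channel), "allow") for label in labels}
    for action in SEVERITY:
        if action in actions:
            return action
    return "allow"


def handle_transfer(text: str, channel: str) -> dict:
    """Evaluate one transfer and return an audit-style record of the decision."""
    labels = classify(text)
    return {"channel": channel, "labels": sorted(labels),
            "action": decide(labels, channel)}


if __name__ == "__main__":
    # Constructed sample documents; the card number is a well-known test value.
    samples = [
        ("Card on file: 4111 1111 1111 1111", "removable-media"),
        ("Order ref 1234 5678 1234 5678", "removable-media"),
        ("CONFIDENTIAL: Q4 pricing model", "email-external"),
    ]
    for text, channel in samples:
        print(handle_transfer(text, channel))
```

The Luhn check is what keeps the classifier from encrypting or blocking every file that happens to contain a 16-digit order number, which is the usual complaint about naive pattern-only DLP rules.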
Advanced Activity Monitoring Capabilities
Amassing a large amount of information about users, analysing the actions of employees, and providing security teams with as much data about users as possible are the key vectors of DLP development in the coming years. Therefore, extended capabilities for monitoring employee behavior are an important trait of any modern DLP system.
Although these workflows engage fairly simple activity monitoring techniques, they can greatly assist in investigating a serious incident. The mainstream methods include keystroke logging, recording sounds via the microphone of a company-managed computer, and taking pictures with the front-facing webcam.
Some vendors provide an unorthodox technology that raises a red flag whenever a snoop tries to take photos of the computer screen. The feature detects the rogue device, automatically reports the event to security personnel, and saves details about this incident, including the exposed computer and the time the reconnaissance attempt took place.
Such a tool is in high demand primarily among organisations from the finance sector and companies working with large amounts of customer data that may be stolen by third parties.
All-in-One Protection Platform
The basic DLP mechanisms reached a high level of sophistication a while ago, and now vendors are focused on improving the usability of their systems and on fine-tuning incident investigation options. With that said, customers’ requirements are not the only driving force behind DLP evolution. New insider threats and fraudulent schemes in the enterprise ecosystem pose additional challenges that push vendors to devise new features.
Nowadays, the most rapidly advancing area in DLP development is the ability to prevent fraud. This is achieved by creating a unified platform for analytics, full-fledged incident investigation, and the protection of both confidential data and financial assets.