What is DLP and how to implement it in your organization?

What is DLP and how to implement it in your organization?

January 15, 2019

Resha Chheda

In this post you will learn:


Data loss prevention (DLP) is an approach that seeks to improve information security and protect business information from data breaches. It prevents end-users from moving key information outside the network. DLP also refers to tools that enable a network administrator to monitor data accessed and shared by end users.

You can use DLP solutions to classify and prioritize data security. You can also use these solutions to ensure access policies meet regulatory compliance, including HIPAA, GDPR, and PCI-DSS. DLP solutions can also go beyond simple detection, providing alerts, enforcing encryption, and isolating data.

Other features common in DLP solutions include:

  • Monitoring—tools provide visibility into data and system access.
  • Filtering—tools can filter data streams to restrict suspicious or unidentified activity.
  • Reporting—tools provide logging and reports helpful for incident response and auditing.
  • Analysis—tools can identify vulnerabilities and suspicious behavior and provide forensic context to security teams.

DLP solutions can be helpful in a variety of use cases, including:

  • Security policy enforcement—DLP tools can help you identify deviations from policy making it easier to correct misconfigurations.
  • Meeting compliance standards—DLP tools can compare current configurations to compliance standards and provide proof of measures taken.
  • Increasing data visibility—DLP tools can provide visibility across systems, helping you ensure that data is secure no matter where it’s stored.

Trends Driving DLP Policy Adoption

  • Growth of the CISO role—as organizations appoint Chief Information Security Officers (CISO), they become responsible for leaks, and use a DLP policy as a tool to gain visibility and report on organizational data.
  • Evolving compliance requirements—new regulations are introduced all the time, for example GDPR in Europe, and the NYDFS Cybersecurity Regulations in New York State. DLP policies can help comply with these new regulations.
  • There are more places to protect your data—businesses today use tools that are difficult to monitor, such as supply chain networks and cloud storage. This makes data protection more difficult. Knowing exactly which data crosses organizational boundaries is critical to preventing misuse.
  • Data exfiltration is a growing risk—sensitive data is an attractive target for attackers. The number of attempted and successful breaches at organizations of all sizes is rapidly growing.
  • Insider threats—data loss is increasingly caused by malicious insiders, compromised privileged accounts or accidental data sharing.
  • Stolen data is worth more—the Dark Web allows adversaries to buy and sell stolen information. Data theft is a profitable business.
  • More data to steal—the scope and definition of sensitive data has grown over time. Sensitive data now covers intangible assets, for example business methodologies and pricing models.
  • Security talent shortage—many businesses are finding it difficult to fill security-related roles. In recent surveys by ESG and ISSA, 43% of organizations surveyed were affected by the talent shortage. This makes automated tools like DLP more attractive.

Building Your Data Loss Prevention Policy—How to Develop a DLP Strategy

Individuals in organizations are privy to company information and can share this information, which can lead to accidental or intentional data loss. The distributed nature of today’s computer systems magnifies the problem.

Modern storage can be accessed from remote locations and through cloud services; laptops and mobile phones contain sensitive information and these endpoints are often vulnerable. It is becoming increasingly difficult to ensure that data is secure, making a data loss prevention strategy so important.

3 Reasons for Implementing a Data Loss Prevention Policy

1. Compliance
Businesses are subject to mandatory compliance standards imposed by governments (such as HIPAA, SOX, PCI DSS). These standards often stipulate how businesses should secure Personally Identifiable Information (PII), and other sensitive data A DLP policy is a basic first step to compliance, and most DLP tools are built to address the requirements of common standards.

2. Intellectual property and intangible assets
An organization may have trade secrets, other strategic proprietary information, or intangible assets such as customer lists, business strategies, and so on. Loss of this type of information can be extremely damaging, and accordingly, it is directly targeted by attackers and malicious insiders. A DLP policy can help identify and safeguard critical information assets.

3. Data visibility
Implementing a DLP policy can provide insight into how stakeholders use data. In order to protect sensitive information, organizations must first know it exists, where it exists, who uses it and for what purposes.

Tips for Creating a Successful DLP Policy

  • Classifying and interpreting data—Identify which information needs to be protected, by evaluating risk factors and how vulnerable it is. Invest in classifying and interpreting data, because this is the basis for implementing a suitable data protection policy.
  • Allocate roles—clearly define the role of each individual involved in the data loss prevention strategy.
  • Begin by securing the most sensitive data—start by selecting a specific kind of information to protect, which represents the biggest risk to the business.
  • Automate as much as possible—the more DLP processes are automated, the broader you’ll be able to deploy them in the organization. Manual DLP processes are inherently limited in its scope and the amount of data they can cover.
  • Use anomaly detection—some modern DLP tools use machine learning and behavioral analytics, instead of simple statistical analysis and correlation rules, to identify abnormal user behavior. Each user and group of users is modeled with a behavioral baseline, allowing accurate detection of data actions that might represent malicious intent.
  • Involve leaders in the organization—management is key to making DLP work, because policies are worthless if they cannot be enforced at the organizational level.
  • Educate stakeholder—putting a DLP policy in place is not enough. Invest in making stakeholders and users of data aware of the policy, its significance and what they need to do to safeguard organizational data.
  • Documenting DLP strategy—documenting the DLP policy is required by many compliance standards. It also provides clarity, both at the individual and organizational level, as to what is required and how the policy is enforced.
  • Establish metrics—measure DLP effectiveness using metrics like percentage of false positives, number of incidents and Mean Time to Response.
  • Don’t save unnecessary data—a business should only use, save and store information that is essential. If information is not needed, remove it; data that was never stored cannot go missing.

4 Best Practices for Implementing a DLP

1. Data Classification Must Be Central to DLP Execution

Before you implement a DLP solution, pay special attention to the nature of sensitive information, and determine how it flows from one system to another. Identify how information is transferred to its consumers—this will reveal transmission paths and data repositories. Use labels or categories such as “employee data”, “intellectual property”, and “financial data” to classify sensitive data.

Make sure to investigate and record all data exit points. Organizational processes may not be documented, and not all data movement is the outcome of a routine practice.

2. Establish Policies Upfront

Engage IT and business staff in the early stages of policy development. This stage of the process should include identifying:

  • Data categories that have been singled out
  • Steps that need to be implemented to combat malpractice
  • Future growth of the DLP strategy
  • Steps that need to be taken if there is an abnormal occurrence.

Before the DLP strategy is put into practice, it is essential to establish incident management processes and ensure they are practical for every data category.

3. How to Start

Start DLP implementation by monitoring organizational data. This lets you fine-tune and anticipate the effect that the DLP may have on organizational culture and operations. By jumping the gun, and blocking sensitive information too soon, you may harm central business activities.

You’ll find that DLP provides a lot of information, such as the transmission path and location of all sensitive information, which can be overwhelming. You may be tempted to try to solve all data protection issues at once, but this is not a good approach.

A good DLP implementation should start with low hanging fruits, establish rules, and ensure they are continually considered and improved. Involve all relevant stakeholders, and ensure they provide feedback on new data types, formats, or transmission paths that are not listed in the current DLP strategy, or not currently protected.

4. Know that DLP technology has its limitations

  • Encryption—DLP tools can only examine encrypted information that they initially decrypt. If users encrypt data with keys that are not available to the DLP system operators, the information is invisible.
  • Rich media—DLP tools are generally not useful when working with rich media such as images and video, because they cannot parse and classify their content.
  • Mobile—DLP solutions cannot track all types of modern mobile communication, for example messages sent from a user’s private mobile devices.

What is DLP Software?

Data Loss Prevention (DLP) software categorizes the sensitive and confidential information of a business and recognizes policy breaches. DLP software often comes pre-built with policies suitable for compliance with standards such as GDPR, HIPAA, or PCI-DSS.

Once DLP software identifies a breach in policy, protective measures are taken, such as alerts and data encryption. DLP software also monitors endpoint movement, and safeguards data at rest, in motion and in use.

Which Type of DLP Solution is Right for Your Organization?

Network DLP

  • Protects an organization’s network processes, such as web application, email and FTP.
  • Lives in the company’s network, and monitors data as it moves throughout the network.
  • Maintains a database which provides details as to which data is being used and who is using the data.
  • Provides visibility into all data in transit on their network.

Storage DLP

  • Provides information about files stored and shared by users of an organization’s network.
  • Enables viewing sensitive files shared and stored on the network.
  • Provides visibility into information stored via on-premise storage equipment and cloud-based storage.

Endpoint DLP

  • Monitors workstations, servers, and mobile devices such as laptops, mobile phones, external hard-drives and USB disks.
  • Installed as an agent on endpoint equipment and prevents data leakage from the endpoints.
  • Provides visibility into data stored on endpoints physically located inside and outside the organization.

Popular DLP Tools

Symantec DLP
Symantec DLP gives businesses the ability to see how and where information is kept in an organization. It is a scalable software suite that can monitor mobile, cloud and multiple endpoints. This system is effective even when employees are offline.

Symantic DLP
McAfee DLP
McAfee’s DLP solution (a part of Intel Security) protects intellectual property, and helps compliance efforts by protecting sensitive information. Monitors data on premises, in the cloud, or at endpoints.

McAfee DLP
Check Point DLP
Check Point DLP educates businesses and individuals so that they can act efficiently and quickly to prevent data loss. It offers a centralized management console and provides preconfigured rules for easier implementation.

Check Point DLP
Digital Guardian DLP
Digital Guardian DLP is compatible with Mac, Windows and Linux endpoints and can manage a large number of workstations. Available as a cloud-based or on-premise system.

Digital Guardian DLP

6 Metrics for Evaluating the Effectiveness of Your DLP Solution

Like any complex, mission critical system, it’s essential to evaluate your DLP solution and measure how much value you are deriving from it, and whether that value is gradually improving over time or declining. Here are six simple metrics that can help you catch issues with your DLP implementation or the underlying DLP policies.

1. Percentage of policy exceptions

Exceptions can be explained as one-off permissions given to individuals or groups via the DLP tool, with regard to data access or transfer. Exceptions indicates organizations data that is used outside the DLP policy and may be vulnerable. Monitor the number of exceptions, as a percentage of all data-related events, to see the extent to which the DLP policy is enforced.

2. Percentage of false positives

DLP systems generate a large number of alerts, and many of those turn out not to be real security incidents, which places a burden on security teams. The percentage of false positives of all alerts measures the effectiveness of your DLP tool at filtering out irrelevant alerts and identifying real data issues.

3. Alert response time

Measures the mean time taken to respond to DLP alerts (excluding false positives). In many cases, due to the large volume of alerts, security teams might respond to critical DLP alerts late, or even ignore some alerts altogether. Measuring alert response time can help you identify problems in the DLP implementation or process, which are preventing security staff from responding to critical data alerts.

4. Number, type and storage size of unmanaged devices

You must keep track of the amount of unmanaged devices that contain sensitive information. Such devices might include endpoints, servers, removable storage and cloud storage (depending on what is managed by your DLP system). All of these can act as departure points for sensitive information. Your DLP implementation should keep the number of unmanaged devices to a minimum, and if the number increases, consider switching to a solution which can manage more devices.

5. Percentage of databases which are fingerprinted

DLP solutions create a digital fingerprint of a relational database, which allows for tamper detection, traitor tracing (identifying the source of a leak), and validates the integrity of the data. Measure the percentage of databases which are fingerprinted at any given time to ensure you have solid control of sensitive data sources.

6. Data classification success rate

The initial action in any Data Loss Prevention solution is data classification. Data classification helps you identify and isolate sensitive information, and understand its context. DLP solutions have various techniques for automatically or semi-automatically classifying data. Measure the percentage of erroneous classifications to see how much sensitive data your DLP may be leaving behind.

Complementing DLP with Next-Gen Security Analytics

DLP solutions are great at monitoring data flows and securing against known threat patterns. However, malicious insiders and sophisticated attackers can act in ways that do not match any known pattern, or cannot be captured by DLP security rules. A category of security tools called User and Event Behavioral Analytics (UEBA) can help.

UEBA tools establish a behavioral baseline for individual users, applications, network devices, IoT devices, or peer groupings of any of these. Using machine learning, they can identify abnormal activity for a specific entity or group of entity, even if it doesn’t match any known threat or pattern. This can complement traditional DLP solutions, alerting security teams of data-related incidents that have slipped past DLP rules.

For an example of a UEBA system that can help prevent data breaches due to unknown threats, learn more about Exabeam Advanced Analytics.

See how Exabeam’s advanced behavioral analytics can help identify data breaches faster and prevent data loss.

Learn More About DLP

Data Loss Prevention Policy Template

Today, data is more available, transferable and sensitive than ever. The best way to stop data leaks is to implement a Data Loss Prevention (DLP) solution. DLP enforces an automated corporate policy, which can identify and protect data before it exits your organization

Many tools, including dedicated DLP tools, email servers and general purpose security solutions, offer data loss prevention policy templates. These templates can help you easily create DLP policies that define which organizational content should be protected by a data loss policy. For example, DLP can ensure content identified by the policy is not transmitted to external individuals, modified or deleted.

Read more: Data Loss Prevention Policy Template

Data Loss Prevention Tools

Gartner estimates the size of the data loss prevention (DLP) market grew to $670 million in 2013. This represents a 25% increase since 2012. With many different data loss protection tools providers available, learning about the top offerings in the field is a good starting point. In this post, we define DLP and describe why data loss prevention tools are essential.

Read more: Data Loss Prevention Tools

Security Breaches: What You Need to Know

It seems every day new security breaches are announced, some of which affect millions of individuals. These breaches are about more than just data loss; they can impact the overall availability of services, the reliability of products and the trust that the public has in a brand. Read on to learn about security breaches and where you can start to minimize the chance that a breach occurs in your organization.

Read more: Security Breaches: What You Need to Know

See our Additional Guides on Information Security

For more in-depth guides on additional information security topics such as data breaches, see below:

Cyber Security Threats Guide

Cyber security threats are intentional and malicious efforts by an organization or an individual to carry out attacks on another organization or individual.

See top articles in our cyber security threats guide

SIEM Security Guide

SIEM security refers to the integration of SIEM with security tools, network monitoring tools, performance monitoring tools, critical servers and endpoints, and other IT systems.

See top articles in our siem security guide

User and entity behavior analytics Guide

UEBA stands for User and Entity Behavior Analytics which is a category of cybersecurity tools that analyze user behavior, and apply advanced analytics to detect anomalies.

See top articles in our User and Entity Behavior Analytics guide

Insider Threat Guide

An insider threat is a malicious activity against an organization that comes from users with legitimate access to an organization’s network, applications or databases.

See top articles in our insider threat guide

Security Operations Centers Guide

A security operations center (SOC) is traditionally a physical facility with an organization, which houses an information security team.

See top articles in our security operations center guide

Incident Response Guide

Incident response is an approach to handling security breaches.

See top articles in our incident response guide

Regulatory Compliance Guide

See top articles in our regulatory compliance guide

Recent DLP Articles

Understanding Cloud DLP: Key Features and Best Practices

Read More

Data Exfiltration Threats and Prevention Techniques You Should Know

Read More

Recent Ransomware Attacks Raise the Stakes for Data Exfiltration

Read More

Security Breaches: What You Need to Know

Read More

Data Loss Prevention Tools

Read More

Recent Information Security Articles

Introducing the XDR Alliance!

Read More

Dazed and Confused by the XDR Telenovela?

Read More

Calling all SOC Warriors: Announcing The 2021 Exabeam Cybersecurity Excellence Awards!

Read More

Detecting the Exploitation of Pentesting Tools: Gaining Power Over PowerShell

Read More

Helping Retailers Deliver a Secure Omnichannel Experience

Read More