What is DLP and How to Implement it in your Organization?
Data loss prevention (DLP) is an approach that seeks to improve information security and protect business information from data breaches. It prevents end-users from moving key information outside the network. DLP also refers to tools that enable a network administrator to monitor data accessed and shared by end users.
You can use DLP solutions to classify and prioritize data security. You can also use these solutions to ensure access policies meet regulatory compliance, including HIPAA, GDPR, and PCI-DSS. DLP solutions can also go beyond simple detection, providing alerts, enforcing encryption, and isolating data.
Other features common in DLP solutions include:
- Monitoring – tools provide visibility into data and system access.
- Filtering – tools can filter data streams to restrict suspicious or unidentified activity.
- Reporting – tools provide logging and reports helpful for incident response and auditing.
- Analysis – tools can identify vulnerabilities and suspicious behavior and provide forensic context to security teams
In this article, you will learn:
- What is DLP?
- DLP use cases
- Trends driving DLP adoption
- Building your data loss prevention policy
- 4 DLP best practices
- Complementing DLP with next-gen security analytics
How does DLP work?
There are two main technical approaches to DLP:
- Context analysis only looks at metadata or other properties of the document, such as header, size, and format.
- Content awareness involves taking a document, reading it and analyzing its content to determine if it includes sensitive information.
Modern DLP solutions combine both of these solutions. At the first stage, DLP looks at the context of a document to see if it can be classified. If context is insufficient, it looks inside the document using content awareness.
There are several techniques commonly used for content awareness:
- Rule-based – analyzing the content of a document using certain rules or regular expressions, for example, looking for credit card numbers or social security numbers. This is very effective as an initial filter, because it is easy to configure and process, but is usually combined with additional techniques.
- Dictionaries – by combining the use of dictionaries, taxonomies, and lexical rules, the DLP solution can identify concepts that indicate sensitive information in unstructured data. This requires careful customization to each organization’s data.
- Exact data matching – creates a “fingerprint” of the data, and searches for exact matches in a database dump or currently running database. The downside of this method is that it requires creating a data dump or accessing live databases, which can affect performance.
- Exact file matching – creates a hash of the entire file, and looks for files that match this hash. This technique is very accurate, but cannot be used for files with multiple versions.
- Partial document match – can identify files where part of the content is a match, for example, the same form filled out by different users.
- Statistical analysis – can use machine learning algorithms for Bayesian analysis to identify content that violates a policy, or which contains sensitive data. These techniques become more effective the more labelled data you can feed to the algorithm for training.
DLP use cases
DLP solutions can be helpful in a variety of use cases, including:
- Ensuring compliance for personal information – if your organization needs to comply with regulations like GDPR or HIPAA, DlP can help identify and classify sensitive information, add required security controls, and help you set up monitoring and reporting to protect the data.
- Data leakage prevention on user endpoints – DLP solutions can protect data stored on mobile devices and laptops, which are at high risk because they connect to unsecured networks, and may be lost or stolen. DLP can identify suspicious events on a device and alert security teams that there is a risk of data loss.
- Data discovery – DLP can discover and classify the organization’s sensitive data on an ongoing basis, whether it is stored on endpoints, storage systems or servers. It can also provide visibility into who is using the data and what actions they are performing.
- Prevent data exfiltration – sophisticated attackers carry out targeted cyber attacks, usually with the aim of stealing sensitive data. In the event of a breach, DLP solutions can prevent data exfiltration, by identifying a suspicious data transfer, blocking it, and alerting security teams.
- Central management of sensitive data – DLP solutions provide central control over all sensitive data assets, making it possible to set policies, grant or revoke access, and generate compliance reports.
Trends driving DLP adoption
- Growth of the CISO role – as organizations appoint chief information security officers (CISOs), they become responsible for leaks, and use a DLP policy as a tool to gain visibility and report on organizational data.
- Evolving compliance requirements – new regulations are introduced all the time, for example GDPR in Europe, and the NYDFS Cybersecurity Regulations in New York State. DLP policies can help comply with these new regulations.
- There are more places to protect your data – businesses today use tools that are difficult to monitor, such as supply chain networks and cloud storage. This makes data protection more difficult. Knowing exactly which data crosses organizational boundaries is critical to preventing misuse.
- Data exfiltration is a growing risk – sensitive data is an attractive target for attackers. The number of attempted and successful breaches at organizations of all sizes is rapidly growing.
- Insider threats – data loss is increasingly caused by malicious insiders, compromised privileged accounts or accidental data sharing.
- Stolen data is worth more – the dark web allows adversaries to buy and sell stolen information. Data theft is a profitable business.
- More data to steal – the scope and definition of sensitive data has grown over time. Sensitive data now covers intangible assets, for example business methodologies and pricing models.
- Security talent shortage – many businesses are finding it difficult to fill security-related roles. In recent surveys by ESG and ISSA, 43% of organizations surveyed were affected by the talent shortage. This makes automated tools like DLP more attractive.
Building your data loss prevention policy
Individuals in organizations are privy to company information and can share this information, which can lead to accidental or intentional data loss. The distributed nature of today’s computer systems magnifies the problem.
Modern storage can be accessed from remote locations and through cloud services; laptops and mobile phones contain sensitive information and these endpoints are often vulnerable. It is becoming increasingly difficult to ensure that data is secure, making a data loss prevention strategy so important.
3 reasons for implementing a data loss prevention policy
Businesses are subject to mandatory compliance standards imposed by governments (such as HIPAA, SOX, PCI DSS). These standards often stipulate how businesses should secure Personally Identifiable Information (PII), and other sensitive data. A DLP policy is a basic first step to compliance, and most DLP tools are built to address the requirements of common standards.
- Intellectual property and intangible assets
An organization may have trade secrets, other strategic proprietary information, or intangible assets such as customer lists, business strategies, and so on. Loss of this type of information can be extremely damaging, and accordingly, it is directly targeted by attackers and malicious insiders. A DLP policy can help identify and safeguard critical information assets.
- Data visibility
Implementing a DLP policy can provide insight into how stakeholders use data. In order to protect sensitive information, organizations must first know it exists, where it exists, who uses it and for what purposes.
Tips for creating a successful DLP policy
- Classifying and interpreting data – Identify which information needs to be protected, by evaluating risk factors and how vulnerable it is. Invest in classifying and interpreting data, because this is the basis for implementing a suitable data protection policy.
- Allocate roles – clearly define the role of each individual involved in the data loss prevention strategy.
- Begin by securing the most sensitive data – start by selecting a specific kind of information to protect, which represents the biggest risk to the business.
- Automate as much as possible – the more DLP processes are automated, the broader you’ll be able to deploy them in the organization. Manual DLP processes are inherently limited in their scope and the amount of data they can cover.
- Use anomaly detection – some modern DLP tools use machine learning and behavioral analytics, instead of simple statistical analysis and correlation rules, to identify abnormal user behavior. Each user and group of users is modeled with a behavioral baseline, allowing accurate detection of data actions that might represent malicious intent.
- Involve leaders in the organization – management is key to making DLP work, because policies are worthless if they cannot be enforced at the organizational level.
- Educate stakeholders – putting a DLP policy in place is not enough. Invest in making stakeholders and users of data aware of the policy, its significance and what they need to do to safeguard organizational data.
- Documenting DLP strategy – documenting the DLP policy is required by many compliance standards. It also provides clarity, both at the individual and organizational level, as to what is required and how the policy is enforced.
- Establish metrics – measure DLP effectiveness using metrics like percentage of false positives, number of incidents and Mean Time to Response.
- Don’t save unnecessary data – a business should only use, save and store information that is essential. If information is not needed, remove it; data that was never stored cannot go missing.
4 data loss prevention best practices
1. Data classification must be central to DLP execution
Before you implement a DLP solution, pay special attention to the nature of sensitive information, and determine how it flows from one system to another. Identify how information is transferred to its consumers – this will reveal transmission paths and data repositories. Use labels or categories such as “employee data”, “intellectual property”, and “financial data” to classify sensitive data.
Make sure to investigate and record all data exit points. Organizational processes may not be documented, and not all data movement is the outcome of a routine practice.
2. Establish policies upfront
Engage IT and business staff in the early stages of policy development. This stage of the process should include identifying:
- Data categories that have been singled out
- Steps that need to be implemented to combat malpractice
- Future growth of the DLP strategy
- Steps that need to be taken if there is an abnormal occurrence.
Before the DLP strategy is put into practice, it is essential to establish incident management processes and ensure they are practical for every data category.
3. How to start
Start DLP implementation by monitoring organizational data. This lets you fine-tune and anticipate the effect that the DLP may have on organizational culture and operations. By jumping the gun, and blocking sensitive information too soon, you may harm central business activities.
You’ll find that DLP provides a lot of information, such as the transmission path and location of all sensitive information, which can be overwhelming. You may be tempted to try to solve all data protection issues at once, but this is not a good approach.
A good DLP implementation should start with low hanging fruits, establish rules, and ensure they are continually considered and improved. Involve all relevant stakeholders, and ensure they provide feedback on new data types, formats, or transmission paths that are not listed in the current DLP strategy, or not currently protected.
4. Know that DLP technology has its limitations
- Encryption – DLP tools can only examine encrypted information that they initially decrypt. If users encrypt data with keys that are not available to the DLP system operators, the information is invisible.
- Rich media – DLP tools are generally not useful when working with rich media such as images and video, because they cannot parse and classify their content.
- Mobile – DLP solutions cannot track all types of modern mobile communication, for example messages sent from a user’s private mobile devices.
Complementing DLP with next-gen security analytics
DLP solutions are great at monitoring data flows and securing against known threat patterns. However, malicious insiders and sophisticated attackers can act in ways that do not match any known pattern, or cannot be captured by DLP security rules. A category of security tools called user and entity behavior analytics (UEBA) can help.
UEBA tools establish a behavioral baseline for individual users, applications, network devices, IoT devices, or peer groupings of any of these. Using machine learning, they can identify abnormal activity for a specific entity or group of entities, even if it doesn’t match any known threat or pattern. This can complement traditional DLP solutions, alerting security teams of data-related incidents that have slipped past DLP rules.
For an example of a UEBA system that can help prevent data breaches due to unknown threats, learn more about Exabeam Advanced Analytics.
See how Exabeam’s advanced behavioral analytics can help identify data breaches faster and prevent data loss.
Learn more about DLP
Data loss prevention policy template
Today, data is more available, transferable and sensitive than ever. The best way to stop data leaks is to implement a data loss prevention (DLP) solution. DLP enforces an automated corporate policy, which can identify and protect data before it exits your organization
Many tools, including dedicated DLP tools, email servers and general purpose security solutions, offer data loss prevention policy templates. These templates can help you easily create DLP policies that define which organizational content should be protected by a data loss policy. For example, DLP can ensure content identified by the policy is not transmitted to external individuals, modified or deleted.
Read more: Data Loss Prevention Policy Template
Data loss prevention tools
Gartner estimates the size of the data loss prevention (DLP) market grew to $670 million in 2013. This represents a 25% increase since 2012. With many different data loss protection tools providers available, learning about the top offerings in the field is a good starting point. In this post, we define DLP and describe why data loss prevention tools are essential.
Read more: Data Loss Prevention Tools
Security breaches: what you need to know
It seems every day new security breaches are announced, some of which affect millions of individuals. These breaches are about more than just data loss; they can impact the overall availability of services, the reliability of products and the trust that the public has in a brand. Read on to learn about security breaches and where you can start to minimize the chance that a breach occurs in your organization.
Read more: Security Breaches: What You Need to Know
Understanding cloud DLP: Key features and best practices
Data loss prevention (DLP) practices and tools help protect data at rest, in-transit, and on endpoints. The goal is to reduce and eliminate risks such as data theft and data leakage.
Cloud DLP enables organizations to protect data residing in the cloud, but capabilities and practices vary between solutions. Discover key features and practices.
See our additional guides on information security
Cybersecurity threats guide
Cybersecurity threats are intentional and malicious efforts by an organization or an individual to carry out attacks on another organization or individual.
See top articles in our cybersecurity threats guide
- Information Security Threats and Tools for Addressing Them
- Drive By Downloads: What They Are and How to Avoid Them
- Cyber Crime: Types, Examples, and What Your Business Can Do
SIEM security guide
SIEM security refers to the integration of SIEM with security tools, network monitoring tools, performance monitoring tools, critical servers and endpoints, and other IT systems.
See top articles in our siem security guide
- 7 Open Source SIEMs: Features vs. Limitations
- SIEM Solutions: How They Work and Why You Need Them
- Combating Cyber Attacks With SOAR
User and entity behavior analytics guide
UEBA stands for user and entity behavior analytics which is a category of cybersecurity tools that analyze user behavior, and apply advanced analytics to detect anomalies.
See top articles in our User and Entity Behavior Analytics guide
- What Is UEBA and Why It Should Be an Essential Part of Your Incident Response
- User Behavior Analytics (UBA/UEBA): The Key to Uncovering Insider and Unknown Security Threats
- Behavioral Profiling: The Foundation of Modern Security Analytics
Insider threat guide
An insider threat is a malicious activity against an organization that comes from users with legitimate access to an organization’s network, applications or databases.
See top articles in our insider threat guide
- Fighting Insider Threats with Data Science
- Insider Threat Indicators: Finding the Enemy Within
- How to Find Malicious Insiders: Tackling Insider Threats Using Behavioral Indicators
Security operations centers guide
A security operations center (SOC) is traditionally a physical facility with an organization, which houses an information security team.
See top articles in our security operations center guide
- How to Build a Security Operations Center for Small Companies
- Security Operations Center Roles and Responsibilities
- SecOps: 7 Steps to : Taking DevOps One Step Further
Incident response guide
Incident response is an approach to handling security breaches.
See top articles in our incident response guide
- The Complete Guide to CSIRT Organization: How to Build an Incident Response Team
- How to Quickly Deploy an Effective Incident Response Policy
- Incident Response Plan 101: How to Build One, Templates and Examples
Regulatory compliance guide
See top articles in our regulatory compliance guide