In this post you will learn:
- What is DLP and How Does it Work?
- Trends driving data loss prevention adoption
- How to build your data loss prevention policy
- Best practices for implementing DLP
- Types of DLP solutions
- What are DLP software solutions
- Which type of DLP solution is right for you
- Popular DLP tools
- Metrics for evaluating the effectiveness of DLP solutions
What is DLP and How Does it Work?
Data loss prevention (DLP) is an approach that seeks to protect business information. It prevents end-users from moving key information outside the network. DLP also refers to tools that enable a network administrator to monitor data accessed and shared by end users.
You can use DLP solutions to classify and prioritize data security. You can also use these solutions to ensure access policies meet regulatory compliance, including HIPAA, GDPR, and PCI-DSS. DLP solutions can also go beyond simple detection, providing alerts, enforcing encryption, and isolating data.
Other features common in DLP solutions include:
- Monitoring—tools provide visibility into data and system access.
- Filtering—tools can filter data streams to restrict suspicious or unidentified activity.
- Reporting—tools provide logging and reports helpful for incident response and auditing.
- Analysis—tools can identify vulnerabilities and suspicious behavior and provide forensic context to security teams.
DLP solutions can be helpful in a variety of use cases, including:
- Security policy enforcement—DLP tools can help you identify deviations from policy, making it easier to correct misconfigurations.
- Meeting compliance standards—DLP tools can compare current configurations to compliance standards and provide proof of measures taken.
- Increasing data visibility—DLP tools can provide visibility across systems, helping you ensure that data is secure no matter where it’s stored.
Trends Driving DLP Policy Adoption
- Growth of the CISO role—as organizations appoint Chief Information Security Officers (CISOs), these officers become responsible for leaks and use a DLP policy as a tool to gain visibility and report on organizational data.
- Evolving compliance requirements—new regulations are introduced all the time, for example GDPR in Europe, and the NYDFS Cybersecurity Regulations in New York State. DLP policies can help comply with these new regulations.
- There are more places to protect your data—businesses today use tools that are difficult to monitor, such as supply chain networks and cloud storage. This makes data protection more difficult. Knowing exactly which data crosses organizational boundaries is critical to preventing misuse.
- Data exfiltration is a growing risk—sensitive data is an attractive target for attackers. The number of attempted and successful breaches at organizations of all sizes is rapidly growing.
- Insider threats—data loss is increasingly caused by malicious insiders, compromised privileged accounts or accidental data sharing.
- Stolen data is worth more—the Dark Web allows adversaries to buy and sell stolen information. Data theft is a profitable business.
- More data to steal—the scope and definition of sensitive data has grown over time. Sensitive data now covers intangible assets, for example business methodologies and pricing models.
- Security talent shortage—many businesses are finding it difficult to fill security-related roles. In recent surveys by ESG and ISSA, 43% of organizations surveyed were affected by the talent shortage. This makes automated tools like DLP more attractive.
Building Your Data Loss Prevention Policy—How to Develop a DLP Strategy
Individuals in organizations are privy to company information and can share this information, which can lead to accidental or intentional data loss. The distributed nature of today’s computer systems magnifies the problem.
Modern storage can be accessed from remote locations and through cloud services; laptops and mobile phones contain sensitive information, and these endpoints are often vulnerable. It is becoming increasingly difficult to ensure that data is secure, which is why a data loss prevention strategy is so important.
3 Reasons for Implementing a Data Loss Prevention Policy
1. Compliance
Businesses are subject to mandatory compliance standards imposed by governments (such as HIPAA, SOX, PCI DSS). These standards often stipulate how businesses should secure Personally Identifiable Information (PII) and other sensitive data. A DLP policy is a basic first step to compliance, and most DLP tools are built to address the requirements of common standards.
2. Intellectual property and intangible assets
An organization may have trade secrets, other strategic proprietary information, or intangible assets such as customer lists, business strategies, and so on. Loss of this type of information can be extremely damaging, and accordingly, it is directly targeted by attackers and malicious insiders. A DLP policy can help identify and safeguard critical information assets.
3. Data visibility
Implementing a DLP policy can provide insight into how stakeholders use data. In order to protect sensitive information, organizations must first know it exists, where it exists, who uses it and for what purposes.
Tips for Creating a Successful DLP Policy
- Classify and interpret data—identify which information needs to be protected by evaluating risk factors and how vulnerable it is. Invest in classifying and interpreting data, because this is the basis for implementing a suitable data protection policy.
- Allocate roles—clearly define the role of each individual involved in the data loss prevention strategy.
- Begin by securing the most sensitive data—start by selecting a specific kind of information to protect, which represents the biggest risk to the business.
- Automate as much as possible—the more DLP processes are automated, the more broadly you’ll be able to deploy them in the organization. Manual DLP processes are inherently limited in their scope and the amount of data they can cover.
- Use anomaly detection—some modern DLP tools use machine learning and behavioral analytics, instead of simple statistical analysis and correlation rules, to identify abnormal user behavior. Each user and group of users is modeled with a behavioral baseline, allowing accurate detection of data actions that might represent malicious intent.
- Involve leaders in the organization—management is key to making DLP work, because policies are worthless if they cannot be enforced at the organizational level.
- Educate stakeholders—putting a DLP policy in place is not enough. Invest in making stakeholders and users of data aware of the policy, its significance and what they need to do to safeguard organizational data.
- Documenting DLP strategy—documenting the DLP policy is required by many compliance standards. It also provides clarity, both at the individual and organizational level, as to what is required and how the policy is enforced.
- Establish metrics—measure DLP effectiveness using metrics like percentage of false positives, number of incidents and Mean Time to Response.
- Don’t save unnecessary data—a business should only use, save and store information that is essential. If information is not needed, remove it; data that was never stored cannot go missing.
4 Best Practices for Implementing a DLP
1. Data Classification Must Be Central to DLP Execution
Before you implement a DLP solution, pay special attention to the nature of sensitive information, and determine how it flows from one system to another. Identify how information is transferred to its consumers—this will reveal transmission paths and data repositories. Use labels or categories such as “employee data”, “intellectual property”, and “financial data” to classify sensitive data.
Make sure to investigate and record all data exit points. Organizational processes may not be documented, and not all data movement is the outcome of a routine practice.
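The labelling step described above can be sketched as a small content classifier. This is an added example, not code from any DLP product: the regular expressions, the keyword markers and the mapping of patterns to the three labels are assumptions, and the sample strings in the test are constructed. The Luhn checksum shows how a classifier avoids labelling arbitrary 16-digit identifiers as card numbers.

```python
import re

# Assumed detectors; a real policy would use organization-specific patterns.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # candidate payment card numbers
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")     # US SSN layout
IP_MARKERS = ("confidential", "trade secret", "proprietary")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: rejects digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> set[str]:
    """Return the set of sensitivity labels that apply to a piece of text."""
    labels = set()
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if luhn_valid(digits):
            labels.add("financial data")
    if SSN_RE.search(text):
        labels.add("employee data")
    lowered = text.lower()
    if any(marker in lowered for marker in IP_MARKERS):
        labels.add("intellectual property")
    return labels


if __name__ == "__main__":
    # Constructed sample documents.
    for doc in ("Card on file: 4111 1111 1111 1111",
                "Order ref 1234567890123456 shipped",
                "HR record, SSN 123-45-6789. CONFIDENTIAL"):
        print(sorted(classify(doc)), "<-", doc)
```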
2. Establish Policies Upfront
Engage IT and business staff in the early stages of policy development. This stage of the process should include identifying:
- Data categories that have been singled out
- Steps that need to be implemented to combat malpractice
- Future growth of the DLP strategy
- Steps that need to be taken if there is an abnormal occurrence.
Before the DLP strategy is put into practice, it is essential to establish incident management processes and ensure they are practical for every data category.
3. How to Start
Start DLP implementation by monitoring organizational data. This lets you fine-tune and anticipate the effect that the DLP may have on organizational culture and operations. By jumping the gun, and blocking sensitive information too soon, you may harm central business activities.
You’ll find that DLP provides a lot of information, such as the transmission path and location of all sensitive information, which can be overwhelming. You may be tempted to try to solve all data protection issues at once, but this is not a good approach.
A good DLP implementation should start with low-hanging fruit, establish rules, and ensure they are continually reviewed and improved. Involve all relevant stakeholders, and ensure they provide feedback on new data types, formats, or transmission paths that are not listed in the current DLP strategy, or not currently protected.
4. Know that DLP technology has its limitations
- Encryption—DLP tools can only examine encrypted information if they can first decrypt it. If users encrypt data with keys that are not available to the DLP system operators, the information is invisible.
- Rich media—DLP tools are generally not useful when working with rich media such as images and video, because they cannot parse and classify their content.
- Mobile—DLP solutions cannot track all types of modern mobile communication, for example messages sent from a user’s private mobile devices.
What Type of DLP Solution is Right for Your Organization?
There are three main types of DLP solutions:
- Network DLP—attached to the corporate network’s data points. Network DLP traces, monitors and reports on all information flowing through ports and protocols used on the network.
- Storage DLP—provides control over information that employees retain and share, and alerts businesses if their information can easily be attained by outsiders. Useful for monitoring data stored in the cloud.
- Endpoint DLP—there is a huge proliferation of endpoints within organizations, such as workstations, laptops, mobile phones and tablets, as well as standalone storage devices like USBs and external hard drives. Endpoints, especially mobile ones, are especially vulnerable and can lead to data leakage. Endpoint DLP provides agents installed on all workstations and devices used by company employees, to monitor and prevent transfer of sensitive information.
What is DLP Software?
Data Loss Prevention (DLP) software categorizes the sensitive and confidential information of a business and recognizes policy breaches. DLP software often comes pre-built with policies suitable for compliance with standards such as GDPR, HIPAA, or PCI-DSS.
Once DLP software identifies a breach in policy, protective measures are taken, such as alerts and data encryption. DLP software also monitors endpoint movement, and safeguards data at rest, in motion and in use.
Which Type of DLP Solution is Right for Your Organization?
Network DLP
- Protects an organization’s network processes, such as web applications, email and FTP.
- Lives in the company’s network, and monitors data as it moves throughout the network.
- Maintains a database which provides details as to which data is being used and who is using the data.
- Provides visibility into all data in transit on the network.
Storage DLP
- Provides information about files stored and shared by users of an organization’s network.
- Enables viewing sensitive files shared and stored on the network.
- Provides visibility into information stored via on-premise storage equipment and cloud-based storage.
Endpoint DLP
- Monitors workstations, servers, and mobile devices such as laptops, mobile phones, external hard-drives and USB disks.
- Installed as an agent on endpoint equipment and prevents data leakage from the endpoints.
- Provides visibility into data stored on endpoints physically located inside and outside the organization.
Popular DLP Tools
Symantec DLP gives businesses the ability to see how and where information is kept in an organization. It is a scalable software suite that can monitor mobile, cloud and multiple endpoints. This system is effective even when employees are offline.
McAfee’s DLP solution (a part of Intel Security) protects intellectual property, and helps compliance efforts by protecting sensitive information. It monitors data on premises, in the cloud, or at endpoints.
Check Point DLP educates businesses and individuals so that they can act efficiently and quickly to prevent data loss. It offers a centralized management console and provides preconfigured rules for easier implementation.
Digital Guardian DLP is compatible with Mac, Windows and Linux endpoints and can manage a large number of workstations. It is available as a cloud-based or on-premise system.
6 Metrics for Evaluating the Effectiveness of Your DLP Solution
As with any complex, mission-critical system, it’s essential to evaluate your DLP solution and measure how much value you are deriving from it, and whether that value is improving or declining over time. Here are six simple metrics that can help you catch issues with your DLP implementation or the underlying DLP policies.
1. Percentage of policy exceptions
Exceptions are one-off permissions given to individuals or groups via the DLP tool, with regard to data access or transfer. Exceptions indicate organizational data that is used outside the DLP policy and may be vulnerable. Monitor the number of exceptions, as a percentage of all data-related events, to see the extent to which the DLP policy is enforced.
2. Percentage of false positives
DLP systems generate a large number of alerts, and many of those turn out not to be real security incidents, which places a burden on security teams. The percentage of all alerts that are false positives measures the effectiveness of your DLP tool at filtering out irrelevant alerts and identifying real data issues.
3. Alert response time
Measures the mean time taken to respond to DLP alerts (excluding false positives). In many cases, due to the large volume of alerts, security teams might respond to critical DLP alerts late, or even ignore some alerts altogether. Measuring alert response time can help you identify problems in the DLP implementation or process, which are preventing security staff from responding to critical data alerts.
4. Number, type and storage size of unmanaged devices
You must keep track of the number of unmanaged devices that contain sensitive information. Such devices might include endpoints, servers, removable storage and cloud storage (depending on what is managed by your DLP system). All of these can act as departure points for sensitive information. Your DLP implementation should keep the number of unmanaged devices to a minimum, and if the number increases, consider switching to a solution which can manage more devices.
5. Percentage of databases which are fingerprinted
DLP solutions create a digital fingerprint of a relational database, which allows for tamper detection, traitor tracing (identifying the source of a leak), and validation of the integrity of the data. Measure the percentage of databases which are fingerprinted at any given time to ensure you have solid control of sensitive data sources.
6. Data classification success rate
The initial action in any Data Loss Prevention solution is data classification. Data classification helps you identify and isolate sensitive information, and understand its context. DLP solutions have various techniques for automatically or semi-automatically classifying data. Measure the percentage of erroneous classifications to see how much sensitive data your DLP may be leaving behind.
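The first three metrics use different denominators, which is easy to get wrong when computing them from raw records. The following added example (not taken from any DLP product) computes them over a constructed event list; the record fields `kind`, `false_positive`, `raised` and `responded` are assumptions rather than a vendor export schema.

```python
from datetime import datetime
from statistics import mean

# Constructed sample records; field names are assumptions.
EVENTS = [
    {"kind": "allowed"},
    {"kind": "allowed"},
    {"kind": "allowed"},
    {"kind": "exception"},
    {"kind": "alert", "false_positive": True,  "raised": "2024-03-01T09:00", "responded": "2024-03-01T09:05"},
    {"kind": "alert", "false_positive": False, "raised": "2024-03-01T10:00", "responded": "2024-03-01T10:30"},
    {"kind": "alert", "false_positive": False, "raised": "2024-03-01T11:00", "responded": "2024-03-01T12:30"},
    {"kind": "alert", "false_positive": False, "raised": "2024-03-01T13:00", "responded": None},
]


def pct(part, whole):
    """Percentage rounded to one decimal; 0.0 when there is nothing to divide by."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def dlp_metrics(events):
    alerts = [e for e in events if e["kind"] == "alert"]
    real = [a for a in alerts if not a["false_positive"]]
    answered = [a for a in real if a["responded"]]
    minutes = [
        (datetime.fromisoformat(a["responded"])
         - datetime.fromisoformat(a["raised"])).total_seconds() / 60
        for a in answered
    ]
    return {
        # Exceptions are measured against all data-related events.
        "pct_exceptions": pct(sum(e["kind"] == "exception" for e in events), len(events)),
        # False positives are measured against alerts only.
        "pct_false_positives": pct(sum(a["false_positive"] for a in alerts), len(alerts)),
        # Response time excludes false positives and alerts nobody answered.
        "mean_response_minutes": mean(minutes) if minutes else None,
        # Real alerts that were never answered would otherwise hide from the mean.
        "unanswered_alerts": len(real) - len(answered),
    }


if __name__ == "__main__":
    print(dlp_metrics(EVENTS))
```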
Complementing DLP with Next-Gen Security Analytics
DLP solutions are great at monitoring data flows and securing against known threat patterns. However, malicious insiders and sophisticated attackers can act in ways that do not match any known pattern, or cannot be captured by DLP security rules. A category of security tools called User and Event Behavioral Analytics (UEBA) can help.
UEBA tools establish a behavioral baseline for individual users, applications, network devices, IoT devices, or peer groupings of any of these. Using machine learning, they can identify abnormal activity for a specific entity or group of entities, even if it doesn’t match any known threat or pattern. This can complement traditional DLP solutions, alerting security teams of data-related incidents that have slipped past DLP rules.
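To make the idea of a per-entity baseline concrete, here is an added example that is not how any UEBA product works internally: it substitutes a simple robust statistic (median and median absolute deviation) for the machine learning models described above. The user names, daily transfer volumes and the 3.5 threshold are assumptions chosen for illustration.

```python
from statistics import median

# Constructed sample: megabytes each user sent outside the network per day.
HISTORY = {
    "alice": [40, 55, 48, 52, 45, 50, 47],
    "bob": [900, 1100, 950, 1000, 1050, 980, 1020],  # large transfers are normal for bob
}


def baseline(values):
    """Return (median, MAD), a baseline that a single outlier day cannot skew."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, mad


def is_anomalous(user, today_mb, history=HISTORY, threshold=3.5):
    """Flag a day whose outbound volume is far above this user's own baseline."""
    med, mad = baseline(history[user])
    if mad == 0:
        # Perfectly constant history: any increase is a deviation.
        return today_mb > med
    # 0.6745 scales MAD so the score is comparable to a standard z-score.
    robust_z = 0.6745 * (today_mb - med) / mad
    return robust_z > threshold


if __name__ == "__main__":
    # The same 900 MB transfer is abnormal for alice and routine for bob,
    # which a single static size rule cannot express.
    for user in ("alice", "bob"):
        print(user, baseline(HISTORY[user]), is_anomalous(user, 900))
```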
For an example of a UEBA system that can help prevent data breaches due to unknown threats, learn more about Exabeam Advanced Analytics.