Data Loss Prevention Solutions: Making Your Choice - Exabeam

Published
August 12, 2021

Author
Cynthia Gonzalez

What are DLP Solutions?

Data Loss Prevention (DLP) software categorizes the sensitive and confidential information of a business and recognizes policy breaches. DLP software often comes pre-built with policies suitable for compliance with standards such as GDPR, HIPAA, or PCI-DSS.

Once DLP software identifies a breach in policy, protective measures are taken, such as alerts and data encryption. DLP software also monitors endpoint movement, and safeguards data at rest, in motion and in use.

Data Loss Prevention Software Features

DLP software commonly contains the following capabilities:

  • Central policy management – lets you define company policies to protect sensitive data and comply with specific regulations. The DLP solution is a central interface for creating, executing and managing policies.
  • Incident response – notifies administrators of policy violations in real time, and provides tools to help them to manage these incidents.
  • Data discovery – identifies where sensitive data is located, using context analysis and content awareness techniques.
  • Data classification – categorizes data based on confidentiality and applies policies such as who can access the data and what can be done with the data.
  • Integration – includes pre-built integrations with user directories, email providers, data applications, and other systems where company data is stored.
  • Reports – provides pre-built reporting templates and customizable reports, which can be used to demonstrate compliance to regulators and auditors, and can be leveraged for forensic investigation or incident response.

Which Type of DLP Solution is Right for Your Organization?

Network DLP

  • Protects an organization’s network processes, such as web applications, email and FTP.
  • Lives in the company’s network, and monitors data as it moves throughout the network.
  • Maintains a database which provides details as to which data is being used and who is using the data.
  • Provides visibility into all data in transit on the organization’s network.

Storage DLP

  • Provides information about files stored and shared by users of an organization’s network.
  • Enables viewing sensitive files shared and stored on the network.
  • Provides visibility into information stored via on-premise storage equipment and cloud-based storage.

Endpoint DLP

  • Monitors workstations, servers, and mobile devices such as laptops, mobile phones, external hard-drives and USB disks.
  • Is installed as an agent on endpoint equipment and prevents data leakage from the endpoints.
  • Provides visibility into data stored on endpoints physically located inside and outside the organization.

Symantec DLP

Symantec DLP gives businesses the ability to see how and where information is kept in an organization. It is a scalable software suite that can monitor mobile, cloud and multiple endpoints. This system is effective even when employees are offline.

McAfee DLP

McAfee’s DLP solution (a part of Intel Security) protects intellectual property and helps compliance efforts by protecting sensitive information. It monitors data on premises, in the cloud, or at endpoints.

Check Point DLP

Check Point DLP educates businesses and individuals so that they can act efficiently and quickly to prevent data loss. It offers a centralized management console and provides preconfigured rules for easier implementation.

Digital Guardian DLP

Digital Guardian DLP is compatible with Mac, Windows and Linux endpoints and can manage a large number of workstations. It is available as a cloud-based or on-premise system.

6 Metrics for Evaluating the Effectiveness of Your DLP Solution

As with any complex, mission-critical system, it’s essential to evaluate your DLP solution and measure how much value you are deriving from it, and whether that value is improving or declining over time. Here are six simple metrics that can help you catch issues with your DLP implementation or the underlying DLP policies.

1. Percentage of policy exceptions

Exceptions are one-off permissions given to individuals or groups via the DLP tool, with regard to data access or transfer. Exceptions indicate organizational data that is used outside the DLP policy and may be vulnerable. Monitor the number of exceptions, as a percentage of all data-related events, to see the extent to which the DLP policy is enforced.

2. Percentage of false positives

DLP systems generate a large number of alerts, and many of those turn out not to be real security incidents, which places a burden on security teams. The percentage of false positives of all alerts measures the effectiveness of your DLP tool at filtering out irrelevant alerts and identifying real data issues.

3. Alert response time

Measures the mean time taken to respond to DLP alerts (excluding false positives). In many cases, due to the large volume of alerts, security teams might respond to critical DLP alerts late, or even ignore some alerts altogether. Measuring alert response time can help you identify problems in the DLP implementation or process, which are preventing security staff from responding to critical data alerts.

4. Number, type and storage size of unmanaged devices

You must keep track of the number of unmanaged devices that contain sensitive information. Such devices might include endpoints, servers, removable storage and cloud storage (depending on what is managed by your DLP system). All of these can act as departure points for sensitive information. Your DLP implementation should keep the number of unmanaged devices to a minimum, and if the number increases, consider switching to a solution which can manage more devices.

5. Percentage of databases which are fingerprinted

DLP solutions create a digital fingerprint of a relational database, which allows for tamper detection, traitor tracing (identifying the source of a leak), and validation of the integrity of the data. Measure the percentage of databases which are fingerprinted at any given time to ensure you have solid control of sensitive data sources.

6. Data classification success rate

The initial action in any Data Loss Prevention solution is data classification. Data classification helps you identify and isolate sensitive information, and understand its context. DLP solutions have various techniques for automatically or semi-automatically classifying data. Measure the percentage of erroneous classifications to see how much sensitive data your DLP may be leaving behind.
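The following added example (not from the original article or any vendor's product) computes metrics 1, 2, 3 and 6 from exported records. The record layout, field names and sample values are assumptions constructed for illustration; note that false positives are excluded from the response-time mean and that real alerts nobody answered are counted separately rather than silently dropped.

```python
from datetime import datetime
from statistics import mean

# Constructed sample records; field names are assumptions, not a vendor schema.
EVENTS = [
    {"type": "alert", "verdict": "true_positive",
     "raised": "2021-08-02T09:00", "responded": "2021-08-02T09:30"},
    {"type": "alert", "verdict": "false_positive",
     "raised": "2021-08-02T10:00", "responded": "2021-08-02T10:05"},
    {"type": "alert", "verdict": "true_positive",
     "raised": "2021-08-02T11:00", "responded": "2021-08-02T12:30"},
    {"type": "alert", "verdict": "true_positive",
     "raised": "2021-08-02T13:00", "responded": None},   # never answered
    {"type": "alert", "verdict": "false_positive",
     "raised": "2021-08-02T14:00", "responded": None},
    {"type": "exception"},   # one-off permission granted through the DLP tool
    {"type": "allowed"},
    {"type": "allowed"},
]
# Constructed review sample: (label the DLP assigned, label a reviewer assigned).
REVIEWED = [("confidential", "confidential"), ("public", "confidential"),
            ("public", "public"), ("internal", "internal")]

def pct(part, whole):
    return round(100 * part / whole, 1) if whole else 0.0

def minutes_between(start, end):
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 60

def dlp_metrics(events):
    alerts = [e for e in events if e["type"] == "alert"]
    exceptions = [e for e in events if e["type"] == "exception"]
    real = [a for a in alerts if a["verdict"] != "false_positive"]
    answered = [a for a in real if a["responded"]]
    times = [minutes_between(a["raised"], a["responded"]) for a in answered]
    return {
        "exception_pct": pct(len(exceptions), len(events)),          # metric 1
        "false_positive_pct": pct(len(alerts) - len(real), len(alerts)),  # metric 2
        "mean_response_min": mean(times) if times else None,         # metric 3
        "unanswered_real_alerts": len(real) - len(answered),
    }

def classification_error_pct(reviewed):                              # metric 6
    wrong = sum(1 for assigned, actual in reviewed if assigned != actual)
    return pct(wrong, len(reviewed))

if __name__ == "__main__":
    print(dlp_metrics(EVENTS), classification_error_pct(REVIEWED))
```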

Complementing DLP with Next-Gen Security Analytics

DLP solutions are great at monitoring data flows and securing against known threat patterns. However, malicious insiders and sophisticated attackers can act in ways that do not match any known pattern, or cannot be captured by DLP security rules. A category of security tools called User and Entity Behavioral Analytics (UEBA) can help.

UEBA tools establish a behavioral baseline for individual users, applications, network devices, IoT devices, or peer groupings of any of these. Using machine learning, they can identify abnormal activity for a specific entity or group of entities, even if it doesn’t match any known threat or pattern. This can complement traditional DLP solutions, alerting security teams of data-related incidents that have slipped past DLP rules.
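To illustrate how a behavioral baseline catches what a fixed rule misses, here is an added sketch (not Exabeam's algorithm and not from the original article) that scores a user's daily upload volume against that user's own history, falling back to a peer group when history is short. The 500 MB static rule, the thresholds, the user names and the data are all constructed assumptions, and a median/MAD score stands in for the machine learning a real UEBA product would use.

```python
from statistics import median

STATIC_RULE_MB = 500    # assumed DLP rule: alert above 500 MB uploaded per day
MIN_HISTORY_DAYS = 5    # assumed: below this, use the peer-group baseline
THRESHOLD = 6.0         # assumed: flag above 6 robust standard deviations

# Constructed daily upload volumes in MB per user.
HISTORY = {
    "alice": [20, 25, 22, 18, 30, 24, 21],
    "bob": [400, 420, 380, 450, 410, 390, 430],
    "carol": [15, 22],              # new user, too little history
}
PEERS = {"carol": ["alice"]}        # constructed peer grouping

def robust_baseline(values):
    """Median and MAD-scaled spread; resists outliers already in the history."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, max(1.4826 * mad, 1.0)   # floor avoids dividing by ~0

def assess(user, today_mb, history=HISTORY, peers=PEERS):
    """Return (static_rule_fired, behavior_anomalous, baseline_source)."""
    rule_fired = today_mb > STATIC_RULE_MB
    own = history.get(user, [])
    if len(own) >= MIN_HISTORY_DAYS:
        sample, source = own, "user"
    else:
        sample = [v for p in peers.get(user, []) for v in history.get(p, [])]
        source = "peer_group"
    if not sample:                       # nothing to compare against
        return rule_fired, False, "none"
    med, spread = robust_baseline(sample)
    return rule_fired, (today_mb - med) / spread > THRESHOLD, source

if __name__ == "__main__":
    for user, mb in [("alice", 300), ("bob", 440), ("carol", 280), ("dave", 600)]:
        print(user, mb, assess(user, mb))
```

The 300 MB upload by the constructed user alice stays under the static rule yet is far outside her baseline, while 440 MB from bob is larger in absolute terms but normal for him.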

For an example of a UEBA system that can help prevent data breaches due to unknown threats, learn more about Exabeam Advanced Analytics.
