Legacy Data Loss Prevention (DLP) solutions work as one might expect from technology that is decades old. First, administrators classify data either manually or by regular expressions (text strings for social security numbers, credit cards, phone numbers, or fields in a database). Next, they group users by role. Finally, they create granular rules to dictate which users may access, copy, and move each class of data – and with whom they may share it.
The rules are often focused on data loss. For example, a rule may block a user in sales from downloading a file classified as containing Personally Identifiable Information while allowing that action for a user in human resources. Another rule may prohibit emailing a sensitive financial document to a user outside of finance. A third rule may prohibit moving sensitive information of any kind to a removeable storage device.
Legacy DLP’s Dirty Secret
While granular rules can work with a small set of data and users, as both grow it becomes unwieldy. Administrators must constantly modify existing rules and create new ones to accommodate new data types, new roles and users, and unanticipated use cases. The inevitable false positives result in alert fatigue in the SOC and impede legitimate workflow.
Pushback from security analysts and users leads many organizations to use legacy DLP solutions in “monitor mode.” This turns off blocking of actions and allows users – including malicious users – to use data as they wish while logging all activity. Administrators continue to receive alerts for unauthorized activity for analysis and response. Without blocking capabilities, legacy DLP’s primary value is post-breach forensics.
How to Account for the Human Factor in DLP
Legacy DLP rules are data centric, concentrating on points of data egress and attempting to identify and block attacks as the user exfiltrates data. Careless insiders and malicious attackers are humans. While rules are an important part of DLP, they are poorly suited – by themselves – to understand how a sophisticated threat actor behaves. A better approach is to understand actions that could anticipate a threat. What are the steps an attacker or malicious insider takes as they conduct their attack?
Legacy DLP vendors designed their rules to detect and prevent data exfiltration. However, there are many actions an attacker will take before exfiltration. They must find the data they want and gather it together, or aggregate it, of course. A desire to escape detection will lead to activities designed to hide their activity. A malicious insider with knowledge of an organization’s defenses may “test” defenses with small, seemingly innocent violations. Stopping an adversary at any of these steps blocks a data breach.
Building a Security-positive Culture
Humans are the first line of defense in data loss protection. This starts with teaching and promoting good cyber hygiene and building a security-positive culture. An organization’s information security policy is a critical cornerstone in guiding employee behavior. However, annual training exercises are quickly forgotten.
Learning is a process. Consistent information security training - as employees work with data - helps employees maintain awareness and understanding of actions that can put data at risk and:
Reduce the number of security incidents.
Comply with regulatory requirements, international standards, and best practices in information security.
Address management concerns over the security of its information and systems.
Reveal enables organizations to understand employee behaviors that present risk to sensitive data, on and off the corporate network. When actions violate IT policy, it presents the end-user with pop-up messages and adaptive training in real time. To protect the user privacy and eliminate bias, all metadata is pseudonymized so administrators will never know a user’s identity until circumstances warrant a deeper investigation.
Next DLP’s Reveal allows organizations to predict and enforce data protection without hampering legitimate business activity. It promotes a security-positive culture through consistent training and corrections. Our behavioral analytics understand the human factor in data loss prevention and provide context to actions users take with sensitive data. Alerting on Indicators of Data Compromise allows teams to prioritize investigations and stop attacks earlier, limiting or eliminating damages.
