Legacy data loss prevention (DLP) was designed to protect sensitive data for compliance requirements. This required organizations to perform discovery, pre-classify all data, and build granular rules to dictate what actions could be taken with each class of data by each class of users. Once all the data discovery and classification were completed (often months after starting) and rules were in place, legacy DLP merely monitored the data. When a rule was violated, an alert was generated. Context around users, data, and devices was absent.
Today’s security and IT teams still need to meet compliance requirements and, additionally, worry about insider risks and threats. Since legacy DLP performs poorly when the adversary is an employee or partner with legitimate access to sensitive data, many organizations deployed insider risk management (IRM) solutions to focus on user behavior. These solutions detect anomalous actions such as accessing new data stores or common data stores outside of normal working hours and downloading an unusually high number of files. IRM was often an HR project and lacked the technical controls and linkages needed to stop data loss before it happened.
The Convergence of DLP and Insider Risk Management
Insider threats can be more challenging to stop as the user has authorized access to the protected data and may even be creating the data. From a practical standpoint, external and internal actors can be impossible to differentiate. An external attacker using stolen credentials will appear to be an insider and work hard to behave “normally” and not reveal themself.
From a defensive standpoint, an organization’s goal is to protect data, irrespective of whether the adversary is an employee or a hacker. In essence, the boundary between DLP and IRM is rapidly fading. To protect data, one must observe and analyze user activity and worry less about the purported identity of the person working with the data. The goal is to identify anomalous actions and block an attack before it becomes a breach.
A New Challenge Requires a New Approach
Legacy DLP and IRM solutions were designed for an environment where users operated within the corporate network, and applications were run on endpoints. In today’s cloud-first, work-from-anywhere world, these solutions must compromise effectiveness to accommodate web and mobile apps, browser-based communications, and remote workers.
Reveal employs machine learning on the endpoint to overcome the deficiencies of legacy solutions. This automated approach allows Reveal to identify and classify data as it is accessed and created, eliminating the need to pre-classify everything within the enterprise before protection can begin. It is cloud-native with smart agents that interact with the OS and browser. It protects data on and off the corporate network and across SaaS, messaging, and video conferencing apps.
Machine Learning on Endpoints Allows for Policy-Free Protection
Machine learning on the endpoint enables Reveal to baseline activity for each user and device in days, not months. Autonomous behavior analysis on the endpoint minimizes the requirement for granular policies and the resulting false positives. This “policy-free” approach understands acceptable behavior for each user, identifies anomalous behavior based on the users, data, and actions, and reports on risks to data without preset rules. Many organizations augment this policy-free approach for risk discovery with some policies for known data types and risks.
Integrating DLP and IRM in a Single Solution
Using Reveal to integrate DLP and insider threat management allows organizations to create a more comprehensive and effective security framework. Reveal combines the strengths of both disciplines, leveraging content inspection, data monitoring, behavior analytics, and incident response to effectively detect external and internal threats while safeguarding sensitive data from unauthorized access or disclosure.
HR and Security functions both get the insights they need from the unified Reveal platform. When employees give notice or a new employee starts, HR can ensure that acceptable use policies are followed. If they are not, Security teams can configure Reveal to implement more restrictive controls, such as isolation of an endpoint if warranted.
Whether the activities are considered insider risk or data loss events, Reveal displays them in a single view, letting analysts correlate these actions to get a comprehensive view of the actions.
