Three Reasons Your DLP Strategy Needs to Evolve

For anyone who has worked in cybersecurity, the term “DLP” is a very familiar one. DLP, data loss prevention (or protection), became a must-have security tool decades ago and, since that time, has evolved into a blanket term covering all types of software. Everything from Identity and Access Management (IAM) to time-tracking, EDR to CRM, adds DLP to its list of features and benefits. It’s no surprise that many may also assume that an all-purpose “DLP software” can address their insider risk concerns. However, there are a number of weaknesses to bear in mind when considering DLP as a possible solution for insider risk and for improving your overall security stance.

#1 – DLP Leaves Unanswered Questions

DLP tools are highly focused on identifying files and data and alerting when conditions affecting those files are met. These alerts, no matter how complete and straightforward, are limited in the data they report, typically containing user/machine information, the document’s source or location, contents, processes involved, etc. Yet what is missing are the most critical data points – the “how and why.”

  • Why was the user handling this data?

  • Why or how did the data end up in this location?

  • How did we miss the contextual cues that may have been present before or after this incident?

  • How do we stop this from happening again?

  • How has this impacted my compliance, company reputation, or employee well-being?

As incidents become more complex, these critical clues are necessary to fully assess a risk and to understand the full extent of the issue at hand.

#2 – DLP Tagging Leaves Gaps

While there are many varieties of DLP products, many rely on file tagging, flagging, categorization, or other similar means of identifying data or files of interest. This logic seems ideal at first blush – apply tags or categories to your data (automatically or manually) and the data is protected. In practice, file tags can easily be altered by knowledgeable users so that a file appears less sensitive or carries no tag at all. File tags can also be stripped away entirely during format changes or file changes, both of which may happen routinely over a typical user’s day. In addition, many DLP products rely on the end user to tag or categorize newly created data or emails with the proper sensitivity level, which often does not happen as intended. The result is unintentionally vulnerable data and a massive blind spot for organizations that believe they are fully protected. Moreover, this puts the company in the even more precarious security posture of “we don’t know what we don’t know,” with no way to be fully aware of which data is being traced successfully and which data is untraceable.

#3 – DLP Misses Vital Cues That Lead to Incidents

Understanding small signals and changes in trends can be the difference between a single action and a significant breach. In rare cases these trends evolve solely within the realm of data loss; more often than not, however, incidents also include signals such as changes in behavior, unusual access patterns, unapproved web usage, or contacting third parties via chat or email. Depending on the data involved, the applications used, the end user’s technical skill, and how well the organization has implemented its DLP solution, many signs of an impending incident could be completely invisible without broader visibility.

To illustrate, let’s review the real-life progression of one of the most common intentional insider incidents: the departing employee. Up to 45% of employees admit that they take data when they leave a position. Worse, the average departing employee starts the process of data collection, casually exfiltrating data, and searching for relevant data up to 90 days before they depart an organization.

The end result of the disgruntled exiting employee? For an organization relying solely on traditional DLP, this user has left for a competitor with significant amounts of account information and proprietary information ready for use in their next position. Had other methods of employee monitoring been in place, the user’s patterns of use, job hunting, unapproved chats, and other information would likely have been exposed on day one, allowing time for reconciliation, remediation, or ongoing monitoring to take place.
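As an added illustration (not code from the original post or from any product it mentions), the following script scores constructed sample activity for one user over the 90-day window described above. It shows that a tag-based DLP rule fires only when a file that still carries its tag leaves the host, while combining tag-free content matching with the behavioural signals named above reaches a review threshold weeks earlier. Event shapes, signal weights, the threshold, the job-site markers and the account-ID pattern are all assumptions made for the example.

```python
import re
from collections import defaultdict
# Constructed sample activity for one user over ~90 days (illustrative, not real
# logs). The day-60 copy has no tag because the xlsx was re-saved as csv.
EVENTS = [
    {"day": 1,  "user": "alice", "kind": "web",    "detail": "jobs.example-board.test"},
    {"day": 12, "user": "alice", "kind": "web",    "detail": "careers.competitor.test"},
    {"day": 30, "user": "alice", "kind": "access", "detail": "finance/q4_accounts.xlsx",
     "unusual": True},
    {"day": 45, "user": "alice", "kind": "chat",   "detail": "external:recruiter@competitor.test"},
    {"day": 60, "user": "alice", "kind": "copy",   "detail": "q4_accounts.csv", "dest": "usb",
     "tag": None, "content": "ACCT-10923,Acme Ltd,1.2M"},
    {"day": 88, "user": "alice", "kind": "copy",   "detail": "client_list.docx", "dest": "usb",
     "tag": "confidential", "content": "ACCT-20011,Globex"},
]

JOB_SITE_MARKERS = ("jobs.", "careers.")          # assumed indicators for the example
ACCOUNT_ID = re.compile(r"\bACCT-\d{5}\b")        # assumed content pattern for the example
WEIGHTS = {"web_jobsite": 1, "access_unusual": 2, "chat_external": 2, "copy_content": 3}

def tag_based_dlp(events):
    """Classic tag-driven rule: alert only when a file tagged confidential leaves the host."""
    return [e["day"] for e in events
            if e["kind"] == "copy" and e.get("dest") == "usb" and e.get("tag") == "confidential"]

def signals(e):
    """Map one event to the named weak signals it carries (no tags required)."""
    found = []
    if e["kind"] == "web" and e["detail"].startswith(JOB_SITE_MARKERS):
        found.append("web_jobsite")
    if e["kind"] == "access" and e.get("unusual"):
        found.append("access_unusual")
    if e["kind"] == "chat" and e["detail"].startswith("external:"):
        found.append("chat_external")
    if e["kind"] == "copy" and ACCOUNT_ID.search(e.get("content", "")):
        found.append("copy_content")       # content match still works with the tag stripped
    return found

def risk_timeline(events):
    """Cumulative per-user risk score in day order: [(day, user, score), ...]."""
    score, timeline = defaultdict(int), []
    for e in sorted(events, key=lambda x: x["day"]):
        score[e["user"]] += sum(WEIGHTS[s] for s in signals(e))
        timeline.append((e["day"], e["user"], score[e["user"]]))
    return timeline

def first_review_day(events, user, threshold=5):
    """First day the user's cumulative score reaches the review threshold, else None."""
    return next((d for d, u, s in risk_timeline(events) if u == user and s >= threshold), None)
```

With these inputs the tag-based rule alerts only on day 88, whereas the combined score crosses the threshold on day 45, before any file has been copied.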

Successfully Closing DLP Gaps

While DLP is, and probably always will be, a vital part of the IT security toolbox, it can prove counter-productive if not implemented with proper procedures and visibility. Its limited focus and visibility cannot track the complex risks evolving within organizations, collectively termed the insider threat. When implemented correctly, these data points should work in tandem: data analysis feeding into behavior trends, and behavior data feeding into more effective data analysis. With these tools in place, the above scenario of the departing employee, as well as hundreds of other similar scenarios, would be detected quickly and effectively before harm is done.

In order to close the gaps caused by DLP-only solutions, organizations must have enhanced monitoring in place that includes user-based monitoring, activity tracking, workflow visibility, and data tracking. By gaining this more holistic view of how employees access and use data, and how these patterns change, risks can be detected and addressed quickly. innerActiv has been designed with the innovation necessary to identify modern risks to data and information regardless of whether those employees and data reside onsite within the network or offsite. innerActiv’s targeted insider risk monitoring provides real-time tag-free DLP, user activity metrics, process management, and full forensics to gain instant understanding of your data risk.
