November 2, 2016 by Eleanor Ajala

The Evolution Of DLP

According to a recent Gartner forecast analysis, by 2018, ninety percent of organizations will implement at least one form of integrated data loss prevention (DLP), up from 50 percent today:

 “Organizations have been deploying DLP to address regulatory compliance, intellectual property (IP) protection and data visibility and monitoring. Newer solutions that include user entity and behavior analytics, image analysis, machine learning, and data-matching techniques are being used to augment existing solutions.”

DLP has been a challenge for most organizations, failing to fully realize the promise of protecting sensitive data. At best, point-based DLP solutions only deliver a fraction of the value that they promised. When you enable mass policies, i.e. signatures, you get data overload. Most deployments have resorted to using only a handful of policies to reduce the noise. Therefore, you are only looking at a very limited set of risks.

There are several reasons why traditional DLP has been ineffective at stopping the major breeches that have been highly publicized. First, they are signature-based only, which limits their threat detection capabilities to known-threats. Second, when deployed with a high volume of policies enabled, they create far too much noise to be useful. Finally, they don’t work well in organizations that do not document and classify all of their data at a very detailed level. As a result, we are seeing DLP capabilities being integrated into other technologies such as endpoint solutions, web and email proxy solutions. When you couple those capabilities with new analytic technologies like user and entity behavior analytics (UEBA), you reduce the noise, get better visibility, detect signature-less threats and protect your data from insider threats, cyber risk and fraud.

Igor Baikalov, Chief Scientist at Securonix had this to add:

“Let’s admit it, DLP was only ever good for regulatory compliance and data visibility. The rest is hype that never materialized. Exact data matching (EDM) and traditional regex-based approaches can only detect accidental leakage. Any determined insider who is intelligent enough to copy data from one place to another can figure out a dozen ways to encrypt, obfuscate, or simply encode the data to evade DLP controls. What is much more difficult to do is to hide the volume of data transmitted, a unusual destination it goes to, and many other small, tell-tale signs that differentiate malicious intent from legitimate activity. That’s why UEBA with mature machine-learning capabilities is a very effective technology for detecting and potentially preventing data loss caused by both external attackers and malicious insiders.

The fundamental flaw of traditional DLP tools is that they are designed as a negative control, implementing blacklist-like protection, and detecting only known patterns or values. This approach could only work in the cyber security age of innocence – pre-CardSystems, definitely pre-Snowden – when active evasion of DLP controls was not anywhere near the top of the threat list. Why are we still using it? Because positive security is very hard: it requires heavy lifting such as data classification, fine-grained access control and business rules integration. And to be really effective, it requires continuous user monitoring to detect any evasion attempts and changes in behavior that might be indicative of malicious intent – the bread and butter of UEBA.

According to a September 2016 McAfee Labs Threats Report, part of the problem is that as the target of data theft changes, data loss prevention tools have failed to adapt:

“The desirable data for theft is shifting to personally identifiable information, protected health information, and intellectual property. As a result, industries that tend to have less mature systems, such as healthcare and manufacturing, are at significant risk…. [Additionally,] some organizational activities can increase the number of incidents, because they suggest the existence of something new or improved that has not yet been adequately protected. New projects and products, reorganizations, and strategic planning activities top the list of activities that can cause an increase in security incidents.”

But most organization’s data loss prevention practices don’t address these critical risks.

“Many are not monitoring data movement in the right places. Close to 40 percent of data losses involve some type of physical media; but endpoint monitoring, including user activity and physical media, is used by only 37 percent of companies… Nearly 60 percent of respondents have deployed cloud-based applications, but only 12 percent have implemented visibility into data activity in the cloud.”

average

DLP must evolve beyond the compliance-driven technology we have known for many years into a real-time data protection capability. Our perimeters are porous, our networks hard to defend, and as such, our data is at great risk. Changing the focus to protection of the data and utilizing tools that can find unknown threats and abnormal behavior of that data, or any entity touching that data, is the best chance we have to protect it before it leaves our environment. A DLP solution that is only configured to monitor files written to removable media will miss someone printing sensitive information and walking out the door with the data. Without proper classification on all data, DLP solutions can miss critical information being sent out to things like personal email and file sharing sites. Protecting data in real-time is where UEBA solutions shine. UEBA solutions can eliminate these risks because they are not limited to policy-based decisioning. Behavior profiles on all data and entities accessing that data can be built to provide protection over data that may not be properly classified.

Whether you’re looking to bump up ROI in the existing legacy DLP solution, or build a next-generation DLP program from scratch, you ought to give UEBA prime consideration. According to MarketsandMarkets, major drivers for the global user and entity behavior analytics market include increasing need to prevent insider threats posed by users, growing requirement for real-time analytics by various organizations, and shortage of trained security professionals. Innovations in machine learning technology and data analysis techniques are also driving the global UEBA market.

Securonix, the market leader in the UEBA space, applies behavior analytics, machine learning and hierarchical threat modeling technology to adapt to the changing risks to your data. Data loss can be tracked far more affectively using endpoint logs, proxy data, application and cloud events in a UEBA technology to alert to abnormal use or behavior for your data. This eliminates the noise generated by DLP solutions, provides signature-less protection from new threats and can even protect data that you may not have properly classified.