Back to Blog
Security best practices
3 reasons why DLP needs to be done on the client
In this blog, we analyze network and endpoint DLP to show how Cyberhaven’s fundamentally different approach provides clarity for why DLP done on the client is the best possible solution for users.
In this article
From the earliest days of information security, pundits have debated which is better—an endpoint-based approach to security or a network-based approach. In most cases, this is a false dilemma. Both approaches have their strengths and ultimately end up complementing one another.
However, there is also no doubt that one approach can be clearly better when it comes to a specific job. There are several reasons that I think the endpoint approach is considerably better when it comes to DLP, particularly in light of Cyberhaven’s unique approach. Let’s briefly take a look at some of the challenges of network-based DLP and how Cyberhaven addresses them.
1. Secure apps can break the DLP
Network DLP solutions naturally need to be able to inspect traffic on the wire in order to function. Since most traffic today is protected by TLS or SSL, network-based DLP can only see the traffic via an MITM decryption process. However, the same “conference of trust” that makes in-line decryption possible can and has been used by attackers to perform malicious MITM attacks, as seen in the notorious DigiNotar and Comodo hacks.
To address this risk, applications began using a process called certificate pinning. In short, instead of trusting an intermediate certificate simply because it was signed by a valid CA, certificate pinning requires that the TLS handshake match the specific cert (or public key) of the target application. If a user tries to connect to Evernote, for example, then the connection only works if a specific Evernote certificate is returned. Quite simply, this breaks the MITM at the heart of SSL decryption, and by extension it breaks network DLP.
This is not an edge case. Just as a reference, the following Zscaler support page provides a list of apps that use certificate pinning, including Office 365, Google Drive, Facebook Messenger, Apple iMessage, and many more.
By contrast, Cyberhaven knows the full history, context, and content of every file before the user ever tries to send one. Whether the app is encrypted or uses certificate pinning is irrelevant to Cyberhaven. This means policies can be enforced consistently regardless of the application and even tailored to ensure users only use approved applications to handle sensitive content.
2. Users can avoid network DLP
When it comes to preventing data loss, few things are as important as the user who is doing the sending. And while most users want to do the right thing from a security standpoint, there are a variety of very common reasons why we can’t afford to blindly trust them. The user could be malicious, compromised by malware, or simply in a big hurry. For example, if a user is on a tight deadline and gets blocked by DLP when sending files to a partner, the first reaction could easily be to try to send the file via another app or using a VPN instead of opening a ticket with IT.
And whether the motivation is malicious or not, there are many ways that users can avoid DLP inspection at the network level. They could encrypt the content or simply drop it in a password-protected zip file. They could protect their connections with a personal VPN or use a proxy to evade inspection. They could intentionally seek out any of the many applications described above that can not be inspected. These are just a few examples, but the key point is that the user (or malware) can take any number of actions on the client machine that will allow it to avoid inspection on the wire.
Cyberhaven sees everything that happens on the client side as well as the full history of that content. If content is dropped into an encrypted archive, the solution still knows what’s inside. If content is copy/pasted into an encrypted application, Cyberhaven knows and enforces policy appropriately.
3. Analysis is constrained and expensive
Many of the network-based approaches to DLP are offered by vendors that provide other types of network inspection such as intrusion prevention (IDS/IPS) or URL filtering. However, DLP content inspection is dramatically more resource-intensive than these other types of analysis. Unlike an IPS signature that only needs to look at a few bytes of input code for markers of an exploit, a DLP rule must analyze all the content in the payload. And since network DLP products only get to see the content when it hits the wire, they have a massive amount of work to do in a very short period of time. For these reasons, security appliances that can handle tens or hundreds of thousands of IPS signatures can only handle a handful of DLP rules.
This translates to analysis that ends up being very expensive (both computationally and financially) and is arbitrarily constrained. For example, this Palo Alto Networks support page states that the DLP solution is limited to 10 data profiles for blocking or 50 for alerting, and the maximum supported file size is 20 MB. This puts hard limits on what types of content can be protected. Additionally, the network DLP analysis can directly introduce latency for the user, during which time applications may be hung as the transfer waits to complete.
And to be clear, this is not a problem unique to a particular network vendor. It is simply a trait of DLP content inspection in general. While many vendors are moving this functionality to the cloud, it doesn’t solve the core problem. DLP inspection is resource-intensive and will require more cloud resources for the cloud provider, which will ultimately need to be passed on to the consumer. Likewise, all network DLP solutions have file size limitations, and end users will still be stuck waiting for analysis to complete.
This problem is also not solely a network DLP problem—client-side DLP rules are also notorious resource hogs as well. Cyberhaven solves this problem in a unique way. Instead of delaying all analysis to the time of egress, Cyberhaven continuously tracks and analyzes all content all the time. So instead of waiting for the user to press Send to start its analysis, Cyberhaven already knows the answer.
These are some of the most fundamental challenges facing network-based DLP. However, it is far from an exhaustive list. The task of writing rules and signatures for network DLP can be challenging, and staff can spend countless hours trying to balance detection accuracy against the performance impacts of their rules. Likewise, even discounting the challenges of certificate pinning, staff will often need to expend considerable effort installing certificates on each client and keeping up with new browser and application releases that can break the SSL decryption process.
Cyberhaven provides a fundamentally different approach to both network-based DLP and even the endpoint-based DLP solutions that have come before it. Analysis is not put off until the last second at the point of egress. The full history of each piece of file is maintained in terms of provenance, user contexts, and the content itself. This analysis remains consistent regardless of the application, and context is maintained even if the user or malware tries to obscure the content. In the end, Cyberhaven spends far more time analyzing and thinking, but the heavy lifting is done prior to egress. This ensures a far more accurate answer with less waiting and friction for the user.