[On-demand webinar] CISO Series: Decoding Cybersecurity Language with Adam Shostack

Watch now
April 7, 2020

3 reasons why DLP fails to protect from insider threats

So how can you protect against insiders? Cyberhaven’s Data Behavior Analytics (DaBA) solution can help you gain visibility into your organization’s data sprawl with factual data risk based on where your sensitive data resides.

We surveyed security professionals on top challenges they have with DLP:

  • 27% of respondents believe that it’s difficult to keep policies up to date at the rate of business needs.
  • 27% have limited data/file visibility
  • 23% too many false positives
  • 23% policies impede on employee productivity and collaboration

In our latest webinar, we deep dived into “3 reasons why DLP” struggles to prevent insider threats.


Not only do policies take time, but they enable you to only protect what you know. With DLP, you need to know what data you want to protect and how you want to protect it.

Security leaders create policies from experience, best practices, or guesswork – NOT actual data that shows where you need to put controls in place. With increased collaboration and cloud applications, it’s harder than ever to know where your data is and what policies will ensure it’s protected. The only way you know you have a missing policy is if an agency comes knocking on your door, or your competitor gets their hands on confidential information. You need a way to uncover what you don’t know before it gets exfiltrated, and DLP can’t help with that.


DLP focuses on content to identify sensitive data. DLP was designed to recognize pattern matches or exact matches, specifically for compliance (such as preventing Credit Cards and Security Cards from leaking). However, now, content is always changing, which makes it susceptible to malicious manipulation to avoid detection. But relying just on content isn’t enough to protect against insiders (whether malicious or careless). The key to identifying insider threats is intent. Understanding the file origin, location, access, movement, changes, and metadata is critical to identifying if a user is malicious or just careless. If you have visibility to the data journey then that lets you take the appropriate actions to remediate.


DLP provides limited insight into valuable file activity information. DLP inspects only at the point of egress. Pre-egress activity like file download, open, save, move, copy, etc., will always outnumber egress events – often at a rate of 10 to 1 or higher. In addition to pre-egress events outnumbering egress events, they also include arguably the most interesting and meaningful activity to help with data protection. And in the vast majority of environments, pre-egress events go completely undetected by DLP.

Some scary pre-egress scenarios might include:

  • Sally downloads all customer records from Salesforce
  • John downloads IP – he’s in accounting
  • Steve copy/pastes IP into a new file, renames file, zips and password-protects
  • Jane downloads 1000s files to personal device or cloud share
  • Dennis saves a sensitive file to a public folder

Most DLP implementations cannot stop these scenarios from happening. The blindspots can be easily exploited by motivated malicious insiders. And unfortunately, careless employee acts can be equally costly to organizations when coupled with outsider threats like phishing.

The webinar explores these scenarios in detail and highlights the many ways they create risk.


So how can you protect against insiders? Cyberhaven’s Data Behavior Analytics (DaBA) solution can help you gain visibility into your organization’s data sprawl with factual data risk based on where your sensitive data resides. We record all file activity and movement of your data. Now you can address threats before data egress and highlight insider threats. We work with or without existing DLP technology to deliver visibility to your critical assets and understand if your employees are putting your data at risk.

Watch Webinar

See our product in action