
Why Cyberhaven is the only day-zero DLP solution available for macOS Big Sur

Volodymyr Kuznetsov

How to keep your data safe without worrying about the OS

The upcoming release of macOS 11.0 Big Sur marks one of the biggest updates to Apple’s iconic operating system in years. And while there are plenty of shiny new features in store, Big Sur also comes with potential headaches for IT and security teams, specifically in terms of support for their DLP products.

Big Sur nixes the old DLP mode

In order to deliver a better, more stable experience for users and a more secure environment against growing cybersecurity threats, Apple is no longer allowing third-party applications to use kernel extensions (KEXTs), which allow applications to run inside the OS kernel. This is a great move for end users: applications running in kernel space have inexorably led to crashes and compatibility problems, and removing them will help close security gaps that could be exposed by hackers.

The problem is that these kernel extensions are at the heart of most traditional DLP products, which need to analyze every file on every egress. As a result, many DLP vendors are rushing to port their products to run in user space, where traditional applications are run. Customers will need to deploy new agents to all their protected endpoints. If users or IT teams accidentally schedule the OS upgrade before the agent is updated, the affected devices will likely lose DLP protections.

Cyberhaven: User space from the beginning

As security and development veterans, Cyberhaven’s founders were well aware of the problems caused by applications running in the kernel. The team set out to build a radically different approach to DLP, one that isn’t dependent on manually classifying and tagging all of your data and that follows the full lineage of data to cut through the noise of false positives. Cyberhaven was also designed to run in user space on both Mac and Windows from the beginning. This means Cyberhaven has native, out-of-the-box support for Big Sur, giving Mac and Windows customers the following benefits:

  • Better stability and compatibility for users – Cyberhaven’s user space architecture avoids the crashes and bluescreens that have dogged DLP tools for years. Additionally, Cyberhaven avoids the conflicts created when multiple agents are running in the kernel.
  • Less work for IT and security teams – Cyberhaven is not only ready for Big Sur, but is naturally more compatible with future OS updates and changes. Instead of worrying about each new OS release, enterprise teams can know that their DLP will just work.
  • Better performance – Traditional DLP is often a significant performance drain on the endpoint, and the problem could easily get worse as they are forced to move to user space. Cyberhaven’s unique approach based on data tracing allows for a much more lightweight approach to the agent, which keeps the system impact to less than 0.1% of CPU usage.
  • User space support for Windows – Cyberhaven provides the same benefits for the Windows operating system as well. This also means that customers will be ready if Microsoft follows suit and restricts third-party applications’ kernel access in the future.

Just one part of a better DLP

Cyberhaven’s native support for Big Sur is just one benefit of a better overall approach to DLP that is far more accurate, less invasive, and more performant, all while reducing friction with end users.

Traditional DLP products used kernel access for a good reason: they work by constantly intercepting and scanning every file each time data leaves the environment. This is an intensive operation that needs to be performed as quickly as possible.

Cyberhaven takes a different approach that is both far more accurate and efficient. Instead of scanning every file on egress, Cyberhaven only needs to analyze files once. Sensitive files can be identified automatically based on their provenance, content, and users. The solution then maintains a real-time genealogy of the file (and all its descendants) on the host, across the network, and in the cloud. Content is continually tracked using OS and application logs even if files are renamed, copied, zipped, or content is copy/pasted into other apps and documents. Instead of continually scanning and rescanning the same file hundreds or thousands of times, Cyberhaven does the heavy lifting once then traces all following behavior. This has the following benefits:

  • Better DLP accuracy – Traditional DLP often relies on security teams to manually define content patterns, or on end users to apply accurate tags. If they make mistakes and misclassify content, then the DLP fails to do its job. Cyberhaven makes it easy to find where important content is located, track such content and its derivatives, and enforce policies on it without manual tagging.
  • Prevent DLP evasion – Cyberhaven tracks the history of files and content even when the content can’t be seen. For example, if a user hides a file in a protected zipped archive, traditional DLP may not be able to scan it, while Cyberhaven will know the archive’s contents. If an employee pastes data into a chat application, Cyberhaven sees it.
  • Fewer false positives – Traditional DLP must make decisions solely based on the content of the file. Since many types of sensitive content are unstructured, these tools have a high rate of false positives. Cyberhaven uses multiple contexts such as user information, source of the content (e.g. GitHub, Financial folders, etc) and others to identify sensitive information with much higher fidelity.
  • Low performance impact on the device – Since Cyberhaven spends most of its time tracking files and only analyzing file metadata, the solution is able to keep performance requirements very low – typically less than 0.1% of CPU capacity.
  • Better user experience – DLP traditionally scans files at the time of egress, forcing users to wait until the analysis is complete, and the wait grows longer as file sizes grow. Since Cyberhaven already knows the file’s contents and only has to analyze the metadata of the file, the process is fast and transparent to end users unless a policy needs to be enforced.
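
The general idea of tracing lineage instead of rescanning content can be sketched with a small ancestry graph. This is an added illustration, not Cyberhaven's code or algorithm; the event tuples, paths, URLs and the SENSITIVE_ORIGINS policy are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events, not real agent telemetry: (action, sources, dest).
EVENTS = [
    ("download", ["https://git.example.com/payments/keys.py"], "~/src/keys.py"),
    ("copy",     ["~/src/keys.py"], "~/Desktop/notes.txt"),
    ("rename",   ["~/Desktop/notes.txt"], "~/Desktop/holiday.txt"),
    ("zip",      ["~/Desktop/holiday.txt", "~/Pictures/cat.jpg"], "~/Desktop/pics.zip"),
    ("paste",    ["~/Desktop/holiday.txt"], "chat:draft-17"),
    ("download", ["https://www.example.org/menu.pdf"], "~/Downloads/menu.pdf"),
]

# Hypothetical policy: sensitivity is decided once, from where data came from.
SENSITIVE_ORIGINS = ("https://git.example.com/payments/",)


class LineageGraph:
    def __init__(self):
        self.parents = defaultdict(set)   # object -> objects it was derived from

    def record(self, action, sources, dest):
        # Copy, rename, zip and paste all make dest a descendant of its sources.
        self.parents[dest].update(sources)

    def origins(self, obj):
        """Walk ancestry back to the roots (objects with no recorded parent)."""
        seen, stack, roots = set(), [obj], set()
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            if self.parents.get(node):
                stack.extend(self.parents[node])
            else:
                roots.add(node)
        return roots

    def egress_verdict(self, obj):
        """Decide from lineage alone; the object's bytes are never read."""
        hits = [o for o in self.origins(obj) if o.startswith(SENSITIVE_ORIGINS)]
        return ("block", sorted(hits)) if hits else ("allow", [])


def build(events):
    graph = LineageGraph()
    for action, sources, dest in events:
        graph.record(action, sources, dest)
    return graph
```

The archive and the chat draft are flagged because of their ancestry, which is why an encrypted or renamed container does not hide the data in this model; an object with no recorded history falls through to "allow", so gaps in event coverage are the failure mode to watch for.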

These are just some of the ways that Cyberhaven is reinventing DLP. Schedule a demo or data risk assessment today.