Understanding Cyberhaven’s Data Detection and Response Platform

Data Detection and Response (DDR) is a new, transformative approach to the protection of enterprise data and intellectual property, enabling organizations to address risk in ways that were never possible before.

DDR First Principles

Legacy DLP tools rely on obsolete concepts like signatures (regular expressions) and network perimeters. DDR provides a fundamentally new approach based on big data graph analytics of all user interactions with data over time and across the enterprise.

  • Collect All Data-Related Events
    DLP is as useless as the DVR because it’s impossible to predict the sensitive data you need to protect (or the shows you want to watch).

    For decades DLP tools have had only one criterion for making decisions: content analysis. Judgments are based on whether content matches patterns of sensitive data or has been tagged as sensitive beforehand. However, sensitive data comes in many forms and is often changing, making content matching difficult and unreliable. Content can also be obscured due to encryption or other obfuscation, making content analysis impossible.

    DDR can also analyze content, but that is only one of many contexts. In contrast, the Cyberhaven DDR platform collects and analyzes every data-related event. This could be a user uploading a document, copy/pasting data from one file to another, renaming a file, writing a file to a thumb drive, sending data over a chat session, and dozens of other events. This metadata is captured for all data all the time, even data that hasn’t been previously defined as being sensitive. It is also important to note that this approach can be applied to any type of data, even unstructured or non-text data like images and videos. The goal is to ensure that all subsequent analysis and policy enforcement are based on the most complete view of the data lifecycle.

  • Build Complete Historical and Enterprise Context
    Data lineage is every organization’s most powerful tool to combat data leakage and IP theft.

    Next, the Cyberhaven DDR platform turns all of the data-related events into an actionable security context. The solution brings together all the data from all users to build a dynamic graph database that tells the full story of every piece of data. This establishes a complete lineage for every piece of data beginning with when it was originally created, in what application, and by whom. The solution analyzes the full chain of events related to that data including every time it was modified, copied, or shared across any number of users or locations.

    The Cyberhaven DDR platform maintains this context across the entire enterprise. Instead of simply trying to perform a DLP-like enforcement at the perimeter, our solution continuously tracks data as it moves between hosts, across file shares, and into the cloud. This allows organizations to proactively track the sprawl of their data and address latent risk before a data loss can occur.

  • Enforce Risk-Based Security Policies
    With the precision and accuracy of a DDR platform, security teams can confidently enforce policies without impeding users.

    With full context lineage and insight into their data, organizations can approach policies and enforcement in new ways based on the unique needs and risks of the business. Instead of manually defining or tagging data, DDR policies can identify risky data based on its provenance and proactively enforce policies to ensure that data is only accessed or shared via appropriate channels.

    Just as importantly, security teams can proactively find and manage previously unseen pockets of risk. For example, perhaps your organization is developing a proprietary manufacturing process, and that data is stored in a protected enclave. A DDR solution could not only enforce policies to protect that data, it could also identify and control any copies of that data that may have been shared with unauthorized users or to unsecured locations. Security policies can ensure sensitive data is only shared through appropriate channels or applications.

Cyberhaven DDR revolutionizes data protection in much the same way that EDR has revolutionized endpoint security.
Collectively, these concepts enable a new, modern approach to data protection. Security teams can protect any type of data that has value or carries risk to the organization. Instead of relying on signatures, sensitive data is automatically identified and protected based on business-relevant contexts such as lineage, application, and creator, as well as content. Risk and policy are assessed continually based on every action across all areas of the enterprise, whether locally in the network or in the cloud.

In their own words

“False positives have been the gating factor for our data protection policies. Cyberhaven has changed that completely with blocking that is accurate and reliable.”

Lance Wright, VP Information Security and Privacy, Bazaarvoice

Key Benefits

Cyberhaven’s DDR platform establishes an omniscient view into data that lets organizations turn the old data security model on its head:

  • All of Your Sensitive Data Can Be Protected

    Cyberhaven can use data lineage and other enterprise context to identify and track sensitive data whether the content is unstructured, modified, or even encrypted. Non-text data, source code, csv files, instant messages, design files, ML models, and virtually any other type of content can be protected.

  • Find and Classify Data Even in Unknown Locations

    DLP tools require you to scan and tag data and then build a moat around it. However, if copies of that data live in other locations that are unmonitored or encrypted, you are exposed to undue risk. Cyberhaven’s DDR platform automatically discovers and classifies sensitive data even when it’s in unexpected locations.

  • Policy Is Simple, Straightforward, and Adaptable

    Instead of arcane content signatures, Cyberhaven can define policies in terms consistent with the business, and as situations change, data can be included or excluded on the fly. For example, quarterly financial results can be tightly controlled until they are announced publicly, then easily marked as no longer being sensitive.

  • Investigations Are Fast and Focused

    Rather than wasting time manually correlating events from multiple systems and chasing down false positives due to the fundamentally broken DLP classification methods, your security staff can instantly see where a piece of data came from, how it’s been shared and modified, and all the associated risks.
