December 15, 2020

Full Context Incident Response

Most DLPs just send an alert when there has been a potential data violation, but Cyberhaven's data tracing technology provides the full context of everything that was done on the data.

In the first post in this series, we explored the differences between DLP and UBA and how and when they should be used for effective data protection. In the second, we looked at why it can be difficult to realize a short time to value when dealing with standard DLP solutions. In this post, we’ll focus on DLP alert triage and the importance of accuracy and context when it comes to resolving issues in a timely fashion.

In data protection, any action during which private company data or records may have been exposed triggers a notification of a “security incident” or a “security event.” Most DLP tools offer a variety of alerting options, including email, and a choice of whether to alert the person who performed the action of potential violations. Some can also send administrators a text message over SMS, or generate a more traditional syslog event to send to a log management or security information and event management (SIEM) system. In addition to alerting functions, some DLP tools can act as a basic workflow system to respond to, escalate or ignore alerts, or integrate into a more robust ticketing system for change management or monitoring.

The key point, when it comes to evaluating and responding to such security events, is that the data only might have been exposed: an alert is evidence of a possible violation, not a confirmed one. As you might expect, security events occur frequently. Some companies, depending on their size and notoriety, experience thousands of events per day. These can range from a minor content inspection match in the body of an email to something more serious, like a user moving 10,000 sensitive files to a USB drive.

Time-consuming investigations

Processing these alerts to determine the severity of each event is slow. Security analysts often have to copy them from SOC email inboxes and paste them into spreadsheets. Next, analysts deduplicate the alerts, sometimes by comparing timestamps, so that a single event is not represented by multiple notifications. Then analysts examine the individual alerts, looking for signs of malicious behavior. Investigating a single alert may require hours or even days of a security analyst’s time.
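The deduplication step above can be scripted instead of done in a spreadsheet. The following is an added example written for this post, not code from Cyberhaven or from any DLP product: it parses a constructed syslog-style alert feed (the field names `rule`, `user`, `file`, `sha256` and `severity` are assumptions for the example), collapses repeated alerts for the same rule, user and file that arrive within a five-minute window into one incident, keeps repeats separated by a longer gap as separate incidents so recurring behaviour stays visible, and orders the result for triage.

```python
"""Triage helper: collapse duplicate DLP alerts into incidents.

Added illustration, not code from the original post or from any DLP
product. The alert format below is constructed for this example: one
syslog-style line per alert with key=value fields. Real products emit
different fields; map them to the same keys before calling these functions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed: the same USB copy reported three times within a
# minute, one low-severity email rule match, the same USB copy again half an
# hour later, and a second user's USB copy.
SAMPLE_ALERTS = """\
2020-12-15T09:00:01Z dlp rule=usb_copy user=jsmith file=Q4_forecast.xlsx sha256=aa11 severity=high
2020-12-15T09:00:03Z dlp rule=usb_copy user=jsmith file=Q4_forecast.xlsx sha256=aa11 severity=high
2020-12-15T09:00:40Z dlp rule=usb_copy user=jsmith file=Q4_forecast.xlsx sha256=aa11 severity=high
2020-12-15T09:05:00Z dlp rule=email_body_ssn user=lchen file=- sha256=- severity=low
2020-12-15T09:30:00Z dlp rule=usb_copy user=jsmith file=Q4_forecast.xlsx sha256=aa11 severity=high
2020-12-15T09:31:00Z dlp rule=usb_copy user=pdoe file=customers.csv sha256=bb22 severity=high
"""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


def parse_alert(line):
    """Parse one constructed alert line into a dict with a datetime 'ts'."""
    ts, _source, *fields = line.split()
    alert = dict(f.split("=", 1) for f in fields)
    alert["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return alert


def dedupe_alerts(lines, window=timedelta(minutes=5)):
    """Group alerts with the same (rule, user, sha256) key that arrive within
    `window` of the previous alert in that group into one incident.

    Returns a list of incidents: key fields, first/last timestamp, the number
    of raw alerts collapsed, and the highest severity seen. A gap larger than
    `window` starts a new incident, so repeated behaviour over time is not
    hidden behind a single event.
    """
    alerts = sorted((parse_alert(ln) for ln in lines.splitlines() if ln.strip()),
                    key=lambda a: a["ts"])
    open_incidents = {}   # key -> incident still accepting alerts
    incidents = []
    for a in alerts:
        key = (a["rule"], a["user"], a["sha256"])
        inc = open_incidents.get(key)
        if inc is None or a["ts"] - inc["last"] > window:
            inc = {"rule": a["rule"], "user": a["user"], "file": a["file"],
                   "sha256": a["sha256"], "first": a["ts"], "last": a["ts"],
                   "count": 0, "severity": a["severity"]}
            open_incidents[key] = inc
            incidents.append(inc)
        inc["last"] = a["ts"]
        inc["count"] += 1
        if SEVERITY_RANK[a["severity"]] > SEVERITY_RANK[inc["severity"]]:
            inc["severity"] = a["severity"]
    # Highest severity first, then most raw alerts, so the queue is in triage order.
    incidents.sort(key=lambda i: (-SEVERITY_RANK[i["severity"]], -i["count"], i["first"]))
    return incidents


if __name__ == "__main__":
    for inc in dedupe_alerts(SAMPLE_ALERTS):
        print(f"{inc['severity']:<6} {inc['user']:<8} {inc['rule']:<14} "
              f"{inc['file']:<18} x{inc['count']} "
              f"{inc['first']:%H:%M:%S}-{inc['last']:%H:%M:%S}")
```

On the sample feed the six alerts become four incidents: the three back-to-back USB alerts collapse into one, the 09:30 repeat stays separate because of the gap, and the low-severity email match sorts to the bottom of the queue.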

One shortcoming of alerts coming from standard DLP products is that they monitor and detect only egress events, such as an email with an attachment being sent to an external address. They don’t evaluate the actions leading up to that point, or activity in the cloud. An alert triggered by an egress action is therefore missing the history of the data before the event. This gap is reflected in the 2020 Insider Threat Report from Cybersecurity Insiders, whose respondents cited limited data and file visibility as one of the top 5 challenges with implementing DLP.

What it means for security analysts investigating the alert is that they are missing necessary context. Where did the file originate—not just its “last known location,” but what’s the full provenance? How did the user get access to the file? Are there other copies of the file? Having the answers to these and other questions is what makes it possible to respond to and resolve an incident in minutes instead of days, weeks, or months.

All your data has a story behind it, and you can think of that story as being told in sentences. Traditional DLP is all about fingerprinting important nouns via signatures or tagging. There are lots of problems with this fingerprinting approach—it’s hard, it’s invasive, and it’s often wrong. And as far as understanding your data’s story, all you know is that something happened involving an important noun.

Cyberhaven takes a fundamentally different approach. Our data tracing understands the whole sentence — subject -> verb -> object. How did the content move? How was it changed? Where did it come from, and where did it go? The important part is that now you get to see the activity that has taken place around that important noun and you always have the full context for the story.

This is a critical difference, for a number of reasons. First, the verbs are literally where the action is, in terms of both the analogy and real data loss. If you want to stop loss, you had better understand all the activity surrounding your data, not just what was done with it at an egress point.

Second, by understanding the full context around your data, you don’t have to invasively scan the content itself. This matters because you get security without giving up privacy or raising compliance issues. You track the data: you know what is important, how it moves, and how it changes, but you don’t have to stop, open, and test every piece of content every time someone handles it.
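To make the subject -> verb -> object model concrete, here is an added example that answers the questions raised earlier (where did the file originate, how did the user get it, are there other copies) from an event log alone, without opening any file. It is illustration code written for this post, not Cyberhaven’s code, and it makes no claim about how their tracing works internally; the events, host names, paths, user names and the `src` link that ties a derived object back to its source are all constructed for the example.

```python
"""Provenance lookup over a subject -> verb -> object event log.

Added illustration of the "whole sentence" model; not Cyberhaven's code.
Each event records who (subject) did what (verb) to which data (object),
and, for verbs that produce a new copy, the source it came from ('src').
The egress alert an analyst starts from is the final event in the log.
All events below are constructed.
"""
from collections import defaultdict

EVENTS = [
    {"id": 1, "ts": "2020-12-15T08:10Z", "subject": "finance-share", "verb": "create",
     "object": "sharepoint://finance/Q4_forecast.xlsx", "src": None},
    {"id": 2, "ts": "2020-12-15T08:30Z", "subject": "jsmith", "verb": "download",
     "object": "laptop-17:/Users/jsmith/Downloads/Q4_forecast.xlsx",
     "src": "sharepoint://finance/Q4_forecast.xlsx"},
    {"id": 3, "ts": "2020-12-15T08:45Z", "subject": "jsmith", "verb": "rename",
     "object": "laptop-17:/Users/jsmith/Desktop/notes.xlsx",
     "src": "laptop-17:/Users/jsmith/Downloads/Q4_forecast.xlsx"},
    {"id": 4, "ts": "2020-12-15T08:50Z", "subject": "jsmith", "verb": "copy",
     "object": "laptop-17:/Volumes/USB/notes.xlsx",
     "src": "laptop-17:/Users/jsmith/Desktop/notes.xlsx"},
    {"id": 5, "ts": "2020-12-15T09:00Z", "subject": "jsmith", "verb": "attach",
     "object": "mail:msg-8821/notes.xlsx",
     "src": "laptop-17:/Users/jsmith/Desktop/notes.xlsx"},
    {"id": 6, "ts": "2020-12-15T09:01Z", "subject": "jsmith", "verb": "send",
     "object": "mail:msg-8821 -> outside@example.com",
     "src": "mail:msg-8821/notes.xlsx"},
]


def build_index(events):
    """Map each object to the event that produced it, and each source to the
    events derived from it. Events are assumed to be in time order."""
    produced_by = {}
    derived = defaultdict(list)
    for e in events:
        produced_by.setdefault(e["object"], e)
        if e["src"] is not None:
            derived[e["src"]].append(e)
    return produced_by, derived


def provenance(obj, produced_by):
    """Walk src links back from `obj` to its origin. Returns the chain of
    events oldest first: the full history, not just the last known location."""
    chain = []
    seen = set()
    while obj is not None and obj not in seen:
        seen.add(obj)
        e = produced_by.get(obj)
        if e is None:
            break
        chain.append(e)
        obj = e["src"]
    chain.reverse()
    return chain


def copies(origin, derived):
    """Every object reachable from `origin` through derivation links, which
    answers 'are there other copies?' without scanning any content."""
    found, stack, seen = [], [origin], {origin}
    while stack:
        cur = stack.pop()
        for e in derived.get(cur, []):
            if e["object"] not in seen:
                seen.add(e["object"])
                found.append(e["object"])
                stack.append(e["object"])
    return found


def explain_alert(alert_object, events):
    """Turn an egress alert on `alert_object` into the history an analyst
    needs: origin, the sentence chain that led here, actors, sibling copies."""
    produced_by, derived = build_index(events)
    chain = provenance(alert_object, produced_by)
    origin = chain[0]["object"] if chain else alert_object
    return {
        "origin": origin,
        "chain": [f'{e["subject"]} {e["verb"]} {e["object"]}' for e in chain],
        "actors": sorted({e["subject"] for e in chain}),
        "other_copies": [c for c in copies(origin, derived) if c != alert_object],
    }


if __name__ == "__main__":
    report = explain_alert("mail:msg-8821 -> outside@example.com", EVENTS)
    print("origin:", report["origin"])
    for step in report["chain"]:
        print("  ", step)
    print("other copies:", report["other_copies"])
```

Starting from only the outbound email alert, the walk back recovers that the attachment is a renamed download from the finance SharePoint site, and the forward walk from that origin surfaces the USB copy made ten minutes before the email, which an egress-only alert would never have linked to the same file.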

By default, Cyberhaven tracks all data origins and paths and transforms every user data action into an auditable event, providing incident response teams with a contextual history and digital chain of custody for rapid incident remediation. The result is effective data protection without impeding employee productivity and dramatically reduced incident investigation time and cost.
