How it works

Simple explainer video of Cyberhaven's Dynamic Data Tracing technology (run time 2:30).

Cyberhaven architecture

Cyberhaven endpoint sensors monitor various events on a user’s machine.

For example, they monitor file system logs to detect copying or moving of files; running applications to detect opening, editing, or saving of files; the web browser to detect uploads and downloads; email agents to detect sending or receiving emails or attachments. Unlike legacy DLP tools, Cyberhaven's lightweight sensor requires less than 5MB of bandwidth per day per endpoint and utilizes less than 0.1% CPU.

Whenever an event like this happens, the sensor obtains additional information about the event along with its source and destination and sends it to the Cyberhaven analysis engine.

For example, when a user copy/pastes from Excel to PowerPoint, the sensor checks which files are currently being edited in Excel and PowerPoint and records the identities of these files as the source and destination of the event.

The Cyberhaven analysis engine analyzes hundreds of attributes for each event to look up the event sources and destinations in our purpose-built scalable graph database and connects them to form the data flow graphs.

For example, when a user copy/pastes a table from a spreadsheet that contains company’s salary data to a PowerPoint presentation, Cyberhaven remembers that the presentation now contains company’s salary data too.

Cyberhaven then traverses millions of these graphs in parallel to identify any data flows containing sensitive data that violate policies, and triggers the appropriate alerts.

For example, if a flow has the company's salary data as one of its sources and personal email as its eventual destination, the analysis engine triggers an alarm and a response.

Start tracing your data