What is Data Loss Prevention… and is there a better way?

Data Loss Prevention (DLP) solutions bring a unique perspective to information security that puts the focus on what ultimately matters the most - an organization’s most sensitive data. At the highest level, these tools classify and apply policies to enterprise data in order to prevent data breaches, leaks, and other forms of data misuse.


And like any type of security, DLP solutions are constantly evolving to keep pace with the changing demands and risks facing modern enterprises. With that in mind, let’s take a closer look at what DLP is and how it is changing to meet new challenges.

DLP Covers Many Types of Enterprise Risk

The ultimate goal of security is to protect an organization's data and assets from risk. Most endpoint and network security tools do this indirectly by looking for malware or exploits. Data-centric tools such as DLP take a more direct approach by putting the focus on the enterprise data and assets themselves. This not only provides an ideal complement to threat-based tools, it also enables organizations to address risks that don’t involve malicious elements such as malware. For example, a modern DLP can apply to the following risks:

  • External Threats

    77% of all ransomware attacks now include threats to leak stolen data, putting virtually any type of data or intellectual property at risk. Data-focused security provides an additional layer of protection that can prevent an attacker from misusing or exfiltrating sensitive data.

  • Insider Threats

    Most security tools fail to control trusted insiders and employees, who may steal data for personal financial gain. By shifting controls to the data itself, DLP tools can safeguard sensitive content even from trusted internal users.

  • Insider Errors

    Many data breaches are completely unintentional, with recent studies showing that up to 88% of all breaches are due to user mistakes. Whether due to a momentary lapse in judgment or a user rushing to meet a deadline, DLP tools can rein in these risks that are virtually invisible to threat-based security products.

The Growing Need for DLP

Modern organizations are increasingly defined by their data and intellectual property, and the pressure on security teams has never been greater to ensure that these assets remain protected. However, a variety of business and technology trends have put this key data at unprecedented risk. The challenge is that many of these changes increase the need for data protection while simultaneously posing challenges to many of the traditional approaches to DLP.

  • More Data and More Diverse Data
    Today organizations generate more data than ever before. However, the vast majority of enterprise data today is unstructured data that doesn’t conform to the strict, predictable signatures that DLP tools have historically relied on.

    Organizations increasingly need to protect a wide array of intellectual property, which could include company source code, design documents, launch schedules, images, and documents, presentations, and spreadsheets that are constantly being modified. Security teams need to be able to safeguard any and all types of data that would pose a risk to the organization if they were exposed.

  • More Applications and More Collaboration
    Today users have far more ways of sharing data, and while this enables faster, easier work, it also creates new opportunities for loss.

    In the past, organizations simply focused on securing their corporate email. Today, DLP must apply to virtually any application including an employee’s personal webmail, messaging applications, cloud storage apps, developer tools, as well as a variety of corporate-approved collaboration apps. Many of these applications can encrypt their content by default, which can make it even harder for security teams to track the flow of sensitive data.

  • Extended and Distributed Enterprise
    Organizations have become far more decentralized with applications increasingly hosted in the cloud, and end-users working remotely or collaborating externally with partners, vendors, and contractors.

    Many traditional security tools have yet to adapt to the reality of a distributed enterprise, which can lead to serious blind spots and enterprise risk.

Technical Approaches to DLP

DLP tools can come in several forms and can specialize in identifying and controlling data in various states such as data at rest on a device, in use by an application, or in motion over a network. At a high level, DLP tools can be categorized into two main technical approaches -- endpoint DLP analysis and network DLP analysis. Both of these strategies can be delivered as a standalone DLP solution or integrated as part of other security tools or services.

  • Endpoint DLP

    As the name implies, endpoint DLP tools leverage an agent deployed on a protected machine in order to analyze content on the device. This approach is often needed in order to protect data at rest on a device that would not be visible over the network. Endpoint DLP can also inspect content and enforce controls before it is shared such as preventing an end-user from emailing a sensitive document.

  • Network DLP

    Network DLP will inspect content as it is transmitted through the network in much the same way that an IPS will inspect traffic for threats. While the network-based approach does not require an agent, it is largely limited to addressing data in motion since it does not see into data at rest or in use within a device.

  • Enterprise DLP vs Integrated DLP

    Both of these approaches can be deployed as a purpose-built DLP solution (often known as Enterprise DLP) or as additional functionality in an existing security product (known as Integrated DLP). Integrated DLP functionality often includes a more basic set of features and is often found in antivirus products, email security gateways, next-generation firewalls, and a variety of cloud services.

Both endpoint and network-based DLP tools inspect content and try to match it to predefined signatures and rules. Alternatively, staff may preemptively apply tags to sensitive content that can be used to identify and enforce policy on the files. In either case, security teams will need to do some setup work before DLP policies can be put into action. Teams will first need to identify the data that is to be protected, find all the locations where that data resides in the enterprise, and develop signatures or tagging strategies to track the data over time. The effort required for these tasks can vary considerably based on the various types of content that an organization needs to protect.

Challenges of Traditional DLP

While DLP has a longstanding history in the enterprise, it also has well-known limitations that have been exacerbated in recent years.


These limitations translate to bad outcomes both from a security and business perspective.
DLP tools are well-known for generating false positives that can disrupt end users and create unnecessary work for security teams. On the other hand, the more lax the policies are, the more likely it is that sensitive data will be exposed. Even when problems are detected, it is often up to security staff to perform slow, manual investigations in order to validate an incident.

  • Limits of Content Inspection

    Content inspection can be valuable, but it also has its limitations. First, it lacks important contexts that could help identify whether a file is sensitive or not. For example, a publicly available financial statement would have almost identical content to financial projections that have yet to be announced. Secondly, a DLP that only relies on content inspection is rendered useless if the content itself is obscured. This is an increasingly common scenario as applications encrypt content by default, or as users encrypt content to avoid security policies.

  • Limits of Signatures (Regular Expressions)

    Content-based regular expressions only work for certain types of data that are highly structured and predictable, such as content in a traditional database. They do not work well for unstructured data or data that is constantly evolving, such as a Word file that multiple users need to collaborate on.

  • Limits of Tagging

    Tagging requires security staff to predefine all the content that needs to be controlled and then often rely on end-users to appropriately apply the tags as content is created. This not only leads to many opportunities for mistakes, it also relies on staff to fully predict what data will need to be protected.
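To make the limits of content inspection and of regular-expression signatures concrete, here is an added example (not code from the original page or from any product it describes) of a signature-style scanner run over constructed sample files. The file names, rules and sample text are hypothetical; the point is that the regex finds the structured card numbers, finds nothing in the unstructured roadmap draft, and cannot tell a public financial statement from a confidential projection because their content has the same shape.

```python
import re

# Constructed sample content, standing in for the text a DLP content scanner
# would extract from each file (hypothetical names, not from the original page).
SAMPLES = {
    # Structured export: the case where a regex signature works well.
    "customers.csv": "id,name,card\n1,Ann Lee,4111 1111 1111 1111\n2,Bob Ray,5500-0000-0000-0004\n",
    # Unstructured, constantly edited intellectual property: no signature fits.
    "roadmap.docx": "Q3 launch: codename Aurora ships 14 Sep; pricing TBD. Draft v7.",
    # Same shape of content, opposite sensitivity: content alone cannot tell them apart.
    "public-annual-report.txt": "Revenue 2023: $1.2B. Net income: $210M.",
    "internal-projection.xlsx": "Revenue 2024E: $1.6B. Net income: $300M.",
}

# Typical signature-style rules: a card-number pattern validated with a Luhn
# checksum to cut false positives, and a naive "financial figure" pattern.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
MONEY_RE = re.compile(r"\$\d+(?:\.\d+)?[MB]\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold two-digit results
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan(text: str) -> list[tuple[str, str]]:
    """Return (rule, matched_text) pairs for every signature hit in the text."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("credit_card", m.group().strip()))
    for m in MONEY_RE.finditer(text):
        hits.append(("financial_figure", m.group()))
    return hits


def classify(samples: dict[str, str]) -> dict[str, list[str]]:
    """Map each file name to the list of rule names that fired on it."""
    return {name: [rule for rule, _ in scan(text)] for name, text in samples.items()}


if __name__ == "__main__":
    for name, rules in classify(SAMPLES).items():
        print(f"{name:28} -> {rules or 'no signature hit'}")
```

Running it shows the two financial files receiving identical verdicts and the roadmap receiving none, which is exactly the gap that context such as lineage, application and creator is meant to close.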

A Better Way to Protect Your Data: Data Detection and Response (DDR)

Data Detection and Response (DDR) revolutionizes data protection in much the same way that Endpoint Detection and Response (EDR) has revolutionized endpoint security.
DDR is a new, modern approach to data protection. Security teams can protect any type of data that has value or carries risk to the organization. Instead of relying on signatures, sensitive data is automatically identified and protected based on business-relevant contexts such as lineage, application, and creator, as well as content. Risk and