Protecting a company’s data against leaks is a top priority for any security officer. The task keeps
getting harder, however: competitive pressure makes leaked data more valuable, and Bring Your Own
Device policies put that data on machines the company does not fully control. There is a wide variety
of cybersecurity products on the market, and choosing the wrong one leaves gaps in your defences.

Data leak prevention (DLP) systems are one of the oldest types of data protection software. But
are they a time-tested solution or an outdated practice? Let’s look at the main pros and cons of
data leak prevention systems.

What is a DLP solution?

A data leak prevention (or data loss prevention) system is software that defines, discovers, and
monitors sensitive data and blocks it from leaving the environment it is supposed to stay in. No
regulation mandates a DLP product by name, but a DLP is a common control for meeting the
data-protection requirements of HIPAA, GLBA, PCI DSS, SOX, and FISMA.

A DLP solution provides active or passive monitoring. Active DLP comes in three major forms,
depending on where it is deployed: network, endpoint, or cloud.

• A network DLP is deployed as a server or appliance at the network edge, typically inline with the
web proxy or mail gateway, and inspects traffic leaving the network. It sees only what passes
through it: encrypted traffic it cannot decrypt and devices outside the perimeter are out of its reach.

• An endpoint DLP runs as an agent on each endpoint and monitors that one machine, including local
actions a network sensor never sees (removable media, printing, the clipboard). Policy is managed
centrally, but coverage depends on the agent being installed and running.

• A cloud DLP runs in or alongside the organization’s cloud environment and inspects data stored in or
moving through its cloud services, usually via the provider’s APIs or a broker placed between users
and the service.

All three types scan their environment (network, endpoint, or cloud) for sensitive data. Each
product has its own detection engine, driven by a data classification policy that defines which data
types and formats count as sensitive for the organization. The DLP searches for data matching that
policy and monitors how it is used and moved.

Most DLP solutions ship with built-in detectors for common types of sensitive information (e.g.,
credentials, credit card and social security numbers, personally identifiable information). Such
detectors give you broad coverage out of the box, but they only know generic patterns: data that is
sensitive to your business but has no recognizable format (an unreleased price list, source code, a
customer list) goes undetected unless you define it, and generic patterns also raise false positives
on look-alike data.

A passive DLP solution monitors and records user and network activity rather than inspecting data
content, and gives administrators extensive logs of all actions within the network. Such solutions are
useful for activity monitoring, incident investigation, and troubleshooting, but they block nothing on
their own.

NIST outlines the following types of data loss covered by a DLP solution:

  1. Data leakage – The most common type of data loss, a data leak is a breach of confidentiality:
    sensitive data reaches people who should not have it. An attacker may exfiltrate and publish it,
    but leaks just as often come from an employee emailing a file to the wrong recipient or a
    storage share left open to the internet.
  2. Data disappearance – This is when information is deleted from a company’s servers. For
    example, a disgruntled employee with a privileged account may erase important data.
  3. Data damage – This is when information is modified or encrypted so it can no longer be trusted
    or used. The most common scenario for this form of data loss is an encrypting ransomware attack.

NIST documentation describes data in three states, and a DLP protects data in one or more of them:

• At rest – data stored on a hard drive, file server, database, backup, etc.

• In use – data being opened, edited, or processed by employees on their devices (this is the state
an endpoint DLP watches)

• In motion – data travelling over the network, whether inside the company or out of it, by any
method of communication

Advantages of a DLP system

Standard security measures include a firewall, intrusion detection system, and antivirus software.
These mechanisms guard computers against attacks from outside and, to a lesser extent, from inside.
None of them asks whether the data leaving the network should be leaving at all; that is the gap a
DLP fills.

Adding a DLP solution to your cybersecurity system provides you with the following advantages:

  1. A DLP is effective for outsider and insider threat detection. It complements the firewall and
    antivirus rather than replacing them: those tools decide what may come in, while the DLP decides
    what may go out. So even when an outside attacker has already gained a foothold (a Trojan on an
    endpoint, malware delivered through an email attachment), the data is still stopped at the
    moment it is exfiltrated. It mitigates insider threats through continuous data monitoring,
    catching malicious insiders copying or altering data, and it can block, or force encryption of,
    data copied to USB devices or sent outside the network.
  2. DLP solutions prevent attempts to copy or send sensitive data without authorization.
    Content is classified as sensitive by exact data matching against a known data set, structured
    data fingerprinting, rule and regular-expression matching, and conceptual definitions and
    keyword lists.
  3. DLP systems give corporations visibility into what’s going out of the building. They stop
    users from sending out sensitive data and show who is trying to, so you can often stop a data
    breach before it causes too much damage.
  4. Some DLPs use machine learning to identify new sensitive data. Continuous analysis of internal
    content helps pinpoint all data that needs to be protected. The same technology can flag unusual
    access requests and data exchanges between employees, though a dedicated user activity
    monitoring or user and entity behaviour analytics solution does that job better.
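The detection methods named in item 2 above (exact data matching, structured data fingerprinting, regular-expression rules, keyword lists) and the earlier point that built-in detectors both miss business-specific data and raise false positives, as an added example. This is illustrative code written for this article, not any vendor’s engine: the customer records, roadmap text and outbound messages are constructed, and the 0.5 overlap threshold and 5-word shingle size are arbitrary choices.

```python
"""Content-inspection methods used by DLP engines: regex rules with validation,
exact data matching (EDM) and partial document fingerprinting.
Illustrative code for this article; all sample data below is constructed."""
from __future__ import annotations

import hashlib
import re

# 1. Rule / regular-expression matching. A 13-16 digit run (spaces or dashes
#    allowed) is only a candidate; the Luhn checksum rejects most look-alikes.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,16}(?!\d)")
# US SSN, rejecting area 000/666/9xx, group 00 and serial 0000 (never issued).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> list[str]:
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(digits)
    return hits

# 2. Exact data matching: fingerprint field values of a known record set and
#    keep only the digests, so the DLP index is not a plaintext copy of the
#    data (low-entropy fields are still brute-forceable, so protect the index).
def _fp(value: str) -> str:
    return hashlib.sha256(re.sub(r"\s+", "", value).lower().encode()).hexdigest()

def build_edm_index(records: list[dict], fields: tuple[str, ...]) -> set[str]:
    return {_fp(rec[f]) for rec in records for f in fields}

def edm_matches(text: str, index: set[str]) -> list[str]:
    tokens = re.findall(r"[\w.@+-]+", text)
    # single tokens plus adjacent pairs, so two-word values (names) still match
    candidates = tokens + [a + b for a, b in zip(tokens, tokens[1:])]
    return [c for c in candidates if _fp(c) in index]

# 3. Partial document fingerprinting: hash word n-grams ("shingles") of a
#    protected document; outbound text sharing many of them is an excerpt,
#    even when the wording around it changed.
def shingles(text: str, n: int = 5) -> set[str]:
    words = re.findall(r"\w+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + n]).encode()).hexdigest()
            for i in range(len(words) - n + 1)}

def document_overlap(text: str, protected: set[str]) -> float:
    s = shingles(text)
    return len(s & protected) / len(s) if s else 0.0

# 4. Policy decision combining the detectors (threshold is an arbitrary choice).
def inspect(text: str, edm_index: set[str], protected: set[str],
            keywords: tuple[str, ...] = ("confidential",)) -> tuple[bool, dict]:
    findings = {
        "cards": find_card_numbers(text),
        "ssns": SSN_RE.findall(text),
        "edm": edm_matches(text, edm_index),
        "keywords": [k for k in keywords if k in text.lower()],
        "overlap": document_overlap(text, protected),
    }
    block = bool(findings["cards"] or findings["ssns"] or findings["edm"]
                 or findings["overlap"] >= 0.5)
    return block, findings

# Constructed sample data: not real customers, documents or messages.
CUSTOMERS = [
    {"name": "Alice Moreau", "email": "alice.moreau@example.com",
     "account": "ACC-48213"},
    {"name": "Bob Okafor", "email": "bob.okafor@example.com",
     "account": "ACC-90177"},
]
ROADMAP = ("Project Falcon roadmap: Q3 launch of the new billing engine, migration "
           "of all EU customers to the Dublin region, pricing increase of twelve "
           "percent for the enterprise tier, acquisition talks with Acme Analytics "
           "to close in November.")
EDM_INDEX = build_edm_index(CUSTOMERS, ("name", "email", "account"))
ROADMAP_FP = shingles(ROADMAP)

if __name__ == "__main__":
    for msg in [
        "Card 4111 1111 1111 1111 exp 12/26, please charge",   # real card: BLOCK
        "Order 1234567890123456 shipped today",               # look-alike: allow
        "Statement for Alice Moreau (ACC-48213) attached",    # EDM hit: BLOCK
        "FYI: migration of all EU customers to the Dublin region, pricing "
        "increase of twelve percent for the enterprise tier",  # excerpt: BLOCK
        "Lunch at noon?",                                     # clean: allow
    ]:
        block, f = inspect(msg, EDM_INDEX, ROADMAP_FP)
        print("BLOCK" if block else "allow", "|", msg[:48], "|", f)
```

The Luhn check is what separates a card number from an order number of the same length; leaving it out is the most common cause of DLP false positives on numeric data. The EDM index holds only SHA-256 digests, so the DLP’s own database is not a second copy of the customer table, but account numbers have little entropy and can be recovered from the digests by brute force, so the index itself needs access control. Real engines salt the digests, index millions of values, and unpack attachments and archives before inspection, none of which this sketch does.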

Disadvantages of a DLP system

It sounds like a good idea to have a DLP system in place to prevent data breaches caused by insiders
as well as outside hackers. However, a DLP can itself leave gaps in your corporate security. It is
easy to feel that everything is protected and skip other security measures, and that feeling is a
false sense of security.

When using a DLP solution, watch out for the following:

  1. A DLP system will do your company no good if you don’t know where your data is stored. Take
    an inventory of both classified and unclassified data, then list who has access to the classified
    data. Some DLP solutions offer automated scanning and discovery of sensitive data inside the
    corporate network, but because every company has its own workflows and data types, it may be
    better to label data manually.
  2. A DLP deployment is a business project, not just a technology project. Once your company
    commits to purchasing a DLP system, the hard work begins, because a DLP solution is hard to
    deploy well. To understand which data is worth monitoring, your IT department needs a
    comprehensive overview of the data flows in your company.
  3. Users inside your network hold various access privileges. Audit all privilege levels and make
    sure that your DLP solution can distinguish a regular user from a privileged one, since the
    same transfer may be legitimate for one and a policy violation for the other.
  4. If your company doesn’t take the time to define its data protection strategy and its core
    technical and business requirements, the DLP system won’t be effective. Defining and
    implementing a comprehensive data leak prevention policy takes a lot of time. An unclear
    policy causes problems integrating the DLP into your cybersecurity system and adds overhead
    costs.
  5. Study the pros and cons of each DLP product carefully before making your choice. There’s no
    standard set of features: some solutions don’t monitor file exchanges via Dropbox or
    messengers, while others do. A network DLP protects information inside the local network, but if
    employees take their laptops on business trips or work from home, data on those machines isn’t
    covered unless an endpoint DLP is deployed as well.

Key pros and cons of DLP systems

Pros
• Effective for insider and outsider threat prevention
• Provides visibility into data exchanges
• Enforces authorization procedures before sensitive data can be copied or sent
• Applies machine learning to label sensitive data and flag abnormal user behaviour

Cons
• Deploying a DLP takes a lot of time and effort
• Requires precise data flow policies
• Writing the data loss prevention policy itself is time-consuming
• Preparing an inventory of all sensitive data and auditing user privileges may be hard

Conclusion

A DLP system can be effective at preventing data loss, but it requires a careful and well-thought-out
implementation. There is a real risk of leaving some sensitive data unprotected because data
discovery is hard to get complete. Tuning a DLP solution and scanning your whole network by hand
takes plenty of time.