Protecting a company’s network against data leaks is the first priority of any security officer.
However, this task is becoming more complex because of strong competition and the popularity
of Bring Your Own Device policies. Though there are a wide variety of cybersecurity solutions on
the market, choosing the wrong system may lead to security gaps.
Data leak prevention (DLP) systems are one of the oldest types of data protection software. But
are they a time-tested solution or an outdated practice? Let’s find out the main pros and cons of
data leak prevention systems.
What is a DLP solution?
A data leak prevention (or data loss prevention) system is software that defines, discovers, and
monitors sensitive data and prevents it from leaving the local environment. Implementation of a DLP
solution is required by such industry security standards as HIPAA, GLBA, PCI DSS, SOX, and FISMA.
A DLP solution provides you with active or passive monitoring. There are three major active DLP
types depending on their deployment environment: network, endpoint, or cloud.
• A network DLP is deployed on a server or comes as a physical box and controls everything going
on inside the network.
• An endpoint DLP is deployed on each endpoint and monitors only one machine.
• A cloud DLP is deployed on a virtual server and controls an organization’s activity inside a private
cloud.
All three types scan the environment (network, endpoint, or cloud server) to detect sensitive data.
Each DLP solution has its own detection algorithm based on a data classification policy. This policy
defines data types and formats considered sensitive for a particular organization. DLP software
searches for such types of data and monitors them.
Some DLP solutions are able to identify common types of sensitive information (e.g., credentials,
credit card and social security numbers, personally identifiable information) on their own. On the
one hand, such a solution provides you with a thorough network scan. On the other hand, data that
is sensitive only to your organization and matches none of the built-in patterns may go undetected.
A passive DLP solution monitors and records network activity instead of monitoring data. It provides
administrators with extensive logs of all actions within the network. Such solutions are useful for
activity monitoring, incident investigation, and troubleshooting issues inside the network.
NIST outlines the following types of data loss covered by a DLP solution:
- Data leakage – The most common type of data loss, a data leak is a breach of confidentiality, when sensitive data becomes publicly available. It usually happens when hackers post confidential company data on the internet.
- Data disappearance – This is when information is deleted from a company’s servers. For example, a disgruntled employee with a privileged account may erase important data.
- Data damage – This is when information is modified or encrypted. The most common scenario for this form of data loss is an encrypting ransomware attack.
According to NIST documentation, a DLP protects data in one of these states:
• At rest – data stored on a hard drive, server, database, etc.
• On an endpoint – data used by employees on their devices
• In motion – data sent outside the company network using any method of communication
Advantages of a DLP system
Standard security measures include a firewall, intrusion detection system, and antivirus software.
These are mechanisms that guard computers against inside and outside attacks.
Adding a DLP solution to your cybersecurity system provides you with the following advantages:
- A DLP is effective for outsider and insider threat detection. It uses a firewall to limit outside access to the internal network. Outside attacks can be detected by DLP software via antivirus scans to find Trojans installed on endpoints and malware that enters a company’s network through email attachments. It mitigates insider threats through continuous data monitoring, detecting cases of malicious insiders disrupting data. It also encrypts all data copied to USB devices or sent outside the network.
- DLP solutions prevent attempts to copy or send sensitive data without authorization. Information that’s classified as sensitive can be determined by using exact data matching, structured data fingerprinting, rule and regular expression matching, plus conceptual definitions and keywords.
- DLP systems provide corporations with visibility into what’s going out of the building. They stop users from sending out sensitive data. With a DLP system in place, you can see who’s trying to send out information and possibly stop a data breach before it can cause too much damage.
- Some DLPs use machine learning algorithms to identify new sensitive data. A continuous analysis of internal content helps to pinpoint all data that needs to be protected. The same technology allows for detecting unusual access requests and data exchanges between employees. However, it’s best to use a dedicated user activity monitoring or user and entity behaviour analytics solution for that.
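To make the detection methods named above concrete (exact data matching, rule and regular expression matching, and keywords drawn from the data classification policy described in the earlier section), here is a small content classifier written for this article as an added example; it is not code from any DLP vendor. The sample files and the hypothetical customer-ID list it matches against are constructed, and the card number is a well-known test number, not a real account.

```python
import hashlib
import re

# Constructed sample files; the card number is a well-known test number that
# passes the Luhn check, not a real account.
SAMPLES = {
    "expense_report.txt": "Reimburse card 4111 1111 1111 1111 for the trip.",
    "hr_note.txt": "Employee SSN 123-45-6789 updated in payroll.",
    "meeting.txt": "Agenda: CONFIDENTIAL merger discussion, Q3 targets.",
    "support.txt": "Ticket for CUST-0002 escalated to tier 2.",
    "lunch.txt": "Pizza order: 2 large, deliver at 12:30.",
}

# Exact data matching: the policy stores only hashes of the known sensitive
# values (a hypothetical customer-ID list), never the values themselves.
KNOWN_SENSITIVE = {hashlib.sha256(v.encode()).hexdigest() for v in ("CUST-0001", "CUST-0002")}
# Rule / regular expression matching for structured identifiers.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Keywords and conceptual definitions from the classification policy.
KEYWORDS = ("confidential", "internal only", "merger")

def luhn_ok(digits: str) -> bool:
    """Checksum that removes most false positives from the card regex."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(text: str) -> list[str]:
    """Return the policy labels that fire on one piece of content."""
    labels = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            labels.append("credit_card")
    if SSN_RE.search(text):
        labels.append("ssn")
    if any(k in text.lower() for k in KEYWORDS):
        labels.append("keyword")
    if any(hashlib.sha256(t.encode()).hexdigest() in KNOWN_SENSITIVE
           for t in re.findall(r"[A-Z]+-\d+", text)):
        labels.append("exact_match")
    return labels

def scan(samples: dict[str, str]) -> dict[str, list[str]]:
    """Scan a set of files and report which ones the policy would flag."""
    return {name: classify(body) for name, body in samples.items()}
```

Only the files that match a rule get a label; the lunch order produces an empty list, and the Luhn check keeps runs of digits that merely look like a card number from being flagged.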
Disadvantages of a DLP system
It sounds like a good idea to have a DLP system in place to prevent data breaches caused by insiders
as well as outside hackers. However, if your company has DLP software, there’s a risk that it may
leave gaps in your corporate security. You may feel that everything is protected so there’s no need
to put in place other security measures; but this feeling may actually be a false sense of security.
When using a DLP solution, watch out for the following:
- A DLP system will do your company no good if you don’t know where your data is stored. You need to take inventory of both classified and unclassified data. Then list who has access to classified data. Some DLP solutions offer automated scanning and detection of sensitive data inside the corporate network. But due to specific workflows and data types in each company, it may be better to label data manually.
- A DLP system is a business product, not a technology project. Once your company commits to purchasing a DLP system, the hard work begins, as a DLP solution is hard to deploy. In order to understand what data is worth monitoring, your IT department needs a comprehensive overview of the data flows in your company.
- Users inside your network are assigned various access privileges. You need to audit all privilege levels and make sure that your DLP solution is able to distinguish a regular user from a privileged one.
- If your company doesn’t take the time to define its data protection strategies and develop core technical and business requirements, the DLP system won’t be effective. Defining and implementing a comprehensive data leak prevention policy takes a lot of time. An unclear policy causes issues with integrating a DLP into your cybersecurity system and adds overhead costs.
- You need to study the pros and cons of each piece of DLP software carefully before making your choice. There’s no standard set of features. For example, some solutions don’t monitor file exchanges via Dropbox or messengers, but others do. Deploying a network DLP helps you protect information inside the local network. But if employees need to take their laptops on business trips or work from home, data on those machines won’t be protected.
Key pros and cons of DLP systems
Pros
• Effective for insider and outsider threat prevention
• Provides visibility into data exchanges
• Enforces authorization procedures before accessing sensitive data
• Applies machine learning to identify abnormal user behaviour and label sensitive data
Cons
• Deploying a DLP takes a lot of time and effort
• Requires precise data flow policies
• Creating a data loss prevention policy takes a lot of time
• May be hard to prepare an inventory of all sensitive data and establish user privileges
Conclusion
A DLP system can be effective at preventing data loss, but it requires a careful and well-thought-out
implementation. Unfortunately, there’s a risk of leaving some sensitive data unprotected because of
complex data discovery procedures. Tuning a DLP solution and scanning your whole network
manually take plenty of time.