Demystifying the Basics of Data Loss Prevention

New regulations and evolving threats are driving enterprises to protect sensitive information from leaving their networks. DLP tools can monitor and protect data at rest, in use and in motion.

As your cybersecurity teams explore DLP solutions, they must understand how these tools work to maximize their benefits and minimize risks. Here are some key concepts to keep in mind.


What Is DLP?

DLP software can detect sensitive data in motion or at rest and prevent it from leaving a network without authorization. It monitors all incoming and outgoing data to the cloud and user devices, alerting you to potentially dangerous activities.

Most DLP tools use pattern matching to detect and alert on specific data types that pose risks, such as 16-digit credit card numbers or nine-digit U.S. Social Security numbers, or that are protected by compliance regulations such as HIPAA or GDPR. Other DLP solutions use anomaly detection to baseline the normal behavior of users and automatically flag any abnormal activity that may indicate malicious intent.

When selecting a DLP solution, ensure it supports your organization’s business needs. Look for a tool that provides the flexibility to adapt to new threats and evolving cybercriminal tactics. A good DLP deployment plan includes the development of clear goals, success metrics and reporting shared with leaders. Also, plan for regular updates and the inclusion of new features and capabilities. This way, your teams can be aware of changes to the threat landscape and make sure the DLP tool functions as intended. A good DLP solution should also support integrating other cybersecurity technologies and provide streamlined incident response capabilities.

Detecting Sensitive Data

CISOs must identify sensitive data, even when it isn’t in a form they can easily classify or tag. They must also have visibility into how data leaves the network through third parties, complicated supply chain networks or cloud storage and apps they no longer have full control over.

A growing number of global regulations heighten the need for organizations to protect personal information like Social Security numbers, credit card details and health records. DLP tools can help them do this while supporting compliance standards like HIPAA and GDPR.

DLP software typically monitors multiple data types in real time, including file transfers to and from external systems and the cloud, print activity and screen captures of documents or emails. It uses several methods to detect sensitive data, including regular expression matching. It analyzes content for common patterns such as 16-digit credit card numbers and nine-digit Social Security numbers in proximity to dates or other indicators. It can also use exact file matching to scan for unique fingerprints of files, and partial document matching to find documents that aren’t identical but share content, such as multiple versions of the same form filled out by different users.

DLP solutions may also use statistical analysis, which examines text for patterns of sensitivity using algorithms such as Bayesian analysis. It looks for phrases or words that violate policies or contain sensitive data, alerting cybersecurity teams to possible issues and providing reporting capabilities to prove compliance to regulatory auditors.

Classifying Sensitive Data

The next step involves determining which files and folders are the most critical for your organization to protect. This process should include assessing the types of data and their value to the business, whether it’s intellectual property or confidential information that could be compromised if leaked.

Your DLP tools should have a variety of methods to categorize files. Some use file checksum analysis, which creates a fingerprint of each file and compares it against a known value to determine whether the content has been modified. Others perform partial document matching, analyzing the hashes of documents to find duplicates, such as multiple versions of forms that different users have filled out. Lexicon searches and other rules-based analytics can help detect unstructured content that defies simple categorization.

Finally, several DLP products use machine learning and behavioral analytics to identify anomalous activities. They can recognize behavior patterns by modeling each user against their normal baseline, allowing them to detect unusual and potentially malicious activity.

Some DLP tools can also mitigate insider threats by monitoring the screen-capture, copy/paste and print activity of employees who access sensitive information without authorization, and by flagging their attempts to transmit it over email or to the cloud. Often, DLP tools can integrate with SIEM systems to raise security events and automate responses.

Mitigating Threats

A DLP solution can automatically detect and mitigate a wide variety of threats. For example, if it senses that sensitive information could be shared outside the organization through email or other channels, it can take action based on staff-established policies. This includes logging the data for auditing, alerting users who unintentionally share sensitive information and even blocking certain types of information from being shared.

The most common approach to detecting data loss is pattern matching. For instance, the engine might look for patterns like 16-digit credit card numbers or nine-digit Social Security numbers alongside indicators such as proximity to keywords like “Visa” and “Amex.” A reputable DLP vendor will have tested its engine against actual sensitive data sets to verify its effectiveness.
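The pattern-plus-context matching described here and in the detection section above, written out as an added example (not code from the article or from any DLP product): candidates are found with regular expressions, then reported only when a corroborating indicator sits within a character window on the same line. The Luhn check, the keyword lists, the window size and the sample text are all my assumptions; a real engine would carry far larger dictionaries and tuned windows.

```python
import re
from typing import NamedTuple

# Constructed sample of outbound message text for the engine to inspect (not real data).
SAMPLE_TEXT = """\
Hi team, the customer's Visa card is 4111 1111 1111 1111, exp 09/27.
Invoice 1234567890123456 was paid by card last week.
Tracking number 4111111111111111 left the warehouse today.
Employee SSN 078-05-1120 is on file with HR.
Ref 123-45-6789 was issued 03/2019 to the new hire.
Ticket 987-65-4321 needs review before release."""

CARD_RE = re.compile(r"\b\d(?:[ -]?\d){15}\b")  # 16 digits, optional space/dash separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")   # nine-digit Social Security number layout
DATE_RE = re.compile(r"\b\d{1,2}/\d{2,4}\b")    # MM/YY or MM/YYYY, used as a corroborating indicator
CARD_KEYWORDS = ("visa", "amex", "mastercard", "card")  # assumed dictionary, not a vendor list
SSN_KEYWORDS = ("ssn", "social security")
WINDOW = 40  # characters of context inspected on either side of a candidate match
# masked keeps only the last four digits so the alert itself does not leak the value
Finding = NamedTuple("Finding", [("kind", str), ("line", int), ("masked", str), ("reason", str)])

def luhn_ok(digits: str) -> bool:
    """Mod-10 check digit test (an added check, not from the article) to reject 16-digit strings that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def _context(line: str, m) -> str:
    return line[max(0, m.start() - WINDOW):m.end() + WINDOW].lower()

def _mask(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]

def scan(text: str) -> list:
    """Report a candidate only with corroborating context: a keyword (plus Luhn) for cards, a keyword or date for SSNs."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            keyword = next((k for k in CARD_KEYWORDS if k in _context(line, m)), "")
            if keyword and luhn_ok(digits):
                findings.append(Finding("credit_card", lineno, _mask(digits), f"keyword '{keyword}'"))
        for m in SSN_RE.finditer(line):
            ctx = _context(line, m)
            keyword = next((k for k in SSN_KEYWORDS if k in ctx), "")
            if keyword or DATE_RE.search(ctx):
                reason = f"keyword '{keyword}'" if keyword else "date nearby"
                findings.append(Finding("ssn", lineno, _mask(m.group().replace("-", "")), reason))
    return findings
```

Running `scan(SAMPLE_TEXT)` reports the Visa line and the two SSN lines with context, while the invoice number (fails Luhn), the bare tracking number (no keyword) and the uncorroborated ticket reference are left alone, which is the false-positive control the proximity indicators exist to provide.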

Other DLP technologies use more advanced techniques to detect and mitigate threats. These might include file checksum analysis to determine whether file content has been modified, or lexicon matching that searches for dictionary terms to identify unstructured data such as forms and templates filled in by multiple people. Other approaches to reducing risk involve implementing DLP in conjunction with existing cybersecurity tools, such as secure email gateways (SEGs), secure web gateways (SWGs), enterprise content management (ECM) platforms, and managed endpoint solutions that secure remote employee access to the organization’s applications and data on desktop and mobile devices.
