I recently read an article on Security Boulevard discussing how to get the most out of data loss prevention (DLP) technology. While I agree with much of the article, especially the three questions all organizations should be asking to understand their data (What's sensitive to us? Where does sensitive information reside? Who requires access to it?), I noticed a few key elements were missing.
In today's world, data exists and moves well beyond the four walls of an organization. It's in the cloud and on mobile devices, accessed by employees sitting in offices, coffee shops, at home or anywhere else. The truth is, companies no longer have control over their data or the devices it sits on. They also have limited manpower to monitor who is accessing their most sensitive data and how they are interacting with it. Meanwhile, the attack surface is only expanding, with criminals inside and outside the organization leveraging new and old vulnerabilities and hacking tools. Less visibility and control of data, coupled with more attackers seeking to grab it, is a recipe for a breach.
As the DLP article mentioned, the technology has evolved. Whereas traditional DLP enabled organizations to block sensitive information from leaving the four walls, today's DLP protects data both on-premises and in the cloud. However, to really take the reins on their data, no matter where it resides and who is accessing it, companies must integrate DLP with other security technologies, especially user and entity behavior analytics (UEBA).
DLP is a powerful tool for creating data security policies and monitoring their enforcement, but it also generates a high volume of alerts that analysts must somehow prioritize and investigate. For example, a DLP tool will alert analysts that a highly sensitive document is being sent to an employee's personal email address; but what if that employee was given permission to send it because she wanted to work from home? The analyst will chase down the alert only to find he has spent time chasing a fire that didn't exist.
With so much more data to protect than ever before, located and accessed from everywhere, DLP needs a “friend” to help decipher which alerts are truly critical and should be prioritized.
Enter UEBA. When DLP is integrated with UEBA, analysts receive only the alerts that matter most. UEBA combined with DLP considers both a user's risk profile and the data that needs protecting. For example, let's say "Jane" is the employee who sent the sensitive document to her personal email account. The UEBA tool would detect Jane's behavior as unusual, compare it with the behavior of her peers and her team as a whole, and correlate that information with Jane's risk profile, including her risk score. Because UEBA incorporates machine learning, if Jane had been flagged for similar behavior in the past and the behavior was deemed business-justified, the alert would not have been generated in the first place, saving analysts from another false positive.
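As an added illustration, not code from the article or from any DLP or UEBA product, here is a toy triage function that scores a DLP alert the way the paragraph describes: a prior closure of the same behavior as business-justified suppresses the alert outright; otherwise the document's sensitivity is scaled by how far the user's activity sits above the peer baseline and by the UEBA risk score. The 0..100 risk-score scale, the field names, the weights and the thresholds are all assumptions chosen for the example.

```python
"""Prioritise DLP alerts with UEBA context: risk score, peer baseline,
and prior business-justified closures (illustrative model, not a vendor API)."""
from dataclasses import dataclass, field
from statistics import mean, pstdev

SENSITIVITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}   # assumed weights

@dataclass
class DlpAlert:
    user: str
    action: str        # e.g. "email_to_personal_address"
    sensitivity: str   # classification tag the DLP tool attached to the document

@dataclass
class UebaContext:
    risk_score: int                 # 0..100 risk score from the UEBA tool (assumed scale)
    user_count: int                 # times this user performed the action in the baseline window
    peer_counts: list[int]          # same count for each member of the user's peer group
    justified_actions: set[str] = field(default_factory=set)  # actions closed as business-justified before

def peer_deviation(user_count, peer_counts, cap=3.0):
    """How far the user's activity sits above the peer baseline, as a z-score capped at `cap`.
    Only activity *above* peers raises the score; with a flat baseline any excess hits the cap."""
    mu, sigma = mean(peer_counts), pstdev(peer_counts)
    if sigma == 0:
        return cap if user_count > mu else 0.0
    return min(max((user_count - mu) / sigma, 0.0), cap)

def triage(alert, ctx):
    """Return (score, verdict, reason). A score of 0 means the alert is suppressed."""
    if alert.action in ctx.justified_actions:
        # The same behaviour was investigated before and found business-justified:
        # learn from that outcome instead of paging an analyst again.
        return 0.0, "suppressed", "prior alert for this action closed as business-justified"
    dev = peer_deviation(ctx.user_count, ctx.peer_counts)
    # Sensitivity sets the base; deviation from peers and the user's risk profile scale it.
    score = round(SENSITIVITY_WEIGHT[alert.sensitivity] * (1 + dev) * (1 + ctx.risk_score / 100), 2)
    verdict = "critical" if score >= 12 else "review" if score >= 4 else "low"
    return score, verdict, f"peer deviation {dev:.1f}, risk score {ctx.risk_score}"

if __name__ == "__main__":
    # Constructed sample: Jane mails a highly sensitive document to her personal address.
    jane = DlpAlert("jane", "email_to_personal_address", "high")
    ctx = UebaContext(risk_score=80, user_count=5, peer_counts=[0, 0, 1, 0, 1])
    print(triage(jane, ctx))                          # critical: far above peers, high risk score
    ctx.justified_actions.add("email_to_personal_address")
    print(triage(jane, ctx))                          # suppressed: same behaviour justified earlier
```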
Other tools should be working in concert with DLP, especially given the data control challenges described above. Organizations should use tagging technologies so that the DLP tool tracks the data that is most important no matter where it resides, and encryption to make valuable data unreadable as it moves from one location to another. Cloud access security broker (CASB) tools extend DLP's protection into the cloud, and multi-factor authentication helps ensure that only the right users get access to certain data.
These tools working in concert enable DLP to identify the data that’s most important and protect that data as it moves and is accessed, with UEBA sealing the deal.