Data Loss Prevention: A guide to DLP

What is DLP?

Data loss prevention (DLP) is a collection of technologies and tools that monitor and protect business data from unauthorized access. When DLP technology is implemented, it protects data in three states: in use by authorized personnel, in motion (being transferred across the intranet), and at rest (on a file server or in a database). For example, data loss prevention software can stop users from copying data in order to move it outside a company's network.

At the center of all data loss prevention software is content inspection: the software looks at pieces of data as they move on a network, evaluates the type of file that contains them, and determines whether the data is where it should be and whether it is being used for its intended purposes. Both accidental exposure and nefarious activity can put sensitive data in jeopardy, which is why DLP security is important to organizations that need to protect their data assets. Historically, data loss prevention software has been built using static, policy-based rules, but the development of intelligent technologies, particularly machine learning, has taken this protection to the next level. Machine learning DLP can recognize behavior patterns that precede data breaches and stop them from happening.

How does DLP work?

DLP software is based on content inspection, which uses a series of methods to catch policy violations.

First, content inspection is based on rule-based expressions (typically regular expressions) that data loss prevention software matches and that trigger subsequent actions. A typical example is that of 16-digit credit card numbers. Organizations can create rules stating that if you try to email a credit card number (one that starts with a 4, 5, or 6), especially together with the 3-digit security code and expiration date, the DLP software will block the email from sending or automatically encrypt it.

Next, there is exact file matching. This identifies files in use, in motion, or at rest whose content matches exactly that of an indexed file. This is also called data fingerprinting.

Third, content analysis within DLP solutions uses conceptual / lexicon analysis. This level of analysis uses a compilation of dictionaries or other lists and rules to identify unwanted behavior, such as specific internet searches, or sharing trade secrets with those outside the network.

Finally, content analysis can incorporate sophisticated statistical analysis techniques. Statistical methods use machine learning to protect specific pieces of information. Once the model has learned what the data should look like, it constantly looks for anomalous data that doesn't match the learned pattern.
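The three rule-driven inspection methods above (expression matching, exact file fingerprinting and lexicon matching) combined into one small inspector, as an added example that is not code from this page or from any DLP vendor. The card pattern, lexicon terms and indexed file are constructed for the example; a Luhn checksum is added to the 16-digit rule to cut false positives.

```python
import hashlib
import re

# Rule-based expression: a 16-digit number starting with 4, 5 or 6, with optional
# spaces or dashes between groups of four digits.
CARD_RE = re.compile(r"\b[456]\d{3}(?:[ -]?\d{4}){3}\b")

# Constructed lexicon of terms whose outbound use should be reviewed.
LEXICON = {"project falcon", "merger", "salary band"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random 16-digit strings that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return normalized 16-digit numbers that match the rule and pass Luhn."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def fingerprint(data: bytes) -> str:
    """Exact file matching: compare the SHA-256 of a file against an index."""
    return hashlib.sha256(data).hexdigest()


def lexicon_hits(text: str) -> set[str]:
    lower = text.lower()
    return {term for term in LEXICON if term in lower}


def inspect(text: str, attachments: list[bytes], indexed: set[str]) -> dict:
    """Apply the three methods and map the findings to a policy action."""
    cards = find_card_numbers(text)
    fps = [fp for fp in (fingerprint(a) for a in attachments) if fp in indexed]
    terms = lexicon_hits(text)
    action = "block" if (cards or fps) else ("quarantine" if terms else "allow")
    return {"action": action, "cards": cards, "fingerprints": fps, "terms": sorted(terms)}
```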

Different types of DLP

There are three types of data loss prevention software: Network, endpoint, and cloud. All three deliver the same results (data protection), but the methods used vary from one type to the next.

Network DLP

Network DLP puts a secure perimeter around the data in motion on the network, as the name indicates. This solution tracks and monitors data as it moves on the company’s network, as opposed to the endpoints.

So, if a user attempts to email sensitive information while on the company's network, the network DLP security would carry out one or more of several pre-programmed actions, such as encrypting, blocking, quarantining, or auditing the email. It can also notify the administrator of the attempt to send the information over email.

Network DLP solutions are effective when a computer is connected to a network, but its safety net doesn’t extend to laptops and devices on-the-go, away from the network.

Endpoint DLP

Endpoint DLP doesn’t operate on the network where the data is in motion. Instead, it is installed on each individual device, which is where the endpoints of the network reside. Endpoint DLP security monitors data as it moves to and rests in these endpoints regardless of where they are or how they’re connected to the network or internet. It can even detect when sensitive data is saved unencrypted in the files on the devices.

Endpoint DLP offers more blanket protection than Network DLP, but it also requires more management. Each device needs to have the Endpoint DLP security software installed on it. This can be challenging logistically when organizations have remote staff. The time and attention required to manage and maintain an Endpoint DLP system should also be considered.

Cloud DLP

Cloud DLP is like Endpoint DLP, but it enforces DLP rules and policies on selected cloud accounts. It does not form a perimeter around a traditional on-premises network like Network DLP does. Instead, it integrates with cloud tools like Office 365 and Google's G Suite (and many others).

This allows your staff the convenience and security of using cloud apps and cloud storage without risk of data breach or loss.

What are the benefits of DLP?

Some benefits of using data loss prevention software are obvious, while some are less intuitive.

Properly deploying DLP security can ensure legal compliance. For example, legislation such as HIPAA, CCPA and GDPR requires you to know where personal/patient data is and how it is being shared and handled, which is exactly what data loss prevention software can do. DLP also protects against personal data accidentally being copied, pasted, uploaded, or printed to other areas of the network to be used in unintended ways. Data loss prevention software prevents the unauthorized use of all sensitive data by making sure that no person or script can transfer sensitive data to the wrong place. Such attempts will be blocked or restricted.

These breaches are sometimes malicious or intentional, but are more often simply caused by human error (such as an employee mistakenly attempting to print or email a sensitive document). No matter what the intent, having a well-configured DLP in place will prevent these mistakes from becoming breaches. This takes the burden of data protection away from human judgement and places it on the software.

These examples of DLP systems keeping data safe are of obvious benefit for IT and security staff, but what is the broader business case?

DLPs prevent data breaches, and data breaches are expensive. Having to perform a cleanup on breached data can have an exorbitant price tag. Companies that offer free credit monitoring to clients whose data was exposed, for example, can spend millions on that alone. In addition, it is commonplace for data subjects to take legal action against companies that put their data at risk, which, depending on the scale of the breach, can be crippling.

The short-term financial impact can be devastating, but the long-term damage to a company's reputation can have a ripple effect that lasts for years. Both the incurred costs and the loss of reputation can be eclipsed by problems caused by failure to comply with information privacy laws, such as HIPAA, the Fair and Accurate Credit Transactions Act (FACTA), and California's Online Privacy Protection Act (OPPA).

Although the United States does not yet have comprehensive legislation covering data protection in a similar way that GDPR protects information privacy in the European Union, it would be wise for American companies to take preemptive measures to protect client privacy, so they are compliant if/when such laws do come to pass.

What are the limitations of traditional DLP?

The most frustrating aspect of working with traditional DLP is its lack of flexibility and the fact that false positives can be high. This happens because the software is rigid by design. DLP's biggest strength is therefore also its key weakness.

Say, for example, that you have hired a freelancer, and you need to share data with that person. This is legitimate, but if the freelancer's email and website are hosted on a shared server that your DLP software has blacklisted, you may be in the difficult position of finding a workaround to communicate. IT administrators therefore often find themselves in the unenviable position of creating different rules for different users, which ultimately cannot scale across medium or larger organizations and takes time to implement (which can be frustrating for users who "need to send this email now"). Often, this leads to DLP rules being relaxed over time, weakening an organization's security posture.

Additionally, traditional DLP will not stop all data breaches, such as those caused by phishing scams and misdirected emails. Lexicons of words used to identify and flag incoming emails as potentially suspicious help to a degree, but they cannot prevent 100% of phishing incidents, nor can they stop all cases of accidentally sending an email with sensitive information to the wrong person within or outside the organization. Traditional DLP software has to know what to "look for" in order to prevent data breaches, which means it cannot detect emerging use cases or outliers without being pre-programmed/updated.

Note that these limitations are specific to traditional DLP security. Advanced data loss prevention software packages, such as those offered by Egress, virtually eliminate the limitations of traditional DLP.

Take the example of misdirected emails (some call this "fat finger syndrome"). Egress Prevent prompts users when they include a recipient who is outside of their normal pattern but whom they are technically authorized to email under other circumstances. For example, the sender is authorized to share financial data externally but never normally sends it to Person A at Company X; they usually send it to someone with a similar name at the same company. They are legitimately allowed to email both recipients; they just normally share different types of data with them. Egress' intelligent DLP will prompt the sender to ensure only authorized recipients are contained within the email, stopping emails from landing in the inboxes of the wrong recipients. The software scans email text and the contents of the attachments to detect potential data breaches before they happen.
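The recipient check described above, reduced to its core idea as an added example (this is a simplified illustration, not Egress's own algorithm or code): a recipient is blocked if the sender is not authorized to email them at all, allowed if the sender normally sends this data type to them, and otherwise prompted, with the usual similarly named recipient suggested. The history, allow-list and addresses are constructed.

```python
import difflib
from collections import defaultdict

# Constructed history of (sender, recipient, data category) for past emails.
# A real system would learn this baseline from mail flow over time.
HISTORY = [
    ("alice@corp.example", "j.smith@companyx.example", "financial"),
    ("alice@corp.example", "j.smith@companyx.example", "financial"),
    ("alice@corp.example", "j.smyth@companyx.example", "marketing"),
]

# Hypothetical allow-list: recipients each sender may email under some circumstances.
AUTHORIZED = {
    "alice@corp.example": {"j.smith@companyx.example", "j.smyth@companyx.example"},
}


def build_baseline(history):
    """Map (sender, category) -> set of recipients who normally receive that data type."""
    baseline = defaultdict(set)
    for sender, rcpt, category in history:
        baseline[(sender, category)].add(rcpt)
    return baseline


def check_recipients(sender, recipients, category, baseline):
    """Return {recipient: (decision, suggested_usual_recipient_or_None)}."""
    usual = baseline.get((sender, category), set())
    allowed = AUTHORIZED.get(sender, set())
    decisions = {}
    for r in recipients:
        if r not in allowed:
            decisions[r] = ("block", None)       # never a valid recipient for this sender
        elif r in usual:
            decisions[r] = ("ok", None)          # matches the sender's normal pattern
        else:
            # Authorized but unusual for this data type: prompt, and point at the
            # look-alike address the sender normally uses for it.
            close = difflib.get_close_matches(r, sorted(usual), n=1, cutoff=0.8)
            decisions[r] = ("prompt", close[0] if close else None)
    return decisions
```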

The advancements that Egress has made in the content analysis and contextual machine learning aspects of data loss prevention software help take the human element out of security decision-making. People develop tech-fatigue, where they perform the same actions over and over (like sending and receiving emails). The repetition lulls them into feelings of familiarity and comfort. Not carefully reading emails before clicking links or double-checking the distribution list before clicking the send button is how mistakes happen. Egress Prevent eliminates these errors.

Egress Prevent is part of the Egress Intelligent Email Security platform, which also encompasses Egress Protect for email encryption and Egress Investigate for compliance monitoring. Together, they create a safety net around every user. They keep your data safe and protect your customers and organization, without burdening your information security or IT staff.