
How to Stem the Tide of Data Loss in the Modern Organization

Building a Strategy for the Post-DLP World

WHITEPAPER

Table of Contents

What is Data Loss Prevention?

The History of DLP

How Data Loss Prevention Works

How Legacy Data Loss Prevention is Failing Organizations

Classification Challenges in the Era of Unstructured Data

Operational and Maintenance Hurdles

Lack of Insider Threat Detection and Response

A Vision for the Post-DLP World

Flexible and User-Centric

Difficult to Bypass

Holistic and Continuous Monitoring

Lightweight and Streamlined, for Rapid ROI

Decreased Time to Detect and Remediate Incidents

Building A Realistic Data Loss Prevention Strategy


What is Data Loss Prevention?


A whopping three million electronic records are stolen every single day. Data loss is a big problem, and has been ever since the dawn of the internet. The magnitude of the problem increases every day, as unstructured data grows—currently at a rate of 62% per year. Additional complexities related to data protection arise when organizations need to comply with standards like the new EU GDPR, SOC 2, PCI DSS, and industry-specific standards like HIPAA.

Every organization that deals with electronic data needs to have a data loss prevention strategy in place. Specifically, organizations need to know:

• Where does confidential or sensitive data reside?
• How is it being used and accessed?
• How can the organization prevent loss of this data?

In this white paper, we’ll take a look at how organizations have been dealing with data loss to date, why these strategies are failing, and what a better path forward looks like. We’ll provide you with the information you need to build a data loss prevention strategy that works for the modern business.

The History of DLP

For years, data loss prevention tools (DLPs) have been the first line of defense against data leaving an organization’s four walls. DLPs attempt to classify data, track it, and prevent it from leaving the organization via unauthorized channels. DLPs arose in direct response to compliance requirements, including PCI DSS, around 2005. So this type of technology is nothing new.

Over time, data discovery and classification features became an integral aspect of what DLPs offered. These features enabled organizations to find out what data they possessed and classify it based on sensitivity and other key factors. Next, DLPs started adding security features to actually stop data exfiltration attempts.

From here, DLP evolved into three different form factors (we’ll elaborate more on these in the next section):

• Endpoint DLP
• Network DLP
• Email DLP

Then, as the cloud took hold and software-as-a-service became widely adopted, DLPs began to offer visibility into SaaS apps where many electronic records were now being stored. This capability provided a means of discovering and classifying data in the cloud. Next, cloud access security brokers (CASBs) appeared on the scene. CASBs are situated between an organization’s on-prem infrastructure and the cloud, acting as a gatekeeper that lets the organization extend its security policies to the cloud (including their DLPs, in this case).

Now that you have a sense of how DLPs evolved over the last decade-plus, let’s take a look at what’s under the hood.

How Data Loss Prevention Works

Endpoint data loss prevention, the most prevalent form, works by deploying endpoint agents to desktops, laptops, and servers within an organization. Admins can then enable or customize policy templates based on their organization’s needs and preferences. Once in place, the DLP begins to monitor and prevent confidential data from being copied or downloaded, whether end users are offline or online. If something inappropriate takes place, the system notifies both the employee and the IT admin or manager. The IT admin must then figure out how to remediate the incident and report on plans for risk reduction going forward.

Similarly, network data loss prevention works by having admins enable or customize DLP policy templates. Then, when an employee or other user sends confidential data via the network, the monitoring tool detects the incident. Depending on how your DLP is set up, it can block the attempt, remove the user, and/or tag the activity for encryption. The system will then, much like endpoint DLP, notify the employee and IT admin. The IT admin must then figure out how to remediate the incident and report on plans for risk reduction in the future.

Email data loss prevention is perhaps the most specific and niche type. Most organizations choose network or endpoint DLP, because they also monitor email. Similar to the other two types, email DLP looks for signs of data leaving an organization, sends up a flag, and places the burden of remediation on the IT team.

How a certain DLP solution works depends on its type and what it is designed to monitor and protect. DLPs are designed to offer data loss prevention by monitoring everything from cloud storage, to web proxies, to SPAN or Tap, depending on where in the system they sit.

Below is a graphic illustrating a common DLP architecture:

[Figure: Architecture Overview. Labeled components: Administration; Detection; Integrated Components (Data Insight); Storage, Cloud, Endpoint, and Network channels; Network Discover/Network Protect; Cloud Storage; O365 Exchange; Web Proxy; MTA; SPAN or Tap; Cloud Prevent for MS Office 365; Endpoint Prevent/Endpoint Discover; Mobile Prevent; Mobile Email Monitor; Network Prevent for Email; Network Prevent for Web; Network Monitor.]

Data discovery often happens at the level of the endpoint, as does monitoring and blocking of out-of-policy behavior that could lead to exfiltration (such as USB storage, printing, and remote desktop access). Monitoring and prevention are executed via protocols including SMTP, HTTP, IM, FTP, and TCP.

Now that you understand the history of DLPs and how they work at a basic level, let’s take a look at where things are going wrong.

How Legacy Data Loss Prevention is Failing Organizations

While the idea of data loss prevention sounds great in theory and has worked relatively well in the past, research shows that successful DLP implementations are very rare. DLP as a tool has done a good job on the compliance front, which traces back to its origins as a technology. It allows organizations to classify data based on risk, which helps them check compliance boxes. However, DLP has failed miserably as a security tool—an area that is at least as important as compliance, if not more so.

Why don’t DLPs work for security? To put it simply, conventional DLP tools that regulate the exchange of network data aren’t able to stop insider threats because the tools weren’t designed for that purpose. According to Gartner, DLPs simply don’t protect all data or cover all loss scenarios.

Additionally, DLPs are a pain to administer and maintain. Organizations struggle with their heavy kernel-based agents, the time-consuming data classification process, ongoing maintenance, and disconnects between data owners and DLP administrators.

Now, let’s take a look in depth at these challenges and limitations, which illustrate how DLPs are failing the modern organization.

Classification Challenges in the Era of Unstructured Data

Detecting and preventing the loss of data was a lot easier when there was less of it. Today, data discovery and classification is a very onerous process, because unstructured data grows every day. In fact, by 2022, it’s expected that 93% of all data will be unstructured. There’s no easy way to apply a data classification scheme when new documents, records, and pieces of data are created by the minute.

While it’s true that some organizations must classify their data in order to meet compliance mandates, data classification as a means to secure systems and prevent loss is not a winning strategy.

To illustrate how data classification challenges arise and why they lead to security gaps, let’s take a look at an example. Say a security or IT administrator at a large enterprise is tasked with classifying data across the organization. This person’s job is to know what’s going on with data at a granular level across the entire company—from marketing, to development, to operations and beyond. To do the job properly, the admin would have to reach out to each line of business not just daily but hourly and even up to the minute to find out which files are sensitive and classify them. With new documents being created all the time and unstructured data growing exponentially, this method is completely unrealistic.

Because perfect data classification is an impossible goal, data-centric DLP schemes are failing to protect today’s modern business against data loss. DLPs have proven to be ineffective at detecting and preventing data loss in today’s fast-paced, data-rich organizations.

Operational and Maintenance Hurdles

There are also quite a few operational and maintenance challenges that accompany the deployment and ongoing usage of DLPs. As a result, many organizations that deploy enterprise DLP systems struggle to move beyond the beginning phases of discovering and monitoring data, as Gartner has pointed out.

Deployment itself can be very complex, in many cases taking more than two years to fully complete. As you can imagine, that’s far too long for a competitive business today. For this reason, incomplete DLP deployments are common, and many administrators complain that, even after deployment, fine-tuning alerts is a never-ending process. False positives are also common, which adds to the operational burden of running a DLP.

Additionally, DLPs are well-known for their heavy, kernel-based agents, which are quite taxing on endpoints—and thus on end users. They often lead to system and app crashes, which can slow down productivity and frustrate users. It’s common for users to be forced to interrupt their days to restart machines after DLP-caused crashes. Security gaps can arise when users attempt to bypass DLPs for this reason. Finally, DLPs may also run up your organization’s machine overhead and even conflict with other security tools like antivirus software.

Because of these headaches, DLP agents often acquire a bad reputation around the organization, encouraging employees to skirt them altogether, which stokes conflict between the security or IT admins who manage the DLP and end users.

As you can probably tell, the operational and maintenance burdens that come along with DLPs often make them frustrating and impractical for organizations who want to run a lean, streamlined business.

Lack of Insider Threat Detection and Response

Additionally, 60% of all data leaks are carried out by insiders, with an estimated $5 million in costs per insider-caused security breach. Data classification schemes can’t do much to identify risky behavior, which is why DLPs often miss indicators of insider threats.

Moreover, DLP tools that work by regulating the exchange of network data are not designed to successfully catch or stop insider threats. They simply weren’t designed to do so.

As we mentioned above, if an insider knows how the DLP is implemented (which many technical users do), they are likely to be able to bypass it. In fact, one of ObserveIT’s customers, the CISO at a major global financial services organization, told us, “I haven’t seen an enterprise DLP my team can’t bypass in a matter of seconds.” That can spell real trouble if you’re relying on your DLP to monitor and stop data loss.

On top of being ineffective at catching insider threats and easy to bypass, DLPs also lack user activity monitoring and context about the movement of data, which means they have no investigational capabilities. They do not offer any visibility into what happened before, during, or after a data exfiltration incident. Without these types of actionable forensics, DLPs can actually drive down the mean time to detection and response for an organization, as admins must spend their time painstakingly correlating logs to try to figure out what happened.

These shortfalls are obviously major problems and illustrate well how DLPs are failing today’s organizations.

In the next section, we’ll talk about an ideal future state in which security teams are able to effectively detect, prevent, and stop data loss.


A Vision for the Post-DLP World

As Gartner’s report, “It’s Time to Redefine Data Loss Prevention,” clearly illustrates, it’s time to take a more holistic approach to identifying and stopping data loss. Data protection needs to be built into all organizations’ security and compliance strategies from day one, and it needs to be executed in a way that takes the rapid proliferation of data and complexity of today’s technological landscape fully into account.

DLPs on their own are not up to the task. So what does a post-DLP world look like? What types of tools and technologies do teams need to invest in to fully protect their data against all types of loss, including insider threats? Let’s take a look.


“By 2020, 85% of organizations will have implemented some form of integrated DLP, up from 50% today.”

Gartner Report

Flexible and User-Centric

First of all, data loss prevention strategies need to be flexible and user-centric—as opposed to rigid and data-centric, the way DLPs are today.

Flexible prevention policies, rather than static data classification schemes, track files in use, in motion, and at rest. They identify common exfiltration points like file-copying, USB drive usage, printing, cloud storage (especially personal cloud storage) and emailing with or to personal accounts. All of these actions are likely indicators of data loss in progress. Applying a flexible rubric like this, rather than one that demands a static data classification scheme, is more likely to catch threats.

To put a fine point on it, user-centric strategies are focused more on user behavior than on data classification. They don’t focus so much on carefully cataloging which pieces of data are sensitive or at risk. Instead, they look for likely indicators of compromise.

To achieve the goal of being more flexible and user-centric, a tool like ObserveIT comes equipped with a built-in insider threat library. This out-of-the-box library of alerts enables prevention around the 200 most common insider threat indicators. This library contains a list of common user behaviors that indicate potential data compromise, and can be used for real-time capture and alerting whenever user behavior indicates risk.

Difficult to Bypass

Additionally, you want to invest in tools that are difficult for users to bypass. If a DLP is onerous to use, then innocent and well-meaning users may discover a way to get around it, leaving you open to accidental data loss. If a user has more malicious intentions, then the ease with which they can bypass a DLP opens you up to intentional data exfiltration as well. As headlines illustrate, sensitive data can command a high price on the black market, tempting employees into selling it for personal gain.

The ease with which technical users are able to bypass DLP makes it a no-go for organizations who need a tool they can depend on to keep data secure.

A tool like ObserveIT, on the other hand, has a watchdog mechanism built in that makes it very difficult for users to kill the agent. If they do, the agent automatically restarts itself to ensure that it is always up and running. It also contains a self-monitoring system, so if a user does try to shut down the agent, an admin will be alerted immediately and can take action to prevent further risky behavior—whether intentional or accidental.

The strongest data loss prevention tools also have user education built in, so that employees and other users who try to act out of policy are not only immediately blocked from doing so, but also provided with information about what they are doing wrong. In some cases, this step acts as a deterrent against intentional data theft, but in many cases it simply serves as a helpful and in-context reminder of how to avoid putting the organization at risk. This knowledge contributes to an organization’s overall security and decreases the likelihood of a data loss scenario taking place.

Holistic and Continuous Monitoring

One of the major downsides of DLPs is that they only monitor logs. If an incident takes place, admins must sift through log files and try to piece together what happened with little to no context. Additionally, because they are focused on logs, DLPs are often not able to alert admins to data loss in real-time, and even if an alert does fire, it’s quite common for it to be a false alarm due to the sensitivity and inaccuracy of data classification schemes.

A user activity-centric tool like ObserveIT provides holistic and continuous monitoring. It monitors user activity in depth, looking at data exfiltration points like cloud apps, USB insertions, and print jobs to identify insider threat indicators. It looks for examples of users taking data out through unauthorized channels, which is much more practical than data classification in terms of identifying real threats.

Moreover, ObserveIT is able to offer a holistic view of what happened before, during, and after an incident. This step provides the context necessary to respond quickly and accurately to the threat, offering irrefutable evidence of exactly what took place.

When an incident occurs, what would you rather have on hand to explain it to your boss? Low-level log files or a holistic picture that is easy to articulate to anyone in the organization? Yet again, DLPs simply can’t keep organizations secure.
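The user-centric approach described in this paper (watching common exfiltration points instead of classifying every file, then reconstructing what a user did before and after an alert) can be sketched in a few functions. This is an added example, not ObserveIT's code or its alert library; the event schema, indicator names, and domain lists are assumptions, and the sample events are constructed.

```python
from collections import namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts user action detail")

# Constructed sample activity, not real telemetry. The schema is hypothetical.
RAW_EVENTS = [
    ("2018-03-01T09:02:11", "alice", "file_open", "Q1-forecast.xlsx"),
    ("2018-03-01T09:03:40", "alice", "print_job", "Q1-forecast.xlsx"),
    ("2018-03-01T14:10:05", "bob", "file_open", "customer-list.csv"),
    ("2018-03-01T14:11:30", "bob", "usb_insert", "E:"),
    ("2018-03-01T14:12:02", "bob", "file_copy", "E:\\customer-list.csv"),
    ("2018-03-01T14:13:47", "bob", "cloud_upload", "drive.personal-cloud.example"),
    ("2018-03-01T14:15:20", "bob", "email_send", "bob.home@gmail.com"),
    ("2018-03-01T14:40:00", "bob", "usb_remove", "E:"),
    ("2018-03-01T15:00:00", "carol", "cloud_upload", "files.corp-tenant.example"),
    ("2018-03-01T15:05:00", "carol", "email_send", "dave@corp.example"),
]
SANCTIONED_CLOUD = {"files.corp-tenant.example"}            # assumed approved tenant
PERSONAL_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}   # illustrative list


def load(raw):
    """Parse raw tuples into time-ordered Event records."""
    events = [Event(datetime.fromisoformat(ts), u, a, d) for ts, u, a, d in raw]
    return sorted(events, key=lambda e: e.ts)


def detect(events):
    """Return [(event, indicator)] for activity at a common exfiltration point."""
    mounted = {}  # user -> removable drive letters currently attached
    alerts = []
    for ev in events:
        drives = mounted.setdefault(ev.user, set())
        hit = None
        if ev.action == "usb_insert":
            drives.add(ev.detail)
            hit = "usb_storage_attached"
        elif ev.action == "usb_remove":
            drives.discard(ev.detail)
        elif ev.action == "file_copy" and ev.detail[:2] in drives:
            hit = "copy_to_removable_media"
        elif ev.action == "print_job":
            hit = "document_printed"
        elif ev.action == "cloud_upload" and ev.detail not in SANCTIONED_CLOUD:
            hit = "upload_to_unsanctioned_cloud"
        elif ev.action == "email_send" and ev.detail.rsplit("@", 1)[-1] in PERSONAL_MAIL:
            hit = "email_to_personal_account"
        if hit:
            alerts.append((ev, hit))
    return alerts


def users_to_review(alerts, min_distinct=2):
    """Users showing several different indicators; one print job alone is not enough."""
    seen = {}
    for ev, hit in alerts:
        seen.setdefault(ev.user, set()).add(hit)
    return sorted(u for u, hits in seen.items() if len(hits) >= min_distinct)


def timeline(events, alert_event, window=timedelta(minutes=5)):
    """The same user's activity before and after one alert, within the window."""
    mine = [e for e in events if e.user == alert_event.user]
    before = [e for e in mine if alert_event.ts - window <= e.ts < alert_event.ts]
    after = [e for e in mine if alert_event.ts < e.ts <= alert_event.ts + window]
    return {"before": before, "during": alert_event, "after": after}


if __name__ == "__main__":
    events = load(RAW_EVENTS)
    alerts = detect(events)
    print("review:", users_to_review(alerts))
    for ev, hit in alerts:
        ctx = timeline(events, ev)
        print(ev.ts.time(), ev.user, hit,
              "| before:", [e.action for e in ctx["before"]],
              "| after:", [e.action for e in ctx["after"]])
```

None of the rules needs to know whether a file was classified as sensitive; the signal comes from where the data is going and what the same user did around that moment.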

Lightweight and Streamlined, for Rapid ROI

As we explained in detail earlier, DLPs are difficult to deploy and fine-tune and their agents are heavy on the endpoint, leading to blue screens, crashes, and failures that make it hard to get work done.

A modern data loss prevention strategy needs to be lightweight, with minimal impact on endpoints. It all starts with deployment. A tool like ObserveIT has a silent install and does not require a reboot to get going, meaning it takes just a few days to completely deploy—vs. up to two years with a traditional DLP.

Additionally, as compared to a kernel-based DLP agent, ObserveIT runs in user mode with little to no impact on the end user. In most cases, users won’t even realize ObserveIT is there, given its 1% CPU impact to end users and ability to run in full stealth mode. The lightweight agent resolves performance issues, which means that users won’t be looking for ways around it (and, as we mentioned earlier, it’s much more difficult to bypass than a traditional DLP).

ObserveIT altogether eliminates time-consuming troubleshooting and maintenance processes that go hand-in-hand with DLP, meaning you can realize a rapid return on investment, rather than sinking years of administrators’ time and energy into an incomplete DLP deployment.

Time to value is a key metric for IT and security teams, since they are often seen as cost centers by the larger business. ObserveIT is able to complete a standard proof of concept in an hour, with a full pilot taking no more than one to two weeks before administrators are able to realize the value of deployment.

Decreased Time to Detect and Remediate Incidents

Finally, as we have touched on briefly above, DLPs fall behind when it comes to actually remediating a data loss incident. By their very nature, they are not able to provide context or investigational capabilities. In practice, while a DLP might alert you to an incident, it won’t help you do anything about it.

To actually address a data loss incident, user activity-centric detection and investigation tools are necessary. A tool like ObserveIT provides the sort of context that is necessary to rapidly detect and remediate incidents, driving down mean times to resolution. ObserveIT reduces incident response times, often even catching an insider-caused incident in progress (which can slip right past DLPs), because it is laser-focused on actual indicators of compromise.

Moreover, because ObserveIT is easily integrated into a broader security ecosystem, it decreases security teams’ workloads by providing necessary context when it’s time to conduct forensics. Combing through log files from a DLP can only slow down incident response times, and in today’s climate of frequent and business-endangering breaches, that kind of lost time is difficult to afford.


Building A Realistic Data Loss Prevention Strategy

To sum it up, today’s security and IT teams are looking for a new way to stop data loss because current DLP solutions have proven time and time again to be ineffective. Many teams have also recognized that complete data loss prevention may not even be attainable, which calls into question the value of investing in a traditional data loss prevention solution. At ObserveIT, we believe complete data loss prevention is an unrealistic expectation and that modern security teams are—and should be—shifting away from prevention to detection and response.

Data loss is, at its core, a people problem—not a systems problem. This means the best strategy to identify, stop, and remediate data loss incidents is one that puts user activity at its center.

Proactive security organizations recognize that DLPs are failing for all of the reasons that we have explored in this paper. They may help you check compliance boxes, but they aren’t able to protect against insider threats and other common causes of data loss, nor are they sufficient to the tasks of investigation or response. The way forward is to adopt a new security paradigm altogether, one that is user-centric, holistic, and streamlined. Only when organizations begin to invest in strategies that take today’s enormous and complex technological landscape fully into account will we begin to see a decrease in data loss.


Ready to bring your data loss prevention strategy into the modern era?

Test Drive ObserveIT Today


©2018 ObserveIT. All rights reserved.

All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for information purposes only.