How to Stem the Tide of Data Loss in the Modern Organization
Building a Strategy for the Post-DLP World
WHITEPAPER
Table of Contents
What is Data Loss Prevention? 3
The History of DLP 4
How Data Loss Prevention Works 5
How Legacy Data Loss Prevention is Failing Organizations 7
Classification Challenges in the Era of Unstructured Data 8
Operational and Maintenance Hurdles 9
Lack of Insider Threat Detection and Response 10
A Vision for the Post-DLP World 11
Flexible and User-Centric 12
Difficult to Bypass 13
Holistic and Continuous Monitoring 14
Lightweight and Streamlined, for Rapid ROI 15
Decreased Time to Detect and Remediate Incidents 16
Building A Realistic Data Loss Prevention Strategy 17
What is Data Loss Prevention?
A whopping three million electronic records are stolen every single day. Data loss is a big problem, and has been ever since the dawn of the internet. The magnitude of the problem increases every day as unstructured data grows, currently at a rate of 62% per year. Additional complexities related to data protection arise when organizations need to comply with standards like the new EU GDPR, SOC 2, PCI DSS, and industry-specific standards like HIPAA.
Every organization that deals with electronic data needs to have a data loss prevention strategy in place. Specifically, organizations need to know:
• Where does confidential or sensitive data reside?
• How is it being used and accessed?
• How can the organization prevent loss of this data?
In this white paper, we’ll take a look at how organizations have been dealing with data loss to date, why these strategies are failing, and what a better path forward looks like. We’ll provide you with the information you need to build a data loss prevention strategy that works for the modern business.
ObserveIT | 3
The History of DLP
For years, data loss prevention tools (DLPs) have been the first line of defense against data leaving an organization’s four walls. DLPs attempt to classify data, track it, and prevent it from leaving the organization via unauthorized channels. DLPs arose in direct response to compliance requirements, including PCI DSS, around 2005. So this type of technology is nothing new.
Over time, data discovery and classification features became an integral aspect of what DLPs offered. These features enabled organizations to find out what data they possessed and classify it based on sensitivity and other key factors. Next, DLPs started adding security features to actually stop data exfiltration attempts.
From here, DLP evolved into three different form factors (we’ll elaborate more on these in the next section):
• Endpoint DLP
• Network DLP
• Email DLP
Then, as the cloud took hold and software-as-a-service became widely adopted, DLPs began to offer visibility into SaaS apps where many electronic records were now being stored. This capability provided a means of discovering and classifying data in the cloud. Next, cloud access security brokers (CASBs) appeared on the scene. CASBs are situated between an organization’s on-prem infrastructure and the cloud, acting as a gatekeeper that lets the organization extend its security policies (including their DLPs, in this case) to the cloud.
Now that you have a sense of how DLPs evolved over the last decade-plus, let’s take a look at what’s under the hood.
How Data Loss Prevention Works
Endpoint data loss prevention, the most prevalent form, works by deploying endpoint agents to desktops, laptops, and servers within an organization. Admins can then enable or customize policy templates based on their organization’s needs and preferences. Once in place, the DLP begins to monitor and prevent confidential data from being copied or downloaded, whether end users are offline or online. If something inappropriate takes place, the system notifies both the employee and the IT admin or manager. The IT admin must then figure out how to remediate the incident and report on plans for risk reduction going forward.
Similarly, network data loss prevention works by having admins enable or customize DLP policy templates. Then, when an employee or other user sends confidential data via the network, the monitoring tool detects the incident. Depending on how your DLP is set up, it can block the attempt, remove the user, and/or tag the activity for encryption. The system will then, much like endpoint DLP, notify the employee and IT admin. The IT admin must then figure out how to remediate the incident and report on plans for risk reduction in the future.
Email data loss prevention is perhaps the most specific and niche type. Most organizations choose network or endpoint DLP, because they also monitor email. Similar to the other two types, email DLP looks for signs of data leaving an organization, sends up a flag, and places the burden of remediation on the IT team.
How a certain DLP solution works depends on its type and what it is designed to monitor and protect. DLPs are designed to offer data loss prevention by monitoring everything from cloud storage, to web proxies, to SPAN or tap ports, depending on where in the system they sit.
Now that you understand the history of DLPs and how they work at a basic level, let’s take a look at where things are going wrong.
Below is a graphic illustrating a common DLP architecture:
Data discovery often happens at the level of the endpoint, as does monitoring and blocking of out-of-policy behavior that could lead to exfiltration (such as USB storage, printing, and remote desktop access). Monitoring and prevention are executed via protocols including SMTP, HTTP, IM, FTP, and TCP.
[Figure: Architecture Overview. Panels: Administration; Network Discover/Network Protect; Detection; Integrated Components. Channels: Storage, Cloud, Endpoint, Network. Components shown: Cloud Storage, Data Insight*, O365 Exchange, Web Proxy, MTA, SPAN or Tap, Cloud Prevent for MS Office 365, Endpoint Prevent/Endpoint Discover, Mobile Prevent, Mobile Email Monitor, Network Prevent for Email, Network Prevent for Web, Network Monitor.]
How Legacy Data Loss Prevention is Failing Organizations
While the idea of data loss prevention sounds great in theory and has worked relatively well in the past, research shows that successful DLP implementations are very rare. DLP as a tool has done a good job on the compliance front, which traces back to its origins as a technology. It allows organizations to classify data based on risk, which helps them check compliance boxes. However, DLP has failed miserably as a security tool, an area that is at least as, if not more, important than compliance.
Why don’t DLPs work for security? To put it simply, conventional DLP tools that regulate the exchange of network data aren’t able to stop insider threats because the tools weren’t designed for that purpose. According to Gartner, DLPs simply don’t protect all data or cover all loss scenarios.
Additionally, DLPs are a pain to administer and maintain. Organizations struggle with their heavy kernel-based agents, the time-consuming data classification process, ongoing maintenance, and disconnects between data owners and DLP administrators.
Now, let’s take a look in depth at these challenges and limitations, which illustrate how DLPs are failing the modern organization.
Classification Challenges in the Era of Unstructured Data
Detecting and preventing the loss of data was a lot easier when there was less of it. Today, data discovery and classification is a very onerous process, because unstructured data grows every day. In fact, by 2022, it’s expected that 93% of all data will be unstructured. There’s no easy way to apply a data classification scheme when new documents, records, and pieces of data are created by the minute.
While it’s true that some organizations must classify their data in order to meet compliance mandates, data classification as a means to secure systems and prevent loss is not a winning strategy.
To illustrate how data classification challenges arise and why they lead to security gaps, let’s take a look at an example. Say a security or IT administrator at a large enterprise is tasked with classifying data across the organization. This person’s job is to know what’s going on with data at a granular level across the entire company, from marketing, to development, to operations and beyond. To do the job properly, the admin would have to reach out to each line of business not just daily but hourly and even up to the minute to find out which files are sensitive and classify them. With new documents being created all the time and unstructured data growing exponentially, this method is completely unrealistic.
Because perfect data classification is an impossible goal, data-centric DLP schemes are failing to protect today’s modern business against data loss. DLPs have proven to be ineffective at detecting and preventing data loss in today’s fast-paced, data-rich organizations.
Operational and Maintenance Hurdles
There are also quite a few operational and maintenance challenges that accompany the deployment and ongoing usage of DLPs. As a result, many organizations that deploy enterprise DLP systems struggle to move beyond the beginning phases of discovering and monitoring data, as Gartner has pointed out.
Deployment itself can be very complex, in many cases taking more than two years to fully complete. As you can imagine, that’s far too long for a competitive business today. For this reason, incomplete DLP deployments are common, and many administrators complain that, even after deployment, fine-tuning alerts is a never-ending process. False positives are also common, which adds to the operational burden of running a DLP.
Additionally, DLPs are well-known for their heavy, kernel-based agents, which are quite taxing on endpoints, and thus on end users. They often lead to system and app crashes, which can slow down productivity and frustrate users. It’s common for users to be forced to interrupt their days to restart machines after DLP-caused crashes. Security gaps can arise when users attempt to bypass DLPs for this reason. Finally, DLPs may also run up your organization’s machine overhead and even conflict with other security tools like antivirus software.
Because of these headaches, DLP agents often acquire a bad reputation around the organization, encouraging employees to skirt them altogether, which stokes conflict between the security or IT admins who manage the DLP and end users.
As you can probably tell, the operational and maintenance burdens that come along with DLPs often make them frustrating and impractical for organizations who want to run a lean, streamlined business.
Lack of Insider Threat Detection and Response
Additionally, 60% of all data leaks are carried out by insiders, with an estimated $5 million in costs per insider-caused security breach. Data classification schemes can’t do much to identify risky behavior, which is why DLPs often miss indicators of insider threats.
Moreover, DLP tools that work by regulating the exchange of network data are not designed to successfully catch or stop insider threats. They simply weren’t designed to do so.
As we mentioned above, if an insider knows how the DLP is implemented (which many technical users do), they are likely to be able to bypass it. In fact, one of ObserveIT’s customers, the CISO at a major global financial services organization, told us, “I haven’t seen an enterprise DLP my team can’t bypass in a matter of seconds.” That can spell real trouble if you’re relying on your DLP to monitor and stop data loss.
On top of being ineffective at catching insider threats and easy to bypass, DLPs also lack user activity monitoring and context about the movement of data, which means they have no investigational capabilities. They do not offer any visibility into what happened before, during, or after a data exfiltration incident. Without these types of actionable forensics, DLPs can actually increase the mean time to detection and response for an organization, as admins must spend their time painstakingly correlating logs to try to figure out what happened.
These shortfalls are obviously major problems and illustrate well how DLPs are failing today’s organizations.
In the next section, we’ll talk about an ideal future state in which security teams are able to effectively detect, prevent, and stop data loss.
A Vision for the Post-DLP World
As Gartner’s report, “It’s Time to Redefine Data Loss Prevention,” clearly illustrates, it’s time to take a more holistic approach to identifying and stopping data loss. Data protection needs to be built into all organizations’ security and compliance strategies from day one, and it needs to be executed in a way that takes the rapid proliferation of data and complexity of today’s technological landscape fully into account.
DLPs on their own are not up to the task. So what does a post-DLP world look like? What types of tools and technologies do teams need to invest in to fully protect their data against all types of loss, including insider threats? Let’s take a look.
“By 2020, 85% of organizations will have implemented some form of integrated DLP, up from 50% today.” (Gartner report)
Flexible and User-Centric
First of all, data loss prevention strategies need to be flexible and user-centric, as opposed to rigid and data-centric, the way DLPs are today.
Flexible prevention policies, rather than static data classification schemes, track files in use, in motion, and at rest. They identify common exfiltration points like file-copying, USB drive usage, printing, cloud storage (especially personal cloud storage) and emailing with or to personal accounts. All of these actions are likely indicators of data loss in progress. Applying a flexible rubric like this, rather than one that demands a static data classification scheme, is more likely to catch threats.
To put a fine point on it, user-centric strategies are focused more on user behavior than on data classification. They don’t focus so much on carefully cataloging which pieces of data are sensitive or at risk. Instead, they look for likely indicators of compromise.
To achieve the goal of being more flexible and user-centric, a tool like ObserveIT comes equipped with a built-in insider threat library. This out-of-the-box library of alerts enables prevention around the 200 most common insider threat indicators. This library contains a list of common user behaviors that indicate potential data compromise, and can be used for real-time capture and alerting whenever user behavior indicates risk.
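As an added illustration of the flexible, behavior-based policy this section describes (example code written for this edit, not ObserveIT’s product code), the following Python flags the exfiltration points listed above from a constructed stream of endpoint activity events and escalates a user whose indicators cluster in time; the event schema, the personal-domain lists and the thresholds are all assumptions.

```python
"""Behavior-based data loss indicators over constructed endpoint events.
Added example for this paper, not ObserveIT's code; the event schema, indicator
names, domain lists and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed lists: hosts treated as personal cloud storage and personal webmail.
PERSONAL_CLOUD = {"dropbox.com", "drive.google.com"}
PERSONAL_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}
PRINT_PAGE_THRESHOLD = 50             # pages in a single job (assumed)
BURST_WINDOW = timedelta(minutes=30)  # indicators this close together are related
BURST_COUNT = 3                       # escalate at this many inside the window

def classify(event):
    """Map one activity event to an indicator name, or None if in policy.
    Rules mirror the exfiltration points the paper lists (removable media,
    personal cloud, personal email, printing); no content classification."""
    kind = event["type"]
    if kind == "file_copy" and event.get("dest_device") == "removable":
        return "copy_to_removable_media"
    if kind == "upload" and event.get("host") in PERSONAL_CLOUD:
        return "upload_to_personal_cloud"
    if kind == "email":
        domain = event.get("recipient", "").rsplit("@", 1)[-1].lower()
        if domain in PERSONAL_MAIL:
            return "email_to_personal_account"
    if kind == "print" and event.get("pages", 0) >= PRINT_PAGE_THRESHOLD:
        return "large_print_job"
    return None

def detect_indicators(events):
    """Return {user: [(timestamp, indicator, file), ...]} in time order."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        name = classify(ev)
        if name:
            hits[ev["user"]].append((ev["ts"], name, ev.get("file")))
    return dict(hits)

def escalate(hits):
    """Users with BURST_COUNT or more indicators inside BURST_WINDOW; the whole
    window is returned so an investigator sees before, during and after."""
    flagged = {}
    for user, items in hits.items():
        for i, first in enumerate(items):
            window = [x for x in items[i:] if x[0] - first[0] <= BURST_WINDOW]
            if len(window) >= BURST_COUNT:
                flagged[user] = window
                break
    return flagged

T0 = datetime(2018, 6, 1, 9, 0)
EVENTS = [  # constructed sample telemetry, not real data
    {"ts": T0, "user": "alice", "type": "file_copy", "file": "q2.xlsx", "dest_device": "network_share"},
    {"ts": T0 + timedelta(minutes=5), "user": "bob", "type": "file_copy", "file": "customers.csv", "dest_device": "removable"},
    {"ts": T0 + timedelta(minutes=12), "user": "bob", "type": "upload", "file": "customers.csv", "host": "dropbox.com"},
    {"ts": T0 + timedelta(minutes=20), "user": "bob", "type": "email", "file": "customers.csv", "recipient": "bob.home@gmail.com"},
    {"ts": T0 + timedelta(minutes=25), "user": "alice", "type": "print", "file": "memo.docx", "pages": 2},
    {"ts": T0 + timedelta(hours=5), "user": "carol", "type": "print", "file": "roadmap.pdf", "pages": 120},
]
```

Running `escalate(detect_indicators(EVENTS))` returns only bob, whose removable-media copy, personal cloud upload and personal email of the same file fall inside one 30-minute window; carol’s single large print job is recorded as an indicator but not escalated.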
Difficult to Bypass
Additionally, you want to invest in tools that are difficult for users to bypass. If a DLP is onerous to use, then innocent and well-meaning users may discover a way to get around it, leaving you open to accidental data loss. If a user has more malicious intentions, then the ease with which they can bypass a DLP opens you up to intentional data exfiltration as well. As headlines illustrate, sensitive data can command a high price on the black market, tempting employees into selling it for personal gain.
The ease with which technical users are able to bypass DLP makes it a no-go for organizations who need a tool they can depend on to keep data secure.
A tool like ObserveIT, on the other hand, has a watchdog mechanism built in that makes it very difficult for users to kill the agent. If they do, the agent automatically restarts itself to ensure that it is always up and running. It also contains a self-monitoring system, so if a user does try to shut down the agent, an admin will be alerted immediately and can take action to prevent further risky behavior, whether intentional or accidental.
The strongest data loss prevention tools also have user education built in, so that employees and other users who try to act out of policy are not only immediately blocked from doing so, but also provided with information about what they are doing wrong. In some cases, this step acts as a deterrent against intentional data theft, but in many cases it simply serves as a helpful and in-context reminder of how to avoid putting the organization at risk. This knowledge contributes to an organization’s overall security and decreases the likelihood of a data loss scenario taking place.
Holistic and Continuous Monitoring
One of the major downsides of DLPs is that they only monitor logs. If an incident takes place, admins must sift through log files and try to piece together what happened with little to no context. Additionally, because they are focused on logs, DLPs are often not able to alert admins to data loss in real time, and even if an alert does fire, it’s quite common for it to be a false alarm due to the sensitivity and inaccuracy of data classification schemes.
A user activity-centric tool like ObserveIT provides holistic and continuous monitoring. It monitors user activity in depth, looking at data exfiltration points like cloud apps, USB insertions, and print jobs to identify insider threat indicators. It looks for examples of users taking data out through unauthorized channels, which is much more practical than data classification in terms of identifying real threats.
Moreover, ObserveIT is able to offer a holistic view of what happened before, during, and after an incident. This step provides the context necessary to respond quickly and accurately to the threat, offering irrefutable evidence of exactly what took place.
When an incident occurs, what would you rather have on hand to explain it to your boss? Low-level log files, or a holistic picture that is easy to articulate to anyone in the organization? Yet again, DLPs simply can’t keep organizations secure.
Lightweight and Streamlined, for Rapid ROI
As we explained in detail earlier, DLPs are difficult to deploy and fine-tune, and their agents are heavy on the endpoint, leading to blue screens, crashes, and failures that make it hard to get work done.
A modern data loss prevention strategy needs to be lightweight, with minimal impact on endpoints. It all starts with deployment. A tool like ObserveIT has a silent install and does not require a reboot to get going, meaning it takes just a few days to completely deploy, vs. up to two years with a traditional DLP.
Additionally, as compared to a kernel-based DLP agent, ObserveIT runs in user mode with little to no impact on the end user. In most cases, users won’t even realize ObserveIT is there, given its 1% CPU impact to end users and ability to run in full stealth mode. The lightweight agent resolves performance issues, which means that users won’t be looking for ways around it (and, as we mentioned earlier, it’s much more difficult to bypass than a traditional DLP).
ObserveIT altogether eliminates the time-consuming troubleshooting and maintenance processes that go hand-in-hand with DLP, meaning you can realize a rapid return on investment, rather than sinking years of administrators’ time and energy into an incomplete DLP deployment.
Time to value is a key metric for IT and security teams, since they are often seen as cost centers by the larger business. ObserveIT is able to complete a standard proof of concept in an hour, with a full pilot taking no more than one to two weeks before administrators are able to realize the value of deployment.
Decreased Time to Detect and Remediate Incidents
Finally, as we have touched on briefly above, DLPs fall behind when it comes to actually remediating a data loss incident. By their very nature, they are not able to provide context or investigational capabilities. In practice, while a DLP might alert you to an incident, it won’t help you do anything about it.
To actually address a data loss incident, user activity-centric detection and investigation tools are necessary. A tool like ObserveIT provides the sort of context that is necessary to rapidly detect and remediate incidents, driving down mean times to resolution. ObserveIT reduces incident response times, often even catching an insider-caused incident in progress (which can slip right past DLPs), because it is laser-focused on actual indicators of compromise.
Moreover, because ObserveIT is easily integrated into a broader security ecosystem, it decreases security teams’ workloads by providing necessary context when it’s time to conduct forensics. Combing through log files from a DLP can only slow down incident response times, and in today’s climate of frequent and business-endangering breaches, that kind of lost time is difficult to afford.
Building A Realistic Data Loss Prevention Strategy
To sum it up, today’s security and IT teams are looking for a new way to stop data loss because current DLP solutions have proven time and time again to be ineffective. Many teams have also recognized that complete data loss prevention may not even be attainable, which calls into question the value of investing in a traditional data loss prevention solution. At ObserveIT, we believe complete data loss prevention is an unrealistic expectation and that modern security teams are, and should be, shifting away from prevention to detection and response.
Data loss is, at its core, a people problem, not a systems problem. This means the best strategy to identify, stop, and remediate data loss incidents is one that puts user activity at its center.
Proactive security organizations recognize that DLPs are failing for all of the reasons that we have explored in this paper. They may help you check compliance boxes, but they aren’t able to protect against insider threats and other common causes of data loss, nor are they sufficient to the tasks of investigation or response. The way forward is to adopt a new security paradigm altogether, one that is user-centric, holistic, and streamlined. Only when organizations begin to invest in strategies that take today’s enormous and complex technological landscape fully into account will we begin to see a decrease in data loss.
Ready to bring your data loss prevention strategy into the modern era?
Test Drive ObserveIT Today
©2018 ObserveIT. All rights reserved.
All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for information purposes only.