The traditional approach to data loss prevention (DLP) is no longer as effective in today’s work-from-anywhere world—at least, not as a standalone solution.
A DLP solution helps ensure that users don’t send sensitive data—regulated data, intellectual property and other sensitive business information—out of the organisation in a manner that’s risky or out of policy. A traditional DLP solution focuses on data in use, in motion and at rest, but lacks the necessary context around that data, especially about the users interacting with it.
Herein lies the challenge: Without insight into how users interact with data inside and outside an office, how can an organisation determine if its sensitive data is at risk? This is where legacy DLP solutions fail to combine content awareness with behavioural and threat context.
Organisations need to take a people-centric approach to information protection to be most effective. After all, recent research shows that more than 90% of successful cyber attacks require some level of human interaction.
People centricity refers to data privileges, user behaviour and user-specific, external threat context. A unified solution brings that people-centric visibility, detection, prevention and response across all modern data loss channels, namely cloud, web, email and endpoints. And a cloud-native architecture behind such a solution enables scale, compliance, extensibility, security and privacy to meet the needs of large, complex and regulated organisations.
Outlined below are the top four use cases that motivate organisations to come to Proofpoint seeking this modern approach to DLP:
1. Detecting and preventing account compromise with threat context
As the world has shifted to a remote work environment and accelerated cloud adoption, organisations have seen trusted accounts, domains and apps become a significant source of cloud attacks.
According to Proofpoint cloud threat research, 95% of organisations experienced brute force or phishing-based attacks in 2020. And more than half (52%) of those organisations had at least one compromised cloud account. After compromising an account, threat actors commonly expand their footprint by sending phishing emails to internal and external users from the “trusted account”. This explains the widespread nature of cloud account compromise.
Cyber criminals heavily target Microsoft 365 and Google Workspace accounts because they hold the key to business communication and valuable data. It’s a fruitful strategy: Proofpoint research finds that users are seven times more likely to click on malicious SharePoint Online and OneDrive links hosted on legitimate Microsoft domains.
Third-party OAuth apps have also become a growing attack surface and vector. Many of these apps request broad permissions to access and manage user information and data, and to sign into other cloud apps on the user’s behalf. In a 2020 study of more than 20 million active cloud users, Proofpoint researchers found that 10% of organisations had malicious OAuth apps in their cloud environments.
Legacy DLP solutions don’t collect any threat context information. This leaves them blind to data movement involving compromised user accounts and identities. Fraud and data exfiltration through compromised users will look legitimate to such solutions.
A modern DLP solution helps organisations to move quickly to detect and revoke malicious third-party apps and block known threat actors and malicious IP addresses that could lead to account compromise.
2. Detecting and preventing data loss
A projected total of $1.64 billion in DLP spending worldwide underscores just how concerned organisations are about data loss. In our 2021 Voice of the CISO Report, CISOs reported that the cybersecurity threats they’re most concerned about include business email compromise (BEC) (34%), cloud account compromise (33%) and insider threats (31%).
Traditional DLP tools require extremely precise policies that can often get in the way of productivity. In fact, nearly 70% of respondents to a recent survey reported that three in every four incident alerts they investigate within their traditional DLP solution are false positives. This generates complaints from the security team and can create alert fatigue, leading to a slower response to real threats.
Another challenging factor: Without trustworthy, automated classification and monitoring of new data and devices, the burden of keeping the organisation’s DLP rules up to date falls to the users. And most CISOs would agree that human error is their organisation’s biggest cyber vulnerability.
A modern approach to DLP adapts its detection, prevention and response to the risky user—malicious, negligent or compromised—and to sensitive data, whether it’s regulated data, intellectual property or other sensitive business information. Organisations that adopt a modern approach to DLP can meet compliance needs and protect sensitive business information across email, cloud and endpoints, without burdening their security teams with maintenance nightmares and heavyweight endpoint products.
3. Monitoring insider risks and behavioural context
There are three unique types of insider risks—accidental, negligent and malicious—and they all have one thing in common: people.
According to the Ponemon Institute study “2020 Cost of Insider Threats: Global”, the average global cost of insider threats rose by 31% from 2018 to 2020 to $11.45 million. The frequency of incidents spiked by 47% during the same time frame.
These trends haven’t gone unnoticed. Forty-two percent of CISOs reported that the purposeful leaking of data or intellectual property is the greatest threat posed by employees (malicious). An almost equal percentage of CISOs (41%) said they fear users will click on malicious links or download compromised files (accidental). And 40% of CISOs said they’re wary of phishing, the use of unauthorised applications and poor password hygiene (negligent).
Legacy DLP solutions provide no behavioural awareness before, during or after risky data movement—let alone any analytics of risky user behaviour. Legacy tools can’t help you answer the “who, what, where, when and why” behind an alert. Instead, they overburden security teams with alert fatigue and management headaches.
A modern approach to insider threats gives people-centric insight into data movement and user activity to answer the “who, what, where, when” and intent questions around security alerts and events in real time. That empowers security teams to protect against data loss, monitor insider threats and accelerate their response to user-driven incidents.
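The two gaps described above (no threat context for compromised accounts, no behavioural context for risky users) can be illustrated with a small triage routine. The following is an added example, not Proofpoint code: it takes a content-only DLP alert, layers constructed threat signals (compromised-account flag, broad-scope OAuth grants, logins from unseen countries) and a behavioural baseline on top, and returns a risk tier together with the “who, what, where, when and why” an analyst would want. Every field name, weight, domain and app name is an assumption chosen for the example.

```python
"""Added example, not Proofpoint code: triage a content-only DLP alert by
adding threat context (is the account compromised?) and behavioural context
(is this user's activity abnormal?). All inputs are constructed samples and
every field name, weight and threshold is an assumption."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

INTERNAL_DOMAIN = "example.com"                               # constructed
PERSONAL_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com"}  # constructed list
CLASS_WEIGHT = {"regulated": 3, "ip": 3, "confidential": 2, "public": 0}
STATE_MULTIPLIER = {"compromised": 2.0, "flight-risk": 2.0, "anomalous": 1.5, "normal": 1.0}


@dataclass
class DlpAlert:
    user: str
    channel: str         # email | cloud | endpoint | web
    classification: str  # key of CLASS_WEIGHT
    destination: str     # recipient address or "usb:<path>" for removable media
    when: datetime


@dataclass
class ThreatContext:
    compromised_account: bool = False
    broad_scope_oauth_apps: list = field(default_factory=list)
    logins_from_new_countries: int = 0


@dataclass
class BehaviourContext:
    baseline_daily_files_out: float = 0.0
    files_out_today: int = 0
    leaving_within_30_days: bool = False


@dataclass
class Verdict:
    tier: str
    score: float
    five_ws: dict


def destination_weight(destination):
    """0 for internal, 1 for external business, 2 for personal webmail or USB."""
    if destination.lower().startswith("usb:"):
        return 2
    domain = destination.rsplit("@", 1)[-1].lower()
    if domain == INTERNAL_DOMAIN:
        return 0
    return 2 if domain in PERSONAL_WEBMAIL else 1


def user_state(threat, behaviour):
    """Classify the actor from threat signals first, then behaviour."""
    reasons = []
    if threat.compromised_account:
        reasons.append("account flagged as compromised")
    if threat.broad_scope_oauth_apps:
        reasons.append("broad-scope OAuth apps granted: " + ", ".join(threat.broad_scope_oauth_apps))
    if threat.logins_from_new_countries >= 3:
        reasons.append(f"{threat.logins_from_new_countries} logins from previously unseen countries")
    if reasons:
        return "compromised", reasons
    spike = (behaviour.baseline_daily_files_out > 0
             and behaviour.files_out_today >= 3 * behaviour.baseline_daily_files_out)
    if spike:
        reasons.append(f"{behaviour.files_out_today} files out today vs baseline "
                       f"{behaviour.baseline_daily_files_out:.1f}/day")
        if behaviour.leaving_within_30_days:
            reasons.append("user is leaving within 30 days")
            return "flight-risk", reasons
        return "anomalous", reasons
    return "normal", ["no threat or behaviour signals"]


def tier_for(score):
    if score >= 8:
        return "critical"
    if score >= 5:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def content_only_tier(alert):
    """What a legacy, content-only DLP rule sees: data class plus destination."""
    return tier_for(CLASS_WEIGHT[alert.classification] + destination_weight(alert.destination))


def triage(alert, threat, behaviour):
    """People-centric verdict: content score scaled by the user's state."""
    base = CLASS_WEIGHT[alert.classification] + destination_weight(alert.destination)
    state, reasons = user_state(threat, behaviour)
    score = base * STATE_MULTIPLIER[state]
    five_ws = {
        "who": f"{alert.user} ({state})",
        "what": alert.classification,
        "where": f"{alert.channel} -> {alert.destination}",
        "when": alert.when.isoformat(),
        "why": reasons,
    }
    return Verdict(tier_for(score), score, five_ws)


# Constructed sample inputs.
ALERT = DlpAlert("alice@example.com", "email", "regulated", "alice.home@gmail.com",
                 datetime(2021, 6, 2, 9, 12, 5, tzinfo=timezone.utc))
COMPROMISED = ThreatContext(broad_scope_oauth_apps=["MailSync Pro"], logins_from_new_countries=3)
QUIET = BehaviourContext(baseline_daily_files_out=4.0, files_out_today=3)
PARTNER_ALERT = DlpAlert("bob@example.com", "cloud", "ip", "cfo@partner.example",
                         datetime(2021, 6, 2, 11, 0, tzinfo=timezone.utc))
SPIKE = BehaviourContext(baseline_daily_files_out=4.0, files_out_today=15)

if __name__ == "__main__":
    print(content_only_tier(ALERT), "->", triage(ALERT, COMPROMISED, QUIET).five_ws)
```

The same alert scores “high” on content alone but “critical” once the OAuth grants and unfamiliar logins are known, while the partner-bound IP alert moves from “medium” to “high” only because of the volume spike; the tiers are illustrative, the point is that the multiplier comes from the user, not the file.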
4. Incident response
Despite the significant spending on incident response solutions worldwide, it still takes 77 days, on average, to resolve insider threats. Security teams are burdened with high rates of false-positive alerts, and they’re forced to analyse disparate logs for context—all while under intense time constraints and the pressure to “get it right”.
Investigations into data loss, account compromise and insider threats require visibility across all activity by users, organised in a timeline, and at the fingertips of the security team. With that visibility, you can answer the “who, what, where, when and why” behind every user-driven security incident. And you can share the evidence of wrongdoing with your teams, including legal, IT, human resources, business units and others, in easy-to-understand and organised formats.
No more asking IT for application logs or manually correlating activity or translating technical jargon for nontechnical teams. A modern DLP and insider threat management (ITM) platform can solve these issues—and help accelerate your response to any user-driven security event or incident.
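The timeline the two paragraphs above describe is essentially a normalisation and merge problem: logs from each channel have their own shape and their own notion of “user”. The following is an added example, not Proofpoint code, that stitches three constructed log formats (an email gateway CSV-style line, a cloud audit JSON record and a syslog-style endpoint agent line) into one per-user, time-ordered timeline and cuts a window around an alert. The formats, field names, identity map and the assumed year for the year-less syslog lines are all assumptions.

```python
"""Added example, not Proofpoint code: build one per-user timeline from three
differently shaped logs (email gateway, cloud audit, endpoint agent) and cut
a window around an alert. All log lines and the identity map are constructed
samples; the field names and formats are assumptions."""
import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ASSUMED_YEAR = 2021  # assumption: syslog-style endpoint lines carry no year
# Constructed mapping from local endpoint usernames to the directory identity.
IDENTITY_MAP = {"alice": "alice@example.com", "bob": "bob@example.com"}


@dataclass(order=True)
class Event:
    ts: datetime
    user: str
    channel: str
    action: str
    detail: str


def _iso(stamp):
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def parse_email(line):
    # Constructed format: <ts>,sender=...,recipient=...,subject=...,attachments=N
    stamp, *pairs = line.split(",")
    kv = dict(p.split("=", 1) for p in pairs)
    detail = f"to {kv['recipient']} subject={kv['subject']!r} attachments={kv['attachments']}"
    return Event(_iso(stamp), kv["sender"], "email", "send", detail)


def parse_cloud(line):
    # Constructed format: one JSON object per line.
    rec = json.loads(line)
    return Event(_iso(rec["ts"]), rec["actor"], "cloud", rec["op"], rec["object"])


SYSLOG = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (\S+) (\S+): (.*)$")


def parse_endpoint(line):
    # Constructed format: syslog header followed by key=value pairs.
    m = SYSLOG.match(line)
    if m is None:
        raise ValueError(f"unrecognised endpoint line: {line!r}")
    stamp, host, _proc, rest = m.groups()
    kv = dict(re.findall(r"(\w+)=(\S+)", rest))
    ts = datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR, tzinfo=timezone.utc)
    user = IDENTITY_MAP.get(kv["user"], kv["user"])  # stitch local account to identity
    return Event(ts, user, "endpoint", kv["action"], f"{kv['src']} -> {kv['dst']} on {host}")


def build_timeline(user, email_log, cloud_log, endpoint_log):
    """Normalise every source, keep one user's events and sort them by time."""
    events = ([parse_email(l) for l in email_log]
              + [parse_cloud(l) for l in cloud_log]
              + [parse_endpoint(l) for l in endpoint_log])
    return sorted(e for e in events if e.user == user)


def around(events, centre, minutes=10):
    """Events within +/- minutes of the alert time."""
    window = timedelta(minutes=minutes)
    return [e for e in events if abs(e.ts - centre) <= window]


def render(events):
    return [f"{e.ts:%Y-%m-%d %H:%M:%S}Z [{e.channel}] {e.action}: {e.detail}" for e in events]


# Constructed sample logs.
EMAIL_LOG = [
    "2021-06-02T09:12:05Z,sender=alice@example.com,recipient=alice.home@gmail.com,subject=Q2 forecast,attachments=1",
    "2021-06-02T10:00:00Z,sender=bob@example.com,recipient=cfo@example.com,subject=Lunch,attachments=0",
]
CLOUD_LOG = [
    '{"ts":"2021-06-02T08:00:10Z","actor":"alice@example.com","op":"UserLoggedIn","object":"Microsoft 365"}',
    '{"ts":"2021-06-02T09:05:40Z","actor":"alice@example.com","op":"FileDownloaded","object":"/Finance/Q2-forecast.xlsx"}',
    '{"ts":"2021-06-02T09:06:00Z","actor":"bob@example.com","op":"FileDownloaded","object":"/HR/handbook.pdf"}',
]
ENDPOINT_LOG = [
    r"Jun 02 09:15:22 host7 fsmon: user=alice action=copy src=C:\Users\alice\Downloads\Q2-forecast.xlsx dst=E:\Q2-forecast.xlsx",
]
ALERT_TIME = datetime(2021, 6, 2, 9, 12, 5, tzinfo=timezone.utc)  # time of the email DLP alert

if __name__ == "__main__":
    timeline = build_timeline("alice@example.com", EMAIL_LOG, CLOUD_LOG, ENDPOINT_LOG)
    for line in render(around(timeline, ALERT_TIME)):
        print(line)
```

Run stand-alone, the window around the email alert shows the cloud download, the outbound email and the copy to removable media in order, with the unrelated user and the earlier login filtered out; the identity map is what lets the local endpoint account and the cloud identity appear as one person.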
Adopting a modern DLP solution
Many organisations have rapid digital transformation in sight. But as operations scale and globalise, the technology used to protect the business and its customers must also mature.
Remote collaboration and workplace application sprawl demand solutions that proactively monitor and prevent data loss across endpoints, while also taking cloud access and third-party apps into account.
The Proofpoint Cloud App Security Broker (CASB), Browser Isolation and Email DLP solutions can help your teams detect and prevent account compromise and keep your data safe while users interact with sensitive data and applications on email and cloud channels.
With the Proofpoint Enterprise DLP suite, your teams can detect and prevent data loss across regulated data, intellectual property and sensitive business information, whether the user moving the data is malicious, compromised or negligent. And the Proofpoint ITM solution will help them monitor and detect insider risks and respond to insider threats appropriately.
Also, each product on the Proofpoint Information and Cloud Security Platform will help reduce your mean time to repair (MTTR) and improve your efficiency in responding to the various security issues described earlier. Combined, these products can help you speed your response when data loss, account compromise and insider threat incidents span multiple channels.
All of these things are possible because of our unique people-centric visibility and controls across channels, and our consolidated solution and cloud-native architecture. The modern solutions for DLP that Proofpoint provides keep scalability, ease of use, security and extensibility at the forefront to allow organisations to push forward without compromising their data security.
For a deeper dive into the modern use cases for DLP and to learn how these capabilities can safeguard your organisation, download our e-book, “Redefining DLP”.