Why Data Loss Prevention and Insider Threat Management Are Converging


Data Loss Prevention (DLP) and Insider Threat Management (ITM) are like two sides of a coin. The primary objective of both sets of technology is to prevent data loss and misuse of data. DLP monitors file activity and leverages content scanning to determine whether users are handling sensitive data according to corporate policy. ITM monitors user activities such as application usage, user input/output, website access and file movement. It also captures screenshots of high-risk activity for visual evidence to accelerate investigations.

In the 2022 Market Guide for Data Loss Prevention, Gartner® points out that there is a “convergence of DLP with insider risk management solutions.” Gartner states, “apart from providing the content-inspection capabilities, these solutions also analyze day-to-day behavior of the users and thus enrich DLP events with contextual analysis. They track who, what, when, where and how for any data exfiltration scenarios.”

Let’s take a more detailed look at what drove the adoption of these technologies and why these technologies are converging.

Traditional drivers of DLP

  • Compliance with data regulations: Across the globe, governments and regulators are tightening or implementing strict privacy rules. Regulation standards dictate how organizations can use, collect, store, and distribute this data. Data privacy regulations aim to protect customer data such as social security numbers, credit card numbers (PCI), personal medical information (PHI), and other personally identifiable information (PII) from unethical use and distribution to third parties. To that effect, regulators are also forming governing bodies such as the California Privacy Agency and applying heavy penalties. For example, the General Data Protection Regulation (GDPR) calls for fines of up to 10 million euros or 2% of the company’s worldwide annual revenue. DLP helps organizations understand and secure the location, flow and usage of regulated data across the enterprise.
  • Intellectual property (IP) protection: Protecting intellectual property and trade secrets from theft or external disclosure is necessary to stay competitive in many industries such as manufacturing, telecommunications, biotechnology, pharma, high technology, chemical, fintech, etc. For tech companies, IP can take the form of patents or proprietary source code. For the manufacturing and automotive industry, it can be CAD design files. And for the chemical industry, it can be formulas. Industrial espionage and data leakage can result in lost sales and profits, reputational damage and jobs lost to other countries.

Modern drivers of DLP and insider risk management

  • Digital transformation: With the digitization of business processes such as sales, HR and product development, employees have access to more sensitive data through more channels than before. Not only is more data being generated, but it can also be accessed on a laptop, through collaboration tools like Box or Microsoft Teams, or via a mobile app. Higher mobility of data and proliferation of channels open the door for external hackers and malicious insiders to leverage security differences between channels for data theft. Today’s CISO is looking at DLP as an important signal that can be fed into a security analytics service and contextualized appropriately.
  • Information is becoming more diverse: Traditional DLP systems worked on very tightly defined patterns (such as a group of 16 digits passing the Luhn checksum formula, which indicated a valid payment card number). Even within these bounds, DLP systems were considered “noisy,” generating a high number of false alerts. Today, key business information can be graphical (for example, the latest creative output for a movie), tabular (a set of key financial figures), or source code. In addition, operating system features such as Windows Alternate File Streams (AFS) make it challenging for some simple DLP systems to detect and report problematic content accurately.
  • Remote work: Employees and contractors work from anywhere and everywhere, whether at home, in the office, or from a café. With remote work, security teams have lost visibility. Remote workers do not fear their managers looking over their shoulders. This sense of isolation and insulation from the requirements and consequences of professional corporate life gives additional weight to the need for CISOs to form effective stakeholder partnerships with HR and Finance through formal insider threat management programs.
  • Employee turnover: Employees are leaving and joining organizations at an unprecedented rate. The global pandemic has been a catalyst for employees to evaluate their current situation and make a change. While some companies are laying off employees due to M&A or divestiture, the trend is the same: employees are coming and going, creating risk of data exfiltration, infiltration and sabotage.
  • Resource shortage: The lack of security talent has left many organizations under-resourced when it comes to data protection. Although automated policy enforcement is available, many security teams do not leverage the prevention capabilities of DLP for fear of interrupting a critical business process. Since content-focused policies are not enough to identify high-risk activities and employees, additional signals such as visibility into résumé editing and time spent on job sites can be an early indicator of insider risk and accelerate investigations, saving time and resources.
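To make the "tightly defined pattern" and "noisy" points above concrete, here is an added example (not code from the original post or from Proofpoint) of a legacy-style payment-card detector: a 16-digit run that passes the Luhn checksum is flagged, and the constructed sample lines show how a shipment reference that happens to satisfy Luhn produces a false alert unless some context is required. The sample lines, the context terms and the function names are all assumptions made for the illustration.

```python
import re
from typing import List

# Constructed sample lines (not real data): a card number that passes Luhn,
# an order reference that also happens to pass Luhn, and a serial that fails.
SAMPLE_LINES = [
    "Customer paid with card 4111111111111111 exp 09/25",
    "Shipment ref 1234567812345670 dispatched from warehouse B",
    "Serial 1234567812345678 logged by the asset inventory job",
]

# 16 digits, optionally grouped in fours, not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d{4}[ -]?){3}\d{4}(?!\d)")
# Assumed context terms a DLP policy might require near a card-like number.
CONTEXT = re.compile(r"\b(card|visa|mastercard|exp|cvv)\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string satisfies the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def pattern_only(line: str) -> List[str]:
    """Legacy-style rule: flag every 16-digit run that passes Luhn."""
    hits = []
    for m in CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def with_context(line: str) -> List[str]:
    """Same rule, but only fire when a card-related term is also present."""
    if not CONTEXT.search(line):
        return []
    return pattern_only(line)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{line!r}: pattern={pattern_only(line)} context={with_context(line)}")
```

Running it shows the second line flagged by the pattern-only rule (a false alert on a shipment reference) and suppressed once context is required; it also shows why such a rule says nothing about CAD files, spreadsheets or source code.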

How Proofpoint’s converged DLP and ITM platform can help

Proofpoint is recognized as a Representative Vendor in both the 2022 Gartner Market Guide for Data Loss Prevention and the 2022 Gartner Market Guide for Insider Risk Management. We provide a converged platform to address data loss and insider threats:

  • Proofpoint’s people-centric approach to DLP provides greater visibility and context on who, what, when, where and how for any data loss scenario. These include accidental misuse, compromised credentials and malicious intent. With our single lightweight agent, we not only monitor everyday users for sensitive data activity but can expand monitoring to gain visibility into risky user activity and gather visual evidence of such activity. This allows us to triage alerts, accelerate investigations and automate remediation rapidly.
  • Our platform offers rich context on threats and user behavior in addition to content inspection capabilities for investigations. We incorporate user and entity behavior analytics (UEBA) in our solution to address the key people-centric data loss scenarios such as compromised users. Our solution includes data lineage tools such as a file timeline for visibility and a user timeline for context on user intent. Context helps detect data loss early and accelerate investigations.
  • Our cloud-native, cross-channel and contextual solution addresses the many shortcomings of legacy approaches to DLP as well as integrated DLP. It provides comprehensive visibility and protection across today’s key data loss channels – cloud, email, and endpoint. It provides policy uniformity and eliminates the opportunity for determined bad actors to leverage differences between channels to facilitate data theft.
  • In addition, our People-Centric Managed Services can partner with organizations to design their DLP and ITM programs, successfully implement and manage a converged solution, augment their staff and improve their data security posture.

Learn more

To learn more about how Proofpoint Enterprise DLP and Proofpoint ITM can help you protect against data loss and insider threats, please view our 2-minute demo video and visit the ITM hub.

During Insider Threat Awareness Month, learn more about approaches to managing insider threats by listening to a fireside chat with Pfizer on September 29, 2022.

Gartner, Market Guide for Data Loss Prevention, Ravisha Chugh, Andrew Bales, July 19, 2022

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.