Data loss prevention (DLP) makes sure that users do not send sensitive or critical information outside the corporate network. The term describes software products that help a network administrator control the data that users can transfer. DLP products use business rules to classify and protect confidential and critical information so that unauthorized users cannot accidentally or maliciously share data, which would put the organization at risk. For example, if an employee tried to forward a business email outside the corporate domain or upload a corporate file to a consumer cloud storage service like Dropbox, the employee would be denied permission.
Organizations are adopting DLP because of insider threats and rigorous data privacy laws, many of which have stringent data protection or data access requirements. In addition to monitoring and controlling endpoint activities, some DLP tools can also be used to filter data streams on the corporate network and protect data in motion.
Here is how to initiate a successful DLP deployment:
Not all data is equally critical. Every organization has its own definition of critical data. The first step is to decide which data would cause the biggest problem if it were stolen. DLP should start with the most valuable or sensitive data that is likely to be targeted by attackers.
Classify the data
A simple, scalable approach is to classify data by context. This means associating a classification with the source application, the data store or the user who created the data. Applying persistent classification tags to the data allows organizations to track their use. Content inspection is also useful. It examines data to identify regular expressions, such as Social Security and credit card numbers or keywords (example: “confidential”). Content inspection often comes with pre-configured rules for PCI, PII, and other standards.
Understand when data is at risk
There are different risks associated with data distributed to user devices or shared with partners, customers and the supply chain. In these cases, the data is often at highest risk at the moment it is in use on endpoints. Examples include attaching data to an email or moving it to a removable storage device. A robust DLP program must account for the mobility of data and when data is at risk.
Monitor data in motion
It is important to understand how data is used and to identify behavior that puts data at risk. Organizations need to monitor data in motion to gain visibility into what’s happening to their sensitive data and to determine the scope of the issues that their DLP strategy should address.
Communicate and develop controls
The next step is to work with business line managers to understand why this risky behavior is happening and to create controls for reducing data risk. At the beginning of a DLP program, data usage controls may be simple. Controls can target common behaviors that most line managers would agree are risky. As the DLP program matures, organizations can develop more granular, fine-tuned controls to reduce specific risks.
Train employees and provide continuous guidance
Once an organization understands when data is moved, user training can reduce the risk of accidental data loss by insiders. Employees often don’t recognize that their actions can result in data loss and will do better when educated. Advanced DLP solutions offer user prompting to inform employees of data use that may violate company policy or increase risk. This is in addition to controls to outright block risky data activity.
Some organizations will repeat these steps with an expanded data set or extend data identification and classification to enable fine-tuned data controls. By initially focusing on securing a subset of the most critical data, DLP is simpler to implement and manage. A successful pilot program will also provide options for expanding the program. Over time, a larger percentage of sensitive information will be included, with minimal disruption to business processes.
How DLP Works
DLP solutions work in two ways: analyzing data for contextual content, and analyzing content based on string matches. As in natural language, words have meaning based on context. Your DLP solution can filter out attacks based on words, but it also needs to understand those words based on how they are formatted and built into communication. This technique is especially important in email cybersecurity and DLP.
Your DLP solution will work using the following strategies:
- Regular expression matching: DLP solutions match specific data patterns, such as 16-digit credit card numbers in email or 9-digit telephone numbers, to determine whether a communication contains sensitive data.
- Structured data fingerprinting: Data stored in a database can be analyzed for specific sensitive data to determine if it’s properly protected.
- File checksum analysis: Determine whether file content has changed by using hashing algorithms to output hashes of the file data and comparing the hashes from each time the file was saved.
- Partial data matching: Using this strategy, the DLP solution performs a match on some data such as finding forms and templates filled out by multiple people.
- Lexicon matches: Unstructured data can be analyzed using dictionary terms and other rule-based matches to detect sensitive information.
- Statistical analysis: Using machine learning and advanced methods, DLP solutions will detect more obscure sensitive information that cannot be found using other methods.
- Categorization: By categorizing data, the DLP solution can determine if data is highly sensitive and violates compliance regulations.
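The regular expression and lexicon strategies above, and the content inspection described under "Classify the data", shown as an added Python example (not code from any DLP product). The Luhn checksum filter, the keyword list, the verdict names and the sample messages are assumptions made for this illustration.

```python
import re

# Patterns and keyword list are constructed for this example, not a vendor rule set.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")   # 16 digits, optional space/dash separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")    # US Social Security number, dashed form
LEXICON = ("confidential", "internal only", "trade secret")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: rejects random 16-digit strings such as order IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def inspect(text: str) -> dict:
    """Return masked findings and a block/prompt/allow verdict for one message."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            # Log only the last four digits so the DLP log does not leak the number.
            findings.append(("card_number", "*" * 12 + digits[-4:]))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", "***-**-" + m.group()[-4:]))
    lowered = text.lower()
    findings += [("keyword", term) for term in LEXICON if term in lowered]
    kinds = {kind for kind, _ in findings}
    if kinds & {"card_number", "ssn"}:
        verdict = "block"    # regulated identifiers: stop the transfer
    elif kinds:
        verdict = "prompt"   # keyword only: warn the user instead of blocking
    else:
        verdict = "allow"
    return {"verdict": verdict, "findings": findings}

# Constructed sample messages (test card number, made-up SSN and order ID).
SAMPLES = [
    "Please charge card 4111 1111 1111 1111 for the renewal.",
    "Order reference 1234567812345678 shipped today.",
    "Attached is the CONFIDENTIAL roadmap draft.",
    "Employee SSN on file: 123-45-6789",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(inspect(msg))
```

The second sample shows why a bare 16-digit regex is not enough: the order reference matches the pattern but fails the checksum, so it is allowed rather than raising a false positive.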
Why Is DLP Important?
The cost of a data breach averages $4.25 million per incident, but the long-term damage to the brand name can affect future revenue for years. Businesses fall victim to cyber-attacks every 11 seconds, and for this reason DLP solutions are more important than ever. It’s difficult for administrators to defend the environment from numerous risks, so DLP solutions detect potential attacks and other anomalies.
The DLP solution that you choose will work along with strategies to reduce risk. Risk can never be reduced by 100%, so DLP solutions detect sophisticated attacks that bypass your cybersecurity defenses. They also keep your environment compliant so that the organization avoids hefty fines for regulation violations.
Why Do Organizations Need DLP?
A DLP solution solves many of today’s cybersecurity and compliance challenges that cannot be resolved without help. Administrators continually chase the latest threats to find the right solution to detect and stop them. You need a DLP for:
- Compliance: Several compliance regulations require monitoring and data protection. If your organization must follow HIPAA, PCI-DSS, GDPR, or any other compliance standards, a DLP solution helps your organization stay within guidelines.
- IP protection: It’s not uncommon for organizations to store intellectual property in document files, and a DLP will stop attackers from accessing and stealing trade secrets.
- Visibility into your data: Tracking data both at-rest and in-transit is a compliance requirement, and it helps organizations understand the types of data stored across endpoints.
Types of DLP Solutions
Because attackers have numerous ways to steal data, the right DLP solution includes detection that covers the many ways data can be disclosed. The types of DLP solutions include:
- Email: Protect your business from phishing and social engineering by detecting incoming and outgoing messages.
- Endpoint management: For every device that stores data, an endpoint DLP solution will monitor data when devices are connected to the network or offline.
- Network: Data in-transit on the network should be monitored so that administrators are aware of any anomalies.
- Cloud: With more employees working from home, administrators leverage the cloud to provide services to at-home staff. A cloud DLP solution will ensure that data stored in the cloud is monitored and protected.
As the cybersecurity landscape changes, organizations must keep up with the latest trends. The trends in security can be difficult to track, but a DLP solution will keep the organization compliant and on track with effective monitoring. DLP adoption continues to grow because:
- CISO roles: Organizations see the importance of a Chief Information Security Officer (CISO) who will often suggest adopting DLP solutions.
- Compliance regulations: Standards to protect data change as the cybersecurity landscape changes, and a DLP solution is adopted to help bring data protection up to those standards.
- Additional endpoints: Data in the cloud and on user devices adds risk to the environment, but a DLP solution will monitor the potentially thousands of endpoints across the cloud and internally to ensure data is protected.
As with any integration, DLP deployments need the right strategy to avoid costly mistakes and downtime. Before deploying your DLP solution, here are a few tips to consider:
- Define business requirements: Before deploying a solution, you should define the business requirements behind the deployment strategy. The business requirements will help start a plan that will create a smoother deployment process.
- Define security requirements: Compliance and other cybersecurity standards will also define the way DLP solutions are deployed. Use these standards to determine the ways data should be monitored and protected.
- Audit infrastructure: You need to know where data is stored and where it’s transferred. DLP solutions protect data at-rest and in-transit, so this planning step will discover endpoints and data storage points.
- Determine responsibilities: Every IT staff member must be involved in deployments so that they understand changes and can support customer questions. It also helps with remediation of bugs.
- Communicate with documentation: Document changes to the environment and any procedures that should be followed. Documentation avoids mistakes when staff do not know what changes were made to the environment and the way DLP works to monitor data.
DLP Tools and Technology
Before choosing a DLP provider, you need to find one that has the tools and technology necessary for efficient tracking, detection, and remediation. To find the right vendor, ask the following questions:
- Does the vendor support the operating systems installed on your systems?
- Do they have the deployment options necessary for reduced downtime?
- Does the provider defend against internal and external threats?
- Is classification of data done by the provider or do users classify documents?
- Is your data mainly structured or unstructured?
- Do you need protection for data at-rest and in-transit?
- What compliance regulations does the vendor support?
- What technologies must the DLP solution integrate with?
- What is your timeline for DLP deployment?
- Will you need to hire additional staff to support the DLP integration?
Proofpoint Email Data Loss Prevention offers integrated data protection for email and attachments. It is designed to stop accidental data exposure and prevent third-party attacker or impostor attacks via email. It can be used in conjunction with other information protection suite products, such as Proofpoint Data Discover and Proofpoint Email Encryption.
A full-suite DLP tool has four elements: a central management server, network monitoring, storage DLP and endpoint DLP. In a small deployment, everything except the endpoint agent may be consolidated on a single server or appliance. Larger deployments may include multiple distributed pieces to cover different elements of the infrastructure.
With this tool, organizations always know where their private or proprietary data resides, including intellectual property, personal identification, patient information, financial information and more. It helps organizations to simplify discovery and quickly evaluate data so they can respond to any issue. The Proofpoint in-place DLP solution, Content Control, helps organizations:
- Easily locate sensitive data, wherever it resides in the enterprise. The simplified discovery process enables IS and IT teams to be aware of issues without dealing with a complex DLP solution or using a lock-it-all-down approach.
- Evaluate historical data and ensure that new data is evaluated as it’s created. Quarantine, move or delete any violations to avoid being adversely affected by wrong material. For example, if corporate content is discovered in a Dropbox synchronization folder, the user will automatically be alerted, and the data will be moved to the IT security team’s sanctioned repository.
- Evaluate the metadata and the full text within a file. This enables IT security departments to identify credit cards, personal identification, license numbers, medical information and more. This process also teaches users best practices for data management and security on the job—without hindering productivity or workflow.