Protecting a company’s network against data leaks is the first priority of any security officer. However, this task is becoming more complex because of strong competition and the popularity of Bring Your Own Device policies. Though there are a wide variety of cybersecurity solutions on the market, choosing the wrong system may lead to security gaps.
Data leak prevention (DLP) systems are one of the oldest types of data protection software. But are they a time-tested solution or an outdated practice? Let’s find out the main pros and cons of data leak prevention systems.
What is a DLP solution?
A data leak prevention (or data loss prevention) system is software that defines, discovers, and monitors sensitive data and prevents it from leaving the local environment. Implementation of a DLP solution is required by such industry security standards as HIPAA, GLBA, PCI DSS, SOX, and FISMA.
A DLP solution provides you with active or passive monitoring. There are three major active DLP types depending on their deployment environment: network, endpoint, or cloud.
- A network DLP is deployed on a server or comes as a physical box and controls everything going on inside the network.
- An endpoint DLP is deployed on each endpoint and monitors only one machine.
- A cloud DLP is deployed on a virtual server and controls an organization’s activity inside a private cloud.
All three types scan the environment (network, endpoint, or cloud server) to detect sensitive data. Each DLP solution has its own detection algorithm based on a data classification policy. This policy defines data types and formats considered sensitive for a particular organization. DLP software searches for such types of data and monitors them.
Some DLP solutions are able to identify common types of sensitive information (e.g. credentials, credit card and social security numbers, personally identifiable information) on their own. On the one hand, such a solution provides you with a thorough network scan. On the other hand, relying on built-in detection alone may leave some sensitive data undetected.
A passive DLP solution monitors and records network activity instead of monitoring data. It provides administrators with extensive logs of all actions within the network. Such solutions are useful for activity monitoring, incident investigation, and troubleshooting issues inside the network.
NIST outlines the following types of data loss covered by a DLP solution:
- Data leakage – The most common type of data loss. A data leak is a breach of confidentiality in which sensitive data becomes publicly available; it usually happens when hackers post confidential company data on the internet.
- Data disappearance – This is when information is deleted from a company’s servers. For example, a disgruntled employee with a privileged account may erase important data.
- Data damage – This is when information is modified or encrypted. The most common scenario for this form of data loss is an encrypting ransomware attack.
According to NIST documentation, a DLP protects data in one of these states:
- At rest – data stored on a hard drive, server, database, etc.
- On an endpoint – data used by employees on their devices
- In motion – data sent outside the company network using any method of communication
Advantages of a DLP system
Standard security measures include a firewall, intrusion detection system, and antivirus software. These are mechanisms that guard computers against inside and outside attacks.
Adding a DLP solution to your cybersecurity system provides you with the following advantages:
1. A DLP is effective for outsider and insider threat detection. It uses a firewall to limit outside access to the internal network. Outside attacks can be detected by DLP software via antivirus scans that find Trojans installed on endpoints and malware entering the company’s network through email attachments. It mitigates insider threats through continuous data monitoring, detecting malicious insiders tampering with data. It also encrypts all data copied to USB devices or sent outside the network.
2. DLP solutions prevent attempts to copy or send sensitive data without authorization. Information that’s classified as sensitive can be determined by using exact data matching, structured data fingerprinting, rule and regular expression matching, plus conceptual definitions and keywords.
3. DLP systems provide corporations with visibility into what’s going out of the building. They stop users from sending out sensitive data. With a DLP system in place, you can see who’s trying to send out information and possibly stop a data breach before it can cause too much damage.
4. Some DLPs use machine learning algorithms to identify new sensitive data. A continuous analysis of internal content helps to pinpoint all data that needs to be protected. The same technology allows for detecting unusual access requests and data exchanges between employees. However, it’s best to use a dedicated user activity monitoring or user and entity behavior analytics solution for that.
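The detection methods named in point 2 (regular expression matching, exact data matching via fingerprints, and keyword matching) are easier to reason about in code. The classifier below is an added example written for this article, not code from any DLP product; the policy keywords, customer IDs, salt and sample message are constructed, and the card number is a Luhn-valid test value.

```python
import hashlib
import re

# Constructed classification policy for a hypothetical organization:
# keywords, known customer IDs (for exact data matching), and two patterns.
KEYWORDS = {"confidential", "internal only"}
KNOWN_VALUES = ["CUST-0001-ALPHA", "CUST-0002-BRAVO"]  # constructed
SALT = b"constructed-demo-salt"  # a real deployment uses a secret salt

def fingerprint(value: str) -> str:
    """Exact data matching: store salted hashes, never the plaintext values."""
    norm = value.strip().upper().encode()  # normalize before hashing
    return hashlib.sha256(SALT + norm).hexdigest()

FINGERPRINTS = {fingerprint(v) for v in KNOWN_VALUES}
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")      # US SSN, dashed form

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects random digit runs that merely look like a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str) -> list:
    """Return (method, value) pairs for each sensitive item found in text."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(("regex+luhn:card", digits))
    for m in SSN_RE.finditer(text):
        hits.append(("regex:ssn", m.group()))
    for token in re.findall(r"[A-Za-z0-9-]+", text):
        if fingerprint(token) in FINGERPRINTS:
            hits.append(("exact-match:customer-id", token))
    low = text.lower()
    hits.extend(("keyword", kw) for kw in sorted(KEYWORDS) if kw in low)
    return hits

if __name__ == "__main__":
    # Constructed sample message; the card number is a Luhn-valid test value.
    sample = ("Ticket for cust-0001-alpha: card 4111 1111 1111 1111, "
              "SSN 123-45-6789. CONFIDENTIAL. Ref 1234567890123456.")
    for method, value in classify(sample):
        print(f"{method:25} {value}")
```

Note that the Luhn check is what keeps the 16-digit reference number in the sample from being flagged; a bare regex would report it, which is the kind of false positive that makes DLP tuning slow.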
Disadvantages of a DLP system
It sounds like a good idea to have a DLP system in place to prevent data breaches caused by insiders as well as outside hackers. However, if your company has DLP software, there’s a risk that it may leave gaps in your corporate security. You may feel that everything is protected so there’s no need to put in place other security measures; but this feeling may actually be a false sense of security.
When using a DLP solution, watch out for the following:
1. A DLP system will do your company no good if you don’t know where your data is stored. You need to take inventory of both classified and unclassified data. Then list who has access to classified data. Some DLP solutions offer automated scanning and detection of sensitive data inside the corporate network. But due to specific workflows and data types in each company, it may be better to label data manually.
2. A DLP system is a business product, not a technology project. Once your company commits to purchasing a DLP system, the hard work begins, as a DLP solution is hard to deploy. In order to understand what data is worth monitoring, your IT department needs a comprehensive overview of the data flows in your company.
3. Users inside your network are assigned various access privileges. You need to audit all privilege levels and make sure that your DLP solution is able to distinguish a regular user from a privileged one.
4. If your company doesn’t take the time to define its data protection strategies and develop core technical and business requirements, the DLP system won't be effective. Defining and implementing a comprehensive data leak prevention policy takes a lot of time. An unclear policy causes issues with integrating a DLP into your cybersecurity system and adds overhead costs.
5. You need to study the pros and cons of each piece of DLP software carefully before making your choice. There’s no standard set of features. For example, some solutions don’t monitor file exchanges via Dropbox or messengers, but others do. Deploying a network DLP helps you protect information inside the local network. But if employees need to take their laptops on business trips or work from home, data on those machines won’t be protected.
Key pros and cons of DLP systems
Pros:
- Effective for insider and outsider threat prevention
- Provides visibility into data exchanges
- Enforces authorization procedures before sensitive data is accessed
- Applies machine learning to identify abnormal user behavior and label sensitive data
Cons:
- Deploying a DLP takes a lot of time and effort
- Requires precise data flow policies
- Creating a data loss prevention policy takes a lot of time
- Preparing an inventory of all sensitive data and establishing user privileges may be hard
A DLP system can be effective at preventing data loss, but it requires a careful and well-thought-out implementation. Unfortunately, there’s a risk of leaving some sensitive data unprotected because of complex data discovery procedures. Tuning a DLP solution and scanning your whole network manually take plenty of time.
Deploying a user activity monitoring solution like Ekran System instead of a DLP is a reasonable choice. Ekran constantly monitors all actions inside your company’s network, including those of privileged and third-party users. Ekran System also provides you with robust incident response functionality that includes alerts and notifications. Coupled with a simple deployment scheme, Ekran System is more effective and easier to use than a traditional DLP system.