The debate between users of active DLP and passive monitoring approaches has gone on for years. In this paper we present research on the two approaches, analyze their strong points and limitations, and make recommendations as to which approach may better suit your requirements.
Data Leak Protection (DLP)
Data leak prevention solutions are systems designed to detect and prevent potential data breaches originating from inside the organization.
There are two major types of DLP commonly used in organizations.
- The first type is installed as an Internet gateway or proxy server and has no software installed on client computers. A network DLP analyzes network traffic to detect the transmission of sensitive data and blocks any transmission that is found to violate the corporate security policy.
- The second type of DLP system deals with data at the source. Endpoint DLPs run client software on end-user workstations, intercepting and analyzing data such as user input, Internet connections and application activity at the source. Unlike network-based solutions, endpoint DLPs can analyze both the internal activities and the external communications of a given workstation.
As a result, a typical corporate DLP combines the use of network-based and endpoint-based solutions, which, in turn, can potentially introduce even more disruptions into business workflow.
Surveillance and Monitoring
In order to mitigate the interruptions to business processes introduced by active response systems such as DLP solutions, security experts often recommend a different approach. Instead of deploying a company-wide data leak protection system, they recommend passive, non-intrusive monitoring of all employees and network users, combined with instant alerts and fast incident response. This approach removes the guesswork of common DLPs and does away with the intrusive roadblocks they place in the business process.
In addition, many of these solutions are not exactly easy to use, generating a set of log files for various aspects of system use and data access operations. Most are quite resource-intensive, time-consuming to analyze and require significant financial investment.
Does an Ideal Solution Exist?
In recent years, a new approach to computer monitoring has appeared. In this type of monitoring system, client software intercepts user activities while supplementing raw logs and text-based reports with a live video stream captured on the user’s workstation. However, unlike traditional video surveillance systems, these computer monitoring solutions do not require an operator to watch the entire video, even in fast-forward mode.
Instead, they index the video stream with the other, text-based information collected from the same workstation, placing searchable markers onto the video stream. As a result, discovering the information relevant to a certain incident becomes easier, while watching the video stream reveals far more detail about the incident than any text-based log can.
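To make the indexing idea concrete, here is an added example (not Ekran System's code or data format): text events captured on a workstation, each tagged with its offset into the session recording, are tokenized into an inverted index so that a search term resolves directly to the seconds of video worth reviewing. The event categories, offsets and the sample events are constructed for illustration.

```python
"""Indexing a session recording with text markers from the same workstation.

Added example, not Ekran System's code. Each captured event (window title,
visited URL, clipboard use; categories are assumed) carries an offset into
the session video. Tokens from the event text go into an inverted index, so
a reviewer searching for "payroll" gets the video time ranges to watch
instead of scanning the whole recording.
"""
from dataclasses import dataclass
import re
from typing import Dict, List, Optional, Tuple

TOKEN_RE = re.compile(r"[a-z0-9]+")


@dataclass(frozen=True)
class Marker:
    offset_s: float  # seconds from the start of the session recording
    kind: str        # "window", "url", "clipboard", ... (assumed categories)
    text: str        # text captured together with the event


def tokenize(text: str) -> List[str]:
    """Lower-case alphanumeric tokens; dots and hyphens split terms, so a URL
    such as files.example.test becomes three searchable tokens."""
    return TOKEN_RE.findall(text.lower())


class SessionIndex:
    """Inverted index: token -> positions of markers whose text contains it."""

    def __init__(self) -> None:
        self.markers: List[Marker] = []
        self._postings: Dict[str, List[int]] = {}

    def add(self, marker: Marker) -> None:
        pos = len(self.markers)
        self.markers.append(marker)
        for tok in set(tokenize(marker.text)):
            self._postings.setdefault(tok, []).append(pos)

    def search(self, query: str, kind: Optional[str] = None) -> List[Marker]:
        """Markers whose text contains every query token, in time order."""
        toks = tokenize(query)
        if not toks:
            return []
        hit_sets = [set(self._postings.get(t, ())) for t in toks]
        hits = set.intersection(*hit_sets)
        result = [self.markers[i] for i in hits]
        if kind is not None:
            result = [m for m in result if m.kind == kind]
        return sorted(result, key=lambda m: m.offset_s)

    def clips(self, query: str, before_s: float = 5.0,
              after_s: float = 15.0) -> List[Tuple[float, float]]:
        """Video time ranges to review for a query; overlapping ranges are
        merged so the reviewer gets one continuous clip per episode."""
        ranges = [(max(0.0, m.offset_s - before_s), m.offset_s + after_s)
                  for m in self.search(query)]
        merged: List[Tuple[float, float]] = []
        for start, end in ranges:
            if merged and start <= merged[-1][1]:
                merged[-1] = (merged[-1][0], max(merged[-1][1], end))
            else:
                merged.append((start, end))
        return merged


def build_sample_index() -> SessionIndex:
    """Constructed sample events for one session; not real captured data."""
    idx = SessionIndex()
    for m in [
        Marker(12.0, "window", "Inbox - Mail"),
        Marker(95.5, "window", "payroll_2024.xlsx - Excel"),
        Marker(101.0, "clipboard", "copied 4,812 characters from payroll_2024.xlsx"),
        Marker(108.2, "url", "https://files.example.test/upload"),
        Marker(110.0, "clipboard", "pasted into files.example.test"),
        Marker(600.0, "window", "Quarterly report - Word"),
    ]:
        idx.add(m)
    return idx


if __name__ == "__main__":
    index = build_sample_index()
    for start, end in index.clips("payroll"):
        print(f"review video from {start:.1f}s to {end:.1f}s")
```

The merge step in `clips` is what turns a list of scattered log hits into a short, contiguous piece of video: the spreadsheet being opened and the clipboard copy a few seconds later collapse into one range, which is the "searchable marker" workflow the text describes.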
Ekran System is a modern solution for corporate networks to enable monitoring and auditing of independent service providers, employees, and other insiders. This innovative computer surveillance system is based on capturing on-screen user activities of regular and privileged users, and creating fully indexed and easily searchable video streams. Ekran System can monitor all workstations and servers on the corporate network including local, remote, and terminal sessions.
In our White Paper section, you can find more details about the debate between users of active DLP and passive monitoring approaches, and guidance on choosing the solution that best fits your needs.