[BreachExchange] Why Data Loss Prevention Will Suffer the Same Fate as Anti-Virus

Audrey McNeil audrey at riskbasedsecurity.com
Tue Apr 3 19:05:02 EDT 2018


http://infosecisland.com/blogview/25052-Why-Data-Loss-Prevention-Will-Suffer-the-Same-Fate-as-Anti-Virus.html

For years, Data Loss Prevention (DLP) has been the first line of defense
against data leaving an organization’s four walls. DLP solutions have been
touted as having the ability to track and prevent the loss of data through
unauthorized channels. However, there are challenges associated with DLP,
such as solution stability, the time-consuming data classification process
and ongoing maintenance, and disconnects between data owners and DLP
administrators. Security teams are realizing that DLP alone is not sufficient
for keeping an organization’s critical data safe.

DLP appears to be following in the footsteps of another once-ubiquitous but
now outdated technology: anti-virus. The parallels between the two
technologies may not be apparent at first, but when taking another look, it
is clear that DLP may suffer the same fate as traditional anti-virus.

Since 1987, the anti-virus approach has been to tag known-bad files with
signatures, continuously scan systems for those signatures, and then attempt
to quarantine the matching files. In theory, this method sounds great, but in
the 21st century, malware can move and morph faster than anyone ever
imagined. As malware developed, its authors learned how these tools operated
and tailored their code specifically to evade the existing tool sets.

The dawn of DLP

Similarly, data loss prevention (DLP) tools require classification and
tagging of sensitive files, scan for the movement of those files, and
attempt to prevent them from going places they shouldn’t be going.
Since 2000, organizations have implemented these tools to adhere to
regulatory compliance, monitor sensitive file movement, or prevent specific
files from leaving through specific egress points.

However, a few major factors have seriously diminished the effectiveness of
data loss prevention solutions. The primary challenge is the exponential
growth of unstructured and semi-structured data within organizations. To be
effective, DLP tools must keep up with the constant creation and
modification of sensitive data. This places a heavy burden on data owners
and those administering the DLP technology to stay on the same page. It is
almost inevitable that data growth will outpace the lines of communication
within the organization.

DLP and the people problem

One of the most challenging elements of DLP isn’t within the software – it
is the people. It’s no secret that people are the biggest challenge when it
comes to implementing effective security controls. Not all users have
malicious intent; they may simply be seeking a way to bypass existing
controls to make their lives easier. People are unpredictable, and ensuring
that organizations have a rule for every action a person might take is hard,
if not impossible.

When it comes to malicious insiders operating within an organization, DLPs
are notoriously ineffective at stopping data loss caused by these types of
threats, since DLPs are often trivial for technical users to bypass. This
means that if someone on the inside really wants to exfiltrate data, they
will probably find a way to do it.

DLPs are incomplete as they do not offer all-in-one detection, deterrence,
and mitigation of data exfiltration and insider threats. While they may
catch some instances of attempted data exfiltration, they are not designed
to help security teams investigate or respond effectively, and they don’t
have proactive user education built in to reduce accidental misuse.

Say goodbye to traditional DLP

Traditional DLP tools have been popular given the magnitude of the data
loss problem and the compliance needs of some organizations. However, DLPs
often fall short when it comes to preventing data loss, especially when it
comes to providing visibility into user actions to detect incidents in the
moment and quickly investigate them.

Instead of relying on a traditional DLP focused exclusively on data,
organizations should implement a holistic, people-focused strategy. They
should shift to an approach that gives the security organization full
visibility into user actions, with alerts for out-of-policy actions serving
as an early warning system to decrease the time to detection. This should be
coupled with strong processes for quickly remediating incidents involving
data loss, and with flexible prevention controls that align with business
goals, to ensure a 360-degree view.
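The contrast the article draws, as an added illustration that is not part of the original post: a tag-based check that only acts on files classification has already labelled sensitive, beside an action-based policy that alerts on out-of-policy user behaviour whether or not the file was tagged. The events, destinations and thresholds are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    """One constructed user-activity record (hypothetical audit schema)."""
    user: str
    action: str             # "upload", "email" or "usb_copy"
    destination: str        # domain, mail domain or device id
    size: int               # bytes leaving the endpoint
    tagged_sensitive: bool  # whether classification had already tagged the file


# Constructed sample events: alice's second upload is of a file that
# classification had not yet caught up with (the "data growth" gap).
EVENTS = [
    Event("alice", "upload", "sharepoint.corp.example", 2_000_000, True),
    Event("alice", "upload", "files.unknown-host.example", 900_000, False),
    Event("bob", "usb_copy", "USB-DEVICE-01", 5_000_000, False),
    Event("bob", "email", "partner.example", 50_000, True),
    Event("carol", "upload", "sharepoint.corp.example", 400_000, False),
]

APPROVED_DESTINATIONS = {"sharepoint.corp.example", "partner.example"}


def tag_based_dlp(events):
    """Data-centric model: block only files already tagged sensitive that
    leave via a destination outside the approved set."""
    return [e for e in events
            if e.tagged_sensitive and e.destination not in APPROVED_DESTINATIONS]


def behavior_alerts(events, volume_limit=3_000_000):
    """People-centric model: alert on the action itself (unapproved destination,
    removable media, unusual total egress), independent of classification state."""
    alerts = []
    egress_by_user = defaultdict(int)
    for e in events:
        if e.action == "usb_copy":
            alerts.append((e.user, "removable media", e.destination))
        elif e.destination not in APPROVED_DESTINATIONS:
            alerts.append((e.user, "unapproved destination", e.destination))
        egress_by_user[e.user] += e.size
    for user, total in egress_by_user.items():
        if total > volume_limit:
            alerts.append((user, "volume over limit", total))
    return alerts
```

On this sample the tag-based check returns nothing, because the untagged files never match, while the action-based policy raises three alerts that an analyst can investigate.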

Now more than ever, organizations need to invest in solutions that provide
full visibility into what users are doing coupled with flexible prevention
policies. With this visibility, organizations are able to quickly identify
risky behavior, streamline the investigation process and prevent data loss.