Data loss prevention (DLP) is not just one technology but rather a well-integrated stack of technologies that work together to automatically detect any situations where there is a potential risk of losing data. Since corporate data is either stored on or travels through many information systems and solutions, it is a complex task to cover every single point where a data leak, data theft, or data breach may occur.
DLP solutions perform three primary functions: defining and discovering sensitive data, providing secure means of transferring data through insecure channels, and – often regarded as the most important – monitoring the discovered data both by regular scanning at rest as well as observing any kind of data access and data movement. Therefore, at the core of modern DLP solutions are advanced data loss prevention monitoring engines, which are responsible for continuously observing the data, raising alarms, and/or activating preventive mechanisms whenever there is even a suspicion of unauthorized access or usage.
How does DLP monitoring work?
The complexity of today’s information systems makes DLP monitoring a challenging task. The increasing reliance on the cloud, distributed solutions, and the popularity of remote work mean that there are multiple layers of data storage that need to be continuously monitored, as well as many different channels of potential data access and data transfer. For perspective, imagine how simple it was when all data was simply stored on a company server in a local server room, accessed only via Ethernet networks within the company, and viewed on old-school text terminals with no access to the Internet. Compare this to today’s range of different operating systems, mobile devices, Internet technologies, and completely remote storage spaces managed by third parties.
Due to this diversity of technologies, DLP monitoring solution providers have to take it one step at a time and deeply understand each underlying technology. For example, monitoring the access and flow of data on a Windows laptop means using completely different programming tricks than doing the same thing on macOS or Linux devices. And that is just the tip of the iceberg: there is also the need to account for not just other operating systems like Android, Linux, or iOS, but most of all, the movement of data to and from today’s cloud solutions, each of them using different technologies.
So there is no simple answer to the question “how DLP monitoring works”, because it works differently for every hardware platform, every operating system, and every accompanying technology. The more advanced the solution, the better it “hacks” the system itself, being able to observe user actions and system procedures. For example, a well-designed DLP monitoring agent for a desktop computer must be able to notice whenever the data is, for example, downloaded from the cloud and stored on a local disk, and then accessed by any other software, not just as a result of intended user actions.
Why is DLP monitoring so important?
The role that DLP monitoring plays in corporate security strategies is absolutely crucial, as it is the last line of defense against attacks. It is also one of the very few mechanisms that can address internal threats and prevent costly accidents. Other cybersecurity technologies act more as initial perimeter defense, but if they fail, it’s all up to DLP to save the day.
For example, antivirus software or phishing detection tools eliminate a lot of threats even before they happen. However, it takes just one malicious program or one spear phishing email to cause a massive data breach. Once this threat reaches the user, everything depends on DLP monitoring – only such technologies can, at the last moment, discover that the user is accessing sensitive data and is about to share it using an insecure channel, such as email or instant messaging software.
Every corporate security strategy should include the use of DLP monitoring as that last line of defense, and that is also the recommendation of many cybersecurity frameworks and a requirement of many regulatory compliance standards such as HIPAA, PCI DSS, or NIST. While, of course, none of these standards points to specific solutions, demonstrating that sensitive data is well-monitored both at rest and in motion is crucial to passing security audits.
Implementing effective data handling policies
A beginner’s misconception, which is often one of the reasons behind security issues, is that cybersecurity software can be purchased, implemented, and “it will just work”. Unfortunately, without spending time to define the right policies and usage cases, it is extremely easy to either design a system that is too lax and allows for expensive data breaches, or design a system that is too strict and makes everyday work impossible. The first step must be defining specific data handling policies, with the help of DLP software to discover potentially sensitive data.
Once sensitive data is identified and well-classified, only then can DLP monitoring do its job well and prevent risky access while allowing for access that is required for regular work. As a simple example, a piece of sensitive data should not be copied from safe cloud storage and saved on the user’s disk for a year, while it’s being accessed approximately once a week. At the same time, if the user needs to access the same piece of data many times a day, immediately removing it after, for example, 15 seconds, and requiring the user to go through a complex process to download it (for example, using additional authentication and MFA) could drive the poor employee insane.
It is up to the cybersecurity teams to build effective policies for different types of data and different access requirements, and to configure DLP monitoring to raise alarms only when necessary, but also not ignore potentially risky situations. So, while DLP monitoring can be an extremely effective tool in preventing data breaches, like every cybersecurity solution it needs to be well-maintained by a dedicated team.
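The retention trade-off described above (a confidential copy lingering for a year while used once a week should go; a copy used many times a day should be left alone) can be expressed as a small policy evaluator. This is an added example, not code from the article or from any DLP product; the label names, thresholds and file paths are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed example: an endpoint agent's view of one locally cached copy
# of a classified file (the cloud original stays in the sanctioned store).
@dataclass
class LocalCopy:
    path: str
    classification: str       # label assigned during data discovery
    created: datetime
    accesses: list            # timestamps at which the file was opened

# Hypothetical policy table: a local copy of labelled data may stay only while
# it is in active use; how much use counts as "active" depends on the label.
RETENTION_POLICY = {
    "confidential": {"idle_ttl": timedelta(hours=24), "min_accesses_per_day": 2.0},
    "internal":     {"idle_ttl": timedelta(days=14),  "min_accesses_per_day": 0.5},
}
ACTIVITY_WINDOW = timedelta(days=7)

def evaluate_local_copy(copy, now):
    """Return the monitoring decision for one cached copy at time `now`."""
    rule = RETENTION_POLICY.get(copy.classification)
    if rule is None:
        return "allow"                          # unlabelled data: not in scope
    last_used = max(copy.accesses, default=copy.created)
    if now - last_used > rule["idle_ttl"]:
        return "remove_stale_copy"              # lingering copy nobody is using
    recent = [t for t in copy.accesses if now - t <= ACTIVITY_WINDOW]
    per_day = len(recent) / ACTIVITY_WINDOW.days
    if per_day >= rule["min_accesses_per_day"]:
        return "allow_active_use"               # in daily use: do not get in the way
    return "alert_review"                       # used, but rarely: let a human decide

def demo(now=datetime(2024, 6, 1, 9, 0)):
    """Constructed scenarios matching the article's two cases plus two controls."""
    weekly = LocalCopy("C:/Users/a/formula.xlsx", "confidential", now - timedelta(days=365),
                       [now - timedelta(days=7 * k + 5) for k in range(52)])
    daily = LocalCopy("C:/Users/a/pricing.xlsx", "confidential", now - timedelta(days=3),
                      [now - timedelta(hours=h) for h in range(1, 72, 3)])
    rare = LocalCopy("C:/Users/a/minutes.docx", "internal", now - timedelta(days=30),
                     [now - timedelta(days=2)])
    public = LocalCopy("C:/Users/a/brochure.pdf", "public", now - timedelta(days=400), [])
    return {name: evaluate_local_copy(c, now)
            for name, c in [("weekly_for_a_year", weekly), ("many_times_a_day", daily),
                            ("rarely_used", rare), ("unlabelled", public)]}
```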
DLP monitoring in the real world
The benefits of DLP monitoring may be initially hard to notice, but let’s have a look at two examples, where DLP monitoring could prevent a massive data breach.
Imagine that one of your top managers receives a well-prepared spear phishing email, designed based on months of observation by the intelligence forces of an unfriendly nation. As expected, no anti-phishing software will be effective in stopping such an email, and, unless they are completely paranoid about security, it is very likely that someone less specialized in technology will fall for it and paste key credentials into a malicious page after copying them from a secure password manager. In this case, DLP monitoring would be able to notice that sensitive credentials are being copied and pasted into an illegitimate page, block the paste, and raise a high-priority alarm so that IT security teams can immediately take action.
As another example, imagine that one of your key R&D employees was approached by your major competitor and lured into working with them by the offer of major financial incentives. The employee accesses your company’s secret formula or algorithm and pastes that data into a private browser session, where they are logged in with their private email account. DLP monitoring would immediately detect such an attempt, block it, and raise an alarm so that your IT security team could cut the employee off from all company resources within moments, preventing any of your secrets from leaking out. Also, note that no other cybersecurity solution except DLP would be able to prevent such an occurrence.
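The two scenarios above come down to the same decision: labelled content leaving the clipboard towards a destination the policy does not approve. The following is an added illustration of that decision logic, not code from the article or from Endpoint Protector; the event fields, labels and hostnames are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed example: the events an endpoint agent would emit when content
# from a labelled source (password manager, classified document) is pasted
# into a browser page. The hostnames are placeholders, not real sites.
@dataclass(frozen=True)
class PasteEvent:
    user: str
    source_label: str    # label of the data on the clipboard
    dest_host: str       # host of the page receiving the paste
    profile: str         # "corporate" or "private" browser profile

# Hypothetical policy: the only hosts where each label may legitimately be pasted.
ALLOWED_DESTINATIONS = {
    "credential":   {"sso.example-corp.invalid"},
    "trade-secret": {"wiki.example-corp.invalid", "lab-notes.example-corp.invalid"},
}

def evaluate_paste(event):
    """Decide allow/block for one paste event and explain the decision."""
    allowed = ALLOWED_DESTINATIONS.get(event.source_label)
    if allowed is None:
        return {"action": "allow", "severity": "none", "reason": "unlabelled data"}
    if event.profile != "corporate":
        return {"action": "block", "severity": "high",
                "reason": f"{event.source_label} pasted in a {event.profile} session"}
    if event.dest_host not in allowed:
        return {"action": "block", "severity": "high",
                "reason": f"{event.source_label} pasted to unapproved host {event.dest_host}"}
    return {"action": "allow", "severity": "none", "reason": "approved destination"}

def monitor(events):
    """Run the policy over an event stream; return only the alerts worth raising."""
    alerts = []
    for ev in events:
        decision = evaluate_paste(ev)
        if decision["action"] == "block":
            alerts.append({"user": ev.user, **decision})
    return alerts

# Constructed sample stream: a legitimate login, the phishing paste, the
# R&D paste into a private webmail session, and harmless unlabelled text.
SAMPLE_EVENTS = [
    PasteEvent("manager", "credential", "sso.example-corp.invalid", "corporate"),
    PasteEvent("manager", "credential", "sso-example-corp.login.invalid", "corporate"),
    PasteEvent("researcher", "trade-secret", "mail.personal-webmail.invalid", "private"),
    PasteEvent("researcher", "unlabelled", "news.invalid", "private"),
]
```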
DLP – not just monitoring
As we mentioned at the beginning, while DLP monitoring is at the heart of DLP solutions, it is not the only technology that can help secure your sensitive data. Today’s DLP solutions go beyond monitoring, and implement the newest technologies to help you get the job done. For example, they use artificial intelligence (AI) to help you not only discover and classify sensitive data but also define data handling policies quickly and effectively.
As an example of a modern DLP solution for endpoint monitoring, Endpoint Protector provides not just a robust and highly configurable real-time DLP monitoring engine but also the aforementioned AI technologies, as well as tools that allow you to securely transfer sensitive information over insecure channels. Thanks to Endpoint Protector, you can build the last line of defense for the most crucial and most commonly used devices – your users’ laptops and desktop computers.