The Death of Data Loss Prevention (As We Know It)
Recent high-profile breaches underscore the fact that data loss prevention (DLP) technologies are not as effective as we would hope. There are two major reasons for this: 1) traditional DLP technologies focus too much on content, which can be maliciously manipulated, and 2) traditional DLP discards non-policy violations (yes, events are simply dumped).
DLP’s Content-Aware Focus
Ten years ago, a little content-awareness feature saved the DLP space by reducing false positives to tolerable levels, paving the way for wide commercial adoption of the technology. Both analysts and DLP vendors touted the importance of the ability to scan content for sensitive data. Today, however, content-awareness falls down if the content is manipulated by bad actors before exfiltration. No DLP solution can detect sensitive data when it’s been modified to avoid detection.
Dumping Non-Policy Violations
To clarify this a bit, DLP technologies create incidents for activity that violates policy. But for activity that does *not* violate policy, the event data is trashed. This would be OK if we believed that DLP was perfect in its detection accuracy, but it is not. It’s possible, then, that non-policy violations include some DLP false negatives. And the DLP false negatives are the huge data breaches we’ve seen in the news. Consequently, by dumping this data, the DLP solution has no chance of detecting data breaches after the fact.
What To Do
Addressing these two problems requires a Big Data platform that supports the logging of all activity (policy violation or not) and a technology that relies on more than just content for detecting risky data use. While they’re not openly talking about these two product deficiencies, some DLP vendors are making efforts to address the future of data protection. These vendors are adding a layer of data protection in the form of new features and even whole new technologies that increase visibility and potential detection.
Lastly, there are new vendors that have identified ways to pick up where DLP technologies have left off. One unique technology, from a company still in stealth mode, works as a complement to DLP solutions by identifying data loss incidents that then allow administrators to create needed policies in DLP or other security technologies.
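As an added illustration (not code from this article or from any vendor's product), the sketch below shows why retaining every event matters: a metadata-only pass over the full log finds a transfer that raised no content-based incident, while the same pass over the incidents-only log finds nothing. The event fields, sample events, hostnames and the threshold are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data (assumption): (day, user, destination, bytes, incident).
# incident=False means the content-aware policy did not fire, so a DLP that
# keeps only policy violations would have discarded the event.
_RAW = [
    (1, "alice", "mail.example.com", 40_000, False),
    (2, "alice", "mail.example.com", 55_000, False),
    (3, "alice", "mail.example.com", 48_000, False),
    (4, "alice", "mail.example.com", 52_000, False),
    (5, "alice", "files.example.net", 900_000_000, False),
    (1, "bob", "mail.example.com", 30_000, False),
    (2, "bob", "mail.example.com", 35_000, True),
    (3, "bob", "mail.example.com", 28_000, False),
    (4, "bob", "mail.example.com", 31_000, False),
]
FIELDS = ("day", "user", "dest", "bytes", "incident")
EVENTS = [dict(zip(FIELDS, row)) for row in _RAW]

def discard_non_violations(events):
    """What a traditional DLP keeps: only events that raised an incident."""
    return [e for e in events if e["incident"]]

def daily_volume(events):
    """Sum outbound bytes per user per day over whatever events were retained."""
    totals = defaultdict(lambda: defaultdict(int))
    for e in events:
        totals[e["user"]][e["day"]] += e["bytes"]
    return totals

def retrospective_findings(events, factor=10, min_history=3):
    """Flag (user, day) pairs whose volume exceeds factor x the median of the
    user's other days. Only metadata is used, so the result does not depend
    on whether the content matched a DLP pattern."""
    findings = []
    for user, days in daily_volume(events).items():
        for day, vol in days.items():
            history = [v for d, v in days.items() if d != day]
            if len(history) < min_history:
                continue  # not enough retained history to form a baseline
            baseline = median(history)
            if vol > factor * baseline:
                fired = any(e["incident"] for e in events
                            if e["user"] == user and e["day"] == day)
                findings.append({"user": user, "day": day, "bytes": vol,
                                 "baseline": baseline, "dlp_incident": fired})
    return sorted(findings, key=lambda f: (f["user"], f["day"]))

if __name__ == "__main__":
    print("full log:      ", retrospective_findings(EVENTS))
    print("incidents only:", retrospective_findings(discard_non_violations(EVENTS)))
```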