Why Data Loss Prevention Will Suffer the Same Fate as Anti-Virus

Tuesday, April 03, 2018

Mike McKee


For years, Data Loss Prevention (DLP) has been the first line of defense against data leaving an organization’s four walls. DLP solutions have been touted as being able to track and prevent the loss of data through unauthorized channels. However, DLP comes with challenges: solution stability, the time-consuming data classification process and its ongoing maintenance, and disconnects between data owners and DLP administrators. Security teams are realizing that DLP alone is not sufficient to keep an organization’s critical data safe.

DLP appears to be following in the footsteps of another once-ubiquitous but now outdated technology: anti-virus. The parallels between the two technologies may not be apparent at first, but when taking another look, it is clear that DLP may suffer the same fate as traditional anti-virus.

Since 1987, the anti-virus approach has been to describe known bad files with signatures, continuously scan systems for those signatures, and then attempt to quarantine the matching files. In theory, this method sounds great, but in the 21st century, malware can move and morph faster than anyone ever imagined. As malware matured, attackers learned how these tools operated and tailored their code specifically to avoid the existing tool sets.

The dawn of DLP

Similarly, data loss prevention (DLP) tools require data classification and tagging of sensitive files, scan for the movement of those files, and attempt to prevent them from going places they shouldn’t. Since 2000, organizations have implemented these tools to adhere to regulatory compliance, monitor sensitive file movement, or prevent specific files from leaving through specific egress points.

However, a few major factors have seriously diminished the effectiveness of data loss prevention solutions. The primary challenge is the exponential growth of unstructured and semi-structured data within organizations. To be effective, DLP tools must keep up with the constant creation and modification of sensitive data. This places a heavy burden on data owners and on those administering the DLP technology to stay on the same page. It is almost inevitable that data growth will outpace the lines of communication within the organization.

DLP and the people problem

One of the most challenging elements of DLP isn’t within the software – it is the people. It’s no secret that people are the biggest challenge when it comes to implementing effective security controls. Not all users have malicious intent; they may simply be looking for a way to bypass existing controls to make their lives easier. People are unpredictable, and ensuring that organizations have a rule for every action a person might take is hard if not impossible.

When it comes to malicious insiders operating within an organization, DLPs are notoriously ineffective at stopping data loss caused by these types of threats, since DLPs are often trivial for technical users to bypass. This means that if someone on the inside really wants to exfiltrate data, they will probably find a way to do it.

DLPs are incomplete as they do not offer all-in-one detection, deterrence, and mitigation of data exfiltration and insider threats. While they may catch some instances of attempted data exfiltration, they are not designed to help security teams investigate or respond effectively, and they don’t have proactive user education built in to reduce accidental misuse.

Say goodbye to traditional DLP

Traditional DLP tools have been popular given the magnitude of the data loss problem and the compliance needs of some organizations. However, DLPs often fall short when it comes to preventing data loss, especially when it comes to providing visibility into user actions so that incidents can be detected in the moment and quickly investigated.

Instead of relying on a traditional DLP focused exclusively on data, organizations should implement a holistic, people-focused strategy. They should shift to an approach that gives the security organization full visibility into user actions, with alerts for out-of-policy actions serving as an early warning system that decreases the time to detection. This should be coupled with strong processes for quickly remediating incidents involving data loss and with flexible prevention controls that align with business goals, to ensure a 360-degree view.

Now more than ever, organizations need to invest in solutions that provide full visibility into what users are doing coupled with flexible prevention policies. With this visibility, organizations are able to quickly identify risky behavior, streamline the investigation process and prevent data loss.
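The contrast the article draws between the content-tagging DLP model and visibility into user actions can be made concrete. The following added example is not code from the article or from ObserveIT; it runs a toy content classifier (SSN and card-number regexes, assumed and deliberately simple) over a constructed file store and a constructed pipe-delimited user-activity log, then compares what a tag-only DLP check would raise against what a behaviour-based check raises. The file names, users, destinations and the `corp-sharepoint` approved-destination list are all invented for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample file store (contents invented for this example).
FILES = {
    "q3_payroll.xlsx": "employee,ssn,salary\nA. Smith,123-45-6789,85000",
    "cust_export.csv": "name,card\nJ. Doe,4111111111111111",
    "lunch_menu.txt": "Tuesday: tacos\nWednesday: curry",
    "notes_backup.zip": "<archive; the content scanner cannot read inside>",
}

# Constructed user-activity log: timestamp|user|action|file|destination.
ACTIVITY_LOG = """\
2018-04-03T09:00:00|alice|upload|lunch_menu.txt|corp-sharepoint
2018-04-03T09:05:00|bob|upload|q3_payroll.xlsx|personal-dropbox
2018-04-03T09:06:00|bob|usb_copy|notes_backup.zip|usb:E
2018-04-03T09:06:30|bob|usb_copy|cust_export.csv|usb:E
2018-04-03T09:07:00|bob|usb_copy|lunch_menu.txt|usb:E
2018-04-03T14:00:00|carol|upload|cust_export.csv|corp-sharepoint
"""

# Illustrative classifiers only; a real DLP ruleset is far larger.
PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PAN": re.compile(r"\b\d{16}\b"),
}
APPROVED_DESTINATIONS = {"corp-sharepoint"}  # assumed policy for the example


def parse_log(text):
    """Turn the pipe-delimited log into (datetime, user, action, file, dest) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, fname, dest = line.split("|")
        events.append((datetime.fromisoformat(ts), user, action, fname, dest))
    return events


def classify(content):
    """Content-based tagging: which sensitive-data patterns appear in the file."""
    return {tag for tag, rx in PATTERNS.items() if rx.search(content)}


def content_dlp_alerts(files=FILES, log=ACTIVITY_LOG):
    """Traditional DLP: alert only when a file carrying a tag leaves via an
    unapproved channel. Untagged files (archives the scanner cannot open,
    files created since the last classification pass) leave silently."""
    tags = {name: classify(body) for name, body in files.items()}
    return [
        {"user": user, "file": fname, "dest": dest, "tags": sorted(tags[fname])}
        for _, user, _, fname, dest in parse_log(log)
        if tags.get(fname) and dest not in APPROVED_DESTINATIONS
    ]


def behaviour_alerts(log=ACTIVITY_LOG, window=timedelta(minutes=5), burst=3):
    """People-focused monitoring: every transfer to an unapproved channel is an
    out-of-policy action (LOW), whatever the file's tag, and a burst of them
    inside a short window by the same user escalates to HIGH."""
    alerts = []
    recent = defaultdict(deque)  # user -> timestamps of recent out-of-policy actions
    for ts, user, action, fname, dest in parse_log(log):
        if dest in APPROVED_DESTINATIONS:
            continue
        alerts.append({"severity": "LOW", "user": user, "action": action,
                       "file": fname, "dest": dest})
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:  # drop actions older than the window
            q.popleft()
        if len(q) == burst:  # emitted once, when the threshold is first crossed
            alerts.append({"severity": "HIGH", "user": user,
                           "reason": f"{burst} out-of-policy transfers within {window}"})
    return alerts


if __name__ == "__main__":
    for a in content_dlp_alerts():
        print("DLP", a)
    for a in behaviour_alerts():
        print("UAM", a)
```

Run as written, the content-based check raises two alerts (the payroll sheet and the card export) and says nothing about the archive or the untagged file copied to the same USB stick moments later, which is the classification gap the article describes. The behaviour-based check raises a LOW alert for each of bob's four unapproved transfers and escalates to HIGH on the third within five minutes, giving an investigator the whole sequence rather than two isolated file hits.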

About the author: Mike McKee brings over 20 years of cross-functional, global experience in technology to ObserveIT. Previously, Mike led the award-winning Global Services and Customer Success organizations at Rapid7, served as Senior Vice President CAD Operations and Strategy at PTC, and Chief Financial Officer at HighWired.com.
