Troy Gabel, our Chief Revenue Officer, has been in the DLP market for a while. He’s seen it evolve from protecting the walled gardens of enterprises to today’s work-from-anywhere, web-centric environment.
Troy recently had the opportunity to sit down and discuss these changes and where DLP is headed with Dr. Rebecca Wynn, Click Solutions Group’s CISO. Dr. Wynn also knows the DLP market well, having served as Chief Information Security Officer at LearnVest, Matrix Medical Network, and [24]7.ai.
Here are some of the highlights:
It was around the turn of the century when the early DLP companies began operating. Their solutions were designed for the dominant work environment of the time. DLP ran on-premises on “heavy iron,” and administrative overhead was required by design. Security analysts would build specialty rules to address perceived threats and construct SQL queries to learn how data traveled. In the early “aughts,” all data and applications were within the organization’s control. Users ran business applications on their local devices, making it simpler to monitor their activities. A data protection platform must evolve to match how businesses run today; forcing a legacy DLP to work outside its design will be problematic. Reveal was built with this new paradigm in mind: it’s a low-overhead platform that can be effectively run by a lean information security team.
Data is everywhere and data usage has changed. DLP leveraging cloud-native infrastructure and APIs can see and control data usage without interfering with devices. This includes web apps, messaging apps, and other data exfiltration channels that were not prevalent when the legacy DLP platforms were designed. Importantly, the fact that the ways data egresses have evolved doesn’t mean the traditional channels can be ignored. Modern DLP leverages sanctioned connections into operating systems, browsers, and applications to deliver the required visibility and controls. The coverage must extend to both the new and the old communications channels.
DLP was originally skewed towards security, not productivity. The goal was to block data misuse with little concern for any negative repercussions. In the process, these solutions could stymie legitimate business use of data and were especially inflexible in adapting to the evolving business. Security teams today need to support a business’s goals at large – not just security. Sharing sensitive data is often an unavoidable part of business, and rarely does executive management tell security to block all data movement. Reveal lets security teams enable the business, not get in the way and become a source of friction.
Rule-based DLP requires teams to either predict how every user will interact with data or react to past behavior and hope nothing changes. By moving machine learning to each endpoint, a modern DLP solution can build a baseline for each individual user and device and respond instantly. It can learn how each user interacts with data and devices, including normal keystroke patterns, what applications they use, and normal data usage. Unlike a centralized model that feeds data up, aggregates, analyzes, and pushes updates down in batch mode, there is no gap in protection. Reveal enables "policy free" data protection: the platform can baseline each user and then immediately alert on anomalous activity, while updating itself as user patterns evolve.
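The contrast between one fixed rule and a per-user baseline can be shown in a few lines. This is an added example, not Reveal's algorithm or code: it baselines only daily upload volume with an exponentially weighted mean and variance, and the user names, volumes, and thresholds are constructed assumptions.

```python
import math

STATIC_LIMIT_MB = 500  # one fixed rule for every user (constructed value)

class UserBaseline:
    """Exponentially weighted mean/variance of one user's daily egress (MB)."""

    def __init__(self, alpha=0.2, z_limit=3.0, warmup=5):
        self.alpha, self.z_limit, self.warmup = alpha, z_limit, warmup
        self.mean = self.var = 0.0
        self.n = 0

    def observe(self, mb):
        """Score `mb` against the current baseline, then fold it in."""
        anomalous = False
        if self.n >= self.warmup:
            # Floor the deviation so a very steady user does not alert on noise.
            std = max(math.sqrt(self.var), 0.05 * self.mean, 1.0)
            anomalous = abs(mb - self.mean) / std > self.z_limit
        if self.n == 0:
            self.mean = float(mb)
        else:
            # Every observation updates the baseline, so it follows gradual drift.
            delta = mb - self.mean
            self.mean += self.alpha * delta
            self.var = (1 - self.alpha) * (self.var + self.alpha * delta ** 2)
        self.n += 1
        return anomalous

def compare(history):
    """Return {user: (days hit by static rule, days hit by baseline)}."""
    result = {}
    for user, days in history.items():
        baseline = UserBaseline()
        static_hits, baseline_hits = [], []
        for day, mb in enumerate(days):
            if mb > STATIC_LIMIT_MB:
                static_hits.append(day)
            if baseline.observe(mb):
                baseline_hits.append(day)
        result[user] = (static_hits, baseline_hits)
    return result

# Constructed sample: MB uploaded per day by two hypothetical users.
HISTORY = {
    "alice_design": [700, 820, 760, 790, 810, 750, 800],  # large files are normal
    "bob_finance": [20, 25, 18, 22, 24, 21, 300],         # 300 MB is a 14x jump
}

if __name__ == "__main__":
    for user, (static_hits, baseline_hits) in compare(HISTORY).items():
        print(user, "static rule:", static_hits, "baseline:", baseline_hits)
```

On this sample the fixed 500 MB rule alerts on every one of the designer's normal days and never on the finance user, while the per-user baseline stays quiet for the designer and alerts only on the finance user's 300 MB day.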
We often think of security solutions as simply reporting violations of preset policies. The problem is, unless you know what you are looking for, often very specifically, even the best policy won’t give you risk discovery. When innovations such as ChatGPT emerge, your team needs to see this change, understand the impact of it, and then put controls in place if warranted. Reveal can uncover risky behavior and anomalies that are not covered by policy to inform better security hygiene.
Troy has seen a lot of data protection proposals over the years. His recommendations for the top three requirements are:
The strategy for DLP in the early days was linear. Your first task was to define the data you wanted to protect and find it wherever it existed in your organization. This takes time and effort that may not pay off, or can have a negative impact. Additionally, not all sensitive data is necessarily "content inspectable." Source code and images cannot be inspected and classified by regular expression rules. A better approach is to observe how each employee uses data and report on anomalous behavior. Not having to tell the DLP what to look for can save a lot of effort without sacrificing security.
No single security tool provides teams with everything they need. Look for solutions that can share information with your other security platforms, including SIEM and SOAR solutions. It’s also important that these integrations are based on modern approaches such as APIs to reduce the complexity of maintaining these connections.
Security solutions need to do more than simply block USB uploads or apply website controls; that’s too simplistic and not a long-term solution. Teams need solutions that strike the proper balance between security and data usage, both for the current business model and with an eye to the future.
There is a lot more in the webinar, and you can watch it for free on BrightTALK. Rebecca and Troy discuss the role of ChatGPT and artificial intelligence in DLP, data leakage, and how pre-classifying data is no longer necessary or feasible.