Legacy Data Loss Prevention (DLP) providers have long focused their efforts on preventing
malicious insiders and external attackers from exfiltrating sensitive data.
They address this challenge by classifying data and applying complex, granular rules dictating which users can take which actions with each class of data.
False positives are common and result in alert fatigue in the SOC and impede legitimate workflow. Users respond by seeking alternative methods of obtaining or sharing information and unauthorized workarounds become the norm.
The result is often to simply deploy the DLP solution as a forensic tool in monitor mode. This allows users (and attackers) to do whatever they want with data, hoping the SOC cannot respond quickly when exfiltration begins.
While rules certainly play a role in DLP, attempting to detect and block attacks as they remove the data is counterintuitive. Airlines don’t rely solely on strong cockpit doors to prevent hijackings. Instead, they work to identify threats before they can carry out attacks. They screen luggage and check IDs, then cross-reference government databases to identify passengers that require secondary screening. They watch for suspicious behavior and ask that other passengers do the same.
Reveal takes the same approach. Instead of just following the data, we look at human factors to identify evidence of malicious behavior before attackers compromise data. These indicators of compromise capture the activities people must take before downloading sensitive data to a USB drive or uploading it to unsanctioned cloud storage.
Criminals do not want to be caught. When attempting to steal data they first search for the data, gather it, and attempt to disguise their activity. This is where DLP solutions must consider the human factor. We designed Reveal to analyze and understand which activities by which users are benign, and which could indicate malicious intent.
For example, the data thief doesn’t know where the organization stores the data they seek. They must find it by exploring many different data stores. An unusual spike in file requests to a data store seldom accessed by a user could be an indicator of compromise. Once they find the data they must collect it, so a large collection of compressed or encrypted files can indicate elevated risk. A user attempting multiple times to access data they don’t normally use can also be an indicator of compromise. Other malicious activities can include testing an organization’s defenses to determine the best exfiltration path, disguising or obfuscating sensitive data by changing file names or extensions, and copy/pasting large volumes of data.
By identifying and tracking indicators of compromise. Reveal can discern between the activity of a careless but well-meaning user and that of a malicious actor. It uses the former as an opportunity to improve the organization’s cyber hygiene and teach users to make the right decisions with sensitive data. Pop-ups reinforce corporate security policies and can require users to review and acknowledge corporate policies.
When Reveal determines the activity is malicious, Reveal can isolate devices from the network, lock out user sessions, take screenshots (static/in motion), block uploads, and kill processes to protect your organization.
Blog
Blog
Blog
Blog
Resources
Resources
Resources
Resources