DLP Meaning
DLP, or Data Loss Prevention, is a cybersecurity solution that detects and prevents data breaches. Since it blocks extraction of sensitive data, organizations use it for internal security and regulatory compliance.
DLP enables businesses to detect data loss, as well as prevent the illicit transfer of data outside the organization and the unwanted destruction of sensitive or personally identifiable data (PII). It is also used to help organizations with data security and ensure they comply with regulations like the California Consumer Privacy Act (CCPA), EU General Data Protection Regulation (GDPR), and Health Insurance Portability and Accountability Act (HIPAA).The terms "data loss" and "data leakage prevention" are often used interchangeably, but DLP security enables organizations to defend themselves against both. DLP allows businesses to:
- Identify sensitive information across multiple on-premises and cloud-based systems
- Prevent the accidental sharing of data
- Monitor and protect data
- Educate users on how to stay compliant
Why You Need DLP
The threat of data breaches—incidents where protected is stolen, used, or viewed by an unauthorized individual—has rapidly increased as the world became more digital. There were more than 3,800 breaches in the first half of 2019 alone. DLP is a crucial tool in helping businesses protect their data.
Personally Identifiable Information (PII)
PII is data that could potentially identify an individual or distinguish them from another person. This includes end-users’ email addresses, mailing addresses, and Social Security numbers, as well as IP addresses, login IDs, social media posts, and biometric and geolocation information. There are stringent regulations in place to protect this, such as GDPR, that grant people more rights around how companies handle their data and impose heavy fines for noncompliance and breaches.
DLP security enables businesses to classify, identify, and tag data and monitor activities and events surrounding it. It also provides the reporting capabilities that let organizations complete compliance audits.
Intellectual Property (IP)
Intellectual property includes software, proprietary data, and original works. IP owners need to ensure their digital assets are secure behind proper security protocols and defenses, including firewalls, restricted access privileges, and intrusion detection and prevention systems.
Malicious actors who gain access to intellectual property may cause severe losses by destroying irreplaceable information or code, copying protected assets and selling or distributing them on the Internet, and otherwise exploiting unauthorized access for their own gain.
HIPAA Compliance
HIPAA places extensive data security requirements on all businesses that have access to, process, and store any protected health information. The organization defines guidelines, policies, and procedures for maintaining the privacy and security of individually identifiable health information. It also outlines offenses and civil and criminal penalties for failing to protect this data.
Like GDPR, DLP is vital for organizations that need to comply with HIPAA. It allows them to identify, classify, and tag data that is covered by regulations and ensure end-users are protected.
How DLP Works
DLP systems protect businesses’ data by identifying sensitive information, then using deep content analysis to detect and prevent potential data leaks. This content analysis uses methods like keyword matches, regular expressions, and internal functions to recognize content that matches a company’s DLP policy. As a result, businesses can identify, monitor, and automatically prevent the theft or exposure of protected data.
Define Sensitive Data
The first step in deploying DLP is for businesses to define the sensitive data they want to protect and build a DLP policy around. This could be credit card details, email addresses, and Social Security numbers, or simply a list of names in a spreadsheet.
A DLP policy contains:
- Locations and systems where data needs to be protected
- When and how to protect data
- Rules that define sensitive data and actions when a security risk is discovered
- Conditions that assign different actions to different risk levels
Take a Proactive Approach
Simply having a DLP solution in place is not enough to keep attackers at bay. Businesses need to monitor user activity and protect confidential data when it is at rest, in use, and in motion.
- Data in motion: Also referred to as data in transit, this is data that is actively moving from one location to another, either over the internet, between networks, from a local storage device to the cloud, or through a private network. Data can often be less secure while in motion, so it is vital to have effective data protection measures in place.
- Data in use: Data that is currently being accessed, erased, processed, updated, or read by a system is considered in use. This includes information that is stored or processed in databases, CPUs, or RAM, such as a user requesting access to transaction history in their online banking account.
- Data at rest: This is data that is not actively moving between devices or networks and is archived or stored on a device or hard drive. Data at rest is considered less vulnerable than data in motion, but it can be considered a more valuable target by hackers. It is therefore important to have security measures in place to prevent cybercriminals from gaining access to it.
Detect and Respond in Real-Time
DLP uses several methods to detect sensitive data, but the most common is regular expression pattern. This analyzes content for common patterns, such as 16-digit card numbers or nine-digit Social Security numbers, alongside indicators like the proximity of certain keywords.
For example, a Visa card has 16 digits, but not every 16-digit number will be a credit card number. So DLP performs a checksum calculation to confirm whether the numbers match the patterns of various brands. It also looks for the existence of keywords like "VISA" or "AMEX" in proximity to dates that could be an expiration date to decide whether sensitive information is at risk.
When a violation is discovered, DLP remediates it by sending alerts, encrypting data, and other actions that prevent users from accidentally or maliciously sharing sensitive information. It also provides reports that enables businesses to meet compliance and auditing requirements, as well as identify areas of weakness.
Solutions like security information and event management (SIEM) and intrusion prevention system (IPS) also offer similar functions that help businesses to identify suspicious movement and alert IT teams of a potential breach.
Types of Data Threats
Cybercriminals deploy a wide range of hacking methods that range in simplicity and sophistication. Common types of data threats include:
Extrusion
Extrusion is the act of cybercriminals targeting and attempting to steal sensitive data. They try to penetrate businesses’ security perimeters using techniques like code injection, malware, and phishing.
WannaCry was dubbed the biggest malware attack in history after it infected 230,000 computers in 150 countries in May 2017. Attackers targeted a vulnerability in older versions of Windows, then encrypted files and demanded a ransom fee in exchange for unlocking them.
Insider Threats
An insider threat is a breach that comes from within an organization. The malicious insider could be a current or former employee, a contractor, or business associate that has information about the organization’s security practices and systems. The insider either abuses their own permissions or compromises the account of a user with higher privileges and attempts to move data outside the organization.
In 2016, UK technology firm Sage was the victim of an insider threat breach after an employee used an internal login to access the data of between 200 and 300 customers without permission. The breach was relatively small and it has not been revealed what data was affected, but the impact of the attack was proven by Sage’s shares falling by 4% in the aftermath.
The credit card data breach of Target in 2013 is a good example of the financial and reputational risk of insider threat attacks. The attack, which impacted 41 million consumers and cost Target $18.5 million, was caused by a third-party vendor taking critical systems credentials outside of a secure use case. This enabled hackers to exploit a vulnerability in Target’s payment systems, gain access to its customer database, install malware, and steal customers’ information.
DLP can prevent such risks by providing businesses with comprehensive visibility of file transactions and user activity across their IT environment. It enables businesses to keep files for as long as is required to protect data and compliance requirements, even when an employee has left the organization. Data loss prevention also allows file recovery capabilities that enable organizations to recover from malicious or accidental data loss.
Unintended Exposure
Breaches can also be caused by unintended or negligent data exposure. This typically occurs as a result of inadequate employee data procedures, in which employees either lose sensitive information or provide open access to their account or data. It can also be caused by businesses not putting appropriate access restrictions in place on organizational policies.
A breach of cybersecurity firm RSA in 2011 compromised 40 million employee records after users clicked on emails sent from targeted phishing attacks. The attack came from two hacker groups within a foreign government pretending to be trusted colleagues. When employees clicked on the emails, the hackers gained access to systems and compromised SecurID authentication tokens.
DLP’s content analysis engine enables businesses to identify when sensitive information are potentially at risk of being shared externally. They can then take action by logging the event for auditing, displaying a warning to the employee that could unintentionally be sharing the information, or actively blocking the email or file from being shared.
