Why the Future of Enterprise Security Depends on Intelligent DLP Systems

At the beginning of my story, I want to note that DLP systems should not be viewed as something that solves a narrow range of issues related only to personnel safety. Today, DLP systems are solving a wide range...

Why the Future of Enterprise Security Depends on Intelligent DLP Systems

At the beginning of my story, I want to note that DLP systems should not be viewed as something that solves a narrow range of issues related only to personnel safety. Today, DLP systems are solving a wide range of tasks that include compliance, risk management, anti-corruption, personnel and internal security of enterprises.

Personnel security and information security

Personnel security is one of the main tasks of DLPs. These tools help reduce the risks associated with careless actions of employees as well as malicious insider activities. Many companies already have a built-in information security ecosystem, but even mature and well-developed systems are at risk if insiders work effectively. Therefore, personnel security plays an increased role these days.

Company security is highly dependent on three areas of security: information, personnel, and network. If the security problem concerns technical issues, such as how to penetrate data storage, then this is a network security issue. When we are talking about people’s actions, this is personnel security. Finally, if the task is related to business processes, then this is information security.

High efficiency in the fight against security threats can only be achieved through the proper interaction between the IT department, information security, and HR teams. Therefore, DLP is becoming an increasingly comprehensive and integrated tool that connects all areas of business protection.

To be better protected, you should consider not only actual risks but also potential threats. Therefore, collecting data, analyzing it correctly, and subsequently drawing the correct conclusions is essential.

Personnel security risks

The main risks that DLP tools address are data breaches, fraud, employees working for competitors, etc. These main risks mainly relate to the economic sphere. However, DLP is a “Swiss knife” for information security, and its functions can connect to various tasks.

DLP systems help companies avoid risks primarily related to finances and reputation. However, with government organizations, the situation is different. The latter deal with strategic data, and the damage can seriously affect the entire country. So, DLPs are becoming crucial in the public sector.

The field of personnel security is changing. Previously, we had to deal primarily with incidents due to negligence – the vast majority of cases used to be unintentional. Today, we see a sharp change in malice.

Risks that existed primarily as potential have now materialized. Many medium-sized companies have, until now, believed that they do not need special protection because they do not have important or sensitive information. Now they are faced with the fact that employees are purposefully planning malicious actions. Employees are often the organizers of attacks or participate in operations organized by third parties. In addition, external actors are not uncommon to install cell tracking apps on employees’ devices and use them in an unwitting fashion – “blindly.”

Earlier, malicious intent was often limited to mischief or revenge. Sabotage was also widespread. Now, the task is to actually break through the perimeter and take possession of confidential data.

For DLP systems, this gives rise to new factors and assessments. It is necessary to consider the place of work of employees and the level of the critical significance of their position in terms of security.

The practice of using DLP systems in personnel security

Employees should be notified about the introduced security controls. They are also provided with a package of documents for signing. Employees must understand that the collected data belongs to the information security field and can be used in court.

With the help of DLP, it is possible to prove, for example, that an employee did something in the interests of a competing organization by sending them documents and screenshots containing trade secrets. Evidence can also be mined when an employee uses company equipment for personal gain.

From a technical point of view, the system looks as simple as possible. There are endpoints and gateways where data is collected about legitimate and illegitimate events. In response to legitimate events, special rules must be created.

Problems of DLP systems

The main personnel security risk comes from malicious insiders. In addition to insiders, there are also risks related to privileged users. DLP can collect user data from all company departments. However, this requires high competence and the correct setting of the DLP rules.

When implementing DLP, one should pay attention to the operators of DLP systems. They may come across personal information and must understand their responsibility when dealing with this data.

Security teams are excessively focusing on the technical part of the work of DLP systems. At the same time, little attention is paid to working with people. Therefore, it is essential to understand that attackers are also people. Correctly interpreting their actions and timely preventive measures will allow you to establish effective countermeasures.

It is also worth paying attention to the differences in the culture of using DLP in different companies. Not all customers share their problems with the DLP vendor. The vendor can assist with the choice of rules that help identify the problem’s origins and find ways to solve it. However, many customers do not share such information. The reasons may be different. The first is that information can be classified as strictly confidential (in some organizations, this is a state secret). But we often deal with a specific security culture in the company. Few companies adhere to openness, and most prefer to be as closed as possible.

Some DLP customers do not consider DLP as a “living” system that requires control rules to be regularly revised to solve new problems. Instead, they believe that DLP is an automaton tool that is enough to set up once during installation and not touch again.

Learning to work with DLP systems

Particular attention should be paid to the issues of training and learning the rules of operation of DLP systems. For example, who and when can become an operator or analyst of DLP systems? This topic is quite hot, especially with a growing interest in outsourcing.

There are no special courses or textbooks to learn DLP operation rules comprehensively. Instead, universities teach only economic security. This knowledge is not suitable for DLP. Basically, training takes place in specialized centers opened by DLP vendors that teach how to work with their system. The rest of the training takes place in self-learning mode when employees gain experience on their own.

Very often, former law enforcement officers are recruited to work with DLP. However, only they understand the value of the collected information and have experience with the tools, methods, and scenarios. Unfortunately, the average graduate who has completed economic security training is of little use to DLP.

DLP myths

There have always been a lot of myths about DLP tools. Myths are born from a lack of understanding of the system’s workings and primitive fears, often even expressed by someone else. However, all myths are dispelled by themselves when you delve into the structure of the DLP system and its principles. Here are some of the myths:

Ten years ago, you could hear employees talking about serious fears that arose after the introduction of DLP. There is still an opinion that DLP is a personal enemy of many employees as it monitors them and invades their privacy. Other myths also appear. There is a well-established myth regarding the “high” cost of DLP systems. There is also a nasty myth about the excessive complexity of DLP installation and the impossibility of running it out of the box. At the initial stage of launching DLP, hundreds of security events have been issued, frightening many business leaders. As a result, people think DLP is very difficult to work with and are afraid to use this system. There is also a well-established judgment about the excessive resource consumption of DLP systems. “They will put down all the computers on the network” – something like this can often be heard. It is also worth noting the fear that the vendors of DLP systems can use their customers’ data, creating risks for the company. The most dangerous myth is that DLP systems can allegedly provide security on their own upon installation. But security is primarily a competent employee who deals with security issues. DLP is just a tool that is used for security purposes.

Again, proper assessment of your risks and needs, close cooperation with the vendor, and correct DLP implementation will help dispel all the myths.

Technologies for improving DLP systems

Future perspectives of DLP are primarily associated with introducing behavioral analytics (UBA and UEBA). Such systems allow you to introduce a rating of employees, which helps to track risks and identify and prevent serious incidents.

Integration with UBA and UEBA allows employee layoff forecasting and identifying data accumulation to take it outside the perimeter. UBA and UEBA can also help improve DLP by identifying violations and anomalies in business processes associated with the planned discrediting of the company or detecting the disloyal behavior of employees.

It is challenging to address these issues within the framework of a standard DLP since there are no clear security incidents associated with such events. However, new technologies make it possible to predict the development of various risky situations more accurately.

Currently, UBA has not really “taken off” due to the abundance of speculation on this topic. Afraid of not keeping up with market trends, vendors have tried to add UBA features, but in the absence of actual expertise and unique research, they have had little success.

Implementation of UEBA in its current form is also tricky since, in practice, there are too many different formats. Moreover, the results of the UEBA mechanism depend too much on data sources, and their slightest changes instantly cause a difference in the results. Therefore, it is first necessary to formalize the input data for UEBA. This will provide the correct decomposition.

Trends in the development of personnel security systems

The DLP customers always want to have a big red button. By clicking it, customers want to get the result immediately. This is the ideal goal. DLP vendors are just starting to go to it. We will come to it when DLP systems can process large arrays of complex data.

Much is already being done. An increase in the level of automation and widespread use of AI is expected soon. Labor costs for the operation of DLP will decrease. Identifying incidents better and automating configuration and policy settings will be possible. The machine should do the central part of the work. The DLP officer will be involved only in decision-making, not technical problems.

From the point of view of technical development, DLP will move towards integration with other security solutions. For example, DLP is expected to move towards integration with DCAP, UBA, and UEBA. Integration has already taken the first steps. For instance, DLP logs are actively used in SIEM products to evaluate the correlation of events.

Featured Image Credit: Danny Meneses; Pexels; Thank you!

Alex Vakulov

Alex Vakulov

Alex Vakulov is a cybersecurity researcher with over 20 years of experience in malware analysis. Alex has strong malware removal skills. He is writing for numerous tech-related publications sharing his security experience.