In the 3,950 breaches studied in the 2020 Verizon Data Breach Investigations Report (DBIR), 58% involved personal data[1]. Organized criminal groups were behind 55% of the breaches, and 30% of the breaches involved internal actors.
Data Loss Prevention (DLP), also known as Data Leak Prevention, encompasses technologies, solutions, techniques and policies focused on detecting and preventing the loss, leakage or misuse of data. Organizations can use DLP solutions to classify business information and ensure compliance with industry regulations such as HIPAA, PCI, or ISO 27001.
Loss, Leakage, and Misuse
There are three common categories of data loss: data exfiltration, insider threats, and negligence.
Data exfiltration – This type of loss occurs when a malicious actor gains physical or remote access to systems containing an organization’s data. This data may include user credentials, personally identifiable information (PII), proprietary information, intellectual property, or cryptographic keys.
Insider threats – This type of loss is caused by an internal actor (employee or contractor) who willfully steals, damages, or exposes data. These actions are often motivated by grievances or profit.
Negligence – These losses are caused by unintentional or negligent actions. This includes sensitive data lost in public, information inadvertently left unprotected and accessible from the Internet, weak passwords used for data or system access, and email misdelivery incidents[2].
How Does Data Loss Prevention work?
Data Loss Prevention categorizes data into three vectors: Data In Use, Data At Rest, and Data In Motion.
Data In Use – Data In Use, as its name implies, is data that users are interacting with. DLP solutions monitor and flag unauthorized activities that may intentionally or unintentionally occur, including screen capture, copy/paste actions, print, fax, or other forms of transmission. Advanced DLP systems are capable of detecting abnormal or suspicious user behavior by malicious actors or insider threats. Typically this monitoring happens at endpoints, such as user workstations or mobile devices.
Data At Rest – Data At Rest refers to data that is not moving, such as files stored on a drive, network share, or database, that is not being interacted with. This data can be protected by a variety of methods, such as access control, data encryption, and data retention policies.
Data In Motion – Data In Motion is data that is being transmitted via internal or external networks. DLP solutions analyze network traffic for sensitive data, and alert on and block unauthorized access. These systems can also mitigate ransomware attacks by detecting unusual file access patterns.
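The content inspection a Data In Motion sensor performs can be illustrated with a small rule set. This is an added example, not code from the article or from any DLP product: it detects payment card numbers (validated with the Luhn checksum so invoice numbers are not flagged) and US SSNs in an outbound message, then blocks external delivery or alerts on internal delivery. The internal domain and all sample values are constructed test data.

```python
import re

# Constructed assumption: the organization's own mail domain.
INTERNAL_DOMAIN = "example.com"

# Candidate payment card numbers: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in AAA-GG-SSSS form, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out order/invoice numbers that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(body: str) -> dict:
    """Return the sensitive-data categories found in a message body."""
    pans = [m.group() for m in PAN_RE.finditer(body)
            if luhn_ok(re.sub(r"[ -]", "", m.group()))]
    ssns = SSN_RE.findall(body)
    return {"pci": pans, "pii": ssns}


def decide(recipient: str, body: str) -> tuple:
    """Policy: sensitive data leaving the organization is blocked, sensitive data
    moving between internal users is allowed but raises an alert, clean mail passes."""
    findings = classify(body)
    if not any(findings.values()):
        return "allow", findings
    external = recipient.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN
    return ("block" if external else "alert"), findings


if __name__ == "__main__":
    # Constructed sample messages as a network sensor might see them.
    print(decide("partner@vendor.test", "Card 4111 1111 1111 1111 exp 12/27"))
    print(decide("partner@vendor.test", "Invoice 1234 5678 9012 3456 attached"))
    print(decide("hr@example.com", "Onboarding: SSN 123-45-6789"))
```

Real products layer keyword dictionaries, document fingerprinting and user-behaviour analytics on top of pattern matching like this; the structure (detect, classify, apply a channel-aware policy) is the same.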
Data Loss Prevention Best Practices
Prioritize and Classify Data – Decide what data is the most sensitive, or the most valuable to a malicious actor or insider threat. Compliance with industry standards or legal regulations, such as CCPA, GDPR, HIPAA, or PCI DSS, should also be taken into consideration.
Understand the risk factors for your data – Is your data frequently stored on removable storage or portable devices? Is it transmitted via email, shared with vendors, or accessible remotely via the Internet? Understanding these factors is an important part of designing your DLP solution, and providing guidance for your organization’s Data Loss Prevention policies.
Monitor sensitive data in motion – An effective DLP solution should give insight into how and where your sensitive data is being transmitted, and if it is at risk.
Implement access controls – A DLP solution should limit sensitive data access to authorized users only, and block suspicious, abnormal, or risky activity.
Ongoing security training – Employees and contractors should receive training on how to adhere to your organization’s DLP policies and reduce the risk of data loss.
Evaluate and adapt – New capabilities may be added over time to improve your DLP solution. These features should be evaluated to see if they increase the effectiveness of your implementation. Your solution should also be adapted to emerging cybersecurity threats or workflow changes in your organization.
Periodic testing – Your DLP solution should be tested on a regular basis to ensure that it is working as intended against internal and external threats.
Designing, implementing, and maintaining an effective DLP solution is an important part of a comprehensive security strategy. Contact us today to learn how we can build a solution suited to your organization’s needs.
References
[1] NIST Special Publication 800-122 defines PII as “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual‘s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.” – https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf
[2] Emails with sensitive content or attachments, sent to the wrong recipient or recipients.