For years, Data Loss Prevention (DLP) has been the first line of defense against data leaving the organisation's four walls. DLP attempts to classify data, track data, and prevent it from leaving the organisation via unauthorised channels. Research shows that successful DLP implementations are very rare. Organisations continue to struggle with heavy DLP agents on the endpoint, the time-consuming data classification process, ongoing maintenance, and disconnects between data owners and DLP administrators. Even Gartner has transitioned its DLP Magic Quadrant to a Market Guide. So it begs the question... will DLP suffer the same fate as traditional anti-virus?
Traditional anti-virus stood watch and guarded endpoints dating all the way back to 1987. The anti-virus approach has always been to tag data with signatures, continuously scan systems for these signatures, and then attempt to quarantine the known bad files. In theory, this method sounds great, but malware has the ability to move and morph faster than anyone ever imagined. Once hackers realised how these popular tools operated, they would customise specific ways to avoid the existing tool sets. Finally, endpoint agents slowing down systems, conflicting with other tools and software, and the constant effort to keep agents and signatures up to date created significant operational challenges for organisations.
Now, think about your existing DLP technology. Sounding familiar? Are you seeing the parallel with traditional Anti-virus?
Data loss prevention tools have been around since the early 2000s. Typically, organisations have implemented these tools to adhere to regulatory compliance, monitor sensitive file movement, or prevent specific files from going out through specific egress points. Data loss prevention tools take the approach of classifying and tagging sensitive files, scanning for the movement of those files, and then attempting to prevent them from going places they shouldn't be going. A few major factors have seriously diminished the effectiveness of data loss prevention software. The primary challenge is the exponential growth of unstructured and semi-structured data within organisations, which makes it very hard for DLP to keep up with the constant creation and modification of sensitive data. This, in turn, places a heavy burden on data owners and those administrating the DLP technology to stay on the same page. It is almost inevitable that data growth will outpace the lines of communication within the organisation. Secondarily comes the people problem. It is no secret that people are the biggest challenge when it comes to implementing effective security control sets.
To quote a CISO at a global financial services company:
“I haven’t seen a data loss prevention tool my team can’t bypass in two seconds.”
It is extremely challenging for DLP software to prevent every outcome. Let's face it, technology isn't bulletproof, and a person who wants to maliciously bypass your existing DLP to steal data can probably do so with a simple Google search. Not all users have malicious intent; they may simply seek a way to bypass existing controls to make their life easier. For example, a user uploading information to a personal cloud storage account so he can work from home. People are unpredictable, and ensuring you have a rule for every action a person might take is hard work. Then finally comes the operational challenge with the DLP agent and administration. DLPs are notorious for being hard to deploy, having a heavy footprint on the endpoint, and requiring a never-ending tuning process. Due to these challenges, DLP success stories are very rare, deployments often don't get past the initial pilot phase, and the ongoing maintenance of the tools becomes a time sink for the DLP administrators.
So is DLP dying?
While DLP has its challenges in preventing data exfiltration, one of the best arguments for DLP software is that it does take care of part of the threat, and it also helps address regulatory compliance requirements.
"It only takes care of a fraction of the threat, but it does check the box"
-CISO, Financial Services organisation.
DLP can cover specific use cases, and it is true these tools can mitigate a portion of the threat. What you have to ask yourself is: are you trying to check a box, or are you trying to implement a data security governance strategy that stops data loss? Assuming it is the latter, we recommend organisations take a look at a holistic strategy that shifts from a rule-based prevention model to one that gives the security organisation an early warning system to decrease the time to detection, strong processes to quickly remediate incidents involving data loss, and flexible prevention controls that align with the business goals.
If you're ready for a new approach to traditional data loss prevention, take a look at how Proofpoint helps more than 1,600 customers detect insider threats, streamline the investigation process, and implement flexible prevention policies.