What Is a DLP Solution and How Does It Add to Your Company’s Cybersecurity
How to Choose the Best DLP Solution. DLP Tips, Tricks, Hacks, and Advice.
Whenever a company, whether a small family business or a large corporation, formulates a risk mitigation plan, DLP comes up. Data Loss Prevention – often used interchangeably with data leak prevention – is the extra (and in practice mandatory) item on your business continuity plan that you will want to look into for any number of reasons, not least of which is compliance. In today’s article, I’m going to talk about DLP solutions: what is a DLP solution? Are there limitations to using DLP? Should you deploy DLP if you run a ‘one-man show’? Got any more questions? Great! Write them down in the comments section and I’ll be more than happy to answer them. In the meantime, let’s have this chat about DLP solutions.
What exactly is a DLP solution?
DLP, which stands for Data Loss Prevention, is a set of tools and processes that detects and prevents potential data leaks and data exfiltration through continuous monitoring and company-defined security policies. A DLP solution can operate at different levels.
For instance, even though most DLPs are deployed at the network level – the channel through which most exfiltration happens – there are DLP-style solutions that cover removable storage devices and, of course, endpoints. Regardless of the scope or, better said, the devices it serves, a DLP solution needs to fulfill four basic functions: monitoring, filtering, reporting, and analysis. Monitoring means inspecting data sources regardless of location, availability, and classification. A DLP solution’s effectiveness is measured by its ability to police data, and that applies to data-in-transit, data-at-rest, and data-in-use (what is being copied, printed, or pasted on an endpoint).
Filtering is used to ‘sift through’ the data with the purpose of identifying sensitive content (card numbers, identifiers, classified documents), anomalous patterns, or unauthorized access attempts. Reporting – who needs reporting when you have monitoring and filtering? Well, without this bit you would be unable to produce audits, log events, or come up with an actionable, scenario-based incident response plan. One caveat: the report must describe the violation without reproducing the sensitive content itself, otherwise the DLP log becomes a leak of its own.
This brings us to the last component – analysis. So, you’ve got all these reports, red flags, and alerts. What are you going to do with them? Have them analyzed by your SOC team, of course: the data gathered by a DLP solution provides the forensic context your team needs to understand exactly what happened during a given event and how future occurrences can be prevented. DLP-delivered data is useless on its own; the assessments, predictions, and observations have to be fed into a workflow ‘machine’, which is what DLP Ops is.
As the name suggests, DLP Ops describes how a DLP solution operates within a company. I will tackle the more technical aspects of DLP in a separate article. Suffice it to say that DLP Ops covers three fields: triage (deciding whether a finding is a real violation and how severe it is), reporting, and escalating (handing high-severity findings to the people who can act on them). Here’s an example of what the DLP Ops workflow should look like.
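To make the four functions and the triage/escalation step concrete, here is a small content-aware policy engine written for this article as an added example; it is not code from the page, from any of the products discussed below, or from Heimdal™. It takes one outbound message (the monitoring input), filters it against three illustrative rules (a payment-card pattern validated with the Luhn checksum to cut false positives, a US SSN pattern, and an internal classification marker), produces a finding record with the matched value redacted, and then triages the findings into an allow/alert/block verdict with an escalation flag. The rule names, thresholds, and the sample message are all constructed for the example; a real deployment would load its policies from the vendor’s console rather than hard-code them.

```python
"""Minimal content-aware DLP policy engine (added example, not a product's code).

monitor  -> inspect() receives the content of one outbound message
filter   -> each Rule's regex (plus optional validator) finds sensitive content
report   -> a Finding records rule, severity, action and a *redacted* sample
analysis -> triage() turns findings into a verdict and an escalation flag
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Rule:
    name: str
    pattern: "re.Pattern[str]"
    severity: int                                   # 1 = low, 3 = high (hypothetical scale)
    action: str                                     # "block" or "alert"
    validator: Optional[Callable[[str], bool]] = None  # extra check to reduce false positives


def luhn_ok(candidate: str) -> bool:
    """Return True if the digits in `candidate` form a valid Luhn checksum (13-19 digits)."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:              # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Illustrative policy set; patterns are deliberately simple.
RULES: List[Rule] = [
    Rule("payment-card", re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), 3, "block", luhn_ok),
    Rule("us-ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), 3, "block"),
    Rule("internal-marker", re.compile(r"\bCONFIDENTIAL\b"), 2, "alert"),
]


def redact(value: str) -> str:
    """Keep only the first and last two characters so the report itself leaks nothing useful."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


@dataclass
class Finding:
    rule: str
    severity: int
    action: str
    sample: str   # redacted match, safe to write to a log


def inspect(text: str, rules: List[Rule] = RULES) -> List[Finding]:
    """Filter step: run every rule over the text, dropping matches the validator rejects."""
    findings: List[Finding] = []
    for rule in rules:
        for match in rule.pattern.finditer(text):
            value = match.group(0)
            if rule.validator is not None and not rule.validator(value):
                continue                      # e.g. a 16-digit order number that fails Luhn
            findings.append(Finding(rule.name, rule.severity, rule.action, redact(value)))
    return findings


def triage(findings: List[Finding]) -> dict:
    """Analysis step: the strictest action wins; severity 3 is escalated to the SOC."""
    if not findings:
        return {"verdict": "allow", "escalate": False, "findings": []}
    verdict = "block" if any(f.action == "block" for f in findings) else "alert"
    escalate = max(f.severity for f in findings) >= 3
    return {"verdict": verdict, "escalate": escalate, "findings": findings}


if __name__ == "__main__":
    # Constructed sample message; the card number is the well-known 4111... test value.
    outbound = "Please charge card 4111 1111 1111 1111, SSN 123-45-6789. CONFIDENTIAL draft attached."
    result = triage(inspect(outbound))
    print(result["verdict"], "escalate:", result["escalate"])
    for f in result["findings"]:
        print(f" - {f.rule} (sev {f.severity}, {f.action}) sample={f.sample}")
```

Two design choices worth copying even if you never write your own engine: the validator hook is what keeps the card rule from blocking every long invoice number (a 16-digit string that fails the Luhn check is ignored), and the finding stores only a redacted sample, so the reporting layer never becomes a second copy of the data you were trying to protect.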
Open-Source and Paid DLP Solutions
Need a hand in picking out a good DLP solution for your business? Then check out this list of open-source and paid Data Loss Prevention solutions. Enjoy!
I’ll kick off this list with an open-source solution. MyDLP is a free-to-use Data Loss Prevention solution that offers data-inspection features for IM, file transfer, web, mail, printers, and removable storage devices. Written in Erlang, Java, C++, C#, and Adobe Flex, MyDLP, which was later acquired by Comodo, has plenty of useful features. Its source code is available on GitHub, and MyDLP can help you:
- Administer and enforce Data Loss Prevention policies.
- Collect and display all event logs in a single dashboard.
- Create, reshape, and manage different roles.
- Integrate with Microsoft Exchange.
- Blacklist emails that contain BCC addresses outside the company.
- Deploy or update new policies via Microsoft AD or SCCM.
- Filter and block data flow carrying sensitive information.
MyDLP is a pretty good place to start if you’re new to Data Loss Prevention. Keep in mind that MyDLP also has a paid tier that unlocks more features. Generally, Comodo’s solution is intuitive and user-friendly. However, many users report that the tool falls short when it comes to in-depth suspicious-behavior analysis. That is understandable, considering that MyDLP is many things, but not a forensics tool.
The Data Loss Prevention tool offered by SecureTrust comes with a predefined set of risk and policy settings covering a broad range of known violations and suspicious behaviors. Not free of charge, mind you, but a 30-day free trial is available. SecureTrust also lets users set their own ground rules: you can create new policies based on existing ones, redefine violations, add more suspicious-behavior patterns, and more. What sets SecureTrust apart from its competitors is the product’s emphasis on analysis.
This DLP solution covers everything from email attachments, web attachments, and internally shared documents to sudden changes in access governance policies, and more. Another useful feature offered by SecureTrust is automatic blocking on violation detection: whenever the solution detects an attachment or file that could violate a predefined or company-defined policy, the software blocks it. Simple and effective, though you will want to tune the policies first, since an over-broad rule blocks legitimate business traffic just as readily.
CoSoSys’ Endpoint Protector
Despite its rather off-putting name, Endpoint Protector by CoSoSys is a Data Loss Prevention solution designed to identify policy violations and protect customer and employee information and, of course, intellectual property. Unfortunately, EP is not free of charge, but the 30-day free trial option is always on the table. On the features side, Endpoint Protector offers what it calls content-aware protection, which is essentially a real-time scanner for data in transit.
EP’s content inspection can look at everything from clipboard contents, removable media, screen captures, Outlook content, and Skype conversations to Dropbox files, and cross-checks that content against predefined or user-defined security policies in order to detect suspicious behavior or potential policy violations. Listed in Gartner’s DLP Magic Quadrant, EP is a solid choice if you’re looking for a powerful DLP solution with a set-and-forget interface.
“They come at night with policies and data protection” or “for the night’s dark and my network is protected against APTs and data loss”. Regardless of what you like the call it, Nightfall looks (and feels) like a very promising DLP solution.
Cloud-native by choice and design, Nightfall does a neat job of securing IaaS and SaaS platforms, considerably reducing the chances of cloud data leakage. According to the product’s website, its 100+ pre-tuned security policies make Nightfall a competitor few could topple. These policies cover standard PII, finance, IDs, crypto, network, health, and much more.
The last item on our list is Orchestrate, Commvault’s answer to Data Loss Prevention, secure backup, containerization, data management, and more. The reason Orchestrate is last has to do with how it operates. This is a pro’s tool: web-based interface only, and lots of testing and optimization. Orchestrate does support data management and recovery automation, but there is a lot of scripting involved, so it is not a popular choice among sysadmins looking for a set-and-forget DLP solution.
Moving beyond DLP software
Data Loss Prevention should be construed as an addition to your cybersecurity stack and not something capable of replacing one or more of the components that make up your cyber-defense grid. For instance, a DLP solution relies on the firewall’s rule set to determine whether inbound or outbound connection requests violate internal security policies or originate from potentially malicious sources. DLP touches on every aspect of cybersecurity: insider threat mitigation, forensics, data recovery, incident response, remediation, and so on.
Now, before choosing the right DLP solution for your company, make sure that you create the proper security context: what is and is not acceptable in terms of email security, data classification, role-based access governance, endpoint-level security, MDM, perimeter security, AP (access point) security, and so on. A DLP policy can only enforce a classification that already exists.
Since we’re on the topic of building the framework that will support your DLP solution, allow me to make a couple of recommendations on behalf of Heimdal™.
With Heimdal™’s Privileged Access Management and standalone Application Control, you can curate rights within your organization, allow- or block-list applications on session elevation, and automatically de-escalate rights on threat detection.
Covering the email vector are Heimdal Security’s Email Security and Fraud Prevention – deep-attachment scanning, real-time protection against business email compromise, vendor email compromise, and altered VoIPs. For true endpoint protection, we recommend Heimdal’s Next-Gen Antivirus & MDM – lightweight, capable of tackling both known and unknown malware strains, and with a market-leading detection rate.
As promised, I will cover the more technical and fun aspects of DLP in a future article. For now, fine-tune your policy enforcement software, cover all your attack vectors, and stay safe. If you have any questions about DLP solutions, don’t forget to reach out via the comments section.