Blocking that does not slow down business processes
05.04.2021

To protect a company from information leaks, it is no longer enough to control the movement of data outside the company. It is just as important to put internal information under control: configure access rights to confidential data so that only the employees in charge can change or delete files. Sergey Ozhegov, CEO of SearchInform, talks about data-at-rest protection systems, using FileAuditor as an example.

1.    Due to universal digitalization, the risks of information loss have increased to the extent that some believe it is impossible to build a fully protected infrastructure. Is it truly an issue?

To my way of thinking, such opinions are the result of illiteracy and a lack of qualifications. You could just as well say it is impossible to build a house in which the ceilings do not fall. In most cases, they still do not fall. It's a matter of control. It's the same with IT infrastructure. For example, in some financial institutions data breaches are a common occurrence, while some banks are practically leak-free. This points to different approaches to data security.
Of course, it is impossible to protect yourself 100%. There are force majeure situations in which information can leak. But normally, if there is proper control, attempts to leak data are stopped, and the culprits are identified.

2.    DLP systems are designed to prevent corporate data leaks. Are they enough for infrastructure protection?

A DLP system successfully prevents information leaks to the outside world. However, information is not always compromised as a result of getting out. A lot can happen inside. If a company's line manager gets access to information about all salaries, it is definitely not good, even though the information remains within the perimeter. The best approach is to "dose" the information, namely, to distribute rights and be aware of who has access and for what purposes.
Here, the right tool is a DCAP system (Data-Centric Audit and Protection): it keeps track of any operation on sensitive data and protects the files.

3.    DCAP is a relatively new term. What data protection functions should DCAP systems perform?

Simply put, DCAP is a file control system. SearchInform FileAuditor is our product of this class. The main purpose of a file control system is to find out where the documents are located and closely monitor those that contain confidential information. It also gives information on who created the file, who edited or deleted it, and who made copies.
Yes, you can restrict access to files on the server, but this will be only half a solution, since a user with access rights will move sensitive files from a confidential folder to a shared one just because it is more convenient to work on them with a colleague. However, since the folder is shared, all other employees of the company will see the confidential document… The file control system will track this case and raise an alert that a file with confidential information has appeared in the wrong place. FileAuditor will also see if some "smart guys" try to trick the system and leak the file by renaming it or changing the extension, for example, from DOC to XLS.

In March 2021, we also expanded FileAuditor's functionality: now it can block file access and file forwarding in any application based on privacy tags. The tags contain all the necessary information about users' access rights. For example, you prohibit the transfer of personal data through any channel, and the user will not be able to attach such a file to either an email or a messenger.

We have implemented this tag-based blocking in SearchInform DLP. It allows any operation to be stopped instantly, which distinguishes it from the standard "gap" blocking available, as of March 2021, in most other DLPs. It took us a decent amount of time to implement instant blocking in the system, because as a rule instant blocking hinders business processes, e.g. while analyzing whether to allow file forwarding or not. We implemented "fast blocking" via privacy tags, so the DLP system does not need to double-check the file contents; now the decision to block requires no computing power and is made instantly.
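The two answers above describe three behaviours of a DCAP system: tags are derived from file content rather than from the file name, so renaming a file or changing its extension does not shed the tag; a tagged file that turns up in a shared folder is reported; and a forwarding decision is taken from the tag alone, without re-reading the content. The following script, added here as an illustration and not FileAuditor's or SearchInform's code, models all three. The classification rules, folder prefixes, channel policy and sample files are constructed for the example.

```python
"""Toy DCAP-style file control: content-based privacy tags, a folder
policy, and tag-driven forwarding decisions.  Illustrative code only;
every rule and sample below is constructed, not taken from any product."""
import hashlib
import re
from dataclasses import dataclass, field

# Classification rules (constructed): a tag is assigned when the pattern
# matches the file content.  A real classifier would use dictionaries,
# document fingerprints, OCR and so on; two regexes suffice here.
TAG_RULES = {
    "confidential": re.compile(r"\bCONFIDENTIAL\b"),
    # constructed identifier pattern standing in for personal data
    "personal_data": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

# Folder policy (constructed): tagged files must not live under these paths.
SHARED_PREFIXES = ("/share/", "/public/")

# Channel policy (constructed): channels blocked for files carrying a tag.
BLOCKED_CHANNELS = {
    "personal_data": {"email", "messenger", "usb"},
    "confidential": {"messenger"},
}


@dataclass
class FileRecord:
    path: str
    content: bytes
    tags: set = field(default_factory=set)
    digest: str = ""


def classify(content: bytes) -> set:
    """Derive privacy tags from content only; the file name plays no part."""
    text = content.decode("utf-8", errors="ignore")
    return {tag for tag, rx in TAG_RULES.items() if rx.search(text)}


class TagStore:
    """Tags are keyed by a hash of the content, so a rename or an extension
    change keeps the tag, while an edit produces a new digest and triggers
    re-classification."""

    def __init__(self):
        self._by_digest = {}

    def tag(self, rec: FileRecord) -> set:
        rec.digest = hashlib.sha256(rec.content).hexdigest()
        if rec.digest not in self._by_digest:
            self._by_digest[rec.digest] = classify(rec.content)
        rec.tags = set(self._by_digest[rec.digest])
        return rec.tags


def audit_location(rec: FileRecord) -> list:
    """Report a tagged file that sits in a shared folder."""
    if rec.tags and rec.path.startswith(SHARED_PREFIXES):
        return [f"{rec.path}: tagged {sorted(rec.tags)} found in a shared folder"]
    return []


def decide_forward(rec: FileRecord, channel: str) -> bool:
    """Fast blocking: the decision reads only the tags, never the content.
    Returns True when forwarding over the channel is allowed."""
    return not any(channel in BLOCKED_CHANNELS.get(t, set()) for t in rec.tags)


def run_demo() -> dict:
    """Walk through the scenario from the interview with constructed files."""
    store = TagStore()
    salaries = FileRecord("/hr/salaries.doc", b"CONFIDENTIAL salary list 2021")
    store.tag(salaries)
    # Same bytes, new name and extension, moved to a shared folder.
    moved = FileRecord("/share/notes.xls", salaries.content)
    store.tag(moved)
    # The content is edited and the marker removed: tag is re-evaluated.
    edited = FileRecord("/hr/salaries.doc", b"salary list 2021, draft")
    store.tag(edited)
    customers = FileRecord("/crm/export.csv", b"id,ssn\n1,123-45-6789\n")
    store.tag(customers)
    return {
        "moved_tags": moved.tags,
        "moved_alerts": audit_location(moved),
        "edited_tags": edited.tags,
        "customers_email_allowed": decide_forward(customers, "email"),
        "salaries_email_allowed": decide_forward(salaries, "email"),
        "salaries_messenger_allowed": decide_forward(salaries, "messenger"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of keying the store by content hash is that the classifier runs once per distinct content; every later access or forwarding decision is a dictionary lookup, which is what makes the blocking "instant" in the sense the interview describes.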

4.    How should a company choose a DCAP system?

It is important to test a system. We give potential customers an opportunity to test FileAuditor on any number of computers. A customer shouldn't just take a vendor's word for it. A sales team should be politely listened to and then asked for a trial version. And the trial should cover not just 5-6 endpoints but all the computers a company houses.
We had a few funny stories during DLP testing. A client was testing the system on 100 computers whereas the company had 5000. Then they decided to purchase a competitor's solution because it was cheaper, sporting a price tag five times lower. Then deployment started: on 50 computers everything works great, but when it gets deployed on thousands, everything lags and fails. In 2-3 years those customers come back to purchase our product. That's why it is necessary to try a solution in the most extreme conditions and not just for the sake of trying. You will see a lot of interesting moments.
What moments? For example, the number of false positives. Of course, any vendor would say that false positives are close to zero for their product. Honestly speaking, it is not true. There will be at least 10% false positives. What matters is that this percentage shouldn't be higher than 10%, otherwise more information security officers and analysts will have to join your staff. You will see this during the trial period, which is free. Although it wasn't always like that.
The crucial point is how much hardware is needed for the system to run. The estimate should cover 3-4 years of operation to take the company's outlook into account. That's when it might turn out that the system with the more expensive license comes out 2-3 times cheaper.
It's the same with cars. If you drive a lot, a car which "eats" 5 liters per 100 km will be a more expedient choice than one which needs 15 liters, even though the first one may be more expensive.

5.    Do companies have cost-effective options today?

We have launched the SearchInform product as an MSSP solution. Our expert can be involved in the analysis, acting as an outsourced information security officer, since many companies (especially those with 50-200 computers) don't have one. The expert takes full responsibility: deploys the solution, monitors what happens with information, and creates reports for the customer. Instead of corporate hardware, a company can use our cloud, which isn't expensive either.
Outsourcing is better than a partial solution to a security problem. You shouldn't install the software on only some of the computers. You never know who will behave suspiciously.
That's why when a customer says their company is ready to purchase the product for 50 computers when they have 500 overall, we insist that they wait a little. It is better to opt for an MSSP solution but cover all 500 computers.

6.    Data protection systems in companies keep developing and improving, and new solutions are emerging. One day file audit systems will become regular, common instruments helping infosec officers with their tasks. What are the most innovative solutions that are yet to come?

The future is about integration and completeness. As FileAuditor supplements a DLP system, the integrated solution can incorporate new systems. For example, a database monitoring system which we released not so long ago, called Database Monitor. I think that in a few years DLP, DAM and DCAP systems will become standard for all companies.
I remember how 15 years ago customers were wondering whether to spend money on firewalls and antiviruses. The spread of Trojans and ransomware taught everyone never to neglect spending on such software.
There is one more observation worth mentioning here. When asked how long it takes for a monitoring system to pay off, every customer says that a DLP system, or a DLP system together with FileAuditor, pays off within 2-3 months, a year at most. In other words, top companies already understand what to expect from these systems, and that it's not a waste of money but an investment. That's why the psychology is changing, though so far only in companies with modern management.
 
