What kind of DLP system do you need in 2022?

08.11.2021


DLP vendors keep announcing new functionality, but it is far from always clear what business effect stands behind these developments and whether they deliver a qualitative leap in the speed and effectiveness of solving data loss prevention tasks, the number of which keeps growing.

In the race for attention, DLP vendors add new features, sometimes going beyond the boundaries of leakage protection and overcomplicating their products. What kind of solution could actually change the working life of information security specialists and make their contribution more relevant to modern business processes?

DLP should significantly reduce the time it takes to handle incidents

The quality of the analysis technologies determines how much labor incident processing requires. If the system cannot be tuned to produce few false positives without weakening protection, a flood of false positives is inevitable, and every one of them must either be processed manually or ignored.

Just as SIEM has been called the graveyard of security logs, DLP may soon be called the graveyard of violated policies.


SearchInform DLP allows a specialist to reconfigure the preset policies and tailor them to any company’s needs, so false positives can be minimised.


Hence, the first obvious task is not to miss what matters. Surprisingly, many DLP systems still do not cope with it, because they have to inspect many data formats: text, several types of graphics, and so on.

Many years of observing the development of data protection methods show that few vendors know how to protect graphics. Each type of graphic has its own recognition technology, and too many modern DLP systems fail to provide them.

For example, there are confidential photographs (photographs related to research, technological development or medicine), site development maps, premises layouts, geo-prospecting maps, drawings, circuitry, etc. The most that many DLP systems can do is detect the file format and report to the security officer: "This is an AutoCAD document." What is needed is to look inside the file and work out what exactly the image contains.

Only this way, at the crucial moment, can we tell whether a photo from a corporate party or a photo of an important drawing was sent via an instant messenger. One cannot claim to protect confidential data while skipping high-quality recognition of graphic information.


SearchInform’s solution stands out thanks to its comprehensive set of search types: search by words, regular expressions, phrases, attributes, digital fingerprints, dictionaries, statistical queries and unique proprietary ones: complex queries and similar content search. The proprietary Similar Content Search algorithm identifies confidential documents even after they have been edited, so the search results include documents that match the query semantically rather than only technically. The solution detects not only the type of an image but also its content, identifying passports, credit cards and driving licences thanks to the integrated OCR system. Moreover, the software lets a security specialist receive text converted from audio recordings and automatically checks whether that text complies with the security policies.


The difference in the effectiveness of graphics protection technologies is obvious on real customer cases. Take, for example, a construction company that publishes part of its drawings publicly on the Internet along with the official bidding documents. Other parts of the drawings remain confidential, for example plans for the development of the territory. Confidential and non-confidential drawings are visually similar, so protection based on detecting only the file format will never stop a leak of confidential drawings. Here the graphics themselves have to be analysed for their content.

The second clear task is not to overload the information security manager with unnecessary actions. Take personal data: using the system without advanced content analysis technologies obviously overburdens the information security department.

Imagine two messages containing personal data in your messenger. One contains the full name, phone number and address of a client of the company, taken from your business system. The other contains the same kind of data, but the situation is different: someone has, in a friendly way, recommended a specialist in a related field and shared his contact details.

If you try to detect such leaks with regular expressions alone, both messages qualify as violations. Moreover, every e-mail with a signature block will be treated as an incident. It is a different story when your DLP is integrated with the business systems in which each piece of data has real value.
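The contrast described above, as an added example that is not part of the original article and not SearchInform’s code: a format-only regular expression rule flags every phone-plus-address pair, while a lookup against the business system (a constructed, hypothetical CRM table here; a real deployment would match hashed values, not plaintext) flags only data that actually belongs to a client record. The messages and client records are constructed for the example.

```python
import re

# Constructed sample messages (hypothetical, not from any real system).
MESSAGES = {
    "msg1": "Please call our client Anna Petrova, +1-555-0142, 12 Elm St, about the invoice.",
    "msg2": "If you need a good dentist, try Ivan Sokolov, +1-555-0199, 7 Oak Ave. Friendly guy.",
    # An ordinary signed e-mail: the sender's own contact details in the signature block.
    "msg3": "Attached is the agenda.\n\nBest regards,\nPavel Novak, +1-555-0100, 5 Pine Rd",
}

# Constructed stand-in for the customer table of a CRM/business system (hypothetical).
CRM_CLIENTS = [
    {"name": "Anna Petrova", "phone": "+1-555-0142", "address": "12 Elm St"},
    {"name": "Boris Ivanov", "phone": "+1-555-0177", "address": "3 Pine Rd"},
]

PHONE_RE = re.compile(r"\+?\d{1,3}[-\s]?\d{3}[-\s]?\d{4}")
ADDRESS_RE = re.compile(r"\b\d{1,4}\s+[A-Z][a-z]+\s+(?:St|Ave|Rd)\b")


def regex_only(msg):
    """Format-based rule: a phone number next to an address is a violation."""
    return bool(PHONE_RE.search(msg) and ADDRESS_RE.search(msg))


def normalize_phone(phone):
    """Strip separators so +1-555-0142 and 1 555 0142 compare equal."""
    return re.sub(r"\D", "", phone)


def exact_data_match(msg, clients=CRM_CLIENTS):
    """Context-aware rule: flag only data that belongs to a real client record.
    A phone number must match a client's number AND that client's name must be present."""
    phones = {normalize_phone(p) for p in PHONE_RE.findall(msg)}
    return any(normalize_phone(c["phone"]) in phones and c["name"] in msg for c in clients)


def classify(messages=MESSAGES):
    """Run both rules over every message and return the verdicts side by side."""
    return {mid: {"regex": regex_only(m), "edm": exact_data_match(m)}
            for mid, m in messages.items()}


if __name__ == "__main__":
    for mid, verdict in classify().items():
        print(mid, verdict)
```

The regex rule raises three incidents, the exact-data rule one: the friendly recommendation and the signature block are left alone because their values are not in the client table.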

So we have reduced several-fold the number of incidents that need a response. But there are also events, or series of events, where it is not at all obvious that an incident is brewing.

This is where the ability to predict security risks with machine learning comes in handy. You need a predictive analytics module that provides these features, recognises links between disparate events and warns the security service before a real threat materialises.


SearchInform DLP emphasises its investigation toolset as its key advantage over blocking, which many other solutions rely on most. Blocking can be configured for the chosen data transfer channels in SearchInform DLP, but the solution focuses on prevention rather than restriction and offers a sophisticated approach to a possible incident. Both ongoing and retrospective investigation are supported. A security specialist can treat a number of alerts as one incident when a chain of events is represented by interdependent activities marked as suspicious or dangerous. A violation always has a source, an asset and a channel. Quite often it also has a reason, an accomplice, a witness and preconditions, so-called red flags. A combination of these facts attracts a specialist’s attention as a priority matter.

For instance, an employee sends a document to his private mailbox. It may simply be work taken home. But what if this employee has been voicing discontent with top management or his tasks, was reluctant to do much work during working hours yet stayed extra hours alone at his workplace, and attempted to copy the customer base to a flash drive? Such a chain of events is processed as activity requiring proper monitoring.
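The chain-of-events idea in the two paragraphs above, as an added example that is not part of the original article and not SearchInform’s prediction module: each red flag carries a weight, flags for one user are combined inside a sliding time window, and only the combination crosses the incident threshold, so the lone "document to private mailbox" stays a low-priority event while the full chain is escalated. The event stream, weights, threshold and window are constructed and hypothetical; in practice they are the knobs the security officer tunes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event stream (hypothetical; not real DLP telemetry).
EVENTS = [
    {"ts": "2021-11-01T09:10:00", "user": "jdoe", "type": "mail_external",
     "detail": "sent report.docx to jdoe.personal@example.net"},
    {"ts": "2021-11-02T21:40:00", "user": "jdoe", "type": "after_hours_presence",
     "detail": "badge-in 21:40, alone on the floor"},
    {"ts": "2021-11-03T10:05:00", "user": "jdoe", "type": "chat_sentiment",
     "detail": "negative remarks about management"},
    {"ts": "2021-11-04T17:55:00", "user": "jdoe", "type": "usb_copy_blocked",
     "detail": "customers.csv (customer base) -> removable drive"},
    {"ts": "2021-11-01T12:00:00", "user": "asmith", "type": "mail_external",
     "detail": "sent draft.docx to asmith@example.net"},
]

# Weights per red flag; a single flag deliberately stays below the threshold.
WEIGHTS = {
    "mail_external": 2,
    "after_hours_presence": 1,
    "chat_sentiment": 1,
    "usb_copy_blocked": 3,
}
THRESHOLD = 5
WINDOW = timedelta(days=7)


def score_chains(events, weights=WEIGHTS, threshold=THRESHOLD, window=WINDOW):
    """Group events per user, slide a time window over them, and report the
    best-scoring set of distinct red flags; a user is an incident when the
    combined weight of the flags inside one window reaches the threshold."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["type"]))

    results = {}
    for user, evs in by_user.items():
        evs.sort()
        best_score, best_flags = 0, []
        for i, (t0, _) in enumerate(evs):
            flags = {}
            for t, kind in evs[i:]:
                if t - t0 > window:
                    break
                flags[kind] = weights.get(kind, 0)  # distinct flags only, no double counting
            total = sum(flags.values())
            if total > best_score:
                best_score, best_flags = total, sorted(flags)
        results[user] = {"score": best_score, "flags": best_flags,
                         "incident": best_score >= threshold}
    return results


if __name__ == "__main__":
    for user, verdict in score_chains(EVENTS).items():
        print(user, verdict)
```

Counting each flag type once per window keeps a chatty sensor (say, ten after-hours badge-ins) from inflating the score on its own; only a combination of different red flags gets a user escalated.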

Frequent alerts can also influence the company’s internal regulations. Security policies are easy to tweak and re-edit in the solution, allowing a company to pay attention to new triggers and prevent similar activity from happening again.


That is why, in order not to overload the security officer and to help prioritise events, the DLP system must tell the information security specialist what deserves attention. For example, using the same prediction module, you can automate alerts about abnormal behaviour and even about a chain of events. The security officer only has to configure what he wants to see and how often he wants to receive alerts.

Data analysis should be convenient

Detecting an incident with a minimum of resources is only the first stage at which a DLP system should prove its effectiveness. The main labor costs come at the investigation stage. You need to dig through massive heaps of data, work out the direction and restore the picture of what happened bit by bit. Visual analytics tools help an information security specialist respond faster.

Can the security officer see the route of a confidential document and investigate the leak in five minutes? Most likely not. But if he applies a DLP visual data analytics tool and builds a graph of data circulation, he will immediately see directions for further investigation: who created the document, where he sent it, by what means, and when the document left the company perimeter.


This is fully automated in the SearchInform solution. The system works out of the box and can be launched straight after deployment. It provides dozens of report templates, which can be generated and even sent to a specialist’s or business owner’s e-mail on request.

The system offers relational graphs showing corporate communication between users, content routing reports showing where a document or other data goes, user productivity reports, and software and hardware reports that reveal issues with software and hardware inventory or use. The process is automated and the reports are graphical; no additional effort from a specialist is required.


That routine should also work despite the various nuances arising over a document’s lifespan. For example, Contract_112 and Contract_112_Edits may refer to the same document, the title of which is supplemented with comments and notes during its circulation. Factors of this kind should not hinder your search, and they will not if the DLP system recognises files by content rather than by name.
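Content-based recognition of an edited document, as described here and in the Similar Content Search passage earlier, as an added example that is not part of the original article and is not SearchInform’s proprietary algorithm: the classical baseline of word-trigram shingling with Jaccard similarity. A contract and its edited copy (both constructed and hypothetical, as is the unrelated party invitation) score well above threshold on content alone, which is exactly what a file-name comparison of Contract_112 against Contract_112_Edits would miss.

```python
import re


def shingles(text, k=3):
    """Set of word k-gram shingles over lower-cased alphanumeric tokens."""
    words = re.findall(r"\w+", text.lower())
    return {" ".join(words[i:i + k]) for i in range(max(len(words) - k + 1, 1))}


def jaccard(a, b):
    """|A ∩ B| / |A ∪ B|; two empty sets count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def similarity(doc_a, doc_b, k=3):
    return jaccard(shingles(doc_a, k), shingles(doc_b, k))


# Constructed documents (hypothetical content).
CONTRACT_112 = """Service Agreement No. 112 between Acme Corp and Beta LLC.
Beta LLC shall deliver the drilling survey for the northern site by 30 June.
Total fee: 250000 USD payable in two installments. Confidential."""

CONTRACT_112_EDITS = """Service Agreement No. 112 between Acme Corp and Beta LLC.
Beta LLC shall deliver the drilling survey for the northern site by 15 July (date moved per client request).
Total fee: 250000 USD payable in three installments. Confidential. Reviewed by legal."""

PARTY_INVITE = """Team party this Friday at 7 pm at the Oak Room. Bring your plus one!
Dress code: casual. RSVP to Kate by Wednesday."""

CANDIDATES = {
    "Contract_112_Edits": CONTRACT_112_EDITS,
    "party_invite.txt": PARTY_INVITE,
}


def find_similar(protected, candidates, threshold=0.5):
    """Return the candidates whose content is a near-duplicate of the protected document."""
    ref = shingles(protected)
    hits = {}
    for name, text in candidates.items():
        sim = jaccard(ref, shingles(text))
        if sim >= threshold:
            hits[name] = round(sim, 2)
    return hits


if __name__ == "__main__":
    print(find_similar(CONTRACT_112, CANDIDATES))
```

Shingling survives edits because most trigrams of the original remain intact; the threshold trades recall for noise, and a production system would store the protected documents as hashed shingle sets (digital fingerprints) rather than keep the plaintext in the matching engine.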

DLP must be relevant

Any company is a living organism, and its processes change constantly. Business leaders usually do not coordinate their actions with the information security department. They do not announce changes and rarely bring the security team templates of new documents that need protection. How to keep up with the speed of change?

The connections graph visually highlights what often stays outside the security officer’s field of view: for example, communication with one addressee through two parallel channels (personal and corporate e-mail), communication with former employees, sending data to one’s own personal address, and other actions that pose a potential danger and may lead to malware attacks and data breaches. Again, this can be seen with visualization tools.
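The graph analyses described here and in the data circulation passage above, as an added example that is not part of the original article and not SearchInform’s reporting engine: from a transfer log (constructed and hypothetical, as are the user and channel names) it reconstructs a document’s route and the hop at which it left the perimeter, lists sender/addressee pairs reached over both a corporate and a non-corporate channel, and lists contacts with accounts of former employees.

```python
from collections import defaultdict

# Constructed transfer log (hypothetical): who moved which document to whom, over which channel.
TRANSFERS = [
    {"ts": "2021-11-01T09:00", "doc": "plan_north.dwg", "src": "mbrown",
     "dst": "jdoe", "channel": "corp_mail"},
    {"ts": "2021-11-01T11:30", "doc": "plan_north.dwg", "src": "jdoe",
     "dst": "jdoe.home@example.net", "channel": "personal_mail"},
    {"ts": "2021-11-02T08:15", "doc": "plan_north.dwg", "src": "jdoe",
     "dst": "partner@contractor.example", "channel": "messenger"},
    {"ts": "2021-11-02T10:00", "doc": "q3_forecast.xlsx", "src": "asmith",
     "dst": "partner@contractor.example", "channel": "corp_mail"},
    {"ts": "2021-11-03T10:00", "doc": "q3_forecast.xlsx", "src": "asmith",
     "dst": "partner@contractor.example", "channel": "personal_mail"},
    {"ts": "2021-11-03T12:00", "doc": "memo.txt", "src": "asmith",
     "dst": "rwhite", "channel": "corp_mail"},
]

INTERNAL_USERS = {"mbrown", "jdoe", "asmith"}   # current staff (hypothetical)
FORMER_EMPLOYEES = {"rwhite"}                   # accounts of people who have left (hypothetical)
EXTERNAL_CHANNELS = {"personal_mail", "messenger"}


def document_route(transfers, doc):
    """Ordered hops of one document plus the first hop whose recipient is
    outside the organisation, i.e. the moment the file left the perimeter."""
    hops = sorted((t for t in transfers if t["doc"] == doc), key=lambda t: t["ts"])
    route = [(t["src"], t["dst"], t["channel"]) for t in hops]
    inside = INTERNAL_USERS | FORMER_EMPLOYEES
    exit_hop = next((t for t in hops if t["dst"] not in inside), None)
    return route, exit_hop


def parallel_channel_contacts(transfers):
    """Sender/addressee pairs that talk over a corporate channel and, in
    parallel, over a personal or messenger channel."""
    channels = defaultdict(set)
    for t in transfers:
        channels[(t["src"], t["dst"])].add(t["channel"])
    return sorted(pair for pair, chs in channels.items()
                  if "corp_mail" in chs and chs & EXTERNAL_CHANNELS)


def former_employee_contacts(transfers):
    """Sender/addressee pairs where the addressee is a former employee's account."""
    return sorted({(t["src"], t["dst"]) for t in transfers if t["dst"] in FORMER_EMPLOYEES})


if __name__ == "__main__":
    route, exit_hop = document_route(TRANSFERS, "plan_north.dwg")
    for hop in route:
        print(" -> ".join(hop[:2]), "via", hop[2])
    print("left perimeter:", exit_hop)
    print("parallel channels:", parallel_channel_contacts(TRANSFERS))
    print("former employees:", former_employee_contacts(TRANSFERS))
```

The same edge list feeds a visual graph; the three functions are the questions an investigator asks of that graph, answered without clicking through every node.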

Another example is when you need to quickly configure a protection policy for new types of documents appearing in the company. Ideally this would happen automatically. Some DLP systems provide such capabilities based on AI technology.

The next logical step is to learn in good time about the emergence of new document types in the company. Whoever does it first will prove to the market and to customers that he really understands the pain of security professionals working with DLP systems and can think several steps ahead from the customer’s point of view. In any case, content search, file auditing and data classification significantly increase a specialist’s awareness.

David Balaban is a computer security researcher with over 18 years of experience in malware analysis and antivirus software evaluation. David runs MacSecurity.net and Privacy-PC.com projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.


Tags: DLP, Investigation, Human factor