By Vibin Shaju, Presales Director – EMEA, Trellix
The UAE is one of the world’s most connected countries. A staggering 99% of the 10-million-strong population has access to the Internet (where they spend an average of more than seven hours each day) and 99% are active on social media. The corporate world operates in this hyperconnected, and therefore exposed, ecosystem, managing and protecting customer data while trying to extract value from it. It is in the “protection” part of this activity that stakeholders are encountering challenges. The COVID lockdowns, for example, brought multi-domain environments and unvetted remote devices into the estate, and with them an unprecedented degree of IT-stack complexity.
Amid this digital malaise, CISOs, SecOps teams and SOCs struggle onward. One of their principal tasks is delivery of data-loss prevention (DLP), which covers not only the loss of data but also damage inflicted on it during the course of a breach. Managing the risks and threats that lead to such impacts requires being able to inspect data at any moment and establish its content and status. DLP tools work according to predetermined policies, automatically responding to detected activity that could cause a leak or unauthorized manipulation, whether the data is at rest, in use, or in transit.
But even formulating a strategy requires visibility. Just as every bodyguard needs to know a little something about their protectee, a DLP system must know the type, location, and sensitivity of the data it guards, along with a host of other attributes. The policies used to automate protection are built on this discovered information, and those policies underpin the organization’s security posture.
A granular platform is vital when security teams come to formulate their DLP strategy, and today that flexibility comes from the ability to integrate DLP into a rich ecosystem of tools covering endpoint security, network security, and SIEM. Such interlocking capabilities are characteristic of extended detection and response (XDR) solutions, which reach across networks, endpoints, communications, applications, and workloads, both on premises and in the cloud. XDR delivers a stream of intelligence that enhances visibility and lets security teams act on threats rather than merely react to them. DLP is an integral component of XDR environments, in which it plays five key roles.
DLP is a critical source of threat intelligence because its capture engine gathers information about sensitive data and makes the captured content searchable. One type of search is forensic investigation of files, emails, attachments, and headers to link data to users, which allows security teams to identify sensitive data that has been misdirected or viewed by an unauthorized individual. DLP content searches also enable rule tuning: a candidate rule is run against the captured corpus rather than against live traffic, and edited until the capture engine returns the right results, leaving live data analysis undisturbed. This replaces the traditional trial-and-error approach in which each rule adjustment had to be deployed live before its effect could be seen.
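The rule-tuning workflow described above, as an added example that is not part of the original article and not Trellix code: a first-draft payment-card rule and a tightened version are scored against a small corpus of constructed, labelled "captured" messages (no real customer data) before either would be deployed against live traffic. The Luhn check and digit-boundary lookarounds are the tuning steps this example assumes; real DLP engines expose equivalent validators under product-specific names.

```python
import re

# Constructed sample of captured content (text, contains_a_card_number).
# Card numbers are well-known test PANs, not real cards.
CAPTURED = [
    ("Please charge 4539 1488 0343 6467 for the renewal", True),
    ("Customer card on file: 4111-1111-1111-1111", True),
    ("Invoice 1234 5678 9012 3456 attached, due in 30 days", False),   # order number
    ("Tracking no. 9400110200881234567890 for the shipment", False),  # 22-digit tracking id
    ("Call me on 0501234567 when you land", False),                  # phone number
    ("Card ending 6467 only, full PAN redacted per policy", False),
]


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 checksum used by payment-card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Rule v1 (first draft): any 16 digits in groups of four.
RULE_V1 = re.compile(r"\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}")


def rule_v1(text: str) -> bool:
    return RULE_V1.search(text) is not None


# Rule v2 (tuned): the 16 digits must not be embedded in a longer digit run,
# and the candidate must pass the Luhn check.
RULE_V2 = re.compile(r"(?<!\d)(?:\d{4}[ -]?){3}\d{4}(?!\d)")


def rule_v2(text: str) -> bool:
    for m in RULE_V2.finditer(text):
        if luhn_valid(re.sub(r"[ -]", "", m.group())):
            return True
    return False


def evaluate(rule, corpus) -> dict:
    """Score a rule against labelled captured content; returns counts and precision/recall."""
    tp = fp = fn = 0
    for text, labelled_sensitive in corpus:
        hit = rule(text)
        if hit and labelled_sensitive:
            tp += 1
        elif hit:
            fp += 1
        elif labelled_sensitive:
            fn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "precision": precision, "recall": recall}


if __name__ == "__main__":
    for name, rule in (("v1", rule_v1), ("v2", rule_v2)):
        print(name, evaluate(rule, CAPTURED))
```

Run against the captured corpus, v1 flags the invoice number and the tracking number as card data (precision 0.5), while v2 keeps both true positives and drops both false positives; the rule can be promoted to the live policy only once the offline score is acceptable.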
DLP can trawl network file systems and databases to sift out sensitive files and data. Searchability is not restricted to text keywords; even image files can be subject to business rules. Once a sensitive file is found, the DLP component can take actions such as in-place encryption, relocation to a safe storage zone, or the assignment of a fingerprint derived from the file’s content. When a data leak occurs, comparing current fingerprints against the recorded baseline helps teams determine which files have been tampered with or moved.
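The fingerprint-and-compare step above, as an added example that is not part of the original article and not Trellix code. It uses SHA-256 content hashes as the fingerprint, keeps the file tree in memory as a constructed sample (so it runs offline), and classifies each difference between the baseline manifest and a later scan as modified, moved, added, or missing.

```python
import hashlib

# Constructed baseline file tree (path -> content); not real documents.
BASELINE_FILES = {
    "finance/payroll_2024.xlsx": b"employee,salary\nA,1000\n",
    "hr/contracts.docx": b"contract body",
    "legal/nda_template.docx": b"nda text",
    "finance/budget.xlsx": b"q1,q2\n",
}

# Constructed later scan: payroll edited, contracts copied to a share,
# budget gone, a new file added, nda untouched.
CURRENT_FILES = {
    "finance/payroll_2024.xlsx": b"employee,salary\nA,1000\nB,9999\n",
    "public/share/contracts.docx": b"contract body",
    "legal/nda_template.docx": b"nda text",
    "finance/notes.txt": b"new",
}


def fingerprint(content: bytes) -> str:
    """Content fingerprint: SHA-256 hex digest (assumed here; products use their own schemes)."""
    return hashlib.sha256(content).hexdigest()


def build_manifest(files: dict) -> dict:
    """Map each path to its content fingerprint."""
    return {path: fingerprint(data) for path, data in files.items()}


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Classify differences between two manifests by path and by fingerprint."""
    baseline_by_hash = {}
    for path, h in baseline.items():
        baseline_by_hash.setdefault(h, set()).add(path)

    modified, moved, added = [], [], []
    for path, h in current.items():
        if path in baseline:
            if baseline[path] != h:
                modified.append(path)            # same path, content changed
        elif h in baseline_by_hash:
            origin = sorted(baseline_by_hash[h])[0]
            moved.append((origin, path))         # same content, new location
        else:
            added.append(path)                   # unknown content, new path

    current_hashes = set(current.values())
    missing = [
        path for path, h in baseline.items()
        if path not in current and h not in current_hashes
    ]                                            # gone and not found elsewhere
    return {
        "modified": sorted(modified),
        "moved": sorted(moved),
        "added": sorted(added),
        "missing": sorted(missing),
    }


if __name__ == "__main__":
    report = compare_manifests(build_manifest(BASELINE_FILES), build_manifest(CURRENT_FILES))
    for kind, entries in report.items():
        print(f"{kind}: {entries}")
```

The "moved" category is the one a leak investigation cares about most: a file whose fingerprint reappears under a public share path has left its intended zone even though nothing about its content changed, and the hash match ties the copy back to its original location.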
With DLP, endpoint protection covers not only obvious devices such as laptops, desktops, and servers, but also connectable USB drives, USB-C devices, smartphones, and tablets. File and removable media protection (FRP) works in concert with endpoint DLP to prevent data compromise. For example, business rules can govern the types of device on which sensitive files may be opened or to which they may be copied, so that a stray USB stick poses less of a risk.
Regional organizations are subject to a rising number of local and international obligations regarding their collection, storage, management, protection, and use of data. DLP systems in XDR environments can perform automatic checks on databases to confirm they are configured correctly and have received all the necessary patches. The system can alert security personnel or IT administrators to any anomalies or risks, and patches can be applied without the need for database downtime. In addition, DLP database monitoring covers real-time transactions.
Because DLP can identify data compromise, it also informs threat hunters and gives them a head start in incident response (IR), especially when telemetry associated with data compromise is combined with other information about suspect user behavior. Response teams can not only track down active threats more easily but can learn from incidents and respond with increasing effectiveness to subsequent breaches.
The scale of the threat landscape is staggering. How long did it take you to read to this point? Compare that to the estimate that every 40 seconds, somewhere in the world, a cyberattack occurs. For the region’s security leaders, it is difficult to shake off the feeling that such an attack could happen to their organization tomorrow. Or indeed that it could be happening right now.
Strong DLP suites have your back and act as battle scouts for IR teams. The artificial intelligence, machine learning, automation, device monitoring, and database security of DLP unite to form some of the strongest available protections for today’s at-rest, in-use, or in-transit data. DLP is XDR’s aide de camp in the daily war against threat actors. It makes extended detection and response viable, and keeps data safe from unauthorized eyes.