How Does Data Loss Prevention Work?

  • By Maddie Rosenthal
  • 02 June 2020

There’s been a 47% increase in data loss incidents over the last two years; this includes accidental data loss caused by negligent employees as well as deliberate data exfiltration by disgruntled employees or contractors.

While every incident of data loss or leakage may not result in a breach, many do, and the cost can be tremendous. That’s why today, data loss prevention (DLP) is one of the top spending priorities for IT leaders.

  • What is Data Loss Prevention (DLP)?

    Data loss prevention (DLP) is a strategy put in place to ensure data isn’t lost, misused, or accessed by unauthorized users, specifically those outside of an organization. Generally speaking, rather than proactively defending against incoming cyberattacks, DLP software minimizes the risk of confidential or business-critical data (like company IP, credit card details, medical records, insurance details, tax records, and social security numbers) leaving an organization.

We’ve covered data loss prevention broadly in this blog: What is Data Loss Prevention (DLP) – A Complete Overview of DLP, but in this article, we’ll detail how exactly DLP works. 

How does DLP work?

DLP software monitors, detects, and blocks sensitive data from leaving an organization. 

Monitor 

DLP solutions monitor different entry and exit points of a corporate network, such as user devices, email clients, servers, or gateways within the network to safeguard data in different forms, including data in motion, data in use, and data at rest. 

  • Data in motion refers to data that is being sent or received over the network, for example an email and its attachments, a file upload, or a web request.
  • Data in use refers to data that is being actively processed on a device: open in an application, held in memory, on the clipboard, or about to be printed.
  • Data at rest refers to data that is stored in a database, a file share, or on a server or laptop disk.

Detect

If the DLP software detects anything suspicious, such as an outbound email attachment containing credit card details or an attempt to print confidential documents, a predefined response kicks in.

Note: This predefined response will depend on the solution itself and how it’s configured.

Block

Most DLP solutions offer organizations the ability to block potentially risky communications or to simply flag the anomaly for administrators to follow up on. Properly configured DLP allows organizations to block sensitive information while permitting non-sensitive communications to continue. 

Again, this depends entirely on the solution and how it’s configured. So, how do current solutions prevent data loss?

How do current solutions prevent data loss?

While all DLP solutions monitor, detect, and block data, there are several different approaches to deciding what counts as sensitive and what counts as suspicious.

Unfortunately, many fall short.

Manually labeling and tagging sensitive data

How it works: Security teams can manually label and tag sensitive data. This way, it can be monitored (and blocked) when it is seen moving outside the network. 

Why it’s ineffective: This approach relies entirely on employees tagging data correctly. Given how much data organizations handle, the manual process of tagging isn’t viable; employees may label incorrectly or, worse, not do it at all.

Rule-based solutions

How it works: The majority of DLP solutions rely on rules that take the form of “if-then” statements. These “if-then” statements involve keywords, email addresses, and regular expressions that look for signals of data exfiltration or accidental data loss. For example, “If an employee attempts to download a file larger than 1.0 MB, then block the download and alert IT.”

Why it’s ineffective: Similar to tagging, rule-based solutions are very hard to maintain because data changes in value and sensitivity over time, and every new data type or channel needs a new rule. Beyond that, you simply can’t define or predict human behavior with rules: a rule that blocks every attachment over 1.0 MB stops a legitimate sales deck just as readily as a stolen customer list, while a card number with the digits separated by dots slips straight past a regular expression that only expects spaces. That’s why 85% of IT leaders say rule-based DLP is admin-intensive and just 18% say it’s the most effective way to prevent data loss.
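The following is an added illustration of the rule-based approach described above, not code from any DLP vendor. It implements three constructed "if-then" rules (a credit card regular expression with a Luhn check, a keyword list, and the article's "larger than 1.0 MB" attachment rule) and runs them over constructed outbound emails. The sample addresses, the test card number 4111 1111 1111 1111 and the rule thresholds are assumptions for the example; the last two samples show the two failure modes of rules: a legitimate large attachment is blocked, and a lightly obfuscated card number is missed.

```python
import re
from dataclasses import dataclass

# Constructed rule set in the "if-then" style the article describes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")   # 16 digits, optional space/dash separators
KEYWORDS = ("confidential", "internal only", "do not distribute")
MAX_ATTACHMENT_BYTES = 1_000_000                # the article's "larger than 1.0 MB" rule


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, so a random 16-digit order number is not mistaken for a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Regex candidates filtered by Luhn: the classic rule-based PAN detector."""
    hits = []
    for m in PAN_RE.finditer(text):
        if luhn_valid(re.sub(r"[ -]", "", m.group())):
            hits.append(m.group())
    return hits


@dataclass
class OutboundEmail:
    sender: str
    recipients: list[str]
    subject: str
    body: str
    attachment_bytes: int = 0


def evaluate_rules(email: OutboundEmail) -> list[str]:
    """Return the actions the rules take: 'block: ...' or 'flag: ...'. Empty list = allowed."""
    text = f"{email.subject}\n{email.body}"
    actions = []
    if find_card_numbers(text):
        actions.append("block: card number in message")
    if any(k in text.lower() for k in KEYWORDS):
        actions.append("flag: sensitivity keyword present")
    if email.attachment_bytes > MAX_ATTACHMENT_BYTES:
        actions.append("block: attachment larger than 1.0 MB")
    return actions


# Constructed sample emails (hypothetical addresses and content).
SAMPLES = [
    OutboundEmail("alice@corp.example", ["john@acme.example"], "Your card",
                  "Card 4111 1111 1111 1111 exp 12/24"),                  # true positive
    OutboundEmail("alice@corp.example", ["john@acme.example"], "Order",
                  "Order 1234567890123456 shipped today"),                 # Luhn fails: allowed
    OutboundEmail("alice@corp.example", ["john@acme.example"], "Q3 sales deck",
                  "Slides attached as promised.", attachment_bytes=2_000_000),  # false positive
    OutboundEmail("alice@corp.example", ["me@freemail.example"], "fyi",
                  "Card 4111.1111.1111.1111 exp 12/24"),                  # evasion: missed
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s.subject!r:16} -> {evaluate_rules(s) or ['allow']}")
```

Tightening the regex to accept dots as well would catch the last sample, but the next trivial variation (digits spelled out, a screenshot of the card, a split across two emails) reopens the gap; that maintenance treadmill is the "admin-intensive" cost the survey figures refer to.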

Blocking or blacklisting domains, channels, or software

How it works: DLP has often been simplified to stopping communication with certain accounts or domains (namely freemail accounts like @gmail.com) or blocking access to certain tools and software (like Dropbox, for example).

Why it’s ineffective: This is a blunt approach that impedes employee productivity. There are many legitimate reasons to communicate with freemail accounts, such as updating private clients, managing freelancers, or emailing friends and family about non-work issues. What’s more, a determined insider can easily circumvent a domain blocklist by registering their own domain, or by using any cloud service or webmail provider that isn’t on the list yet.

Machine Learning

How it works: Machine learning models are trained on historical human behavior, which means they can learn the intricacies and fluctuations of human relationships over time. This way, they can determine whether an action looks like deliberate exfiltration or accidental data loss and intervene before the data leaves the organization.

Why it IS effective: This is the “human” way forward. Machine-intelligent software recognizes what looks suspicious, much like a trained security professional could. However, unlike humans, it can do this thousands of times per second without missing information or getting tired. 

How to choose a DLP solution

Importantly, before a DLP solution is even considered, security teams have to determine which data is considered most sensitive and which threat vectors are a priority.

Step 1: Prioritize your data

Here are just a few of the things security teams should consider:

  1. Industry. DLP efforts should start with the most valuable or sensitive information. What is sensitive within your organization? Naturally, those working in Financial Services will have different priorities than those working in Manufacturing.
  2. Compliance standards and data protection regulations. GDPR, CCPA, and HIPAA are just a few pieces of legislation that CISOs have to consider when putting together a DLP strategy. In addition to identifying which data is the most valuable for your organization, you have to consider which data you’re obligated to protect by law.
  3. How employees communicate. After identifying which data you want to protect and which data you have to protect, you have to figure out how that data is being stored, managed and transmitted by people and teams. Is it in cloud storage? On email? Through text messages? This will help determine which type of DLP solution you need.

Step 2: Identify the biggest threat vectors

Based on how your employees communicate, you can decide which type of DLP solution is right for your organization. 

For example:

  • Network DLP monitors traffic entering and leaving an organization’s network.
  • Endpoint DLP is installed on devices (for example, company laptops or mobile phones) and checks that information is not taken off the device and placed on, or sent to, a non-authorized device.
  • Email DLP is integrated into the email client itself and monitors emails as they are sent. 

While these safeguard different threat vectors, they all do the same thing: monitor, detect, and block sensitive data from leaving an organization. 

Did you know that email is the top priority for IT leaders? In fact, according to Tessian’s new research report The State of Data Loss Prevention 2020, almost half (47%) said it’s the threat vector they’re most concerned about protecting. 

How Does Tessian Next-Gen DLP Work? 

Tessian turns an organization’s email data into its best defense against inbound and outbound email security threats.

Powered by machine learning, our Human Layer Security technology understands human behavior and relationships, enabling it to automatically detect and prevent dangerous activity like data exfiltration attempts and misdirected emails. Importantly, Tessian’s technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of the organization’s email network. No rules needed. 

Tessian Enforcer detects and prevents data exfiltration attempts by:

  1. Analyzing historical email data to understand normal content, context, and communication patterns
  2. Establishing, mapping, and continuously updating every employee’s business and non-business email contacts into relationship graphs 
  3. Performing real-time analysis of outbound emails before they’re sent to automatically predict whether the email looks like data exfiltration. This is based on insights from relationship graphs, deep inspection of the email content, and previous user behavior
  4. Alerting users when data exfiltration attempts are detected with clear, concise, contextual warnings that reinforce security awareness training

Tessian Guardian detects and prevents misdirected emails by:

  1. Analyzing historical email data to understand normal content, context, and communication patterns
  2. Establishing, mapping, and continuously updating every employee’s business and non-business email contacts into relationship graphs 
  3. Performing real-time analysis of outbound emails before they’re sent to automatically predict whether the email looks like it’s being sent to the wrong person. This is based on insights from relationship graphs, deep inspection of the email content, and previous user behavior
  4. Alerting users when a misdirected email is detected with clear, concise, contextual warnings that allow employees to correct the recipients before the email is sent
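As an added illustration of the four steps listed for Enforcer and Guardian above, the following block is not Tessian’s code and uses simple, transparent heuristics rather than a trained model. It builds a relationship graph from a constructed history of (sender, recipient) pairs, then assesses an outbound email in real time: a recipient that closely resembles one of the sender’s known contacts is reported as probably misdirected (the Guardian case), while a new external recipient that shares the sender’s name, has never been emailed by anyone in the organisation, or receives an attachment is scored as possible exfiltration (the Enforcer case). The organisation domain, the sample addresses, the similarity threshold and the scoring weights are all assumptions for the example.

```python
from collections import Counter, defaultdict
from difflib import SequenceMatcher

ORG_DOMAIN = "corp.example"   # assumed organisation domain
LOOKALIKE_THRESHOLD = 0.85    # assumed cutoff for "looks like a typo of a known contact"

# Constructed historical email data (step 1): (sender, recipient) pairs, not real traffic.
HISTORY = [
    ("alice.smith@corp.example", "john@acme.example"),
    ("alice.smith@corp.example", "john@acme.example"),
    ("alice.smith@corp.example", "john@acme.example"),
    ("alice.smith@corp.example", "finance@corp.example"),
    ("bob@corp.example", "john@acme.example"),
    ("bob@corp.example", "legal@lawfirm.example"),
]


def local_part(addr: str) -> str:
    return addr.split("@", 1)[0].lower()


def domain(addr: str) -> str:
    return addr.split("@", 1)[1].lower()


def person_key(addr: str) -> str:
    """Normalise a local part so alice.smith, alice_smith and AliceSmith compare equal."""
    return "".join(ch for ch in local_part(addr) if ch.isalpha())


class RelationshipGraph:
    """Step 2: per-sender contact counts plus an organisation-wide contact set."""

    def __init__(self, history):
        self.by_sender = defaultdict(Counter)
        self.org_wide = Counter()
        for sender, recipient in history:
            self.by_sender[sender.lower()][recipient.lower()] += 1
            self.org_wide[recipient.lower()] += 1

    def contacts_of(self, sender: str) -> set[str]:
        return set(self.by_sender.get(sender.lower(), {}))

    def closest_contact(self, sender: str, addr: str):
        """The sender's most similar known contact and the similarity ratio (0..1)."""
        best, best_ratio = None, 0.0
        for known in self.contacts_of(sender):
            ratio = SequenceMatcher(None, known, addr.lower()).ratio()
            if ratio > best_ratio:
                best, best_ratio = known, ratio
        return best, best_ratio


def assess_outbound(graph: RelationshipGraph, sender: str, recipients, has_attachment: bool):
    """Step 3: real-time check of one outbound email; returns (kind, recipient, reason) findings."""
    findings = []
    for rcpt in recipients:
        r = rcpt.lower()
        if r in graph.contacts_of(sender) or domain(r) == ORG_DOMAIN:
            continue  # established relationship or internal mail: nothing to warn about
        lookalike, ratio = graph.closest_contact(sender, r)
        if lookalike and ratio >= LOOKALIKE_THRESHOLD:
            findings.append(("misdirected", r, f"resembles known contact {lookalike}"))
            continue
        score, reasons = 0, []
        if r not in graph.org_wide:
            score += 1
            reasons.append("never emailed by anyone in the organisation")
        if person_key(r) == person_key(sender):
            score += 2
            reasons.append("recipient name matches the sender (personal account?)")
        if has_attachment:
            score += 1
            reasons.append("carries an attachment")
        kind = "exfiltration" if score >= 2 else "new-contact"   # assumed weights
        findings.append((kind, r, "; ".join(reasons)))
    return findings


def user_warning(findings) -> str:
    """Step 4: a contextual warning for the sender, or an empty string if the email is fine."""
    lines = []
    for kind, rcpt, reason in findings:
        if kind == "misdirected":
            lines.append(f"Did you mean someone else? {rcpt} {reason}. Check the recipient before sending.")
        elif kind == "exfiltration":
            lines.append(f"{rcpt} is a new external recipient: {reason}. Is this email authorised?")
    return "\n".join(lines)


if __name__ == "__main__":
    g = RelationshipGraph(HISTORY)
    for sender, rcpts, att in [
        ("alice.smith@corp.example", ["john@acme.example"], True),
        ("alice.smith@corp.example", ["jon@acme.example"], False),
        ("alice.smith@corp.example", ["alice.smith@freemail.example"], True),
        ("bob@corp.example", ["purchasing@newsupplier.example"], False),
    ]:
        print(sender, rcpts, assess_outbound(g, sender, rcpts, att))
```

The point of the graph is that nothing here is a static rule about a domain: freemail.example is not blocked as such, and jon@acme.example is not on any list; both are judged relative to what this particular sender normally does, which is what lets the check stay quiet for the established john@acme.example relationship while warning on the two deviations.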