
Thoughts on Gartner’s 2022 Market Guide for Data Loss Prevention

With another summer comes another edition of the Gartner Market Guide for Data Loss Prevention. More key findings, more great analysis and more well-thought-out recommendations for Security Risk Management (SRM) leaders. But this year was a bit different from previous years. You see, this year Gartner analysts Ravisha Chugh and Andrew Bales made it clear that the data loss prevention (DLP) landscape is evolving. Finally!

To quote the research published on July 19th, 2022, “DLP is a mature technology, but the emergence of tools with a focus on cloud and insider risk management use cases has provided SRM leaders with the option to invest in a next-generation data security tool.”

As a vendor that has been innovating in the endpoint DLP space for years, we celebrate the acknowledgement that the next generation is here and ready for enterprise investment. And not only is the next generation here, but Gartner’s findings also underscore the shortcomings of traditional DLP vendor product strategies SRM leaders have been screaming mad about for years—a focus on conventional and data-specific content inspection methods that lead to incident fatigue and a siloed view of data movement.

Our customers were most pleased to see Gartner recognize the importance of the convergence of DLP with insider risk management solutions. In the ‘Market Direction’ section of the Market Guide, the research states, “We also see convergence of DLP with insider risk management solutions (see Market Guide for Insider Risk Management Solutions). This brings together the capabilities of insider risk management solutions and UEBA in one single solution. Vendors are using terms like people-centric DLP, human-centric DLP, data detection and response, and next-gen DLP for such solutions. So, apart from providing the content-inspection capabilities, these solutions also analyze day-to-day behavior of the users and thus enrich DLP events with contextual analysis. They track who, what, when, where, and how for any data exfiltration scenarios.”

In addition to IRM capabilities, Gartner recognizes native cloud support, data classification services, and dynamic enforcement to block the exfiltration of data as must-have capabilities for next generation DLP.

Let’s dig a bit deeper on each of these. First, support for cloud and SaaS applications is a must with the accelerating proliferation of these apps to enable the remote workforce. This data can be some of the most sensitive an organization’s employees can handle and process including customer, supply chain, and employee information governed by compliance regulations such as GDPR, HIPAA, SOX, ITAR, and more.

DTEX InTERCEPT provides continuous profiling of endpoint access to all web-based resources to detect suspicious SaaS-based uploads and anomalous behavior in real time. This gives SOC teams and IR analysts the ability to detect both user and peer group anomalies occurring across the entirety of their IT environment including Windows, macOS, Linux, Citrix, VMware, and other cloud-based environments such as AWS Workspaces.

When it comes to data classification services, simple data structure matching to identify regulated information is not enough. More and more, unstructured data such as source code, design documentation, and other unregulated data types and formats are becoming the target of cyber criminals. These criminals are actively recruiting insiders via social media to help them steal this data and are finding exposed credentials they use to exfiltrate data without triggering alerts.

These scenarios, as well as the presence of a truly malicious insider, can often render traditional data classification tools less than effective. Hence Gartner’s recommendation that SRM leaders “…invest in a DLP solution that not only provides content inspection capabilities, but also offers extra features such as data lineage for visibility and classification, user and entity behavior analytics (UEBA), and rich context for incident response.”

DTEX InTERCEPT extends Help Systems’, as well as Microsoft Information Protection and Governance module’s, data classification capabilities with policy templates and multi-factor data sensitivity algorithms to identify the precursors associated with intentional data loss incidents and protect non-regulated intellectual property. With DTEX InTERCEPT, SOC teams and IR pros get a full audit trail of who is involved and when each file is created, modified, aggregated, obfuscated, archived, encrypted, and deleted. These added attributes provide a clear distinction between normal activity and true data loss scenarios.

Additionally, DTEX InTERCEPT’s sensitive data profiles and analytics address issues caused by traditional DLP solutions by inferring sensitivity based upon file lineage, file location, creation, user role, file types, and many additional file attributes. This telemetry is correlated with a user’s behavior profile, as well as leading data classification tools, to detect data loss without reliance on content-aware rules. This dramatically decreases false positive events, the time needed for administrators to tune rules, and analyst time to investigate data loss alerts.

Last, but perhaps most important, is stopping data exfiltration. What every SRM professional knows is that ‘blocking’ capabilities are almost never enabled in traditional DLP tools. Why? Simply because false positives are common and stop users from being productive. ‘Dumb’ rules and legacy policies create friction between the business, IT, and SecOps, and the result is that ‘blocking’ gets turned off because ‘prevention’ stops the business from executing. What’s the point of a data loss prevention solution if it doesn’t prevent data loss?

DTEX InTERCEPT protects sensitive data and IP from leaving an organization with multiple, highly accurate, and dynamic enforcement capabilities. Data loss is prevented intelligently when a user’s behavioral risk score exceeds an organization’s threshold by blocking specific application processes and network connections that are not part of normal or approved workflows. This includes blocking FTP, large files in email, and access to certain cloud services. Additionally, SOC teams and analysts can remotely remove a user’s credentials and lock them out of their device. These risk-based blocking features best meet the requirements of today’s distributed workforce, reduce operational overhead, and eliminate false positives.

Bottom line, we are thrilled, as are our customers, to see Gartner take a forward-looking, innovation-driven view on the future of DLP. We are excited to work with our customers, and those ready to move on from their traditional DLP vendors, to protect enterprise data and IP from unapproved removal and use.

To learn more about DTEX’s Behavioral Data Loss Prevention solution, watch: DTEX InTERCEPT for Behavioral DLP – DTEX Systems Inc.