4 Misconceptions About a DLP Solution

Oren Zenescu
Plarium-engineering
5 min read · Apr 10, 2024


DLP is vital in protecting sensitive data from leaks and unauthorized access. However, misunderstandings about its capabilities and implementation can undermine its effectiveness. In this post we will clarify four of these misconceptions, focusing on the scope of DLP’s detection and protection, the balance between technology and methodology, the role of endpoint agents, and the challenge of internal threats.

1. DLP brings complete and comprehensive detection and protection against (sensitive) data leakage. Many CISOs explain to their senior management what DLP is, but don’t clarify what DLP isn’t. A DLP solution inspects the content it can see (files at rest, data in use on managed endpoints, and traffic passing through its integration points) and acts on policy matches. For it to monitor, detect, and block ANY data leak attempt (whether by mistake or by a malicious actor), it would need additional capabilities it simply does not have, such as an IPS, a database firewall, a WAF, and configuration hardening. Consider the following use case: your company uses a file transfer solution (e.g. an SFTP-based app) to share files with external entities over the Internet. Once you expose that server and app to the Internet, it immediately becomes a target for threat actors and bot scanners looking for a vulnerability in the underlying infrastructure to exploit. If they find one, rest assured that they will use it and extract all sensitive data stored on the system. The next step is a threat to publish the data unless your company pays a ransom. Now you are asking yourself what this has to do with a DLP solution. Well, if the CISO “forgot” to mention that the top-notch DLP solution will not prevent this kind of attack, the CEO will probably not like the fact that someone “bypassed” the Data Leak Prevention system and managed to steal sensitive data out of the company infrastructure.

Tip #1: Define a clear scope and expectations for your DLP solution. Basing your DLP plan on risk management and focusing on the core DLP capabilities will help non-technology stakeholders understand which risks your DLP system is going to mitigate (and which are not going to be covered by the DLP solution).

2. DLP is a pure technological solution. I’m sorry to burst your bubble: DLP is based on methodology first and technology second. I might even say that it is a 50–50 split. Let’s assume that the CISO of a company has clearly defined the problem and concluded that the best solution is to implement a DLP system. Great, now what? He needs to define a data classification policy, identify where sensitive data is stored (e.g. shared drives, SaaS, workstations, file servers, databases), and map/tag all data types according to the classification policy. Now can he implement the DLP system? Not even close! He first needs to understand the main business processes that involve data sharing (internally and externally), discover any regulatory and legal requirements, assess the risks from the relevant threats to the sensitive data, and agree on the use cases and controls needed to mitigate them. Only once you have worked out a solid DLP methodology can you move on to the DLP product implementation.

Tip #2: Before choosing and implementing your DLP solution, define your methodology: What are the most important data assets you want to protect? Who is using it and how? Map the business stakeholders who can decide if a DLP alert is a false positive or a real incident, and regularly validate your DLP policies and rules.

3. A DLP solution is all about agent deployment on employees’ endpoints. As written above, to have a successful DLP plan you must first understand where the sensitive data resides, who uses it legitimately, and how it should be shared with external parties. As you can probably imagine, data usage and sharing do not happen only from the company’s employees’ workstations. Consider the following use case: your company uses Google Workspace and, of course, Gmail. Do you allow employees to send emails from their mobile phones? Great, the endpoint DLP agent is useless in this case, because the data never touches a managed workstation; covering it requires the DLP solution to integrate with the SaaS platform itself (through its APIs or by sitting in the mail flow). Also, what happens when one of your employees authenticates to Gmail from his private computer at home? Now multiply this by all of the company’s SaaS applications that could hold sensitive data/files (Google Drive, Google apps, Dropbox, Box, Salesforce, etc.) and you have a DLP nightmare! When thinking about DLP, consider all the “edge” use cases and work on a solution that brings answers and value (and not more questions and headaches…).

Tip #3: Map the technology stack you will connect to your DLP system: SaaS-based systems, internal file servers, local workstation activities, mail transfer analysis, instant messaging (DM) apps, etc. Then make sure that the chosen DLP solution can answer your needs.

4. DLP is enough to stop “internal threats”. There is a general misconception about this one. From my experience working with several DLP vendors, there is no guaranteed way to stop internal employees with malicious intentions from exfiltrating sensitive data from the company network. Every measure deployed by the DLP system can be bypassed by a skilled employee with the right motivation (you had better hope he didn’t watch the Mr Robot TV show…). DLP add-on for browsers? Use a browser the add-on is not installed in, or tunnel through an anonymizing proxy. DLP agent on the workstation? Ask a generative AI chatbot how to disable it (with local admin rights, the agent can simply be stopped or uninstalled). DLP inspection for outbound emails? Zip the file with WinRAR and add a password, or use the Microsoft Word/Excel password option: the inspection engine then sees only opaque encrypted bytes and cannot match a single content rule. And in case you truly manage to close all those easy ways to bypass the DLP system, there is always the good old camera on every mobile phone on planet Earth.

Tip #4: Be realistic. Your DLP tool will probably not stop advanced internal threats aiming to exfiltrate sensitive data. Map such use cases and design adequate compensating controls to deal with them: for example, quarantine or block attachments and archives that the inspection engine cannot open, restrict local admin rights so the agent cannot be disabled, and monitor for anomalous data access and transfer volumes rather than relying on content matching alone.
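The two email bypasses above (a password-protected archive and a password-protected Office file) and the compensating control Tip #4 calls for can be seen concretely in a small attachment inspector. This is an added example written for this article, not code from the author or from any DLP vendor. It goes slightly beyond the text: besides the encrypted ZIP and Office cases it also quarantines RAR archives it has no parser for and refuses to inflate oversized archive members. The card-number rule, the file names and every attachment’s contents are constructed, the card numbers are the usual industry test numbers, and the policy of holding anything the engine cannot open (rather than letting it through) is an assumption about how a team would choose to handle uninspectable content.

```python
"""Toy attachment inspector: constructed example for this article, not a vendor's engine."""
import io
import re
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
RAR_MAGIC = b"Rar!\x1a\x07"                        # RAR signature prefix; no parser here, so never inspectable
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # OLE2 compound file; password-protected OOXML is wrapped in one
OOXML_EXT = (".docx", ".xlsx", ".pptx")
MAX_MEMBER_BYTES = 50 * 1024 * 1024                 # refuse to inflate bigger members (zip-bomb guard)
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")  # 16 digits, optional space/dash separators

def luhn_ok(digits):
    """Luhn checksum, so a random 16-digit ticket number is not a false positive."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

def find_pans(text):
    """Return the Luhn-valid card numbers in text, digits only (this is the content rule)."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits

def verdict(action, reason):
    return {"verdict": action, "reason": reason}

def inspect(filename, data):
    """allow: inspected and clean. block: rule matched. quarantine: cannot be inspected (assumed policy)."""
    if data.startswith(RAR_MAGIC):
        return verdict("quarantine", "RAR archive, no parser available")
    if filename.lower().endswith(OOXML_EXT) and data.startswith(CFB_MAGIC):
        return verdict("quarantine", "OOXML delivered as OLE container: password-protected or legacy binary")
    if data.startswith(ZIP_MAGIC):               # plain zip, or an unencrypted .docx/.xlsx (OOXML is a zip)
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            return verdict("quarantine", "malformed zip")
        members = [m for m in zf.infolist() if not m.is_dir()]
        encrypted = [m.filename for m in members if m.flag_bits & 0x1]   # general-purpose bit 0 = encrypted
        if encrypted:
            return verdict("quarantine", "encrypted archive entries: " + ", ".join(encrypted))
        for m in members:
            if m.file_size > MAX_MEMBER_BYTES:
                return verdict("quarantine", "member too large to inflate: " + m.filename)
            hits = find_pans(zf.read(m).decode("utf-8", "ignore"))
            if hits:
                return verdict("block", "card numbers in " + m.filename + ": " + ", ".join(hits))
        return verdict("allow", "archive inspected, no rule matched")
    hits = find_pans(data.decode("utf-8", "ignore"))
    if hits:
        return verdict("block", "card numbers: " + ", ".join(hits))
    return verdict("allow", "no rule matched")

# --- constructed sample attachments (industry test card numbers, not real cardholder data) ---
CUSTOMERS_CSV = b"name,card\nalice,4111 1111 1111 1111\nbob,5500-0000-0000-0004\n"

def build_zip(entries):
    """In-memory zip from {name: bytes}, stored uncompressed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for member, content in entries.items():
            zf.writestr(member, content)
    return buf.getvalue()

def mark_zip_encrypted(zip_bytes):
    """Simulate a password-protected archive by setting general-purpose bit 0 in every
    central-directory header (zipfile cannot write encrypted archives, so the flag is patched)."""
    buf = bytearray(zip_bytes)
    pos = buf.find(b"PK\x01\x02")
    while pos != -1:
        buf[pos + 8] |= 0x01                      # flags field is 8 bytes into the central-directory header
        pos = buf.find(b"PK\x01\x02", pos + 4)
    return bytes(buf)

SAMPLES = {
    "customers.csv": CUSTOMERS_CSV,
    "ticket.txt": b"incident 1234567890123456 closed",      # 16 digits but fails Luhn
    "export.zip": build_zip({"customers.csv": CUSTOMERS_CSV}),
    "export-protected.zip": mark_zip_encrypted(build_zip({"customers.csv": CUSTOMERS_CSV})),
    "report.xlsx": CFB_MAGIC + b"\x00" * 504,                # stand-in for a password-protected workbook
    "dump.rar": RAR_MAGIC + b"\x01\x00",
}

def run_samples():
    """Map each sample attachment name to its verdict."""
    return {name: inspect(name, data)["verdict"] for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = inspect(name, data)
        print(f"{name:22} {r['verdict']:10} {r['reason']}")
```

The same customers.csv is blocked when it is sent in the clear or inside an ordinary zip, but once the archive is password-protected the engine has nothing to match and the only sensible outcome is to hold the message for a human decision; silently allowing it is exactly the bypass described above. A real engine would additionally parse PDFs, OCR images and open the XML parts of Office files, but none of that changes the rule that content inspection ends where encryption begins.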

In conclusion, a DLP solution is essential for protecting sensitive data across the company. When starting your DLP journey, make sure you scope and define clear expectations, define the right DLP methodology for your company, map the essential technologies that will be integrated into your solution, and explain to your senior management the residual risks and the additional controls needed to mitigate them.
