Data Loss Prevention: A Strategy, Not a Product

Tyler Young Chief Information Security Officer

01.11.2022 2 minute read

Data Protection

The Security industry is notorious for creating point solutions and making it a category. This continues to make things more difficult as security practitioners have to spend countless hours on demos “cutting through the noise”, deciphering buzzwords and acronyms into outcomes and strategic programs.

To some extent, we’re still going through ZeroTrust evolution. What started as a security concept evolved into practice with Beyond Corp ideology (at Google), had a mad rush of vendors creating “Zero Trust products”, and now it’s embedded into Government legislation.

The real problem with all of this? ZeroTrust was not meant to be a product.

It was meant to be a holistic security strategy that decoupled networks, enabled second and third authn/authz mechanisms, and ultimately allowed the modern workforce to work securely from wherever they chose.

We’re now in the same boat with Data Loss Prevention (DLP). It’s been superficially adopted as a point solution running on an endpoint, and hopefully blocking data on exfil. Anyone reviewing customer security addendums/exhibits during contract reviews comes across this as well, “Do you have a DLP solution?”…

Fundamentally, Data Loss Prevention needs to be a strategic initiative. Whether we look at the MITRE ATT&CK or Lockheed Kill Chain, the step all the way to the right is “Data Exfiltration”.

It’s no longer good enough to wait for data to get to the “edge” to stop it from leaving your environment. Instead, you need to build a defense-in-depth approach for protecting your data.

Now you may be wondering… What are the core elements to a successful Data Loss Prevention and Defense in Depth strategy?

1. Establish a Data Governance program

Data Classification, Handling, and retention requirements
Define allowed access

2. Data Discovery & Classification

Where Data is located?
Who has access?
What types of data is in your environment
Understand where stale and duplicate data lies
Label/Classify all data in your environment

3. Enable detection on suspicious activity

Establish alerting around files exposed/shared externally
Establish alerting around data exfiltration
Establish alerting on anomalous access

4. Identify sensitive data in transit

Discover sensitive data contained in emails, chats, etc.
Analyze anomalous file movement activity (USB, external storage sites,bluetooth transfer, printer, etc.)

5. Take action on your data

Delete stale or duplicate data to reduce your attack surface
Automate access removal to files being share with external parties
Automate the removal of publicly shared data
Ensure the right people in your organization are accessing the data they are authorized to access; if not revoke access

6. Operationalize you Security stack

Now that you have established and removed potential root cause issues impacting your data, you should set blocking policies within your security tooling.
This means blocking emails with sensitive data, external file sharing capabilities, file uploads external sharing sites, or USB/Mass storage.