Data loss prevention software

Data loss prevention (DLP) software detects potential data breach or data exfiltration transmissions and prevents them by monitoring, [1] detecting and blocking sensitive data while in use (endpoint actions), in motion (network traffic), and at rest (data storage). [2]

The terms "data loss" and "data leak" are related and are often used interchangeably. [3] Data loss incidents turn into data leak incidents in cases where media containing sensitive information is lost and subsequently acquired by an unauthorized party. However, a data leak is possible without losing the data on the originating side. Other terms associated with data leakage prevention are information leak detection and prevention (ILDP), information leak prevention (ILP), content monitoring and filtering (CMF), information protection and control (IPC) and extrusion prevention system (EPS), as opposed to intrusion prevention system.

Categories

The technological means employed for dealing with data leakage incidents can be divided into categories: standard security measures, advanced/intelligent security measures, access control and encryption, and designated DLP systems, although only the last category is currently thought of as DLP. [4] DLP systems commonly spot malicious or otherwise unwanted activity and respond to it automatically. Most DLP systems rely on predefined rules to identify and categorize sensitive information, which in turn helps system administrators zero in on vulnerable spots. Extra safeguards can then be installed in those areas.

Standard measures

Standard security measures, such as firewalls, intrusion detection systems (IDSs) and antivirus software, are commonly available products that guard computers against outsider and insider attacks. [5] The use of a firewall, for example, prevents outsiders from accessing the internal network, and an intrusion detection system detects intrusion attempts by outsiders. Insider attacks can be averted through antivirus scans that detect Trojan horses that send confidential information, and by the use of thin clients that operate in a client-server architecture with no personal or sensitive data stored on the client device.

Advanced measures

Advanced security measures employ machine learning and temporal reasoning algorithms to detect abnormal access to data (e.g., databases or information retrieval systems) or abnormal email exchange; honeypots for detecting authorized personnel with malicious intentions; activity-based verification (e.g., recognition of keystroke dynamics); and user activity monitoring for detecting abnormal data access.

Designated DLP systems

Designated systems detect and prevent unauthorized attempts to copy or send sensitive data, intentionally or unintentionally, mainly by personnel who are authorized to access the sensitive information. In order to classify certain information as sensitive, these systems use mechanisms such as exact data matching, structured data fingerprinting, statistical methods, rule and regular expression matching, published lexicons, conceptual definitions, keywords and contextual information such as the source of the data. [6]
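The following is an added illustration, not code from the original article or from any DLP vendor, of how several of the classification mechanisms listed above combine in a single content engine: regular-expression matching (with a Luhn check so that random 16-digit strings do not trip the card rule), exact data matching against hashed fingerprints of known records, a published lexicon of marker phrases, and a contextual weight derived from the data's source. The record values, lexicon, source names, weights and thresholds are all constructed for the example; the function names (`fingerprint`, `classify`) are hypothetical.

```python
import hashlib
import re
from dataclasses import dataclass

# --- Exact data matching --------------------------------------------------
# A real deployment would load fingerprints exported from a system of record;
# these are constructed sample values. Only hashes are kept, so the policy
# store never holds the sensitive plaintext it is protecting.
KNOWN_RECORDS = ["alice@example.com", "bob@example.com", "CUST-000123"]


def fingerprint(value: str) -> str:
    """Normalize (trim, lowercase) then hash, so case or spacing differences still match."""
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()


FINGERPRINTS = {fingerprint(v) for v in KNOWN_RECORDS}

# --- Rule / regular-expression matching -----------------------------------
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")   # 13-16 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")       # structural pattern only
TOKEN_RE = re.compile(r"[A-Za-z0-9@.+_-]+")          # candidate tokens for exact matching

# --- Published lexicon (constructed) ---------------------------------------
LEXICON = {"confidential", "internal only", "do not distribute"}

# --- Contextual information: where the content came from (constructed) ------
CONTEXT_WEIGHT = {"finance-share": 2, "hr-share": 2, "public-web": 0}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str
    detail: str
    weight: int


def classify(text: str, source: str):
    """Return (verdict, score, findings) for one piece of content."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append(Finding("card_number", "ending " + digits[-4:], 3))
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn_pattern", m.group(), 3))
    for m in TOKEN_RE.finditer(text):
        token = m.group().strip(".,")
        if fingerprint(token) in FINGERPRINTS:
            findings.append(Finding("exact_match", token, 4))
    lowered = text.lower()
    for phrase in LEXICON:
        if phrase in lowered:
            findings.append(Finding("lexicon", phrase, 1))
    # Source context only raises the score when content rules already fired.
    context = CONTEXT_WEIGHT.get(source, 1)
    score = sum(f.weight for f in findings) + (context if findings else 0)
    verdict = "block" if score >= 4 else "alert" if score > 0 else "allow"
    return verdict, score, findings


# Constructed sample content, as a DLP agent or proxy might see it.
SAMPLES = [
    ("Quarterly report. Customer alice@example.com, card 4111 1111 1111 1111. CONFIDENTIAL", "finance-share"),
    ("Lunch menu posted for staff", "public-web"),
    ("Ticket 4111111111111112, internal only", "helpdesk"),
]

if __name__ == "__main__":
    for text, source in SAMPLES:
        verdict, score, findings = classify(text, source)
        print(f"{source:14} {verdict:5} score={score:2} {[f.kind for f in findings]}")
```

The third sample shows why the Luhn check matters: its 16-digit string fails the checksum, so only the lexicon phrase fires and the content is alerted on rather than blocked.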

Types

Network

Network (data in motion) technology is typically installed at network egress points near the perimeter. It analyzes network traffic to detect sensitive data that is being sent in violation of information security policies. Multiple security control points may report activity to be analyzed by a central management server. [3] A next-generation firewall (NGFW) or an intrusion detection system (IDS) is a common example of technology that can be leveraged to provide DLP capabilities on the network. [7] [8] Network DLP capabilities can usually be undermined by a sophisticated threat actor through the use of data masking techniques such as encryption or compression. [9]

Endpoint

Endpoint (data in use) systems run on internal end-user workstations or servers. Like network-based systems, endpoint-based technology can address internal as well as external communications. It can therefore be used to control information flow between groups or types of users (e.g. 'Chinese walls'). They can also control email and instant messaging communications before they reach the corporate archive, such that a blocked communication (i.e., one that was never sent, and therefore not subject to retention rules) will not be identified in a subsequent legal discovery situation. Endpoint systems have the advantage that they can monitor and control access to physical devices (such as mobile devices with data storage capabilities) and in some cases can access information before it is encrypted. Endpoint systems also have access to the information needed to provide contextual classification; for example, the source or author generating content. Some endpoint-based systems provide application controls to block attempted transmissions of confidential information and provide immediate user feedback. They must be installed on every workstation in the network (typically via a DLP agent), and cannot be used on mobile devices (e.g., cell phones and PDAs) or where they cannot be practically installed (for example, on a workstation in an Internet café). [10]

Cloud

The cloud now contains a lot of critical data as organizations adopt cloud-native technologies to accelerate virtual team collaboration. Data stored in the cloud needs to be protected as well, since it is susceptible to cyberattacks, accidental leakage and insider threats. Cloud DLP monitors and audits the data while providing access and usage control of data using policies. It establishes greater end-to-end visibility for all the data stored in the cloud. [11]

Data identification

DLP includes techniques for identifying confidential or sensitive information. Sometimes confused with discovery, data identification is a process by which organizations use a DLP technology to determine what to look for.

Data is classified as either structured or unstructured. Structured data resides in fixed fields within a file such as a spreadsheet, while unstructured data refers to free-form text or media in text documents, PDF files and video. [12] An estimated 80% of all data is unstructured and 20% structured. [13]

Data loss protection (DLP)

Sometimes a data distributor inadvertently or deliberately gives sensitive data to one or more third parties, or uses it themselves in an authorized fashion. Some time later, some of the data is found in an unauthorized place (e.g., on the web or on a user's laptop). The distributor must then investigate the source of the loss.

Data at rest

"Data at rest" specifically refers to information that is not moving, i.e. that exists in a database or a file share. This information is of great concern to businesses and government institutions simply because the longer data is left unused in storage, the more likely it might be retrieved by unauthorized individuals. Protecting such data involves methods such as access control, data encryption and data retention policies. [3]
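As an added example (not from the original article), the following audit walks a file share and applies two of the at-rest controls named above: a data retention policy (files older than the retention window are flagged for review or disposal) and an access control check (files readable by every local user are flagged). The share, file names, ages, modes and the 365-day window are constructed for the example; `audit_share` and `build_sample_share` are hypothetical names. Content scanning of the files themselves would be the same classification step used for data in use and in motion and is not repeated here.

```python
import os
import stat
import tempfile
import time
from pathlib import Path

RETENTION_DAYS = 365  # constructed policy: anything older is overdue for review


def audit_share(root: Path, now: float = None) -> list:
    """Return one finding per policy violation found under root."""
    now = time.time() if now is None else now
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        st = path.stat()
        age_days = (now - st.st_mtime) / 86400
        if age_days > RETENTION_DAYS:
            findings.append({"file": path.name, "issue": "retention_expired",
                             "age_days": round(age_days)})
        if st.st_mode & stat.S_IROTH:  # "other" read bit set: any local user can read it
            findings.append({"file": path.name, "issue": "world_readable"})
    return findings


def build_sample_share() -> Path:
    """Create a constructed share in a temp directory: (name, age in days, mode)."""
    root = Path(tempfile.mkdtemp(prefix="dlp-share-"))
    now = time.time()
    specs = [
        ("payroll-2019.csv", 800, 0o600),  # old: retention expired
        ("memo.txt", 10, 0o644),           # recent but readable by everyone
        ("current.xlsx", 30, 0o600),       # recent and restricted: no findings
    ]
    for name, age_days, mode in specs:
        p = root / name
        p.write_text("constructed sample content\n")
        mtime = now - age_days * 86400
        os.utime(p, (mtime, mtime))  # backdate the file to simulate its age
        os.chmod(p, mode)
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for f in audit_share(share):
        print(f)
```

The mode check is a POSIX-style illustration; on a Windows share the equivalent test reads the ACL instead of the permission bits.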

Data in use

"Data in use" refers to data that the user is currently interacting with. DLP systems that protect data in use may monitor and flag unauthorized activities. [3] These activities include screen-capture, copy/paste, print and fax operations involving sensitive data. They may be intentional or unintentional attempts to transmit sensitive data over communication channels.

Data in motion

"Data in motion" is data that is traversing a network to an endpoint. Networks can be internal or external. DLP systems that protect data in motion monitor sensitive data traveling across a network through various communication channels. [3]
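The following added example (not code from the original article) serves both the Network section above and this one. It models the inspection decision a network DLP control point makes for one outbound payload, including the blind spot the Network section describes: content rules can only run on plaintext, so a payload wrapped in a compression container (recognised by its magic bytes) or one whose byte distribution is near-random (a sign of encryption or compression) is reported as uninspectable rather than silently allowed. The payloads, the magic-byte table, the entropy threshold and the minimum sample size are constructed for the example, and the uniformly random bytes stand in for ciphertext; `inspect_flow` and `shannon_entropy` are hypothetical names.

```python
import gzip
import math
import random
import re
from collections import Counter

# One content rule, standing in for the full rule set of a content engine.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")

# Leading bytes of containers that hide content from plaintext inspection (constructed table).
MAGIC = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"\x37\x7a\xbc\xaf\x27\x1c": "7z",
}

ENTROPY_THRESHOLD = 7.2  # bits per byte; uniformly random data approaches 8.0
MIN_SAMPLE = 512         # entropy of short payloads is too noisy to act on


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for a single repeated value, up to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_flow(payload: bytes) -> dict:
    """Decide what a network control point can say about one outbound payload."""
    for magic, name in MAGIC.items():
        if payload.startswith(magic):
            return {"verdict": "uninspectable", "reason": f"{name} container"}
    if len(payload) >= MIN_SAMPLE and shannon_entropy(payload) >= ENTROPY_THRESHOLD:
        return {"verdict": "uninspectable", "reason": "high entropy (encrypted or compressed)"}
    text = payload.decode("utf-8", errors="replace")
    hits = CARD_RE.findall(text)
    if hits:
        return {"verdict": "block", "reason": f"{len(hits)} card-number pattern(s)"}
    return {"verdict": "allow", "reason": "no policy match"}


# Constructed sample flows.
PLAINTEXT = b"Invoice for card 4111 1111 1111 1111 due Friday"
COMPRESSED = gzip.compress(PLAINTEXT, mtime=0)          # same content, now opaque to the rule
ENCRYPTED_LIKE = random.Random(7).randbytes(4096)       # stands in for a ciphertext payload
BENIGN = b"Meeting moved to 3pm, room B"

if __name__ == "__main__":
    for label, payload in [("plaintext", PLAINTEXT), ("gzip", COMPRESSED),
                           ("random", ENCRYPTED_LIKE), ("benign", BENIGN)]:
        print(f"{label:10} {inspect_flow(payload)}")
```

Routing "uninspectable" flows to a TLS-inspection proxy or to an endpoint agent that sees the data before encryption is how deployments close this gap; the network control point on its own can only report that it could not see inside.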

References

  1. Hayes, Read (2007), "Data Analysis", Retail Security and Loss Prevention, Palgrave Macmillan UK, pp. 137–143, doi:10.1057/9780230598546_9, ISBN 978-1-349-28260-9
  2. "What is Data Loss Prevention (DLP)? A Definition of Data Loss Prevention". Digital Guardian. 2020-10-01. Retrieved 2020-12-05.
  3. Asaf Shabtai, Yuval Elovici, Lior Rokach, A Survey of Data Leakage Detection and Prevention Solutions, Springer-Verlag New York Incorporated, 2012
  4. Phua, C., Protecting organisations from personal data breaches, Computer Fraud and Security, 1:13-18, 2009
  5. BlogPoster (2021-05-13). "Standard vs Advanced Data Loss Prevention (DLP) Measures: What's the Difference". Logix Consulting Managed IT Support Services Seattle. Retrieved 2022-08-28.
  6. Ouellet, E., Magic Quadrant for Content-Aware Data Loss Prevention, Technical Report, RA4 06242010, Gartner RAS Core Research, 2012
  7. "What Is a Next-Generation Firewall (NGFW)?". Cisco. 2022-01-02. Archived from the original on 2022-11-05. Retrieved 2023-01-02.
  8. "What is Data Loss Prevention (DLP)? [Beginners Guide] | CrowdStrike". CrowdStrike. 2022-09-27. Archived from the original on 2022-12-06. Retrieved 2023-01-02.
  9. Seltzer, Larry (2019-03-18). "3 ways to monitor encrypted network traffic for malicious activity". CSO Online. Archived from the original on 2022-09-20. Retrieved 2023-01-02.
  10. "Group Test: DLP" (PDF). SC Magazine. March 2020. Retrieved September 7, 2021.
  11. Pasquier, Thomas; Bacon, Jean; Singh, Jatinder; Eyers, David (2016-06-06). "Data-Centric Access Control for Cloud Computing". Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies. SACMAT '16. New York, NY, USA: Association for Computing Machinery. pp. 81–88. doi:10.1145/2914642.2914662. ISBN 978-1-4503-3802-8. S2CID 316676.
  12. "PC Mag - Unstructured Data". Computer Language Co. 2024. Retrieved 14 January 2024.
  13. Brian E. Burke, "Information Protection and Control survey: Data Loss Prevention and Encryption trends," IDC, May 2008