Can DLP be effective and how?
This is the nub of most of my conversations with DLP clients. Those already have it are up against its natural limitations. Those without it want to know if it’s worth the investment.
TL:DR :: Yes it is worth it, but you have to be realistic.
‘Traditional’ DLP approaches involve applying a content policy and a context policy. The context turns out to be hugely important in this day and age. Just blocking sensitive data leaving the company is no longer good enough – your DLP policies need to reflect increasingly complex business uses of data.
Detecting the content is now reasonably mature – vendors have some incredible capabilities. Although automatically mapping data to an organizations somewhat subjective classification or retention level is not something computers are good at. But what causes DLP analysts pain is the context – the need to evaluate each instance and decide whether Alice should be allowed to do that, Bob this, and Chris the other.
The bottom line is that security people struggle to have the insight to make those decisions and business managers are reluctant to block things when productivity is on the line. In any event, most DLP solutions still need you to predict the rules and maintain them. This is formally known as HARD WORK.
Static DLP solutions are struggling to cut it, and they aren’t going to fare better in the future. But we are seeing some changes: for example the use of attribute based access control in CASB systems is probably moving in the right direction.
The key word here is ‘telemetry’.
What happens if my static DLP rules are dynamically mutable AT THE TIME OF INTERCEPT based on other information about the user, the device, location, recent behavior, inputs from other controls and so on? What if I can link an attempt to email a spreadsheet to an authorization workflow so a line manager can temporarily approve that activity without a DLP incident being raised or having to log into an unfamiliar console?
With this kind of dynamic evidence based decision making, supported by DLP analyst affirmation, the great pain point for the DLP program starts to recede. And with it, DLP starts to become a usable tool in a complex business ecosystem. It also works at scale, which is a notorious problem for static DLP approaches today.
Let me be clear – the SIEM may play a part in this, but the vendors that seem to be looking at this problem are not including the SIEM as an integral part of their solution.
As I’ve been talking with vendors of DLP through 2020 I’ve started to see these concepts be considered, which is marvelous news for all of you suffering the slings and arrows of DLP misfortune. But it’s a slow path and the available solutions today still look very siloed and isolated.
The DataWall is important
In my last post I talked about the possible end of DLP for data at rest. An ex-colleague jokingly asked (I think he was joking) if DLP as a gateway (the “DataWall”) will die? To be honest, I don’t think it can – as a concept DLP for data on the fly seems to enable and solve a number of issues. But in today’s market, it’s like running a horse and wagon on a modern highway – right idea, wrong execution, potentially dangerous and HARD WORK.
I suggest instead, based on my clients feedback, that the demand for DLP for data in motion is getting bigger and will continue to do so. But the scenarios are getting more complex and DLP vendors need to rethink to enable them to reset their solutions and allow clients to realize value. There have always been issues here – the number of passive and overly simple DLP implementations has always been too high – with CISO’s limited because it’s too hard to get DLP aligned with the business.
But the situation has become critical because of mobility, business interconnections, data type proliferation, regulation, and of course, the cloud.
So I’m now looking for DLP vendors to go beyond the static rules. Start using machine learning based on real time telemetry for context decisions rather than just content analysis. Provide solutions that are easy to use by non-security professionals (business managers) – who are the ones who SHOULD be making the decisions.