3 Ways Dynamic Data Protection Impacts the Future of DLP

Jeremy Wittkop, CTO

08.01.2019

3 Ways Dynamic Data Protection Impacts the Future of DLP

What is Dynamic Data Protection?

Dynamic Data Protection is a conceptual shift introduced by Forcepoint, a longtime leader in the field of data security and DLP solutions. A few years ago, Forcepoint acquired the User and Entity Behavior Analytics (UEBA) company Red Owl, which had developed a solution for parsing through logs from a multitude of sources in order to baseline normal behavior and identify behavioral risk anomalies in a user base.

Many technologies have the ability to build similar models to identify risk, but what Forcepoint did next was revolutionary. They decided they were going to integrate those risk scores into their DLP product so that the decision to block or allow a specific data transaction over a specific channel could be determined by the risk level of the user.

Let’s look at how the ability to dynamically adjust user controls is a game changer for three of the most common use cases you’ll encounter.

 

Establishing Probable Cause with UEBA

In some countries, it’s common to require companies to present a data protection program to a worker’s council before implementing the program. Users then evaluate the program to determine whether it meets their standards for workers’ rights, especially a worker’s right to privacy. Two of these countries, Switzerland and Germany, have many companies that depend primarily on Intellectual Property (IP) for revenue generation, including biotechnology, manufacturing, and pharmaceutical companies, so the approval process has been well tested.

One of the major issues that workers’ councils raise with data protection programs is that all traffic from all users must be inspected for the program to be effective, and the rules engines are not 100% accurate. The councils argue that workers are exposed to monitoring that may unintentionally violate their privacy and that level of intrusion isn’t proportionate to the necessary protection.

To make such a control acceptable to workers, the councils recommend that the control only be activated for individuals when the organization has probable cause to look into their behavior. To establish probable cause, the analysis should be automated and free from human bias.

When faced with that challenge, organizations have either abandoned their programs or used rudimentary manual mechanisms to identify risk and turn monitoring on. But manual programs, while better than nothing, were hardly effective.

UEBA meets the standard of an automated system free from human bias, allowing us to assess the risk of users without collecting any additional information about them; we are simply analyzing logs that contain data we’ve already collected. With Dynamic Data Protection, we can configure a policy to report a violation only if a user has a risk score that’s over a specified threshold. Therefore, we can satisfy the requirements of the workers’ council and potentially deploy data-centric information security programs in more countries than we could previously.

 

Compromised Credentials and the Three-Week Notice: Protecting Intellectual Property

An account belonging to a trusted user may suddenly begin exhibiting risky behavior for a variety of reasons. The two most common are 1) compromised credentials and 2) the three-week notice.

If a user’s credentials are compromised, that user’s behavior will change. Whoever compromised the credentials will begin exploring the access permissions they now have, what information they can access, and what they may want to exfiltrate.

With Dynamic Data Protection, that change in behavior will be detected, and the policy can be dynamically updated to prevent the user from downloading sensitive information or emailing it outside the organization. Security personnel then have time to remediate the compromised account. This approach is vastly superior to what normally happens—which is that the compromise is discovered after large volumes of data have left the company.

The three-week notice (a term I believe I “borrowed” from Scott Gordon, a Cloud Strategist for Symantec) begins when, during the week before an employee gives their formal notice, they start downloading company information that may be helpful to them in their next job. Many studies have verified this behavior, and it’s estimated that more than half of people take data with them from one job to another.

This behavior isn’t necessarily malicious, but they shouldn’t be doing it, and they know it. Most employees have a pretty specific skill set, and when they leave one organization and go to work for a competitor, they take that knowledge with them. With this behavior, they are also taking information with them. Typically, they intend only to make their own lives easier, not necessarily harm their former employer. But they do harm their former employer in one way or another.

Dynamic Data Protection will identify that behavior and restrict that users’ ability to take data with them by applying a more restrictive policy when their behavior changes. InteliSecure client organizations that have a UEBA or Insider Threat program can generally identify users that are going to leave between one and four weeks ahead of formal notice based on behavior patterns alone.

 

Preventing Intellectual Property Theft

According to IBM’s Security Intelligence news site, annual cybercrime proceeds have exceeded $1.5 trillion. If cybercrime were a country, it would have the thirteenth-highest GDP in the world, ranking just above Spain and slightly below Russia. Global proceeds of cybercrime exceed the GDP of countries such as Australia, the Netherlands, Switzerland, Saudi Arabia, and Turkey.

One third ($500 billion) of that annual cybercrime revenue comes from stealing IP and trade secrets. In contrast, ransomware generates $1 billion annually, or about .2% as much as IP and trade secret theft. It’s common knowledge that very well-funded actors and nation states are often behind IP theft. Contrary to popular belief, however, those attacks are generally not launched using zero-day threats or sophisticated malware.

Take the case of American Semiconductor, a wind turbine component manufacturer who was the victim of Chinese IP theft which resulted in massive long-term impacts and almost put the company out of business. The Chinese didn’t hack into their systems. Instead, a Chinese government operative met a privileged user at a coffee shop and offered him $2 million to download some important files and turn them over.

Many employees would be tempted by such an offer, and all of the fancy anti-malware engines and perimeter defenses you hear so much about would be completely powerless to stop such activity.

However, Dynamic Data Protection could stop it.

As soon as that user returned from the coffee shop and logged in, his behavior would change. He would immediately begin looking for the data and downloading specific information to a USB file. UEBA could detect that behavior change and Dynamic Data Protection could stop that download.

 

The Future Offers Streamlined Protections for Sensitive Information

I am vendor-neutral in everything that I do, and this is not an advertisement for Forcepoint. Forcepoint has come up with a game-changing capability in my view that revolutionizes the art and science of data protection.

However, the approach isn’t perfect in its current form. It could be easier to deploy, faster to react, and integrated with many other Forcepoint and third-party products.

That being said, the idea of Dynamic Data Protection is amazing and should be embraced across the industry. Our focus as a security community on networks and endpoints is antiquated and failing. To move our data protection models into the future, we need to focus on people, data, and cloud. Dynamic Data Protection takes a meaningful step towards that future.

 

Discover a more dynamic approach to data protection.

Are you looking for a meaningful way to transform your approach to data protection—and help secure the future of your company? Talk to the experts at InteliSecure and learn the options that are available to you today.