Most information security professionals would agree that any comprehensive data protection program should have a centralized management component. After all, security professionals have long had the ability to centralize the information from monitoring tools, provisioning systems, firewall rules, and data security tools.
The key, of course, has been that the disparate tools were brought together in an on-premises device that aggregated feeds from across your corporate environment. Your data security analysts were able to receive and respond to alerts within the system and follow either an automated or manual workflow for response and remediation.
But today, your business no longer operates on premises. If your company is like most in 2020, your digital transformation initiatives have sped up. You’re deploying applications, data repositories, and infrastructure in the cloud. In addition, you are supporting remote workers, who are connecting to those cloud-based resources from hundreds or thousands of endpoints.
Today, centralizing your security operations center (SOC) and security event management has become vastly more complex—if not impossible. A 2020 Gartner study revealed that among organizations that are embracing a secure access service edge (SASE) architecture model, only 20% will rely on a single security technology vendor by 2023. That’s up from the 5% estimated in their 2019 study, but still a limited percentage of companies are taking that single-vendor path. Why? Because currently, no single vendor can cover all the elements needed for comprehensive data protection.
If you’re also discovering that juggling multiple DLP technologies has become overwhelming, you’re not alone. Organizations across industries are struggling to deal with more complexity and more security event volume—while their budgets and resources have remained the same.
Closing Gaps and Overlaps: Multi-Vendor DLP Solutions
At InteliSecure we frequently see organizations using tools and platform elements from 2-3 vendors as they attempt to fill the gaps in their cloud security posture. Accelerated digital transformation initiatives have already required monumental shifts to allow remote work, provide access to legacy applications, ensure 24/7 availability of those applications, and migrate large amounts of data to cloud repositories. Now, internal data security teams must add layers of data security technology tools, further increasing their burden and reducing their effectiveness.
Consider a typical scenario:
A company wants to leverage its Microsoft license to enable data loss prevention (DLP) for Exchange—but does not want to lose endpoint protection at the end user level. Since Microsoft 365 Endpoint DLP is still in beta, the company may look at a Broadcom, Forcepoint, or McAfee solution to fill that gap. Naturally, this requires unwinding policies, events, and responses into different security applications.
For example, suppose an alert is produced by a cloud access security broker (CASB) system that shows an unmanaged device has accessed the network; then a cloud-based DLP system detects data theft under that user’s ID and triggers a DLP event. Immediately, you have questions:
- Where does the correlation between these alerts happen?
- Was the user’s account compromised?
- If so, is there a separate identity protection tool that caught the compromise?
As you can see, an influx of information from multiple sources quickly multiplies the time it takes to get to a succinct answer. That is valuable time that could be better spent in addressing the issue.
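The correlation the three questions above ask for, written out as an added example (not InteliSecure's or any vendor's code): it joins a constructed CASB feed, a constructed cloud DLP feed and a constructed identity-risk list on user ID inside a time window. Field names, the 30-minute window and all sample values are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample feeds; field names are assumptions, not any vendor's real schema.
CASB_ALERTS = [
    {"time": "2020-10-05T09:02:11", "user": "jdoe@example.com",
     "type": "unmanaged_device_access", "device": "unknown-macbook"},
    {"time": "2020-10-05T11:40:00", "user": "asmith@example.com",
     "type": "unmanaged_device_access", "device": "android-unknown"},
    {"time": "2020-10-05T13:15:00", "user": "jdoe@example.com",
     "type": "managed_device_access", "device": "corp-laptop-0042"},
]
DLP_EVENTS = [
    {"time": "2020-10-05T09:17:45", "user": "jdoe@example.com",
     "policy": "PII-Exfiltration", "action": "upload_to_personal_storage", "bytes": 48_000_000},
    {"time": "2020-10-05T16:05:00", "user": "asmith@example.com",
     "policy": "PII-Exfiltration", "action": "upload_to_personal_storage", "bytes": 2_000},
]
# Users the (hypothetical) identity protection tool has flagged as possibly compromised.
IDENTITY_RISK_USERS = {"jdoe@example.com"}


def _ts(s):
    return datetime.fromisoformat(s)


def correlate(casb_alerts, dlp_events, identity_risk_users, window=timedelta(minutes=30)):
    """Link each DLP event to unmanaged-device CASB alerts for the same user that fired
    within `window` before it, and record whether identity protection flagged the account.
    Only unmanaged-device alerts count; managed-device access is normal and ignored."""
    unmanaged = {}
    for a in casb_alerts:
        if a["type"] == "unmanaged_device_access":
            unmanaged.setdefault(a["user"], []).append(a)
    incidents = []
    for e in dlp_events:
        t = _ts(e["time"])
        for a in unmanaged.get(e["user"], []):
            gap = t - _ts(a["time"])
            if timedelta(0) <= gap <= window:
                incidents.append({
                    "user": e["user"],
                    "device": a["device"],
                    "policy": e["policy"],
                    "minutes_after_device_alert": round(gap.total_seconds() / 60, 1),
                    "identity_risk_flagged": e["user"] in identity_risk_users,
                })
    return incidents
```

With the default window only the jdoe pair is linked; the asmith DLP event is four hours after the device alert and stays an isolated, lower-priority event.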
The complexity goes beyond just correlating information about events. With multiple technologies in place, security teams must reconcile different approaches to applying policies, the granularity of those policies, and what systems or applications they can be applied to.
You are bound to end up with gaps.
For example, in Broadcom DLP, we can fingerprint a document and only trigger an alert when the document is filled out. However, Microsoft DLP will index the document and trigger an alert based on a percentage match. The two systems could cover different areas of responsibility. So, while the sensitive form is caught during a data-at-rest (DAR) scan by Broadcom, the Microsoft system might easily miss the detection because the completed form does not match the original document.
These kinds of overlaps and gaps—previously handled inside an on-premises centralization system—now become glaringly apparent and increasingly time consuming for your internal staff.
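A simplified model of the gap described above, added here as an example and not code from either vendor: one engine scores a document by the percentage of its word 3-grams found in an index of the blank form, the other fingerprints the form's field labels and fires only when every field is filled. The form text, the 80% threshold and both matching rules are constructed assumptions, not the real Broadcom or Microsoft algorithms.

```python
import re

# Constructed blank form, a partially completed copy and a completed copy (sample data).
BLANK_FORM = "Patient Name: ____ Date of Birth: ____ SSN: ____ Diagnosis: ____"
PARTIAL_FORM = "Patient Name: Jane Doe Date of Birth: ____ SSN: ____ Diagnosis: ____"
COMPLETED_FORM = ("Patient Name: Jane Doe Date of Birth: 01/02/1980 SSN: 123-45-6789 "
                  "Diagnosis: chronic migraine with aura, onset 2017, managed with topiramate; "
                  "follow up in six months with neurology for review of imaging")


def shingles(text, n=3):
    words = text.split()
    return {tuple(words[i:i + n]) for i in range(len(words) - n + 1)}


def percentage_match(template, candidate):
    """Index-style matching (simplified): percentage of the candidate's word 3-grams that
    also occur in the indexed template. Filled-in values break the 3-grams around them,
    so the score falls as more of the form is completed."""
    t, c = shingles(template), shingles(candidate)
    return round(100 * len(t & c) / len(c), 1) if c else 0.0


def form_fingerprint(template):
    """Structural fingerprint (simplified): the ordered field labels that precede a blank."""
    return re.findall(r"\b([A-Za-z][A-Za-z ]*:)\s*____", template)


def filled_form_detected(fingerprint, candidate):
    """True only if every label appears in order and every field holds non-blank content."""
    pattern = r"\s*(.+?)\s*".join(re.escape(label) for label in fingerprint) + r"\s*(.+)$"
    m = re.search(pattern, candidate, re.S)
    return bool(m) and all(v.strip() and "____" not in v for v in m.groups())


def engines_alerting(candidate, threshold=80):
    """Which simplified engine would raise an alert on this document."""
    hits = []
    if percentage_match(BLANK_FORM, candidate) >= threshold:
        hits.append("index-percentage")
    if filled_form_detected(form_fingerprint(BLANK_FORM), candidate):
        hits.append("form-fingerprint")
    return hits
```

The blank template scores 100% and the completed form drops to about 3%, so at an 80% threshold only the fingerprint engine catches the filled-out form, which is the copy that actually carries the sensitive data.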
Solutions: Three Approaches to Centralize Data Protection Tools
To reduce data protection complexity, it’s essential to centralize the information you get from multiple tools. Three options can offer practical solutions.
1. Engage an MSSP
A traditional managed security service provider (MSSP) will take on the burdens of correlating, reporting, and responding to events. As your program complexity grows, the provider will be responsible for determining how to build in efficiency. This option allows you to cover your KPIs, eyes on glass, and compliance requirements. However, your MSSP will also recognize the additional level of effort—and you will be charged accordingly.
2. Stick with a single security technology vendor
Another approach is to take a single vendor to its completion, accepting the gaps or changing your internal processes to restrict the areas that the vendor cannot cover. For example, if your technology vendor’s solution doesn’t have a way to control the type of data that users share or upload to the cloud, you may have to disable sharing in your cloud collaboration tool of choice.
Many vendors have extensive functionality in their platforms and can cover 70-80% of the requirements for most enterprises. You may also be able to take advantage of integrations between the security vendor’s solution and its technology partners to achieve a desired outcome. For example, Z-Scaler is a Microsoft technology partner that provides cloud-native security controls. Microsoft does not provide DLP for web channels (HTTP/S, FTP) to prevent users from acquiring malware from malicious sites. By adding Z-Scaler to Microsoft cloud application security (MCAS), you would be able to manage both web and cloud traffic. When considering this option, it’s important to check the roadmaps of your vendor’s partners.
3. Work with a provider that provides technology integration
A highly workable option is to work with a managed data protection partner that can provide a true integration solution to centralize the tools you require from your vendors of choice.
For example, Microsoft has a strong suite of tools, dashboards, policies, and security tools that are included in its E3 and E5 licenses. Although each of these tools provides value, they are not integrated, so there’s no single way to manage the events and guide the outcomes. InteliSecure created our Aperture platform to link all of these data protection systems under one umbrella, providing a way to view and interact with them in one place.
With the visibility and actionable information that Aperture provides, you can leverage the value of Microsoft’s tools without getting stuck in the miasma of alert fatigue, auditability, escalations, and workflows that your traditional security tools demanded.
Centralization Simplifies Your Data Protection Strategy
Whether you’re eagerly heading to the cloud or being pushed there by circumstances beyond your control, you don’t have to forgo the benefits of security tool centralization.
You have the same staff, same resources, and probably the same budget. What really will determine the success of your digitally transformed security solution is the effort you allocate to validating vendors, determining roadmaps, and managing and mitigating security events. If you can reduce the complexity of those activities, you’ll be leaps and bounds ahead.
You don’t have to do it alone.
A managed data protection provider like InteliSecure can help you. Through our comprehensive, modular managed data protection services and our purpose-built technology augmentations, we can reduce the burden of data security management—and your overall security costs. Contact us to talk about your requirements.