How do you keep your data on lock?

CMI #11 - Data Loss Prevention (DLP)

Businesses run on sensitive data. Protecting and limiting the loss or misuse of that data is an ever-evolving challenge.

Mike P


Terms You Might Also Hear

  • Data Leak Prevention
  • Data Loss Protection
  • Data Protection
  • Insider Risk Detection and Response
  • Insider Threat

Associated or Adjacent Product Categories

  • Anti-Phishing (Previous Pro Report)
  • Business Email Compromise
  • Cloud Access Security Broker (CASB)
  • SaaS Management Platform (SMP)
  • Secure Email Gateway

Problem Statement

  • Companies have sensitive and competitive data that runs their business. This data comes in both structured (e.g., databases) and unstructured (e.g., Microsoft Office documents) formats.
  • Companies do not always know where their sensitive data lives, how employees are using that data, or where that data is being shared. As a result, companies do not understand their risk exposure, and that exposure can have devastating financial, regulatory, and reputational repercussions.
  • Sensitive data can be exposed for both good and bad reasons as part of the normal course of business.
  • Data loss is not a security problem; it's a business problem that can have security impacts.

Market Solution

Enter the Data Loss Prevention (DLP) market space.

  • DLP is a set of tools designed to protect data in its various states (at rest, in motion, and in use).
  • DLP technologies exist to intercept, interrogate, and potentially limit the transmission of sensitive or confidential data.
  • DLP technologies can scan and analyze data in various forms and look for patterns in that data to determine whether sensitive data is present.
  • DLP technologies give cybersecurity and business teams insight into how a company's sensitive data is being shared.
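To make the "look for patterns" bullet concrete, here is an added example (not code from the original post or from any vendor listed below) of the simplest form of content inspection a DLP engine performs: regular expressions for a credit card number and a US Social Security number, a Luhn checksum to throw out digit runs that merely look like card numbers, and a check for nearby context words that raises confidence. The patterns, keywords, confidence levels and allow/flag/block policy are assumptions chosen for illustration, and the sample messages are constructed.

```python
import re
from dataclasses import dataclass

# Added example, not from the original post. Detectors, keywords and policy
# thresholds are illustrative assumptions, not any product's real rules.

# 13-19 digits, optionally separated by spaces or dashes (common card layouts).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in AAA-GG-SSSS form; excludes groups the SSA never issues (000, 666, 9xx, 00, 0000).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Words that, when they appear shortly before a match, make a false positive less likely.
CONTEXT_KEYWORDS = {
    "credit_card": ("card", "visa", "mastercard", "amex", "cvv"),
    "ssn": ("ssn", "social security"),
}


@dataclass
class Finding:
    kind: str        # which detector fired
    value: str       # matched text, masked so the finding itself does not leak data
    confidence: str  # "high" (pattern + context) or "medium" (pattern only)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card networks."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits so alerts and logs stay safe to share."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def has_context(text: str, start: int, kind: str, window: int = 40) -> bool:
    """True if a context keyword for this detector appears in the window before the match."""
    before = text[max(0, start - window):start].lower()
    return any(word in before for word in CONTEXT_KEYWORDS[kind])


def scan(text: str) -> list[Finding]:
    """Run every detector over the text and return masked findings."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_valid(digits):
            continue  # order, tracking and account numbers fail the checksum; skip them
        conf = "high" if has_context(text, m.start(), "credit_card") else "medium"
        findings.append(Finding("credit_card", mask(m.group()), conf))
    for m in SSN_RE.finditer(text):
        conf = "high" if has_context(text, m.start(), "ssn") else "medium"
        findings.append(Finding("ssn", mask(m.group()), conf))
    return findings


def decide(text: str) -> tuple[str, list[Finding]]:
    """Map findings to a policy action: block on high confidence, flag for review on medium."""
    findings = scan(text)
    if any(f.confidence == "high" for f in findings):
        return "block", findings
    if findings:
        return "flag", findings
    return "allow", findings


# Constructed sample messages (the card number is the well-known Visa test number).
SAMPLE_MESSAGES = [
    "Please charge card 4111 1111 1111 1111 for the order.",
    "Tracking id 1234 5678 9012 3456 shipped this morning",
    "Employee SSN: 219-09-9999 is on file",
    "Ref 123-45-6789 attached",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        action, found = decide(msg)
        print(f"{action:5s}  {msg!r}  {[(f.kind, f.value, f.confidence) for f in found]}")
```

The second sample shows why a checksum matters: it matches the card regex but fails Luhn, so it is allowed through instead of becoming one more event an analyst has to dismiss. The fourth sample shows the opposite trade-off: with no context word the SSN-shaped value is flagged for review rather than blocked. Real engines add fingerprinting of known documents, exact-data matching against a hashed reference set, and classifiers on top of this, but the regex-plus-validation-plus-context layering is the core the bullets above describe.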

Different Flavors

  • Endpoint DLP (web uploads, copy/pasting)
  • Network DLP (data in motion over the wire)
  • Storage DLP (file shares, databases, etc.)
  • Email DLP (data in email message bodies or attachments)
  • Cloud DLP (a subsection of CASB, data moving in and out of SaaS services)
  • Cloud-Native DLP (DLP products built into the cloud service providers themselves, such as Amazon Macie and Google Cloud DLP)

Players in the Space

  • Checkpoint
  • Code42
  • CoSoSys
  • CipherCloud
  • Cyberhaven
  • Digital Guardian
  • Fidelis
  • Forcepoint
  • McAfee
  • Metomic.io
  • Netskope
  • Nightfall.ai
  • Palo Alto
  • Proofpoint
  • Symantec
  • Zscaler

Predictions

  • With remote work being here to stay, the concept of where the "data endpoint" is will shift. Players will look to expand to focus more on cloud-based services.
  • DLP as an endpoint technology will be less common. DLP at the endpoint is a heavy end-user burden that fewer businesses are tolerating. Business drivers will always win.
  • Companies that have many bespoke DLP products for the endpoint, network, and cloud will begin to consolidate them.
  • Look for clever terms like "Zero-trust DLP" to be a new marketing approach to an old product space.
  • DLP as a capability will become more of a compliance checkbox than the focused practice it was in the last decade. Regulation will continue to push insider threat and user behavior edge cases over pure DLP (as it should).

Opportunities

  • Managed Security Service Providers (MSSPs) should bundle DLP and insider threat coverage as a unique offering. Make this a part of the threat detection and response "secret sauce."
  • Create a network and email-based DLP that uses AI and ML to solve the data classification problem. Stop making people write RegEx and having to review each event that pops up.
  • Make DLP a self-guided learning experience. A solution that can combine DLP capabilities with developer-like feedback could be a huge success.
  • Shift the conversation of DLP to privacy-focused regulations. DLP was originally designed to protect sensitive PII (Personally Identifiable Information). Change what DLP can do by focusing on data lineage and helping companies understand better how their data is being used. Understanding how your data is being used is actually one of the main overlooked keys to a good data loss prevention program.

Key Insights

  • Bet on your biggest ecosystem. Are you already a large Microsoft, Box.com, or Unified Communications & Collaboration (UCC) customer? Look for where data moves the most and you'll find your biggest points of risk.
  • DLP technologies won't solve all of your data loss problems. Companies still have to understand, classify, and locate sensitive data.
  • Implementing a DLP technology without having a grasp on what you are protecting will lead to a subpar rollout and not being able to realize the value of the investment.
  • DLP technologies are relics of the cybersecurity product world. With more data being encrypted by default, DLP point solutions that are invasive to the end-user will become less effective and less common.

Pro Positions

What type/size/stage company should leverage these platforms?

  • Startups - This shouldn't even be on your radar. Focus more broadly on good data protection and data privacy routines like data encryption, data tokenization, and data lineage to support ever-expanding data privacy regulations.
  • Small and Medium-sized Businesses (SMBs) - Same as above. There are many other things you can take advantage of at this stage and size. Focus on your threat detection and response activities and vulnerability remediation over DLP.
  • Larger Companies (>500-1,000 employees) - Same as above for SMBs. Think hard about how far you go down this path. It's likely not the area where you have the most risk or biggest gaps in your environment.

What makes one of these platforms “good?”

  • Look for workflow automation: automated discovery and classification.
  • Look for automated scanning, tagging, and classification of user actions.
  • Look for platforms that integrate with your email providers and broader Unified Communications & Collaboration (UCC) stack (e.g., Microsoft M365).
  • Look for cloud-native over endpoint-only. Meet data where it moves rather than where people manipulate it.
  • Look for the convergence of threat detection and response with DLP. Insider threat detection and response is the new DLP.

Out of the Players listed, who are the top to consider?

  • Code42 and Cyberhaven

References

An Interesting Counter to DLP

There are many who think this product space is a failure. It's certainly ripe for change.