Many organizations spend years investing significant resources into data loss prevention (DLP) tools designed to identify, classify, and monitor data, in an effort to prevent data exfiltration.
But the fact of the matter is: data doesn’t exfiltrate itself. People, or the insider threats, exfiltrate data.
Unfortunately, DLP tools alone aren’t stemming the consistent rise of insider threat-related incidents. Trusted insiders (your employees and third-party contractors) are still finding ways to get around the system.
For many organizations, the solution to the insider threat problem isn’t as simple as ripping and replacing a DLP software already in place. These tools often take a great deal of time and resources to implement; including an extensive data classification process; which requires an in-depth audit of all data, and then fine-tuning that classification architecture year after year.
Instead, supplementing a DLP with an Insider Threat Management solution focused on user activity solves both the data and the people sides of the insider threat equation — and could be the best way to detect and prevent insider threats.
Three Reasons Why You Need a DLP Supplement
The Consumerization of IT
These days, IT has become increasingly decentralized, meaning that it’s a lot harder to for DLP tools to get a comprehensive look at data, and how it moves. To get a clearer picture of how and why data is being exfiltrated, companies need to understand how insiders are using that data.
Traditional DLP tools require organizations to know where the data is located, and how to categorize it with the appropriate tags, policies, and rules. If employees are accessing data via software-as-a-service (SaaS) applications, sharing it with external vendors and contractors, and tapping into corporate systems with different devices, the task of knowing exactly where the sensitive data lies becomes infinitely more complicated.
A more holistic, user activity-centric approach can serve as a compliment to a DLP solution, by giving security professionals visibility into how users are most commonly accessing, interacting with, and sharing data, rather than just locking it down.
This level of visibility empowers the security team to be more proactive with educating and training users on the appropriate use of digital systems in real time — which becomes even more important when you consider that two out of three insider threat incidents are caused by user error.
The Workaround Crowd
Many users, whether they’re privileged or non-technical power users, can circumvent a DLP solution — especially if it’s impeding their productivity.
Heavyweight DLP agents can bog down endpoints for individual employees, causing them to find workarounds that might involve out-of-policy actions or unauthorized use of technologies. If a DLP tool is only applied to perimeter, the potential for an insider workaround becomes even higher.
Ultimately, data doesn’t move itself; people move data. With user activity monitoring, security teams can track access and interactions with sensitive databases, files, and applications, delivering a more complete picture of activity over time. This is particularly useful for speeding up insider threat investigations and eliminating the guesswork.
What’s more, if there’s a system in place that sets up guardrails rather than barriers, people will be less likely to try to find a workaround in the first place.
The Need for Context
In cases where data does leave an organization through a data leak or exfiltration event, cybersecurity professionals are inevitably faced with the question: “How did this happen?”
Unfortunately, investigating an incident can get complicated quickly after a DLP alert is triggered. In many cases, the systems aren’t always meticulously maintained, increasing the likelihood of false positives or sending security teams on a wild goose chase to discover the root cause of a potential incident.
By supplementing your DLP tools with a bonafide user-centric Insider Threat Management solution, you can improve upon key functionality to validate incidents, gather forensic data, and verify DLP alarms from a user activity standpoint. This validation should include data on the behaviors that indicate a risk of data loss, such as a user’s file, application, Internet, and window activity.
Since people are unpredictable, strict data monitoring rules and policies aren’t always fail-safe — it’s important to allow for some flexibility to detect suspicious or out-of-policy behavior from the people using your corporate systems on a daily basis.
The Perfect Data Protection Tag Team
We get it. A “rip and replace” isn’t always the best option for improving your internal systems. The phrase says it all – ripping something out doesn’t sound pleasant, or particularly easy. So why do it?
If you still find value with your DLP solution for compliance or locking down data, that’s just fine. Just be sure that you also consider the people-side of the data exfiltration equation with user activity monitoring, so you can fully prevent sensitive data from leaving your organization, once and for all.
Don’t just take our word for it: give ObserveIT a try for free.