Why Traditional Data Loss Prevention and UEBAs Fail (And Where Endpoint DLP Shines)
From simple log analytics to security information and event management (SIEM) to data loss prevention (DLP) to newer options like user and entity behavior analytics (UEBA), companies are using all kinds of specialized security software to protect their sensitive data, prevent data breaches or mitigate insider threats. The keyword here is 'specialized'. Each of these products has its own strengths and weaknesses and is useful for specific use cases. For example, while a traditional data protection system (legacy DLP, network DLP, older-generation Data Loss Detection or DLD software and, to some extent, content monitoring and filtering or CMF systems) can work as a reasonable defense against data exfiltration, it is not designed to detect human threats such as a malicious privileged user. On the other hand, UEBA or employee monitoring solutions are good at identifying behavioral anomalies and insider threats, but they aren't particularly strong at preventing sophisticated data thefts such as steganography.
Let's take a look at the other limitations of traditional DLP and UEBA software. We will then discuss what a better choice is.
Traditional DLPs use a combination of standard data security measures such as signature matching, file tagging or structured data fingerprinting, and sometimes intrusion detection and firewalls, to protect sensitive data. Most are installed at network egress points, giving them a clear line of sight to all inbound and outgoing data. However, such systems become ineffective when the data travels outside the managed environment, for example to a user's mobile device. Their strong focus on the data rather than the data consumer (the user) also makes these DLPs useless when it comes to analyzing 'soft' threats such as insider sabotage, privilege manipulation, social engineering etc. Other disadvantages of traditional DLPs are:
DLP is designed for data; insiders are people
DLP software, by definition, is made to protect data. A traditional or network-based DLP is installed at network egress points, where it analyzes network traffic while enforcing security policies on data movement. It usually does not distinguish between users, their intent or the business context of that data. As a result, these DLP solutions are unable to detect most insider threats or to tell the difference between malicious behavior and an accident. Without some form of behavioral analytics, it is extremely hard for them to analyze user actions and human nuances.
Traditional DLPs can be expensive
A study run by ComputerWeekly found that the top challenge in implementing DLP was that it was too expensive (32%). While things are getting better, a traditional DLP, especially a hardware-based solution, remains comparatively expensive. It's not just the software license: a DLP implementation may need professional services support from the vendor, which can run into hundreds of thousands of dollars for larger projects. There can also be additional utilities or integrations needed, either from a third party or from the vendor itself. Sometimes these are sold as separate modules or appliances, adding to the overall cost.
DLPs are hard to set up and manage
DLPs aren't designed to work out of the box. They need to be set up properly for your organization's particular use cases. Many of them rely on manual data definition, classification and the configuration of complex rules and policies. Configuring the DLP can be time-intensive and requires expensive resources for ongoing tuning and optimization. While larger enterprises can afford to invest in such a massive undertaking, smaller businesses simply do not have the resources, money or time to implement and maintain such projects, even if they can afford to purchase the software. Even large companies may give up on the ongoing maintenance of the DLP and simply let it decay into a stale state. As a result, the DLP becomes ineffective over time or, worse, starts to generate too many false positives. That, in turn, is a more harmful outcome, as the security team begins to ignore the warnings.
Legacy DLPs can be circumvented by users
A malicious administrator or privileged user can circumvent DLP rules easily. Since they know how the security system works, they can exploit its gaps and loopholes or even leave backdoors for themselves. For example, if they know particular keywords are flagged by a DLP rule, they can use alternative phrases. Or they can change a system's settings to give themselves access to sensitive data or resources without raising any flags. Sometimes a person doesn't even have to be a privileged user to exploit the gaps in the DLP system. Over time, they can simply figure out how it works by basic trial and error. Without knowledge of behavioral intent, a DLP will simply treat such data access as legitimate.
Innocent users can also unintentionally cause security breaches. In fact, one of the main causes of data breaches is human error. Often, users are targeted by external criminals through social engineering or phishing. In the majority of these cases, stolen credentials are used by hackers to steal company data without creating any security footprint. The fact is, compromised privileged users and privilege misuse are hard to detect.
Finally, the rise of Bring Your Own Device (BYOD), remote work and freelancing practices makes it difficult to maintain a walled-garden approach to data protection. Once the data is out of the managed network, the user can do pretty much anything with it.
Monolithic DLPs can affect performance
Another disadvantage of traditional DLP is that it has a tendency to create cumbersome workflows. This CSO article explains it nicely. In short, what it means is that, if used inappropriately, your DLP implementation could sacrifice your team's productivity for protection. The reasons this can happen are two-fold. First, a DLP installation can be heavy on your users or systems, slowing things down, generating strange application behavior or even crashing some systems. While this can be fixed to some degree by regular upgrades and patches, it is still extra processing, and some mission-critical systems might suffer from the overhead. Second, by keeping important data 'hostage', DLP disrupts the free flow of information inside your organization, creating obstacles and additional hops that can affect efficiency and productivity.
DLP-only solutions have no productivity benefits
DLP is a single-purpose solution. So, if you are looking for additional features such as the ability to monitor employee performance, time tracking, payroll etc., you will need another solution such as employee monitoring or UEBA.
User and entity behavior analytics (UEBA) software can identify and alert the organization to a wide range of anomalous behavior and potential insider threats. However, it lacks the advanced data discovery, classification and correlation capabilities of a DLP. After all, the focus of UEBA is to prevent the compromise of sensitive data by restricting access to it, not to protect the integrity of the data itself. That's what DLPs are for. There are also several other limitations of UEBAs:
UEBA can be overwhelming
UEBA solutions capture large quantities of data for each user, from website activity and emails to individual keystrokes. Some even capture audio/video. Analyzing all this data and the resulting alerts and system logs can be daunting for a security analyst, particularly if they have to deal with large teams. Even though many UEBA products provide filtering and rules to manage data volumes, sometimes the devil is in the details. It's not unusual for security analysts to find themselves going through a large number of logs and session recordings when auditing a user or conducting an investigation. Moreover, for a UEBA to be effective, businesses often need to rely on solid access control and identity management processes for each user. While this isn't a bad thing, it creates additional work for IT, as they need to keep their Active Directory in sync with user and team profiles on the UEBA. Finally, to take full advantage of the UEBA, organizational systems such as HR/CRM need to be integrated with it. So, the implementation isn't as straightforward as it looks.
UEBA has limited reach
Most pure-play UEBA solutions rely on an agent as their primary data source. This can limit their reach, i.e. monitoring only local machines and leaving gaps at the server or cloud layer. Given how applications are moving toward a cloud/SaaS model, this can be a major limitation of such localized UEBA monitoring.
UEBA might raise privacy issues
In recent years data privacy has become a topic of conversation because of the introduction of GDPR and similar laws. Since UEBA collects a huge amount of user data, it carries certain privacy risks. While some products offer anonymization/pseudonymization, dynamic blackouts and configurable monitoring features, not every UEBA has such capabilities to protect employee privacy and still effectively defend the business from insider threats.
UEBAs are an evolutionary dead end
UEBA is increasingly becoming a feature of a broader set of security products such as cloud access security brokers (CASB), identity governance and administration systems, SIEM, endpoint DLP etc. Gartner research has this to say about UEBA in its Market Guide for User and Entity Behavior Analytics: "… the market keeps shifting away from pure-play vendors, toward a wider group of traditional security products that add core UEBA technologies and functions to benefit from advanced analytics features." In time, UEBA will vanish as a pure-play product. It's already happening.
Therefore, the question you need to ask yourself is: should you wait for your CASB/SIEM/DLP vendor to incorporate this feature in their product (if it isn't already)? Or do you need insider threat protection now and can't wait? The good news is, in both cases, the answer is: No. There's already a better alternative that combines the features of a DLP with the insights of a UEBA.
A natural progression of any technology market is that it starts with disparate products and then, as the market matures, vendors move toward integration. That's what is happening in the cybersecurity market at the moment. A new generation of DLP solutions, known as Endpoint DLP or eDLP, is entering the market that incorporates the best of both worlds: user-focused threat detection powered by UEBA and data-centric loss prevention from mature DLP technology.
Teramind DLP is a perfect example of such a suite. It provides all the user activity monitoring features of Teramind's employee monitoring platform and intelligent analytics from a fully functional UEBA product, coupled with a powerful endpoint DLP and compliance features. Here are a few advantages to using such an endpoint DLP solution:
Endpoint DLPs have better threat context
A good endpoint DLP can monitor the user's day-to-day behavior on apps, websites, email and even raw inputs such as keystrokes, on-screen activity and more. This is helpful in discovering 'human' risks such as malicious employees, collusion, sabotage, theft and other insider threats. Combining this user activity monitoring and behavior analytics with automated data classification, risk discovery with machine learning, content sharing rules, fingerprinting, tagging, OCR and other advanced data protection functions gives endpoint DLPs wider coverage than a traditional or network DLP.
Endpoint DLPs are privacy friendly
As mentioned before, using a UEBA solution alone might expose you to privacy risks. Endpoint DLP eliminates many of the weaknesses of UEBA's privacy implementation by allowing you to filter out sensitive data such as PII, PHI and PFI while still providing a strong defense against insider threats. When it comes to privacy compliance, a modern endpoint DLP has support for common regulatory compliance standards including GDPR, HIPAA, PCI DSS, ISO 27001, NIST, FISMA etc. Additionally, the comprehensive alerts, session logs, anomaly and risk analysis, and incident reports available in such an endpoint DLP can help you demonstrate to the DPO and compliance auditors that you have established data protection best practices and are ready to fulfill breach reporting and burden-of-proof requirements.
Endpoint DLPs generate fewer false positives
Endpoint DLPs have access to better context thanks to the integrated UEBA layer. Such a system can not only detect or stop a data breach, but also track where the threat originated, what caused it and which data sets or resources were affected. Some endpoint DLPs go one step further by dynamically analyzing current and future risks and assigning weighted risk scores to vulnerable users, data and applications, thus preventing future threats. This holistic view of threats, incorporating user intent and context, significantly reduces false positives compared to solutions that rely on the target data only.
Endpoint DLP is easy to configure and run
This might not sound like an obvious benefit, but it can save you a ton of time at the initial stage of your DLP implementation. With an endpoint DLP, you can easily create a single rule that performs the tasks of several rules. By utilizing the UEBA-generated behavioral baselines, rules can respond to anomalies dynamically instead of requiring individual rules with fixed parameters like black/white lists, IP filtering and other rigid methods. Also, as we investigated in this article, having the behavior analytics at hand also creates opportunities for the DLP to apply machine learning models to automatically process huge volumes of data and develop threat models, further reducing the dependency on human operators.
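The following is an added illustration of this point and of the false-positives section above; it is example code written for this article, not Teramind's or any vendor's implementation. A content-only, fixed-threshold rule is run beside a single baseline-driven rule over constructed upload events; the history values, the score weights and the 50-point alert cut-off are assumptions.

```python
from statistics import mean, pstdev

# Constructed sample data: daily bytes each user uploaded to external destinations
# over the past week (the UEBA-style behavioral baseline), and today's new events.
BASELINE_HISTORY = {
    "alice": [120, 150, 90, 130, 110, 140, 100],          # normally a light uploader
    "bob":   [2000, 1800, 2200, 1900, 2100, 2050, 1950],  # routinely moves ~2 KB
}
TODAYS_EVENTS = [
    {"user": "alice", "bytes": 1500, "sensitive": True},   # tiny for bob, huge for alice
    {"user": "bob",   "bytes": 2100, "sensitive": True},   # inside bob's normal range
    {"user": "alice", "bytes": 110,  "sensitive": False},  # nothing of interest
]

FIXED_LIMIT = 1000  # bytes: the kind of rigid parameter a legacy rule is built on
ALERT_SCORE = 50    # assumed cut-off for the weighted risk score

def legacy_rule(event):
    """Content-only rule: alert whenever tagged data leaves above a fixed size,
    regardless of who sends it. Fires on bob's routine transfer (a false positive)."""
    return event["sensitive"] and event["bytes"] > FIXED_LIMIT

def baseline_zscore(user, value):
    """Distance of today's value from this user's own historical mean, in standard deviations."""
    history = BASELINE_HISTORY[user]
    sd = pstdev(history)
    return 0.0 if sd == 0 else (value - mean(history)) / sd

def risk_score(event):
    """Weighted score: a content match contributes a fixed 30 points, while deviation from
    the user's own baseline contributes 10 points per standard deviation, capped at 60."""
    score = 30.0 if event["sensitive"] else 0.0
    deviation = max(baseline_zscore(event["user"], event["bytes"]), 0.0)
    score += min(deviation * 10, 60.0)
    return round(score, 1)

def contextual_rule(event):
    """One baseline-driven rule standing in for a set of per-user fixed-threshold rules."""
    return risk_score(event) >= ALERT_SCORE

def compare(events):
    """Return (user, legacy_alert, contextual_alert, score) for each event."""
    return [(e["user"], legacy_rule(e), contextual_rule(e), risk_score(e)) for e in events]

if __name__ == "__main__":
    for row in compare(TODAYS_EVENTS):
        print(row)
```

Only alice's out-of-character upload alerts under the contextual rule, while the fixed limit also flags bob's everyday transfer.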
Endpoint DLPs come with additional benefits
Modern endpoint DLPs such as Teramind DLP bundle extra functions such as productivity analysis, time tracking, payroll widgets etc. While these might not be as essential to large enterprises, SMEs might find them quite attractive. A single product that can serve security, productivity and HR needs is quite useful for startups and small businesses.
Endpoint DLPs are budget friendly
Endpoint DLP products are relatively less expensive considering that they serve the purpose of multiple products: employee monitoring, UEBA, identity management etc. They are also competitively priced by vendors looking to disrupt the traditional security market.
The goal of this article is not to criticize traditional DLP or UEBA solutions. As I've stated in the introduction, all these security products have their purpose. If you are already using such a product and it meets your requirements, then by all means keep using it. However, if you are not happy with your current solution, or you are in the market for the latest employee monitoring, insider threat detection, data loss prevention and compliance management solutions, then you should give endpoint DLPs a try.