Federal agencies have a data problem. Data that was traditionally inside four walls is now everywhere. Employees and vendors access it from all kinds of devices, located in all kinds of places, making it increasingly challenging for security teams to see what those users are doing with that data.
In a nutshell, agencies have lost control of their data, devices and users. We have seen the repercussions in the headlines: contractors leaking classified reports, employees infected with malware, the Harold Martin III case. As we head into 2018, agencies must shift their approach. The traditional strategy of fortifying the perimeter is no longer effective. The strategy of the present and future must focus on protecting data wherever it is.
If you’re a security practitioner at a Federal agency, you most likely are all too familiar with Data Loss Prevention (DLP) technology. It was known as the security solution for blocking the transmission of data outside the organization. Considering today’s data problem, DLP is going through a rebirth. Its capabilities are expanding so it can protect sensitive data both inside and outside the organization, while not overburdening limited analyst resources.
The expansion entails DLP being integrated with newer technologies such as Cloud Access Security Broker (CASB) tools to protect data not just on premises, but also in the cloud. Encryption is being added to the mix to protect the data while in transit. Tagging is another important technology to leverage alongside DLP. The tool enables agencies to label documents (e.g. classified, unclassified) to give their DLP technology hints as to what’s important and what’s not. For example, if a document is tagged “classified”, then DLP knows to block or encrypt it. Multi-factor authentication is also important because it requires the user receiving the data to properly identify herself before the data can be opened.
One more technology that also integrates with DLP, and serves as the glue for tying the other tools together, is User and Entity Behavior Analytics (UEBA). UEBA technologies collect the telemetry data created by the tools mentioned above, identify potential malicious and non-malicious insider and outsider activities, and deliver a prioritized list of the most critical incidents that DLP analysts must investigate immediately. The integration significantly reduces false positives because, whereas DLP focuses strictly on the data, UEBA determines whether the user who is elevating the risk of the data being compromised is indeed a threat or is acting with business justification.
For example, let’s say “Joe” from accounting was working on a lengthy project that required him to send a series of classified documents over an extended period of time to a third-party contractor outside the agency. Every time Joe sent the data, DLP would flag it and alert analysts, who would then waste their time investigating each alert and questioning Joe (interrupting his work and potentially lowering morale). And it would all be for nothing, because the action was business-justified.
UEBA would prevent this situation from happening. The technology would learn the first time that Joe’s actions were business-justified, and whitelist the event as business as usual so that analysts would never again receive an alert about that behavior of Joe’s.
On the flip side, if Joe had not been given permission to send the information, UEBA would prioritize the alert based on the fact that the information was classified, and that Joe’s behavior was unusual compared with his own history, his peers and the team as a whole.
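The two halves of the Joe scenario, together with the tag-based policy described earlier (a “classified” label telling DLP how important a document is), can be shown as a small triage simulation. The code below is an added illustration written for this article; it is not the product of any vendor or tool the article mentions. The event records, team membership, tag severities and the scoring formula are all constructed assumptions: DLP flags every outbound transfer of a labelled document, and a UEBA-style layer then scores each flagged event by tag severity, by how often this user has done the same thing before, and by how many teammates have done it, while suppressing entirely any (user, destination, tag) combination an analyst has marked as business-justified.

```python
"""Prioritizing DLP alerts with a simple UEBA-style baseline (constructed example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DlpEvent:
    day: int
    user: str
    team: str
    tag: str            # document label from the tagging tool, e.g. "classified"
    destination: str    # external recipient domain the document was sent to


# Hypothetical tag policy: the label tells DLP how sensitive a document is.
TAG_SEVERITY = {"classified": 3, "internal": 2, "public": 0}


def dlp_flags(event: DlpEvent) -> bool:
    """DLP alone flags every outbound transfer of a document with a sensitive label."""
    return TAG_SEVERITY.get(event.tag, 1) > 0


class Ueba:
    """Enriches DLP alerts with the user's own history and the peer group's behaviour."""

    def __init__(self):
        self.justified = set()                    # (user, destination, tag) approved by an analyst
        self.user_hist = defaultdict(Counter)     # user -> Counter of (destination, tag)
        self.team_hist = defaultdict(lambda: defaultdict(set))  # team -> (destination, tag) -> users

    def mark_business_justified(self, user: str, destination: str, tag: str) -> None:
        """Analyst decision: this user's transfers of this tag to this destination are routine."""
        self.justified.add((user, destination, tag))

    def observe(self, event: DlpEvent) -> None:
        """Update the per-user and per-team baselines with an event that has been scored."""
        key = (event.destination, event.tag)
        self.user_hist[event.user][key] += 1
        self.team_hist[event.team][key].add(event.user)

    def risk(self, event: DlpEvent, team_size: int) -> float:
        """Score in [0, severity]; 0 means the alert is suppressed as business as usual."""
        if (event.user, event.destination, event.tag) in self.justified:
            return 0.0
        key = (event.destination, event.tag)
        severity = TAG_SEVERITY.get(event.tag, 1)
        # Unusual for this user: decays as the same transfer recurs in his own history.
        seen_self = self.user_hist[event.user][key]
        self_factor = 1.0 / (1 + seen_self)
        # Unusual for the team: drops as more teammates have made the same transfer.
        peers = len(self.team_hist[event.team][key] - {event.user})
        peer_factor = 1.0 - peers / max(team_size - 1, 1)
        return severity * (self_factor + peer_factor) / 2


def triage(events, ueba: Ueba, team_sizes: dict):
    """Run events through DLP, then UEBA; return (risk, event) pairs, highest risk first."""
    incidents = []
    for ev in events:
        if not dlp_flags(ev):
            continue                      # DLP would not alert on this at all
        r = ueba.risk(ev, team_sizes[ev.team])
        ueba.observe(ev)                  # baselines learn from every flagged event
        if r > 0:
            incidents.append((r, ev))
    incidents.sort(key=lambda pair: -pair[0])
    return incidents


# Constructed sample telemetry for a three-person accounting team.
TEAM_SIZE = {"accounting": 3}
SAMPLE = [
    DlpEvent(1, "joe", "accounting", "classified", "contractor.example"),
    DlpEvent(2, "joe", "accounting", "classified", "contractor.example"),
    DlpEvent(3, "ann", "accounting", "public", "partner.example"),
    DlpEvent(5, "joe", "accounting", "classified", "contractor.example"),
    DlpEvent(5, "ann", "accounting", "classified", "contractor.example"),
    DlpEvent(5, "bob", "accounting", "classified", "unknown-vendor.example"),
]


def run_demo():
    """Before the analyst's decision Joe is alerted on twice; afterwards his transfers are
    silent and the queue is led by Bob's never-before-seen destination."""
    ueba = Ueba()
    before = triage(SAMPLE[:2], ueba, TEAM_SIZE)
    ueba.mark_business_justified("joe", "contractor.example", "classified")
    after = triage(SAMPLE[2:], ueba, TEAM_SIZE)
    return before, after


if __name__ == "__main__":
    for label, queue in zip(("before", "after"), run_demo()):
        print(label, [(round(r, 2), ev.user, ev.destination) for r, ev in queue])
```

Ann's classified transfer to the contractor still surfaces, but below Bob's, because one teammate (Joe) already has that destination in the team baseline; Joe's own repeat on day 5 produces no incident at all once the analyst has recorded the justification. The scoring formula is deliberately simple; a real UEBA product would use richer features and its own models, which this example does not attempt to reproduce.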
Under either circumstance DLP, integrated with UEBA and the other tools mentioned above, is protecting data well beyond the four walls of the agency. The technology has evolved to help analysts understand what’s truly sensitive in terms of data, which data does and does not need protecting, how data should be tagged, how it should be protected, whether it needs to be encrypted, who is handling it and what’s important to investigate. The goal is to protect agencies’ most sensitive data, enable collaboration, discover malicious behavior and prioritize investigation. That’s the DLP of today, tomorrow and beyond.