Detecting malicious insiders: a new use case for data loss prevention

A discussion with Symantec’s Nico Popp about how DLP has evolved over the years.


With GDPR approaching, growing migration to the cloud and bring-your-own-everything, data loss prevention (DLP) technologies are making a resurgence. Today's DLP, however, has evolved significantly from what it once was. Traditional DLP was effective at keeping sensitive data inside the organization, but it generated an avalanche of alerts that buried analysts to the point where they could never catch up.

With limited resources, DLP analysts scrambled to pick through the endless pile, trying to find the needle in the haystack and too often wasting time on false positives. Meanwhile the alert backlog only grew, raising the risk that critical alerts would be overlooked.

I recently chatted about this topic with Symantec Senior Vice President of Information Protection, Nico Popp. As Nico described how DLP has evolved over the years, he brought up some good points. More enterprises are integrating DLP with user and entity behavior analytics (UEBA) to pare down and prioritize the mountain of alerts so that analysts only receive the most critical ones.

And, most interestingly, he mentioned that today's DLP, because of its UEBA capabilities, has a new use case, detecting malicious insiders, a problem that has sat at the top of most priority lists since Edward Snowden.

I captured my discussion with Nico in a Q&A:

I liked what you had said about the new use case for DLP. Can you elaborate on that?

NP: Sure, Ryan. If you think of yesterday's DLP, it protected companies against non-malicious, innocent mistakes such as employees sending high-sensitivity data to their personal email to work from home, exposing confidential data in open file shares, etc. By integrating UEBA, the use cases for DLP have expanded to include the malicious insider. DLP can now find insiders who want to harm the company as well as external bad actors who compromise a legitimate employee, masquerading as that person to access and steal sensitive data.

Let's say, for example, you hired a contractor for a two-year project; however, after one year he gives his resignation. DLP can see if that contractor starts to act in a way that's abnormal for himself, his peers and the overall team, as well as if he's acting in a way that's inconsistent with other contractors and staff planning to leave the company.

Everyone wants to find the rogue employee or the user who was compromised by a nation state hacker and has taken on the persona of a trusted employee. That’s actually a second new use case for DLP – detecting malicious outsiders.

That’s where data protection meets threat protection. Today’s DLP tells me what data someone has accessed and if the person is a malicious insider or outsider.

NP: Precisely. DLP gives you a complete view of data activity. DLP is on the endpoint, in the network, scanning your file shares and cloud applications, in cloud email, mobile, etc. Today's DLP shows what users are doing with companies' data and, with UEBA as its big sister, determines if abnormal behavior is a malicious or compromised insider. For example, if I suspect that an employee is stealing data, I can look further to determine if the employee's laptop has been infected by malware that is impersonating the employee to obtain the data. DLP can detect and make that determination.
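The contractor scenario above describes a baseline comparison: today's activity is scored against the user's own history and against a peer group, and a known departure date raises the priority. The following is an added example of that scoring, written for this page rather than taken from Symantec's product; the per-user daily counts of sensitive files moved off-network, the peer groups, the HR "gave notice" feed, the z-score threshold of 3 and the standard-deviation floor of 1.0 are all constructed assumptions.

```python
"""Self-baseline and peer-group anomaly scoring over DLP incident counts.

Added example for this article (not Symantec code). Event schema, peer
groups, thresholds and the sample numbers below are assumptions.
"""
from statistics import mean, pstdev

# Constructed sample: daily count of sensitive files each user copied to
# removable media or personal webmail, as a DLP endpoint agent would report.
# Index 0..13 form the baseline window; index 14 is the day under review.
DAILY_COUNTS = {
    "c.doe": [2, 3, 1, 2, 4, 2, 3, 1, 2, 3, 2, 2, 3, 2, 41],  # contractor who resigned
    "c.lee": [1, 2, 2, 3, 1, 2, 2, 1, 3, 2, 2, 1, 2, 2, 2],
    "c.kim": [3, 2, 2, 2, 3, 1, 2, 3, 2, 2, 3, 2, 1, 2, 3],
    "s.ann": [0, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 0, 1],
}
PEER_GROUPS = {"contractors": ["c.doe", "c.lee", "c.kim"], "staff": ["s.ann"]}
GAVE_NOTICE = {"c.doe"}  # assumed HR feed: users with a known departure date

STD_FLOOR = 1.0    # assumed: avoids dividing by ~0 when a baseline is flat
Z_THRESHOLD = 3.0  # assumed: both self and peer z-scores must exceed this


def zscore(value, baseline):
    """Standard score of value against a baseline sample, with a sigma floor."""
    sigma = max(pstdev(baseline), STD_FLOOR)
    return (value - mean(baseline)) / sigma


def peers_of(user):
    """Other members of the user's peer group (empty if none)."""
    for members in PEER_GROUPS.values():
        if user in members:
            return [m for m in members if m != user]
    return []


def score_user(user, day, counts=DAILY_COUNTS):
    """Score one user's activity on `day` against own history and peers."""
    today = counts[user][day]
    own_hist = counts[user][:day]
    peer_hist = [c for p in peers_of(user) for c in counts[p][:day]]
    self_z = zscore(today, own_hist)
    # With no peers, fall back to the self score rather than skipping the check.
    peer_z = zscore(today, peer_hist) if peer_hist else self_z
    anomalous = self_z >= Z_THRESHOLD and peer_z >= Z_THRESHOLD
    if not anomalous:
        severity = "none"
    elif user in GAVE_NOTICE:
        severity = "critical"  # abnormal volume from a known leaver
    else:
        severity = "high"
    return {"user": user, "count": today, "self_z": round(self_z, 1),
            "peer_z": round(peer_z, 1), "severity": severity}


def triage(day, counts=DAILY_COUNTS):
    """Return only anomalous users, most severe first; the rest stay unalerted."""
    order = {"critical": 0, "high": 1}
    hits = [score_user(u, day, counts) for u in counts]
    hits = [h for h in hits if h["severity"] != "none"]
    return sorted(hits, key=lambda h: order[h["severity"]])


if __name__ == "__main__":
    for hit in triage(14):
        print(hit)
```

Requiring both the self and the peer score to cross the threshold is what keeps the alert volume down: a user whose normal workload is high does not fire on volume alone, and a single odd day from an otherwise quiet peer group still has to be unusual for that individual.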

You had mentioned something you called, “The Last Integration.” Can you elaborate what you mean by that?

NP: Yes. Today, companies keep their technology stacks between data and threat protection very separate. We need to start integrating the two. The threat technology stack doesn't know about the confidentiality of the data; it's looking for indicators of compromise. It cannot decipher if a file being sent outside a company is a picture of someone's kid or the latest source code for a new project.

The data protection stack knows if the information is indeed the latest source code, but it doesn't know if the person emailing it is a threat. They are fighting the good fight in silos. One side thinks indicators of compromise, files, hashes, URLs and IP addresses. The other thinks, "How is the data classified? Is there personally identifiable information?"

We need to put it all together. Integrate DLP with endpoint protection tools, for example. Endpoint protection can tell DLP to monitor an unknown or suspicious application because it could be a zero-day attack. Then, DLP can tell the endpoint tool, "That process is trying to access highly confidential data," to which the endpoint tool responds, "I am going to stop it right now because an unknown application should not be allowed to do that. It could be an APT, ransomware, etc."

If you think about it, all threats have one thing in common that they cannot hide: they want to steal critical information. Threat security control points should be data aware to be able to block access to confidential data, so a potential threat cannot do anything with it.
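The integration described in this answer has two halves: a content classification the DLP side owns, and a process reputation the endpoint side owns, combined into a single allow/monitor/block decision at the control point. The following is an added example of that decision logic, written for this page and not taken from any vendor product. The regular expressions, the Luhn check on candidate card numbers, the signed-plus-prevalence reputation rule and the policy matrix are all assumptions chosen to illustrate the idea; a real deployment would use the endpoint agent's own reputation data and the DLP engine's own classifiers.

```python
"""Data-aware endpoint control: DLP classification + process reputation.

Added example for this article (not vendor code). Regexes, the reputation
rule, the policy matrix and the sample inputs are assumptions.
"""
import re
from dataclasses import dataclass

# Assumed DLP content rules: explicit markers, US SSNs, and 13-16 digit runs
# that are only treated as card numbers if they pass the Luhn check.
MARKER_RE = re.compile(r"\b(CONFIDENTIAL|INTERNAL ONLY|TRADE SECRET)\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits):
    """True if the digit string passes the Luhn checksum (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text):
    """Return ('high', reasons) or ('low', []) for a piece of content."""
    reasons = []
    if MARKER_RE.search(text):
        reasons.append("classification marker")
    if SSN_RE.search(text):
        reasons.append("ssn")
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group(0))):
            reasons.append("payment card")
            break
    return ("high" if reasons else "low", reasons)


@dataclass(frozen=True)
class ProcessInfo:
    name: str
    signed: bool      # code signature verified by the endpoint agent
    prevalence: int   # endpoints in the fleet that have seen this hash


def reputation(proc):
    """Assumed rule: known only if signed and widely seen; otherwise unknown."""
    return "known" if proc.signed and proc.prevalence >= 50 else "unknown"


# Assumed policy matrix: (data class, process reputation) -> action.
POLICY = {
    ("high", "unknown"): "block",    # the APT / ransomware case in the text
    ("high", "known"): "allow",      # trusted app touching sensitive data is normal
    ("low", "unknown"): "monitor",   # keep watching the unknown process
    ("low", "known"): "allow",
}


def decide(proc, content):
    """Combine the DLP verdict with the endpoint's reputation into one action."""
    level, reasons = classify(content)
    rep = reputation(proc)
    return {"process": proc.name, "data": level, "reasons": reasons,
            "reputation": rep, "action": POLICY[(level, rep)]}


# Constructed sample inputs.
UNKNOWN_PROC = ProcessInfo("updater.exe", signed=False, prevalence=1)
TRUSTED_PROC = ProcessInfo("WINWORD.EXE", signed=True, prevalence=12000)
HR_EXPORT = "employee 4471, SSN 123-45-6789, salary review attached"
CARD_NOTE = "refund to card 4111 1111 1111 1111 approved"
SHIPPING = "order 20230101123456 shipped, tracking emailed to customer"

if __name__ == "__main__":
    for proc in (UNKNOWN_PROC, TRUSTED_PROC):
        for doc in (HR_EXPORT, CARD_NOTE, SHIPPING):
            print(decide(proc, doc))
```

The Luhn step is there because the regex alone would flag any 13-16 digit run (an order or tracking number) as a card number; that is exactly the kind of false positive that fills a DLP queue, and it is cheaper to discard it at the control point than to have an analyst do it later.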

You talked about the DLP of today. What about the DLP of the future? Where do you see it headed?

NP: For starters, the “L” should be dropped in DLP. The technology should just be called, “Data Protection.” And, it needs to be much easier to use. Look at antimalware tools. Most of us, from consumers to businesses, use an antimalware tool without thinking twice about it. They’re easy to deploy and update, to the point where we forget they are there.

DLP, or shall I say DP, needs that same kind of simplified applicability. It needs to be accessible and easy, something you can turn on and get instant gratification. That should be the DLP of the future.

Copyright © 2018 IDG Communications, Inc.
