Of clouds and compliance: DLP + UEBA are back in the spotlight

As CTO and co-founder of a company that specializes in user and entity behavior analytics, it’s no surprise that I’m bullish on the prospects of this technology; but this optimism is increasingly substantiated by a pair of accelerating trends.

The continued and overwhelming momentum of cloud adoption, along with related evolution of compliance requirements in the form of the EU General Data Protection Regulation (GDPR), have elevated user and entity behavior analytics back into the spotlight, particularly related to the use of data loss prevention (DLP) technology.

Behavior analytics had existed in some form for over a decade, first developed in the digital advertising domain, then adapted to serve the needs of a context-hungry IT security audience.  However, the overwhelming sentiment related to its use has often been one of skepticism; specifically, that deployment of behavior analytics tools represented a complex science project that created more work than results.

Data loss prevention technologies came with their own challenges. While DLP provided visibility and protection across data loss channels, it also produced large volumes of security alerts. Manually sorting through and prioritizing the endless mountain of alerts became too labor intensive for organizations’ limited security analysts. Earlier versions of DLP solutions proved great at helping organizations discover and categorize sensitive data, but the process of creating DLP rules that could effectively prevent sensitive data from leaving the network or the device – without creating so many alerts – was extremely difficult.

Most often, organizations focused on using a small subset of enforceable rules related to a fixed subset of crown jewels of data, adhering to the “first things first” principle of good cyber security.  Expanding enforcement to include more data was frequently a future project, because of concerns about creating mountains of alerts that analysts would never have time to look at, or triggering encryption of outbound data that broke existing DLP policies, or other such enforcement tactics, would get in the way of doing business.

Then along came the cloud, and further use of mobile apps, and by 2016, interest in DLP grew rapidly. The notion of a network perimeter faded even further into history, and DLP, despite its challenges, was needed as organizations scrambled for methods of keeping track of what data was rapidly getting sent to the cloud, both to support security practices and maintain compliance with existing mandates like the Payment Card Industry Data Security Standard (PCI DSS). Industry analyst firms like Forrester, among others, picked up its pen and re-launched DLP market coverage.

Now we find ourselves in 2018 and not only is use of the cloud growing even faster, it is the dominant force in all of IT. One of the few concerns of the cloud trend, if there are truly any, is security and compliance. In addition, the impending arrival of the emerging EU General Data Protection Regulation (GDPR), which includes the potential for even more difficult compliance requirements, and those specific to the cloud, has created an even larger opportunity for DLP.

For its part, analyst firm Gartner now predicts that the GDPR has not only generated “renewed interest” in DLP, but posited that the mandate will drive 65 percent of related buying decisions today through 2018, with the total DLP market to grow from $894 million in 2016 to $1.3 billion by 2020.

As part of this expansion, Gartner experts also said that by 2020, 85 percent of organizations will implement at least one form of “integrated DLP”, up from 50 percent today. That last part, the notion of “integrated” DLP is an important one, and it’s where we get back to talking about behavior analytics.

Organizations need a way to increase the volume of processed DLP alerts without added staff, and deliver tools that make needed investigations more time-efficient. They need to comfortably expand their DLP policies with their existing analysts and mitigate DLP incidents more quickly by having a practical set of repeatable workflows on a broadly applicable basis. They also need to drain the bottomless pool of DLP incidents so that only the most critical ones remain.

That’s where behavior analytics comes in, and directly supports Gartner’s position around “integrated DLP.” By directly integrating user and entity behavior analytics with DLP to identify and escalate those alerts that isolate major issues, either in the form of malicious insiders, compromised accounts, or even simply problematic compliance violations, behavior analytics makes DLP a far more effective and efficient proposition. The integration provides behavior-driven escalation of DLP incidents and a prioritized list of higher risk DLP incidents [ex. failed email exfiltration, followed by encrypted transmission] with recommended remediation actions.

Like many technologies before them that have needed to ripen on the vine for many years before accomplishing what they initially set out to do, DLP and user and entity behavior analytics now find themselves on the cusp of doing just that. In partnership, thanks to the cloud, and GDPR.