In a networked world, data that is created, stored, retrieved and transferred between servers and from servers to endpoints around the globe is the basis for billions of corporate and governmental transactions. Just a few minutes without access to this data network can severely affect companies and government entities, bringing their operations to a standstill. In a world where data has become the focal point around which human activities revolve, it is of vital importance for organizations to ensure the availability, access to and most importantly, security of their data at all times.
The emphasis on data security has increased in recent years as many countries have imposed stricter rules on the collection and storage of, and access to, personal data. Organizations and people have become increasingly aware that much more is at stake today than 20 years ago if documentation, records and logs containing personal information are stolen or lost. In their bid to safeguard their assets and their market reputation, organizations have intensified their efforts to protect data, both sensitive and non-sensitive.
What is data loss prevention?
Collectively, these factors have resulted in the adoption of more comprehensive data loss prevention (DLP) measures. DLP refers to standalone software, or a component of a wider set of cyber-security solutions, used to manage and protect an organization’s data. According to experts, implementing DLP starts with a deep understanding of the type of data managed by the organization, its business nature, transaction types, distribution of digital assets, endpoints, connectivity, access privileges and existing security policies.
One of the most important aspects of DLP implementation is being aware of the organization’s individual risk, as the cyber-world hosts threats that are quite different from those of the physical world. In the cyber-world, threats relating to data loss span from espionage to complete destruction of all records, with the more prevalent data loss taking the form of data breaches and exfiltration. Each type of loss occurs differently, has different impacts on the business, is perpetrated for different reasons by different types of threat actors and requires different prevention measures.
What motivates attackers?
As in non-virtual crimes, the motivation behind cyber-attacks is often financial. Threat actors seeking financial gain are either well-funded organizations or individual hackers drawn by system loopholes and insider information. A good example of how financial gain motivates cyber-attacks is the use of ransomware, which encrypts the victim’s data and decrypts it only upon receipt of a ransom payment made in crypto-currencies.
While financial motivations abound, it is surprising to see that political motivation is about to cause more upheaval in the cyber-world, as nation state actors deploy spyware to learn more about opponents and rivals in a world where a few peeks into their strategic information can provide a political and economic advantage. Government data, and data managed by strategic state-controlled and state-linked corporations, is particularly at stake.
When threats are just a click away
DLP measures focus on data classification as a means to protect data resource-efficiently, with certain types of data and applications receiving more scrutiny than others. According to ‘The State of Email Security 2020’ by Mimecast, email communication is the highest risk factor for data loss in companies. Phishing techniques, for example, require only a click by the unsuspecting recipient to launch an attack on the user device, which is subsequently replicated network-wide to create a full-fledged botnet attack capable of corrupting or destroying stored data. DLP classification categorizes data in many ways – by type of application (such as email, video, file transfer, cloud access), source, access control, current state of the data, etc. Each classification is accorded its own DLP rules and policies based on the identified risks and vulnerabilities.
Email communication calls for security measures aimed at data in transit, i.e. data that is crossing the corporate network gateways towards external domains. A firewall that is able to read the email content and identify malicious elements or suspicious patterns based on regular expressions will be able to block suspicious traffic and alert the system administrator (SA). Data in transit can also be protected using encryption or encrypted connections such as SSL, HTTPS and FTPS. While data in transit is typically more at risk of interception and attack, data in storage, data in use and data at the endpoints are also susceptible, and attacks on them often go unnoticed for a long time. Encryption, for example, can also be deployed for sensitive data in storage such as intellectual property or personally identifiable information (PII) in medical, financial or other personal records.
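The regex-based content check described above, as an added example that is not part of the original article or of any vendor product: a small outbound-mail filter with a constructed rule set that blocks messages carrying card numbers (a Luhn checksum drops digit runs that merely look like one) and alerts on a confidentiality marker.

```python
import re

# Constructed rule set: (rule name, pattern, action). The patterns are
# illustrative, not a complete PII catalogue.
RULES = [
    ("credit_card", re.compile(r"\b(?:\d[ -]?){13,16}\b"), "block"),
    ("confidential_marker", re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE), "alert"),
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects random digit runs that only resemble card numbers."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def inspect_message(body: str) -> dict:
    """Verdict for one outbound message: the action to take and the rules that fired.

    'block' wins over 'alert'; a message matching no rule is allowed through.
    """
    hits = []
    for name, pattern, action in RULES:
        for match in pattern.finditer(body):
            if name == "credit_card" and not luhn_ok(re.sub(r"\D", "", match.group())):
                continue  # looks like a card number but fails Luhn: treat as noise
            hits.append((name, action))
            break  # one hit per rule is enough for the verdict
    if any(action == "block" for _, action in hits):
        verdict = "block"
    elif hits:
        verdict = "alert"
    else:
        verdict = "allow"
    return {"action": verdict, "rules": sorted({name for name, _ in hits})}


if __name__ == "__main__":
    # Constructed sample: a valid test card number should be blocked at the gateway.
    print(inspect_message("Card 4111 1111 1111 1111 expires 12/27"))
```

In a gateway the verdict would drive the mail transfer agent's accept/reject decision and raise the SA alert the text mentions.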
DPI for DLP
DLP essentially means filtering data across the entire corporate network 24/7. To effect this kind of large-scope filtering, technologies such as Deep Packet Inspection (DPI) are required. DPI software, such as R&S®PACE 2, not only identifies application types and application attributes, it also helps to detect traffic anomalies that reveal possible cyber-attacks, all in real time.
Identifying traffic anomalies is particularly important in DLP as, according to the Data Breach Investigations Report by Verizon, 30 % of threats come from the inside. Privilege abuse and negligence often result in employees themselves becoming involved in data breaches and data leaks. Additionally, there is a consistent rise in identity theft. Both insiders and external actors with unrestricted access to corporate data can easily bypass conventional security measures, including firewalls, IPS and IDS. Anomalies such as unusual data transfers, repeated login attempts and unusual access locations show up on the radar of a DPI engine and become immediately visible to the SAs. DPI extracts not just this data but a host of other information, such as device types, frequency of access, downloads of encrypted traffic such as encrypted files, access to the corporate cloud outside the usual hours, and more. Customized DPI reports can then be used to issue alerts to SAs and to the enterprise SIEM system.
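The anomaly types listed above (unusual transfers, repeated login attempts, unusual locations, off-hours access), as an added example that is not part of the original article or of any DPI product: a detector run over constructed access records in the shape a DPI engine or proxy might export, with assumed per-user baselines and thresholds.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access records: (ISO timestamp, user, source country, event, bytes).
RECORDS = [
    ("2024-03-04T09:00:00", "alice", "DE", "login_ok", 0),
    ("2024-03-04T09:05:00", "alice", "DE", "download", 2_000_000),
    ("2024-03-04T22:10:00", "alice", "DE", "download", 900_000_000),  # huge, off hours
    ("2024-03-04T10:00:00", "bob", "DE", "login_fail", 0),
    ("2024-03-04T10:00:20", "bob", "DE", "login_fail", 0),
    ("2024-03-04T10:00:40", "bob", "DE", "login_fail", 0),
    ("2024-03-04T10:01:00", "bob", "DE", "login_fail", 0),
    ("2024-03-04T10:01:20", "bob", "DE", "login_fail", 0),
    ("2024-03-04T11:00:00", "carol", "BR", "login_ok", 0),            # new location
]

# Assumed per-user baselines and policy thresholds; a real deployment would
# learn the baselines from historical traffic.
BASELINE_COUNTRIES = {"alice": {"DE"}, "bob": {"DE"}, "carol": {"DE", "AT"}}
MAX_BYTES_PER_EVENT = 100_000_000
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=2)
BUSINESS_HOURS = range(7, 20)


def detect_anomalies(records):
    """Return (user, anomaly, detail) tuples for every record that breaks a rule."""
    alerts = []
    recent_fails = defaultdict(list)          # user -> timestamps inside the window
    for ts, user, country, event, nbytes in sorted(records):
        t = datetime.fromisoformat(ts)
        if country not in BASELINE_COUNTRIES.get(user, set()):
            alerts.append((user, "unusual_location", country))
        if event == "login_fail":
            window = [x for x in recent_fails[user] if t - x <= FAIL_WINDOW] + [t]
            recent_fails[user] = window
            if len(window) >= FAIL_THRESHOLD:
                alerts.append((user, "repeated_login_failures", len(window)))
                recent_fails[user] = []        # one alert per burst
        if event == "download" and nbytes > MAX_BYTES_PER_EVENT:
            alerts.append((user, "large_transfer", nbytes))
        if event == "download" and t.hour not in BUSINESS_HOURS:
            alerts.append((user, "off_hours_access", t.hour))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(RECORDS):
        print(alert)
```

Each tuple is what would be forwarded to the SA dashboard or the SIEM as the alert the text describes.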
Filtering out unwanted traffic
Apart from anomalies, real-time identification of suspicious traffic patterns by DPI enables certain traffic to be routed through additional firewalls and antivirus software. When cyber-threats such as malware or DDoS attacks are identified, the associated packets are quarantined or blocked. DPI-driven granular reporting on applications and files accessed, user identities and locations enables faster diagnosis and resolution of security events.
A key tenet of DLP is total visibility of the enterprise-wide data landscape. DLP vendors as well as security vendors can leverage DPI to combine analytics from network links, servers, cloud and enterprise endpoints onto a single dashboard so that SAs can keep tabs on the corporate network at all times. As cyber-attacks exploit human weaknesses and machine vulnerabilities, profound insights in real time are key to ensuring that no data is lost and that companies can wake up to data that is secure and ready for another day of operations.