From simple log analytics to security information and event management (SIEM) to data loss prevention (DLP) to newer solutions like user and entity behavior analytics (UEBA), companies have been using all kinds of specialized security software to protect their sensitive data, prevent data breaches and mitigate insider threats. The keyword here is ‘specialized’. Each of these tools has its own strengths and weaknesses and is useful for specific use cases. For example, while a traditional data protection system (legacy DLP, network DLP, the older generation of data loss detection or DLD software and, to some extent, content monitoring and filtering or CMF systems) can act as a reasonable defense against data exfiltration, it is not designed to detect human threats such as a malicious privileged user. On the other hand, UEBA or employee monitoring solutions are good at identifying behavioral anomalies and insider threats, but they are not very strong at preventing sophisticated data theft, such as exfiltration hidden with steganography.
Let’s take a look at the other limitations of traditional DLP and UEBA software. We will then discuss a better alternative.
Limitations of traditional DLP software:
Traditional DLPs use a combination of standard data security measures such as signature matching, file tagging or structured data fingerprinting, sometimes combined with intrusion detection and firewall functionality, to protect sensitive data. Most of them are installed at network egress points, giving them a clear line of sight to all incoming and outgoing data. However, such systems become ineffective once the data travels outside the managed environment, for example onto a user’s mobile device. Their strong focus on the data rather than on the data consumer (the user) also makes these DLPs ineffective when it comes to investigating ‘soft’ threats such as insider sabotage, privilege manipulation or social engineering. Other disadvantages of traditional DLPs are:
DLP is designed for data, insiders are people
DLP software, by definition, is designed to protect data. A traditional or network-based DLP sits at network egress points, analyzing network traffic and enforcing security policies on data movement. It usually does not distinguish between users, their intent or the business context of the data. As a result, these DLP solutions cannot detect most insider threats or tell the difference between malicious behavior and an accident. Without some form of behavioral analytics, it is impossible for them to analyze user actions and human nuance.
Traditional DLPs can be expensive
A survey run by ComputerWeekly found that the top challenge in implementing DLP was cost (cited by 32% of respondents). While things are getting better, a traditional DLP, especially a hardware-based solution, is still comparatively expensive. It is not just the software license: a DLP implementation may need professional services support from the vendor, which can run into hundreds of thousands of dollars for larger projects. Additional utilities or integrations may be needed, either from a third party or from the vendor itself, and these are sometimes sold as separate modules or appliances, adding to the overall cost.
DLPs are hard to configure and manage
DLPs aren’t designed to work out of the box. They need to be set up properly for your organization’s specific use cases. Many of them rely on manual data definition, classification and the configuration of complex rules and policies. Configuring a DLP is time consuming and requires expensive resources for ongoing adjustment and optimization. While larger enterprises can afford to invest in such a massive undertaking, smaller companies simply do not have the resources, money or time to implement and maintain such a project even if they can afford to buy the software. Even large companies may give up on ongoing maintenance and let the DLP go stale. As a result, the DLP becomes ineffective over time or, worse, starts to generate too many false positives. That is the more dangerous outcome, because the security team starts to ignore the warnings.
Legacy DLPs can be circumvented by the users
A malicious administrator or privileged user can circumvent DLP rules easily. Since they know how the security system works, they can exploit its gaps and loopholes or even leave backdoors for themselves. For example, if they know certain keywords are flagged by a DLP rule, they can use alternative keywords. Or they can change a system setting to give themselves access to sensitive data or resources without raising any flags. Sometimes a user does not even have to be privileged to exploit the gaps in a DLP system: over time, they can work out how it behaves by simple trial and error. Without knowledge of behavioral intent, a DLP will simply treat such data access as legitimate.
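To make the ‘alternative keywords’ point concrete, here is an added example (not code from this article or from any DLP vendor) that implements a legacy-style content rule and runs it against constructed messages. The codename, card number and messages are all made up for the example. The naive rule matches a keyword list and a card-number regex; the hardened variant normalizes Unicode, strips separators and decodes base64 blobs before matching. Notice that the hardened rule still cannot catch the message that simply calls the project by a nickname, which is exactly the gap a content-only rule leaves for an insider.

```python
"""Why a fixed keyword/signature DLP rule is easy to evade.

A naive rule flags text containing a sensitive project codename or a
Luhn-valid 16-digit card number. The same content, lightly transformed,
slips past it. A normalising variant catches the transformations shown
here but is still blind to a user who just uses a different word.
All names, numbers and messages below are constructed for this example.
"""
import base64
import re
import unicodedata

# Constructed rule parameters (hypothetical codename of a sensitive project)
BLOCKED_KEYWORDS = ("project falcon", "falcon roadmap")
# Legacy-style card pattern: digits optionally separated by space or hyphen
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def naive_dlp_flags(text: str) -> bool:
    """Legacy rule: case-insensitive keyword match plus the card regex."""
    lowered = text.lower()
    if any(k in lowered for k in BLOCKED_KEYWORDS):
        return True
    return any(luhn_ok(re.sub(r"[ -]", "", m.group()))
               for m in CARD_RE.finditer(text))


def normalise(text: str) -> str:
    """Undo cheap tricks: fullwidth/compatibility Unicode and base64 blobs."""
    text = unicodedata.normalize("NFKC", text)
    decoded = []
    # Any long base64-looking token is decoded and appended for inspection
    for tok in re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", text):
        try:
            decoded.append(base64.b64decode(tok, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            pass
    return text + " " + " ".join(decoded)


def hardened_dlp_flags(text: str) -> bool:
    """Same rule, but matched on text with all separators removed."""
    squashed = re.sub(r"[^0-9a-z]", "", normalise(text).lower())
    if any(k.replace(" ", "") in squashed for k in BLOCKED_KEYWORDS):
        return True
    return any(luhn_ok(m.group()) for m in re.finditer(r"\d{13,19}", squashed))


def evasion_report() -> dict:
    """Run both rules over constructed messages: {label: (naive, hardened)}."""
    samples = {
        "plain": "Sending the Project Falcon roadmap as discussed",
        "alias": "Sending the PF roadmap as discussed",          # nickname: no content rule sees it
        "fullwidth": "Sending the Ｐｒｏｊｅｃｔ Ｆａｌｃｏｎ roadmap",  # fullwidth letters
        "dotted_card": "card on file: 4111.1111.1111.1111",     # separator the regex ignores
        "base64": "see " + base64.b64encode(b"project falcon roadmap").decode(),
    }
    return {k: (naive_dlp_flags(v), hardened_dlp_flags(v)) for k, v in samples.items()}


if __name__ == "__main__":
    for label, (naive, hardened) in evasion_report().items():
        print(f"{label:12s} naive={naive!s:5s} hardened={hardened}")
```

Every normalization step you add only closes the transformations you thought of; the ‘alias’ row stays invisible to both rules, which is why the text argues for looking at who is moving the data and how, not only at the bytes.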
Innocent users can also cause security breaches by accident. In fact, human error is one of the main causes of data breaches. Users are often targeted by external criminals through social engineering or phishing, and in the majority of these cases the stolen credentials are then used to take company data in a way that looks like legitimate use and trips none of the usual alarms. The truth is, compromised privileged accounts and credential misuse are hard to detect.
Finally, the rise of Bring Your Own Device (BYOD), remote work and freelancing has made it difficult to maintain a walled-garden approach to data protection. Once the data is out of the managed network, the user can do pretty much anything with it.
Monolithic DLPs can affect performance
Another disadvantage of traditional DLP is its tendency to create cumbersome workflows. This CSO article explains it nicely. In short, if used inappropriately, your DLP implementation can sacrifice your team’s productivity for security. There are two reasons this can happen. First, a DLP installation can be heavy on your users or your network, slowing things down, causing odd application behavior or even crashing some systems. Regular upgrades and patches fix this to some extent, but it is still extra processing, and some mission-critical systems may suffer from the overhead. Second, by holding important data ‘hostage’, a DLP disrupts the free flow of information inside your organization, creating barriers and additional hops that hurt productivity and efficiency.
DLP-only solutions have no productivity benefits
DLP is a single-purpose solution. So, if you are looking for additional features like the ability to monitor employee performance, time tracking, payroll and so on, you will need a separate solution such as employee monitoring or UEBA.
Limitations of UEBA software
User and entity behavior analytics (UEBA) software can identify and alert the organization to a wide range of anomalous behavior and potential insider threats. However, it lacks the advanced data discovery, classification and correlation capabilities of a DLP. After all, the focus of a UEBA is the behavior of the people and systems that touch sensitive data, not the content of the data itself. That is what DLPs are for. There are also several other limitations of UEBAs:
UEBA can be overwhelming
UEBA solutions capture large volumes of data for each user, from website activity and email down to individual keystrokes. Some even capture audio and video. Analyzing all this data and the resulting alerts and system logs can be daunting for a security analyst, especially one responsible for large teams. While many UEBA products provide filtering and rules to manage data volume, the devil is often in the details: it is not unusual for analysts to find themselves going through thousands of log entries and session recordings when auditing a user or conducting an investigation. Moreover, for a UEBA to be effective, organizations often need solid access control and identity management processes for each user. That is not a bad thing in itself, but it creates extra work for IT, who have to keep Active Directory in sync with the user and group profiles on the UEBA. Finally, to take full advantage of the UEBA, entity systems such as HR and CRM need to be integrated with it. So the implementation is not as straightforward as it looks.
UEBA has limited reach
Most pure-play UEBA solutions rely on an endpoint agent as their main data source. This limits their reach to the machines where the agent runs, leaving gaps at the server and cloud layers. Given how applications are moving towards a cloud/SaaS model, this localized monitoring can be a major limitation.
UEBA might raise privacy issues
In recent years data privacy has become a topic of conversation due to the introduction of GDPR and similar laws. Since a UEBA collects vast amounts of user data, it carries real privacy risks. While some solutions offer anonymization/pseudonymization, dynamic blackouts and configurable monitoring, not all UEBAs have such capabilities to protect employee privacy while still effectively defending the organization from insider threats.
UEBAs are an evolutionary dead end
UEBA is increasingly becoming a feature of a wider set of security products such as cloud access security broker (CASB) and identity governance and administration systems, SIEM, Endpoint DLP etc. Gartner research has this to say about UEBA in their Market Guide for User and Entity Behavior Analytics, “ …the market keeps shifting away from pure-play vendors, toward a wider set of traditional security products that embed core UEBA technologies and features to benefit from advanced analytics capabilities.” In time, UEBA will cease to exist as a pure-play product. It’s already happening.
So, the question you need to ask yourself is: should you wait for your CASB/SIEM/DLP vendor to include this feature in their product (if they haven’t already)? Or do you need insider threat protection now? The good news is that you don’t have to wait in either case: there is already an alternative that combines the features of a DLP with the insights of a UEBA.
The solution: user-centric endpoint DLP with behavior analytics
A natural progression in any technology market is that it starts with disparate products and then, as the market matures, vendors move towards integration. That is what is happening in the cybersecurity market at the moment. A new generation of DLP solutions, called endpoint DLP or eDLP, is entering the market that incorporates the benefits of both worlds: user-focused threat detection powered by UEBA and data-centric loss prevention from mature DLP technology.
Teramind DLP is an example of such a suite. It includes the user activity tracking capabilities of Teramind’s employee monitoring platform, the analytics of a fully functional UEBA product, and a powerful endpoint DLP with compliance features. Here are some advantages of using such an endpoint DLP solution:
Endpoint DLPs have better threat context
An ideal endpoint DLP can monitor a user’s day-to-day behavior across apps, websites and email, and even raw inputs such as keystrokes and on-screen activity. This is helpful in detecting ‘human’ risks such as malicious employees, collusion, sabotage, theft and other insider threats. Combining this user activity monitoring and behavior analytics with automated data classification, machine-learning-assisted threat discovery, content sharing rules, fingerprinting, tagging, OCR and other advanced data protection features gives endpoint DLPs broader coverage than a traditional or network DLP.
Endpoint DLPs are privacy friendly
As mentioned before, using a UEBA solution alone might expose you to privacy risks. An endpoint DLP removes many of the weaknesses of a UEBA’s privacy implementation by letting you filter out sensitive data such as PII, PHI and PFI while still providing a strong defense against insider threats. When it comes to privacy compliance, a modern endpoint DLP has support for common regulatory standards including GDPR, HIPAA, PCI DSS, ISO 27001, NIST and FISMA. Additionally, the detailed alerts, session logs, anomaly and risk analysis, and incident reports available in such an endpoint DLP can help you demonstrate to the DPO and compliance auditors that you have established data security best practices and are ready to meet breach reporting and burden-of-proof requirements.
Endpoint DLPs generate fewer false positives
Endpoint DLPs have access to better context thanks to the integrated UEBA layer. Such a system can not only detect or stop a data breach, but also trace where the threat originated, what caused it and which data sets or resources were affected. Some endpoint DLPs go one step further by dynamically analyzing current and future risk, assigning weighted risk scores to vulnerable users, data and applications so that emerging threats can be headed off. This holistic view of threats, incorporating user intent and context, significantly reduces false positives compared to solutions that look at the target data alone.
Endpoint DLP is easy to configure and run
This may not sound like an obvious benefit, but it can save you a great deal of time at the initial stage of your DLP implementation. On an endpoint DLP, a single rule can do the work of several. By using the behavioral baselines generated by the UEBA layer, rules can react to anomalies dynamically instead of relying on separate rules with fixed parameters such as block/allow lists, IP filtering and other rigid methods. Also, as we explored in this article, having behavioral analytics at hand creates opportunities for the DLP to apply machine learning models that process large volumes of data and build threat models automatically, further reducing the dependency on human operators.
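The difference between a fixed-parameter rule and one driven by a behavioral baseline is easiest to see in code. The following is an added example, not code from this article or from Teramind: it builds a per-user baseline (mean and standard deviation of daily upload volume) from a constructed 14-day history for two hypothetical users and compares a static ‘alert above 500 MB’ rule with a z-score rule. The users, volumes and thresholds are all made up for the illustration. Two practical caveats a baseline rule has to handle are included: a flat history (standard deviation of zero) and a user with too little history to have a baseline at all.

```python
"""Fixed-threshold rule versus a per-user behavioural baseline.

Constructed daily upload volumes (MB) for two hypothetical users over
14 days, then one new day each. A static rule ("alert above 500 MB")
misses the analyst who suddenly uploads ten times her norm and pages on
the video editor's routine day; a rule built from each user's own
history flags the right one.
"""
from statistics import mean, pstdev

# Constructed history (hypothetical users): 14 days of upload volume in MB
HISTORY = {
    "analyst":      [12, 15, 9, 14, 11, 13, 10, 16, 12, 14, 11, 13, 12, 15],
    "video_editor": [610, 580, 640, 590, 620, 600, 570, 630,
                     615, 595, 605, 625, 585, 610],
}
# Today's observation for each user (constructed)
TODAY = {"analyst": 140, "video_editor": 620}

STATIC_LIMIT_MB = 500   # legacy rule: one number for everyone
Z_THRESHOLD = 3.0       # baseline rule: how many standard deviations is "unusual"
MIN_STDEV_MB = 1.0      # floor so a perfectly flat history cannot divide by zero
MIN_HISTORY = 7         # below this many observations there is no baseline yet


def static_rule(volume_mb: float) -> bool:
    """Fixed parameter: same limit regardless of who the user is."""
    return volume_mb > STATIC_LIMIT_MB


def baseline(history):
    """Per-user mean and (floored) standard deviation of past volumes."""
    return mean(history), max(pstdev(history), MIN_STDEV_MB)


def z_score(volume_mb: float, history) -> float:
    """How far today's volume sits from the user's own norm."""
    mu, sigma = baseline(history)
    return (volume_mb - mu) / sigma


def baseline_rule(volume_mb: float, history, z_threshold: float = Z_THRESHOLD) -> bool:
    """Anomaly relative to the user's baseline; falls back to the static
    rule when the user is too new to have one (cold start)."""
    if len(history) < MIN_HISTORY:
        return static_rule(volume_mb)
    return z_score(volume_mb, history) > z_threshold


def evaluate(today=TODAY, history=HISTORY) -> dict:
    """Return {user: {"static": bool, "baseline": bool, "z": float}}."""
    out = {}
    for user, mb in today.items():
        out[user] = {
            "static": static_rule(mb),
            "baseline": baseline_rule(mb, history[user]),
            "z": round(z_score(mb, history[user]), 1),
        }
    return out


if __name__ == "__main__":
    for user, verdict in evaluate().items():
        print(f"{user:13s} static={verdict['static']!s:5s} "
              f"baseline={verdict['baseline']!s:5s} z={verdict['z']}")
```

The static rule here produces one false negative and one false positive on the same day, while the baseline rule gets both right. In a production system the baseline would be recomputed on a rolling window and combined with other signals (time of day, destination, file sensitivity), but the shape of the decision is the same.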
Endpoint DLPs come with additional benefits
Modern endpoint DLPs like Teramind DLP bundle extra features such as productivity analysis, time tracking and payroll widgets. While these may not be essential to large enterprises, SMEs might find them quite attractive. A single piece of software that can serve security, productivity and HR needs is useful for startups and small businesses.
Endpoint DLPs are budget friendly
Endpoint DLP products are relatively inexpensive considering that they serve the purpose of several products: employee monitoring, UEBA, identity management and so on. They are also priced competitively by vendors looking to disrupt the traditional security market.
The goal of this article is not to criticize traditional DLP or UEBA solutions. As mentioned in the introduction, every security solution has its purpose. If you are already using a product that meets your needs, then by all means keep using it. However, if you are not happy with your current solution, or you are in the market for an employee monitoring, insider threat detection, data loss prevention and compliance management solution, then you should give endpoint DLPs a try.