I’m Taking Data, and DLP Can’t Stop Me (Video)

Here’s my confession: I plan to take data with me whenever I leave my employment at Code42. I know exactly what data I will take and how I will take it. Am I concerned about getting caught? Not really. Most data loss prevention products won’t even see me doing it, let alone prevent me.

I’m not alone in my data scheming. Code42’s 2018 Data Exposure Report revealed that up to 72 percent of employees admit to taking data from their previous employer to their new one—and that’s just those who will admit to the data theft. On top of that, 90 percent of companies feel vulnerable to insider threat.

Thankfully, in my case, all of the data on my list consist simply of pictures of me and my dog. But when I’m taking data with me upon my departure, shouldn’t the company security team be able to tell? Ideally, yes. The challenge is that humans are unpredictable, and prevention toolsets don’t take our chaotic nature into account.

“At its core, data loss prevention (DLP) isn’t new. In fact, the desire to prevent data from disappearing is universal. Sadly, the failures to prevent data loss are as common as they are ancient—just ask the librarians at Alexandria how well their plans to prevent data loss worked.”

While Code42 isn’t in the business of securing burning libraries, we do focus on data loss protection. Unfortunately, data loss prevention as a software category has experienced innumerable failures. Whether it’s source code, client lists, CAD drawings, or the latest episode of a certain winter-obsessed TV show, people put their data into places they shouldn’t. They’re able to do this regardless of how good their data loss prevention tools and policies are, how large a security team they have in place, or how many ports on their machines are disabled. Data loss prevention is failing. If you have data loss prevention deployed, there’s a good chance it is failing you right now.

Scared yet? Concerned?

You should be. People, even when set loose in a perfectly architected, immaculately maintained environment, will still wreak havoc intentionally or accidentally. If you build a wall, someone will build a taller ladder. If you block USB access, someone will use any number of other options to obtain that access. For everything else, there’s Florida Man. The TL;DR version: No plan survives first contact with the enemy.

What does all of this mean for data loss prevention tools? It means policies don’t stop people from taking data. One can’t out-engineer the malicious intent of a determined human. This is why Code42 moves beyond prevention to data loss protection; in other words, prevention on its own simply doesn’t work—and it doesn’t work for all of the reasons I just cited. At Code42, we focus on protecting from data loss. That’s because it’s possible and it’s critical to be able to rapidly detect, investigate and respond to a potential data loss incident.

To these ends, there are three additions we’ve made to our product that will help you to better protect your organization from data loss. Here they are:

Data Exposure Dashboards

Our data exposure dashboards enable you to quickly visualize exfiltration events across removable media as well as personal and corporate cloud accounts. They provide a 1-, 7-, 30-, or 90-day view of events across your organization in order to quickly investigate anomalous findings. Additionally, these dashboards reveal which files have been shared externally in your corporate Google Drive, OneDrive, and Box environments over the same period of time.

Data Exfiltration Alerts

The new data exfiltration alerts enable the creation of alert profiles for some, or all, of the users in your organization based upon how much data are being moved to removable media and cloud services. These alerts show exactly what data were moved, down to the specific file content. This makes it easy to assess whether the exfiltration poses a data loss risk to your organization.

SOAR BABY SOAR

Alerts are great, but they don’t work in a vacuum. Alerts need context. Previously, we’ve written about our integration with Splunk Phantom, and now we’re happy to announce support for IBM’s Resilient Security Orchestration, Automation and Response (SOAR) platform. With this new integration, it’s now possible to include Code42’s data exfiltration and forensic metadata in your existing incident response automations. You can learn more and download the Code42 Resilient app by visiting IBM Security App Exchange.

And with that, I’m afraid this post has come to an end.

But not before I take a moment to brag. Code42 keeps racking up hardware in the form of industry awards. Most recently, we were honored with the Black Unicorn award from CyberDefense. If you want to see how awesome we are, head over to our honors page.

Stay safe out there.