All we are able to do, all that’s been done, is to build a massive perimeter defense that guarantees only authorized people will gain access. The problem here is that attackers steal authorization credentials. So to these defenses, the attackers still appear authorized. Perimeter network defenses are completely blind to the fact this person is a bad actor.
It’s a lot like this scenario: you’re building a bank and you invest your security budget into reinforcing the perimeter walls, exterior security cameras, security guards, alarms, etc. People must pass your guard gate and show their credentials before being admitted. They finally enter and find all the money piled on the floor. They can take whatever they want and walk right out the door because they are authorized. That’s basically the present state of data protection at the majority of companies.
Some organizations are using specialized software tools called Data Loss Prevention, or DLP, that are supposed to protect valuable company data. DLP software looks at files being sent off the network and tries to determine if they are sensitive. If it’s determined that they are sensitive and the action is risky, then the operation will be cancelled. That’s one for the good guys!
Unfortunately, attackers have learned to adapt to traditional DLP software. Going back to our bank example: if the company had deployed a DLP solution it would be a lot like a security guard approaching you as you try to exit the building. They see that you’re carrying money and they stop you. You’re caught. But what if you stuff the money in your pocket? These traditional DLP guards don’t see it and you’re able to walk out.
Why don’t the traditional data loss prevention guards see the money you hid in your pocket? Because cyber attackers encrypt the sensitive data they are looking for and send it out of your enterprise without you being able to see that it was sensitive data. That is just like stuffing the money in your pockets and exiting the bank without incident. Traditional DLP tools cannot fully address this problem and that is why we see so many public breaches. And many of the current headline breaches had these traditional DLP tools in place.
So what can be done to solve this problem? Build the defense into the data itself.
To mitigate the current risks to our sensitive data, the defense has to be built into the valuable data itself. It has to be a part of the internal emails, the salaries, the formulas, CAD drawings, client data, employee health data, and anything else that is valuable to you and must not be leaked out. The defense must be able to work even if only parts of that valuable data are copied, printed, emailed, or sent to the cloud, smartphone, USB drive, and every other egress from a computer. Even sensitive data living in machines that are offline, or at someone’s house, or not connected must still be protected. And forensic records must be included so you can submit non-repudiation evidence to U.S. Courts and beyond.
Going back to our bank example, if the bank has Digital Guardian data loss prevention installed and an authorized user decides to pick up a pile of money, stuff it in their pockets, and try to exit, then the money will explode in a puff of red paint. Because the money itself has its own defense built right in, because the money itself is the thing of value.
This is how to solve the problem and that’s how Digital Guardian works.
