Data Exfiltration Prevention with Zero Trust
Data exposure from SaaS and cloud applications is an increasing risk factor facing businesses today. Discover how SASE capabilities can help prevent data exfiltration, achieve zero trust, and reduce cyber risk across the attack surface.
The boom in digital connectivity has made data privacy a top concern for businesses. As businesses use more SaaS and cloud applications existing in public clouds, they lose visibility and control.
Data exfiltration can not only cause operational and reputational harm, but can lead to revenue losses, hefty compliance fines, expensive class-action lawsuits, and even ransomware demand and recovery costs.
Unfortunately, protecting data is not a simple feat in hybrid- and multi-cloud environments. This challenge is further exacerbated by an ever-growing attack surface and evolving threat landscape. Cybercriminals are actively looking for new ways to exploit businesses, meaning network security professionals need to shift their approach towards data loss prevention (DLP) to reduce cyber risk across the attack surface and achieve zero trust.
What is DLP?
According to Gartner, DLP is defined as a cybersecurity solution that detects and prevents breaches by performing content inspection and contextual analysis of data sent via messaging applications, in motion over the network, in use on a managed endpoint device, and at rest in on-premises servers or in cloud apps and storage. The objective is to prevent users from sharing sensitive or critical information outside the corporate network.
There are two broad categories: enterprise DLP and integrated DLP. The former is a comprehensive, packaged software solution for on-premises servers as well as physical and virtual appliances to monitor network email traffic for data discovery. Integrated DLP is an extension of existing security solutions that offers more compact features that are easy to access.
Why DLP tools struggle to stop data exfiltration
Whether you leverage enterprise or integrated DLP, simply placing it on endpoints, email, or web gateways isn’t enough to prevent data exfiltration. DLP tools can be circumvented by slightly altering sensitive information, such as spelling out credit card numbers, changing the numbers to Roman numerals, or uploading a screenshot of PPI.
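The spelled-out card number case above, as an added example that is not from the original article or any DLP product: a pattern-plus-Luhn content check misses the rewritten number until the text is normalized before inspection. The sample strings, the word table and the function names are constructed for illustration; Roman numerals and screenshots are not covered.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by a space or hyphen.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

# Digit words an author might substitute for digits (constructed table).
WORDS = {"zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
         "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9"}
WORD_RE = re.compile(r"\b(" + "|".join(WORDS) + r")\b", re.IGNORECASE)


def luhn_ok(digits):
    """Luhn checksum: filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text):
    """Return Luhn-valid card numbers found in text, separators removed."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def normalize(text):
    """Copy of text with digit words replaced by digits, used for inspection only."""
    return WORD_RE.sub(lambda m: WORDS[m.group().lower()], text)


# Constructed samples; 4111 1111 1111 1111 is a well-known test number.
PLAIN = "Card on file: 4111 1111 1111 1111."
SPELLED = "Card on file: four" + " one" * 15 + "."
ORDER = "Order 1234 5678 9012 3456 shipped."   # digit run that fails Luhn

if __name__ == "__main__":
    for sample in (PLAIN, SPELLED, ORDER):
        print(find_cards(sample), find_cards(normalize(sample)))
```

Each new encoding needs its own normalization step, which is the rule-per-vector maintenance burden the article describes.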
DLP tools can be very restrictive as they force businesses to require specific applications, versions, and file types based on the product’s limitations. And if a vulnerability is discovered in the supported version of software, it can’t be upgraded or downgraded until the DLP environment is updated as well. This is further complicated in modern infrastructures which are perimeter-less and continuously move data from on-premises servers to the cloud—or clouds.
Security teams are often fed up with DLP limitations as well. They’re faced with the task of thinking through every data exfiltration vector and explicitly building a rule for each one—not only is this extremely time consuming, but error-prone as well. As a result, security teams will set the DLP to monitoring mode to log access and data shares but won’t try to stop breaches, leaving sensitive and personal data open for the taking.
A shift in mentality
Organizations must establish a strong detection and response infrastructure for data exfiltration events and a roadmap to filter data streams on the corporate network and protect data in motion. This requires shifting our mentality from thinking of DLP as a product to thinking of it as an action. This may sound a bit new age, but stick with us. Preventing data loss is the end goal, but without restrictions on what security solutions you can use to achieve it.
Applying the right cloud infrastructure will maximize the speed of detecting risky activities and limit data exfiltration in a proactive manner. When we consider DLP through this lens, we can find more holistic, risk-based approaches that support modern business practices and reduce SaaS app risks.
Secure Access Service Edge (SASE) combines capabilities from two discrete layers—network and security—that center around the data itself. Zero Trust Network Access (ZTNA), Secure Web Gateway (SWG), and Cloud Access Security Broker (CASB) work to apply risk-based rules and policies to sensitive data at-rest and in-motion, wherever, whenever from any user identity and device. Essentially, SASE does what DLP products intend to, but better, and without an agent.
SASE employs a zero trust strategy to secure and optimize network connections for users and devices by assuming all devices and users are untrusted. The principle of “never trust, always verify” requires authentication and authorization of users both inside and outside the network perimeter before granting access to resources.
How does it all work? First, it starts out with knowing your users and environment. By deploying sensors and integrating with common SaaS apps directly, a profile is built around the user and environment to determine the risk posed to the organization and suggest access control policies.
ZTNA protects organizationally owned resource access, while SWG security blocks threats from inbound and outbound web traffic and content on infrastructure not owned by the organization. Going further, CASB functionality allows you to not only restrict access to the SaaS app based on a user’s risk profile, but also the functions they can perform within the app. For example, a user whose risk score surpasses the pre-configured limit can visit Dropbox™, but they won’t be allowed to upload or download any files. This enables administrators to secure the organization and reduce the risk of data exfiltration.
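The Dropbox case above, sketched as an added example (not the article's or any vendor's code): each request is checked against the user's current risk score, so access to the app and the functions inside it are decided separately. The rule format, the 0-100 score scale, the thresholds and the user name are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    app: str
    action: str     # function inside the app: "visit", "upload", "download"
    max_risk: int   # highest user risk score at which the action is still allowed


# Constructed policy: thresholds and the 0-100 scale are assumptions.
POLICY = (
    Rule("dropbox", "visit", 90),
    Rule("dropbox", "upload", 60),
    Rule("dropbox", "download", 60),
)


def decide(policy, app, action, risk_score):
    """Evaluate one request. Unknown app/action pairs are denied by default."""
    for rule in policy:
        if (rule.app, rule.action) == (app, action):
            verdict = "allow" if risk_score <= rule.max_risk else "block"
            return verdict, f"risk {risk_score} vs limit {rule.max_risk}"
    return "block", "no matching rule (default deny)"


def replay(policy, events):
    """Re-check every request against the risk score current at that moment."""
    audit = []
    for user, risk, app, action in events:
        verdict, reason = decide(policy, app, action, risk)
        audit.append((user, app, action, verdict, reason))
    return audit


# Constructed session: the user's score rises from 40 to 75 between requests.
EVENTS = [
    ("alice", 40, "dropbox", "upload"),
    ("alice", 75, "dropbox", "visit"),
    ("alice", 75, "dropbox", "upload"),
    ("alice", 75, "dropbox", "download"),
    ("alice", 40, "dropbox", "share_link"),   # no rule for this action
]

if __name__ == "__main__":
    for row in replay(POLICY, EVENTS):
        print(row)
```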
Four questions to ask when choosing your SASE vendor
Like all security solutions, the quality of SASE capabilities varies from vendor to vendor. Consider asking vendors the following baseline questions to help you make an informed decision:
1. What is your approach to SASE and what’s on your roadmap?
You need a vendor that has your back not only for today, but for the threats of tomorrow and beyond. Are their current products easily updated and upgraded, or will you be forced to constantly rip and replace? Look for a partner with a track record of innovation and solutions that leverage automation and global threat intelligence to keep you protected against the latest threats.
2. Does it integrate with other security solutions?
Adding another security solution can exacerbate visibility problems and create more challenges for security teams. Look for SASE capabilities that are part of a larger cybersecurity platform backed by broad third-party integrations and powered with extended detection and response (XDR). This enables comprehensive visibility across your attack surface and implements a zero trust strategy.
3. Are all my critical apps supported?
As we mentioned, some DLP products require users to switch to certain software providers. Not only is this costly, but it’s certain to annoy your employees. Taking stock of which cloud applications your users depend on can help to trim down your options. You should look for a solution that minimizes business interruptions by supporting your most crucial apps while offering added control to support your administrators.
4. What are the deployment options?
Don’t adapt your needs to fit the deployment option; make sure the vendor can support you and make the process as smooth as possible. Post-deployment support is equally important; some vendors will sell you a product and then ghost you. A good partner will ensure you are supported pre-sale and post-sale with built-in support services, product education and training to get your team successfully onboarded and speed up time to value.