Beyond DLP: Why DTP is crucial for protecting Intellectual Property
As a CISO, you prioritise safeguarding your organisation’s sensitive data, often relying on Data Loss Prevention (DLP) solutions.
Yet, it is essential to recognise that DLP and Data Theft Prevention (DTP) are not the same. Many in the cybersecurity field mistakenly believe that DLP addresses all data protection needs, leading to a critical gap in safeguarding proprietary information. This misunderstanding can leave your organisation vulnerable to data theft, jeopardising your competitive edge.
In this article, we’ll clarify the differences between DLP and DTP. It will help you understand why incorporating DTP is vital for protecting sensitive, proprietary business data. Let’s explore how to enhance your data protection strategy effectively.
‘Proprietary Business-Sensitive’ data is not the same as ‘Personally Identifiable’ data
Understanding DLP and DTP starts with recognising that businesses hold different categories of data.
Broadly speaking, these fall into two categories:
- Personally Identifiable Information (PII) – user-related data
- Intellectual Property (IP) – proprietary, business-sensitive data
PII is personal information that relates to a staff member, client, or contractor. This can include email addresses, credit card details, social security details, religion, et cetera. Any breach that exposes PII must be declared. In Europe, this falls under GDPR rules. In the US, this is covered by CCPA/CPRA.
Intellectual Property is a different type of data: information that is proprietary to a business and which, in the wrong hands, may have significant implications for the business’s continued existence. It includes trade secrets, R&D, price lists and financial figures. The value of core intellectual property, trade secrets and intangible assets can account for as much as 50% or more of a company’s worth. What is valuable to a business is usually valuable to someone else.
PII exposure is different from Intellectual Property exposure
It is also necessary to understand the differences in exposing either of these two information types.
Data leakage is the exposure of PII into the public domain. Very often, the root cause is accidental user error, such as copying unauthorised recipients into an email containing PII, or a user who does not understand the impact of exposure posting PII to an internet forum or social media. Sometimes a disgruntled employee exposes records, knowing full well what the outcome will be.
In the UK, it is mandatory to disclose a PII breach to the ICO. The consequences usually depend on the severity of the breach or its impact on individuals, and tend to range from the ICO offering mitigation advice to issuing a monetary fine. The ICO records all declared exposure events as a public record, so a breach also has the potential to damage brand reputation, the repercussions of which often far outweigh a fine.
Data theft is the deliberate exfiltration of business-sensitive information. The key word is “deliberate”, whereas leakage tends to be “accidental”. Theft is a stealth attack, so it can go unnoticed if a business is not checking for this type of attack; the first sign could be a competitor undercutting key customers. The aim of a data theft attack is to find something that has resale value on the dark web, or to extort money by holding the information to ransom. Either way, the target is always information that is both proprietary and sensitive to a business’s operations.
As theft usually involves proprietary business-sensitive data rather than PII, there is no mandate to declare it. Yet public knowledge that a business has been a victim of theft can have far greater consequences than a PII breach. It affects brand reputation and shareholder confidence, and it also signals to other threat actors that this business is a target unless it has put the correct controls in place. In some instances, theft can result in a business ceasing to trade; one example is when a data theft attack forced the haulage business “Knights of Old” into administration.
Many security professionals are unaware of how popular business strategies are inadvertently exposing sensitive information. These include hybrid working, migrating services to the cloud, and digital supply chains, all of which transmit increasing volumes of sensitive information beyond the security of the corporate office.
The anatomy of a Data Theft Attack
As mentioned above, the key difference between theft and leakage is that a leak is usually accidental, caused by a user, whereas theft is intentional, carried out by a bad actor.
The most common way for an attacker intent on theft to gain entry to a network or device is through exploitation of a vulnerability or a misconfiguration, in either hardware or software. Another common vector is social engineering, such as a phishing attack to obtain login credentials.
Upon gaining access to a device or network, an attacker will start their search for valuable information. Further vulnerabilities and compromised user accounts help them traverse the network in search of gold.
Documents are then exfiltrated out of the business to a private repository, usually via a covert channel to minimise detection. Throughout the attack, an attacker may maintain backdoors into the network.
Businesses feel inclined to limit the risk of an intruder gaining access in the first place, through antivirus, firewalls, and intrusion prevention. These defences are recommended. Yet the real danger in a data theft attack is the exfiltration event itself. Exfiltration needs to be prevented at all costs, and this is often where a data protection strategy is lacking.
Why Data Loss Prevention is not the same as Data Theft Prevention
Above, we have seen how PII is LEAKED, while intellectual property is STOLEN, and that leakage tends to be accidental by a user, compared with theft, which is intentional via a threat actor. This helps us to understand why, operationally, DLP solutions and DTP solutions need to be different.
What is Data Loss Prevention?
It is common for businesses to deploy a DLP solution. The role of DLP is to protect PII from exposure. DLP is often sold as a way of meeting compliance requirements, such as GDPR. Often the complexity and cost of DLP can push it beyond the reach of smaller businesses.
DLP technologies are generally based on data classification or tagging. DLP is usually applied to emails, social posts, and web technologies such as forum posts, the content of which is inspected for data that meets these classifications. Any email disclosing PII is stopped. Classifying the risk profile of all assets can be very resource-hungry, although AI is starting to become a way to remove some of this burden.
One example of a DLP solution is Microsoft’s Purview, which inspects email content and social forum posts for PII disclosure. Other types of DLP can be deployed on a perimeter security system, email server, or endpoint.
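To make the classification-based inspection described above concrete, here is an added example (not code from the original article, and not Purview’s or any vendor’s logic) of a minimal DLP content check: it scans an outbound message body for patterns that indicate PII (email addresses, payment card numbers confirmed with the Luhn checksum, and US-style social security numbers) and returns a block or allow decision. The sample messages, the pattern set and the label names are constructed for illustration.

```python
import re

# Patterns for the PII categories the article lists. Constructed for illustration;
# a production DLP engine uses far richer classifiers, but the shape is the same.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional spaces/dashes
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")        # US social security number layout


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to tell a real card number from any other long digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> list[str]:
    """Return the PII classifications found in an outbound message body."""
    labels = []
    if EMAIL_RE.search(text):
        labels.append("email-address")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # A digit run only counts as a card number if the checksum holds,
        # which keeps order ids and reference numbers from causing false blocks.
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            labels.append("payment-card")
            break
    if SSN_RE.search(text):
        labels.append("ssn")
    return labels


def dlp_decision(text: str) -> str:
    """Stop any message whose content meets a PII classification."""
    return "block" if classify(text) else "allow"


# Constructed sample messages; the card number is a Luhn-valid test value, not a real card.
SAMPLE_MESSAGES = {
    "quarterly-update": "Hi all, the Q3 figures are attached. Thanks, Sam",
    "card-in-body": "Please charge card 4539 1488 0343 6467 for the invoice.",
    "order-reference": "Reference number 4539 1488 0343 6460 is an order id, not a card.",
    "contact-share": "Forwarding the client's details: jane.doe@example.com, SSN 123-45-6789.",
}


def scan_all(messages: dict[str, str]) -> dict[str, str]:
    """Apply the DLP decision to every queued outbound message."""
    return {name: dlp_decision(body) for name, body in messages.items()}


if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        print(f"{name}: {dlp_decision(body)} {classify(body)}")
```

The point to notice is what this check cannot see: a price list or a design document contains none of these patterns, so a content classifier passes it straight through. That is the gap the rest of the article is about.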
Because of the human element in handling PII, it is unlikely that PII exposure can ever be 100% prevented. This means that the protection strategy for PII exposure is to mitigate the risk. One of the main mitigations is a strong company-wide cyber awareness culture. This should include regular user training, including making sure that users are aware of how to recognise phishing emails. Furthermore, devices should be hardened to prevent physical data loss, together with good account hygiene to limit the range of data accessible to each user.
What is Data Theft Prevention?
There are DLP solutions that claim to prevent theft. For these, it is important to understand the scope of what they are preventing theft of. Usually, these solutions prevent user theft via email, rather than hacker or malware theft via covert backdoor channels.
The two primary ways to mitigate data loss do not apply to theft prevention:
- user awareness – theft is carried out by a bad actor such as a hacker or malware. As the user is not involved in a data theft attack, user education does not help.
- classification – it is relatively easy to classify PII as either public or not. Conversely, business-sensitive data tends generally to be non-public, so classification cannot help here either.
As theft is a stealth attack, unless you are checking for theft you are unlikely to know it has occurred. Monitoring for theft means it can be stopped in real time, before it becomes a breach. This means that the strategy for DTP is prevention (stopping it), as opposed to DLP, where the strategy is mitigation (limiting the scope).
To prevent theft, it’s important to know two parameters of each data flow: where has it come from, and where is it going to? A flow originating from an untrusted application, such as malware, should be blocked from transmission. Likewise, a flow headed to an untrusted destination, such as a malicious server, should also be blocked.
This all means that DTP is different from DLP. DLP involves monitoring egress traffic for classification or tags. DTP involves monitoring egress traffic for flow integrity. DTP must start with a zero-trust stance for all outbound data flows. Only once the integrity of the flow can be proven should the traffic be transmitted. In this way, proprietary business-sensitive data theft can all but be eliminated.
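The two-parameter check described above (where a flow comes from and where it is going), as an added example that is not ZORB’s code or the article’s own: a small egress policy evaluator that starts from a default deny and allows a flow only when both the originating application and its destination appear in a trusted-flow list. The application paths, host names, subnet, log format and sample flows are constructed assumptions, and it assumes some endpoint sensor has already told us which application opened the connection.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One outbound connection attempt as reported by a hypothetical endpoint sensor."""
    process: str   # application that opened the connection (assumption: identified by the sensor)
    dest: str      # destination host name or IP address
    port: int


# Hypothetical trusted-flow list: application -> destinations it is allowed to reach.
# A destination is an exact host name, a "*.suffix" wildcard, or a CIDR block.
# Anything not listed here is untrusted; there is no implicit allow.
TRUSTED_FLOWS = {
    "/usr/bin/mailclient": [("mail.example.internal", 587)],
    "/opt/crm/crm-sync": [("crm-api.example.internal", 443), ("10.20.0.0/16", 443)],
    "/usr/bin/browser": [("*.example.com", 443)],
}


def dest_matches(rule_dest: str, rule_port: int, flow: Flow) -> bool:
    """True if the flow's destination and port satisfy one allow-list entry."""
    if flow.port != rule_port:
        return False
    if "/" in rule_dest:                       # CIDR entry: compare as an IP address
        try:
            return ipaddress.ip_address(flow.dest) in ipaddress.ip_network(rule_dest)
        except ValueError:                     # destination is a host name, not an IP
            return False
    if rule_dest.startswith("*."):             # wildcard entry: match on the domain suffix
        return flow.dest.endswith(rule_dest[1:])
    return flow.dest == rule_dest


def evaluate(flow: Flow) -> tuple[str, str]:
    """Default-deny egress decision: both source application and destination must be trusted."""
    rules = TRUSTED_FLOWS.get(flow.process)
    if rules is None:
        return ("deny", "untrusted source application")
    if any(dest_matches(d, p, flow) for d, p in rules):
        return ("allow", "source application and destination both trusted")
    return ("deny", "untrusted destination for this application")


def audit(flows: list[Flow]) -> list[str]:
    """Produce one log line per flow, in the shape a DTP sensor might emit."""
    lines = []
    for f in flows:
        verdict, reason = evaluate(f)
        lines.append(
            f'egress verdict={verdict} process={f.process} dest={f.dest}:{f.port} reason="{reason}"'
        )
    return lines


# Constructed sample flows (203.0.113.0/24 is a documentation range, not a real server).
SAMPLE_FLOWS = [
    Flow("/usr/bin/mailclient", "mail.example.internal", 587),   # trusted app, trusted destination
    Flow("/usr/bin/mailclient", "mail.example.internal", 25),    # trusted app, wrong port
    Flow("/opt/crm/crm-sync", "10.20.5.7", 443),                 # trusted app, inside allowed subnet
    Flow("/usr/bin/browser", "files.example.com", 443),          # trusted app, wildcard match
    Flow("/usr/bin/browser", "203.0.113.45", 443),               # trusted app, unlisted destination
    Flow("/tmp/.cache/updater", "203.0.113.45", 443),            # unknown app: denied regardless of destination
]


if __name__ == "__main__":
    for line in audit(SAMPLE_FLOWS):
        print(line)
```

Identifying the source application by its path alone is the weak spot of this toy: a real deployment would tie the identity to the binary’s signature or hash, since a path is trivially reused. The structure, however, is the zero-trust stance the article describes: nothing leaves until both ends of the flow are accounted for, and the denial reason in the log tells an analyst which end failed.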
Firewalls and Intrusion Detection Systems (IDS) can be used to prevent theft, but only with significant challenges, particularly implementing and managing the multitude of permissible protocols and IP addresses. Not only is this volume of rules prone to error, but the continual management of them is resource-intensive and expensive. Additionally, a seasoned threat actor can bypass firewalls and IDS.
Who are the data theft actors to worry about?
Data loss occurs mainly due to user error. The root cause of data theft is hugely different: it is most likely to be a hacker, an insider attack, or malware, although disgruntled users can be tempted to steal.
Hackers will typically enter a system through a vulnerability or misconfiguration. Hacking tends to be slow, but more deliberate in what is taken. Malware, by comparison, automates a general data theft attack over a much wider range of targets, much more quickly, often looking for anything valuable rather than specifics.
The diverse types of malware involved in data theft can include:
- botnets, such as Mirai, Emotet or Dridex.
- ransomware, which nowadays is more likely to exfiltrate data than encrypt it for a ransom.
- trojans and RATs (remote access trojans), such as Agent Tesla, Gh0st or Nanocore.
- infostealers, such as Redline or Lumma Stealer.
- spyware, such as SpyEye or Red Shell.
Furthermore, both hackers and malware can also be expected to evade defence tools such as antivirus or IDS.
Conclusion
Preventing data theft attacks is at least as important as preventing data loss, if not more so. Theft is often overlooked in the belief that it is mitigated via DLP.
The takeaway from this article should be that one protection strategy does not fit all. DLP is not the same as DTP, because proprietary business data, such as sensitive intellectual property, is distinctly different from PII. They have different exposure risks, so require different protection techniques.
ZORB employs the concept that outbound data is ‘untrusted, until proven trusted’. Combined with a default ‘deny everything’ stance, all egress data is blocked from transmission until the data flow integrity can be proven, thereby protecting a business’s trade secrets, revenues, and competitive edge.