DLP systems prevent data leaks. That is the rule of thumb. But DLP can do more than that, writes Sergio Bertoni, leading analyst at SearchInform.
DLP systems are part of the information security infrastructure. They monitor data in motion on endpoints and over data transfer channels, and their analytical capabilities are designed to detect incidents on the fly. These monitoring and analysis capabilities can therefore be applied to a long list of cybersecurity tasks beyond simply preventing data leaks.
DLP capabilities can be further extended by integrating the system with other pieces of the information security infrastructure. Let’s take a closer look at which elements of the protection stack can be connected to a DLP system and what such integration brings.
A good out-of-the-box DLP system is the key to successful integration
One of a DLP system’s main duties is monitoring how data is processed inside the company’s perimeter. To be an effective monitoring tool and a data source for other cybersecurity tools, a DLP system should meet the following requirements:
- Ability to integrate seamlessly with the company’s infrastructure at the operating system, DBMS, application and other system levels used in the company. For example, SearchInform Risk Monitor can be deployed on Windows, Linux and Mac platforms. The DLP system can also work with different databases, from MS SQL, Jatoba and Pangolin to PostgreSQL. It can be used in cloud-based, hybrid or on-premises infrastructure, and it can monitor virtual machines as well. Basically, you can deploy the SearchInform DLP system on any platform.
- Supervise data transmission and keep it transparent. Today Risk Monitor, even out of the box, is one of the most advanced and comprehensive DLP systems in terms of the range of data it can monitor. The DLP solution can also supervise data outside the perimeter, in provider services that are not located on the user’s endpoint machine. If a service is not supported immediately, it can be connected manually with built-in tools.
- Efficiently analyse and structure data for reliable incident detection. Data analysis relies on search engines embedded in the DLP system. Risk Monitor, for example, uses a custom, tailor-made search engine with a variety of search algorithms that can analyse various kinds of data, from audio files, text documents and archives to hidden objects and layers. In the next step, Risk Monitor indexes all analysed data and categorises it in a single form for further processing.
- Support for universal data transfer technologies to allow seamless integration with other systems and services. Usually support for protocols such as REST API, SYSLOG/CEF, SMTPS, ICAP and ODBC is more than enough. Any connectivity issue can be solved easily: Risk Monitor has a couple of dozen embedded integration technologies, which can be accessed directly from the DLP’s GUI without additional coding.
Summing up, a DLP system has to ensure deep integration of its agents with the endpoints and supervise data transfer channels in any type of network. Only with these capabilities can a DLP system fully protect data processing, and only then will it be able to share information with other security tools to support a robust security posture.
Let’s take a closer look at how potential DLP integrations can strengthen the company’s security perimeter.
It fits like a glove
A DLP system per se can play two different roles: it can act as a data source and as an analytical centre for data gathered by other security tools.
A DLP system can import data from:
- Physical security systems – These may be physical access control systems, CCTV systems or signalling (alarm) systems. Data from such systems can be used by the DLP system to match physical traces with an employee’s activity on controlled endpoints. This approach helps detect fraud or theft in which criminals use stolen or compromised credentials and access rights. Risk Monitor has a set of pre-made schemes for integration with popular physical security systems, either through an API-based connection or a direct connection to the database.
- DCAP/DAG systems – A DLP can be integrated with a DCAP system to enhance and speed up the search for and management of sensitive data. If the DLP system identifies a file already labelled by the DCAP system, it does not spend time rereading the file, so security policies can be applied immediately. Risk Monitor can read labels applied by DCAP systems such as MS Information Protection. Moreover, the DLP system is based on the same client as SearchInform FileAuditor, so the two can be integrated seamlessly.
- Data encryption and protection systems – A DLP system needs encryption keys to be able to handle protected files and archives. It applies such keys automatically during file analysis in order to prevent potential data leaks. In this way, Risk Monitor interacts with the StarForce service, which provides access to internal company documents in encrypted form in a secured external environment.
- Tailor-made databases, including utility and enterprise software – A DLP system can process data gathered from custom sources such as enterprise CRM systems and industry-specific databases, and apply security rules to this data. In such cases data from external channels is handled in the same way as data gathered from a DLP-controlled channel, so it is properly analysed and treated in accordance with the security rules. Moreover, you can import filters and settings for automatic incident search and apply them to custom data sources.
A DLP system can export data to:
- Antivirus software and EDR/XDR tools – Firstly, such integration is a dire necessity, so that the two security tools do not perceive each other as a threat. Secondly, data from the DLP system enriches the picture of normal infrastructure status, improving threat detection in the other cybersecurity tools. Risk Monitor is compatible with all popular endpoint protection solutions; integration with all common antivirus tools is an out-of-the-box capability. Moreover, it can transfer logs or pre-selected data sets from its own database to endpoint protection tools.
- SIEM/SOC systems – Risk Monitor can share data on system performance, reports and incidents with SIEMs and SOCs of any type. Usually the transfer uses SYSLOG/CEF messages, but data can also be transferred directly to our SearchInform SIEM. Moreover, Risk Monitor’s agent integrates bypassing the OS and is therefore not limited by OS boundaries, so the DLP system receives extended information about the status of infrastructure processes, activities, connected devices, active sites, etc. SIEM and SOC services can use such data to detect advanced persistent threats and complex information security incidents.
- Operating system and third-party software – A DLP can issue commands to other processes and systems via RPC/MMC services or (Power)Shell/SSH scripts. For example, if the DLP system detects that someone is using another person’s credentials, a security specialist can terminate the current user session and block the account. In this way Risk Monitor can share its own security data and detected incidents with preselected systems.
- IRP – Risk Monitor has a dedicated interface for integration with various incident response platforms. The DLP system shares the incident data and additional context, while the IRP tools provide an immediate and effective response. It is also capable of compiling and exporting reports on incidents and ongoing investigations in accordance with local data protection legislation.
Risk Monitor can also be integrated with business analytics systems, HR applications, accounting software, etc., but that is a topic for another article.
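The two integrations described above that lend themselves to a worked example are correlating physical access data with endpoint logons (import side) and handing the resulting incident to a SIEM as a SYSLOG/CEF message (export side). The block below is an added illustration, not code from the article or from Risk Monitor: the log formats, field names, CEF class id and vendor/product strings are constructed placeholders.

```python
from datetime import datetime

# Constructed sample badge-reader log: who entered the building and when.
BADGE_LOG = [
    "2024-05-14T08:02:11 badge_in user=alice door=HQ-main",
    "2024-05-14T08:10:45 badge_in user=carol door=HQ-main",
]
# Constructed sample endpoint log: interactive logons seen by the agent.
LOGON_LOG = [
    "2024-05-14T08:05:30 logon user=alice host=WS-HQ-17 type=interactive",
    "2024-05-14T08:20:02 logon user=bob host=WS-HQ-22 type=interactive",
    "2024-05-14T09:00:00 logon user=carol host=WS-HQ-03 type=interactive",
]

def parse(line):
    """Split '<iso-ts> <event> k=v k=v ...' into a dict (illustrative format)."""
    ts, event, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec.update(ts=datetime.fromisoformat(ts), event=event)
    return rec

def logons_without_badge(badge_lines, logon_lines, window_hours=12):
    """Interactive logons whose user has no badge-in within the preceding window."""
    badge_times = {}
    for rec in map(parse, badge_lines):
        badge_times.setdefault(rec["user"], []).append(rec["ts"])
    suspicious = []
    for rec in map(parse, logon_lines):
        if rec["type"] != "interactive":
            continue  # remote/service logons need a different rule
        deltas = [(rec["ts"] - t).total_seconds() for t in badge_times.get(rec["user"], [])]
        if not any(0 <= d <= window_hours * 3600 for d in deltas):
            suspicious.append(rec)  # logged on without ever entering the building
    return suspicious

def cef_escape(value, header=False):
    """CEF escaping: header fields escape '|' and '\\'; extensions escape '=', '\\', newline."""
    value = str(value).replace("\\", "\\\\")
    return value.replace("|", "\\|") if header else value.replace("=", "\\=").replace("\n", "\\n")

def to_cef(rec, vendor="ExampleVendor", product="ExampleDLP", version="1.0"):
    """Render one suspicious logon as a CEF:0 event for a SYSLOG/CEF SIEM feed."""
    header = "|".join(cef_escape(v, header=True) for v in (
        vendor, product, version, "logon_without_badge",
        "Interactive logon without physical entry", 7))
    ext = " ".join(f"{k}={cef_escape(v)}" for k, v in (
        ("suser", rec["user"]), ("dhost", rec["host"]),
        ("rt", rec["ts"].strftime("%b %d %Y %H:%M:%S")),
        ("msg", "Logon with no badge-in; possible use of another person's credentials")))
    return f"CEF:0|{header}|{ext}"
```

In the sample data only bob logs on without a preceding badge-in, so one CEF event is produced; in practice the window and the interactive-only filter are what keep the rule from flagging VPN and service logons.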
To sum up
Integrating a DLP system with other cybersecurity tools serves several goals. The most important are mutual data exchange, synchronisation of security policies and coordination of incident response measures. I see it as a single console where specialists can see all information about the company and control all security measures and tools.
There are a number of benefits to such an approach:
- A comprehensive approach to security is more effective than several disconnected detection tools. You can trace the whole history of an incident from beginning to end and detect structural issues and weak points in the security perimeter. Information security officers thus have an easier time investigating an incident and collecting insights about its nature.
- Integrated systems can be synchronised, which makes them easier to automate and control. This frees up the precious time and expertise of IS specialists.
- Security systems based on the same platform save the company’s resources on the purchase of server hardware, data storage systems and software licences, all of which security systems require.
Controlling other security systems isn’t the main goal of Risk Monitor. However, it is an important and effective part of the cybersecurity infrastructure.
Consequently, we are doing our best to enhance Risk Monitor’s data transfer capabilities. At the same time, we are trying to build our own mini-ecosystem on the basis of our next-gen DLP, because internal threats and the human factor often escape the attention of other information security services.