TrendMicro

Data Exfiltration Prevention with Zero Trust


The boom in digital connectivity has made data privacy a top concern for businesses. As businesses use more SaaS and cloud applications existing in public clouds, they lose visibility and control.

Data exfiltration not only causes operational and reputational harm, but can also lead to revenue losses, hefty compliance fines, expensive class-action lawsuits, and even ransomware demands and recovery costs.

Unfortunately, protecting data is not a simple feat in hybrid- and multi-cloud environments. This challenge is further exacerbated by an ever-growing attack surface and evolving threat landscape. Cybercriminals are actively looking for new ways to exploit businesses, meaning network security professionals need to shift their approach towards data loss prevention (DLP) to reduce cyber risk across the attack surface and achieve zero trust.

What is DLP?

According to Gartner, DLP is defined as a cybersecurity solution that detects and prevents breaches by performing content inspection and contextual analysis of data sent via messaging applications, in motion over the network, in use on a managed endpoint device, and at rest in on-premises servers or in cloud apps and storage. The objective is to prevent users from sharing sensitive or critical information outside the corporate network.

There are two broad categories: enterprise DLP and integrated DLP. The former is a comprehensive, packaged software solution for on-premises servers as well as physical and virtual appliances to monitor network email traffic for data discovery. Integrated DLP is an extension of existing security solutions that offers more compact features that are easy to access.

Why DLP tools struggle to stop data exfiltration

Whether you leverage enterprise or integrated DLP, simply placing it on endpoints, email, or web gateways isn’t enough to prevent data exfiltration. DLP tools can be circumvented by slightly altering sensitive information, such as spelling out credit card numbers, changing the numbers to roman numerals, or uploading a screenshot of PII.
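To show why pattern-only content inspection misses the first two evasions listed above, here is an added Python sketch (not code from Trend Micro or this article) that contrasts a naive digit-pattern rule with one that first normalizes number words and single-digit roman numerals, then applies a Luhn checksum to weed out random digit runs; the sample messages are constructed, and the card number is the well-known 4111 1111 1111 1111 test value.

```python
import re

# Constructed sample messages (not from the article): the same card number
# written in three of the forms the text says slip past naive DLP matching,
# plus a benign 16-digit order id that fails the Luhn check.
SAMPLES = {
    "digits": "Card: 4111 1111 1111 1111 exp 12/27",
    "words": "card is four one one one one one one one one one one one one one one one",
    "roman": "IV I I I I I I I I I I I I I I I",
    "benign": "order id 1234 5678 9012 3456",
}
WORD_DIGITS = {w: str(i) for i, w in enumerate(
    "zero one two three four five six seven eight nine".split())}
ROMAN_DIGITS = {r: str(i) for i, r in enumerate(
    "i ii iii iv v vi vii viii ix".split(), start=1)}
# 13-19 digits, optionally separated by single spaces or dashes
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def normalize(text: str) -> str:
    """Rewrite number words and single-digit roman numerals as digits so an
    evasion-encoded number becomes a plain digit run for the regex."""
    tokens = re.split(r"[\s-]+", text.lower())
    return " ".join(WORD_DIGITS.get(t, ROMAN_DIGITS.get(t, t)) for t in tokens)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out random digit runs such as order ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_card_numbers(text: str) -> list:
    """Return Luhn-valid 13-19 digit strings found in text."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits

def naive_detect(text: str) -> bool:
    """Pattern match on the raw text only, as a simplistic DLP rule would."""
    return bool(find_card_numbers(text))

def detect(text: str) -> bool:
    """Normalize first, then match: catches the spelled-out and roman forms."""
    return bool(find_card_numbers(normalize(text)))
```

The screenshot evasion needs OCR before any text inspection can apply, which this sketch does not attempt; normalization also raises false positives (every lone "I" becomes a 1), which is why the checksum acts as the second gate.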

DLP tools can be very restrictive as they force businesses to require specific applications, versions, and file types based on the product’s limitations. And if a vulnerability is discovered in the supported version of software, it can’t be upgraded or downgraded until the DLP environment is updated as well. This is further complicated in modern infrastructures which are perimeter-less and continuously move data from on-premises servers to the cloud—or clouds.

Security teams are often fed up with DLP limitations as well. They’re faced with the task of thinking through every data exfiltration vector and explicitly building a rule for each one—not only is this extremely time consuming, but error-prone as well. As a result, security teams will set the DLP to monitoring mode to log access and data shares but won’t try to stop breaches, leaving sensitive and personal data open for the taking.

A shift in mentality

Organizations must establish a strong detection and response infrastructure for data exfiltration events and a roadmap to filter data streams on the corporate network and protect data in motion. This requires shifting our mentality from thinking of DLP as a product to thinking of it as an action. This may sound a bit new age, but stick with us. Preventing data loss is the end goal, without restrictions on which security solutions you can use to achieve it.

Applying the right cloud infrastructure maximizes the speed of detecting risky activities and limits data exfiltration proactively. When we consider DLP through this lens, we can find more holistic, risk-based approaches that support modern business practices and reduce SaaS app risks.

Secure Access Service Edge (SASE) combines capabilities from two discrete layers—network and security—that center around the data itself. Zero Trust Network Access (ZTNA), Secure Web Gateway (SWG), and Cloud Access Security Broker (CASB) work to apply risk-based rules and policies to sensitive data at rest and in motion, wherever and whenever, from any user identity and device. Essentially, SASE does what DLP products intend to, but better, and without an agent.

SASE employs a zero trust strategy to secure and optimize network connections for users and devices by assuming all devices and users are untrusted. The principle of “never trust, always verify” requires authentication and authorization to users both inside and outside the network perimeter before granting access to resources.
