27 Oct 2023

Data Lineage is the Future of Data Loss Prevention




Organisations are experiencing significant leakage of sensitive data, from customer data to the confidential inner workings of software source code. Surprisingly, the source of many of these breaches is not external cybercriminals or ransomware groups but the organisations’ own employees, with nearly one in 10 employees exfiltrating data in a six-month period.

According to Cyberhaven’s 2022 Insider Risk Report, one in ten employees (9.4%) will exfiltrate data over a period of 6 months, and employees are much more likely to steal sensitive information during the two weeks before they resign (84% increase from the baseline). Some common means of exfiltrating data are personal cloud storage (27.5% of incidents) – with Dropbox being the most used tool – and personal email (18.7% of incidents).

So how can companies prevent such data theft from happening?

What is Data Loss Prevention (DLP)?

Data Loss Prevention, also known as DLP, is a cybersecurity solution that detects and intercepts data breaches by blocking the extraction of sensitive data. It allows businesses to detect any misuse of data, such as the unlawful transfer of data outside of the organisation for personal purposes, and also prevents the undesirable destruction of sensitive and personally identifiable data.

Traditional DLP is ‘Dying’: The Issues

Organisations have been relying on traditional DLP solutions to protect digital information and prevent it from being misused. However, Chris Hodson, Chief Security Officer of Cyberhaven, a system software company and a portfolio company of Vertex Ventures US, lays out the challenges behind DLP. In his words: “DLP is broken”.

Hodson has experience running security organisations governed by mandates that required such controls to be implemented. He reveals that outdated DLP solutions often only create more friction and frequently generate false positives. Because these solutions rely solely on pattern-matching algorithms or regular expressions that produce numerous false positives, organisations are left unprotected against new and imminent threats.

“For example, an executive urgently needs to ship a file to a supplier. The DLP solution provides a false positive by identifying this action as harmful when it is not. This action is then blocked by the DLP solution, preventing the executive from sending the file for business purposes.” - Chris Hodson, Chief Security Officer, Cyberhaven

Repeated false positives like these are a major inconvenience for the organisation, causing companies “to turn off their DLP solutions or tune it to such a flexible level that is basically letting everything in and out of the environment anyway,” says Hodson.

He added, “I've seen isolated cases of well-functioning DLP implementations, but the operational costs are exorbitant — dedicated teams watering and feeding platforms.”

Data Lineage as the Next Evolution to DLP

Cyberhaven believes it is crucial for organisations to know the data they are trying to safeguard and how it is used, with a solution that traces data after the initial access. This way, they can educate users to handle data better and investigate malicious insider activity.

Just as an Endpoint Detection and Response (EDR) product monitors actions on an endpoint, Cyberhaven’s Data Detection and Response (DDR) tracks everything that happens to an organization’s data – not just on a single user’s machine, but also across all the devices and applications of the company.

[Figure. Source: cyberhaven.com]

To trace data lineage, Cyberhaven relies more on the context of a file than on its content. Metadata about the file – its origin, where it is going, and the actions that happened on it – is essential to identify the context of those actions without the need to read the contents.

Let’s dive into how that works.

Cyberhaven’s DDR: The Solution to the Challenge

After being deployed, Cyberhaven Sentry will start to collect events as data moves throughout your company and take real-time action to protect your data from theft, misuse and exposure [6].

Cyberhaven has three deployment modes that work together to give full visibility and control over your organisation’s data, allowing it to cover data and users that traditional security tools cannot.

1. Cloud API connectors – connect to sanctioned applications like Office 365 and Google Workspace to get visibility into content created and shared in the cloud.

2. Modern, lightweight endpoint agent – designed from scratch to use modern operating system APIs such that it does not slow down or crash devices.

3. Browser extension – the browser plugin supports all major web browsers and gathers data about web-based cloud applications that are not available from other sources.

Cyberhaven Graph will then automatically build a lineage for every piece of data collected, starting with its origin. It will be continuously updated as new events take place to track data everywhere it goes.

[Figure. Source: cyberhaven.com]

With data lineage, Cyberhaven Policies allows a company to define what is risky for the organisation, enforce actions to protect its data and educate its workforce at the same time. This also gives better results with fewer false positives than policies determined by content analysis alone.

[Figure: Enforcing actions to protect data across all channels, including web, sharing via corporate email and applications, personal email and applications, AirDrop, and USB devices. Source: cyberhaven.com]

Cyberhaven Incident Response creates a workflow that allows the incident responder to quickly review an event and decide whether it is something they should investigate, or whether it is benign and happens as part of the user’s day-to-day roles and responsibilities.

[Figure. Source: cyberhaven.com]

A clear view of the user’s tasks gives the responder the full context of what happened, to determine whether there is a clear risk from the action. For example, it shows whether somebody had copied and pasted from a protected source (i.e., sensitive documents) to a location that is considered risky.
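The contrast drawn above between content pattern matching and lineage-based policy, as an added example that is not Cyberhaven's code and not from the original article. The event schema, object names and policy sets are assumptions for illustration, and the sample events and file contents are constructed.

```python
import re

# Constructed sample events: (actor, action, source, destination).
EVENTS = [
    ("alice", "export", "app:crm", "file:accounts.xlsx"),
    ("alice", "copy_paste", "file:accounts.xlsx", "file:notes.txt"),
    ("alice", "upload", "file:notes.txt", "web:personal-cloud"),
    ("exec", "download", "app:order-portal", "file:po.pdf"),
    ("exec", "email", "file:po.pdf", "mail:supplier"),
]
# Constructed file contents as a content scanner would see them at egress.
CONTENT = {
    "file:notes.txt": "renewal risk summary for our top accounts",
    "file:po.pdf": "Purchase order ref 4539 1488 0343 6467, 200 units",
}
# Hypothetical policy inputs for this example.
PROTECTED_ORIGINS = {"app:crm"}
RISKY_DESTINATIONS = {"web:personal-cloud"}
EGRESS_ACTIONS = {"upload", "email"}
CARD_LIKE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")  # 16-digit pattern


def content_dlp(events, content):
    """Pattern matching: flag egress when the file content matches a regex."""
    return [(actor, dst) for actor, action, src, dst in events
            if action in EGRESS_ACTIONS and CARD_LIKE.search(content.get(src, ""))]


def origin(obj, parent):
    """Walk derivation links back to the root origin (guarding against cycles)."""
    seen = set()
    while obj in parent and obj not in seen:
        seen.add(obj)
        obj = parent[obj]
    return obj


def lineage_dlp(events):
    """Context: flag egress of data derived from a protected origin to a risky destination."""
    parent, alerts = {}, []
    for actor, action, src, dst in events:
        if action not in EGRESS_ACTIONS:
            parent.setdefault(dst, src)  # record what dst was derived from
        elif origin(src, parent) in PROTECTED_ORIGINS and dst in RISKY_DESTINATIONS:
            alerts.append((actor, dst))
    return alerts


if __name__ == "__main__":
    print("content regex:", content_dlp(EVENTS, CONTENT))  # flags the benign PO
    print("lineage:", lineage_dlp(EVENTS))                 # flags the CRM-derived upload
```

The regex check blocks the purchase order sent to a supplier and misses the pasted CRM notes, while the lineage check does the reverse because it decides on origin and destination rather than on what the file contains.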

 

Securing & Embracing the New Era of Digitalisation

In today’s new era of a digital workforce, the risk of data leakage is extremely high, and the consequences are dire if organisations fail to take immediate and careful steps to safeguard sensitive information. Data breaches can occur through various channels such as cloud devices, personal emails, and even the use of Generative AI such as ChatGPT.

Information added into the chat window – be it personal data, financial records, or confidential data – may be processed and transmitted through the Generative AI model and stored in its memory. Given ChatGPT’s limited control over the data, the imminent threat of data leakage remains high. This stored data could inadvertently find its way into the public discourse, putting your organisation’s reputation and integrity at risk.

To lower the chances of such risk, refrain from any actions that could expose your sensitive data to such vulnerabilities. This includes the use of ChatGPT when handling sensitive data. Time is of the essence in securing your organisation’s data integrity. Cyberhaven stands as the paramount solution to bolster your company’s data security.

To find out more about Cyberhaven, visit them at www.cyberhaven.com or drop us an email here. 


© 2019 by Vertex Holdings. All rights reserved.

