Before the world knew Big Data, protecting the perimeter was fine. Then systems expanded and the perimeter vanished, but we could still protect the containers the data was housed in. In fact, that’s how most companies do it today.
But that method is starting to burst at the seams.
As enterprising cybercriminals follow the data, we must too. While security practitioners protect boxes, locations, databases, and networks, Black Hats are following the data itself through all of those – and coming out with the goods. That’s why one of the most recent trends in cybersecurity is Data Detection and Response: the follow-you-anywhere, stick-like-glue methodology that doesn’t protect the place, but the data itself.
What is Data Detection and Response?
Data Detection and Response, or DDR, is the solution that attaches security controls to pieces of actual data so it can keep track of it no matter where it goes – even beyond the network.
Why Did DDR Come to Be?
The problem was – and still is – that data is only really in danger when it travels. Traditional security thinking states that protecting Data at Rest is the way to ensure that it gets there safely. And it does – but if that’s all it does, you’re out of luck as soon as a bad actor finds a way to move it.
This is where traditional Data Loss Prevention (DLP) tools (and encryption protocols, and security solutions) can’t keep up. Nowadays, there are just too many ways to send, receive, store, transfer, and manipulate data, and much gets lost in the shuffle.
This is especially an issue for insider threats. Think about it: an employee could easily:
- Attach a sensitive file and send it through Slack
- Screenshot a confidential slide deck and send protected IP through WhatsApp
- Save “Internal Only” memos to a USB stick
- Email proprietary business plans to their personal email
- Upload a copy of a customer database to their personal Box account
Or any number of subtle, nefarious things. You can protect via your cloud provider, but they can only protect what’s in their repositories – not vet or prevent what goes into them. The same goes for locking down databases, email, and any other form of available storage.
It’s one thing to operate on the Principle of Least Privilege (a very good thing), but that does nothing to prevent someone with that privilege from abusing it. A full 40% of insider threats result from an insider abusing privileged access. Least-privilege policies can only do so much, because at the end of the day they are forced to operate on at least some basic measure of trust.
Unfortunately, sometimes even the barest level of trust can be too much. That’s why Data Detection and Response tools are trending upward in cybersecurity.
How DDR Operates
Referred to by the Cloud Security Alliance (CSA) as “the new cloud DLP,” or, “a means to introduce dynamic monitoring to cloud environments,” DDR has a few key characteristics that make it different from its last-generation DLP counterparts. These attributes are what make it work so well in the cloud, but also across any network environment it encounters.
According to DDR vendor Cyberhaven, “The problem is partly that data security capabilities are spread across multiple products: Data Loss Prevention (DLP), Insider Risk Management (IRM), Cloud Access Security Broker (CASB), Data Security Posture Management (DSPM) and they all see only part of the picture.”
DDR, on the other hand, sees the whole thing. It’s able to because it can:
- Classify data based on lineage, not content | That means something is classified as “sensitive” or not based on where it’s been, not just what it contains. For example, a giant spreadsheet with names and email addresses could be nothing more than an HR sign-up for a summer potluck. Or, it could be a proprietary customer list. Knowing where the document came from (was this on the company file share, or did it come from Salesforce) is key to making these kinds of judgments.
- Focus on data in motion | Let’s face it, there is a much higher likelihood that data is traveling somewhere nefarious when it’s, well, traveling. Even sensitive data sitting on a server is simply doing just that until a nefarious insider decides to take it somewhere else. And that is where DDR springs into action, following the data itself as it gets maneuvered through the enterprise. A solution that only guarded the server, by contrast, would have lost track of the data as soon as the cybercriminal found a way to export it.
- Stop exfiltration in real time | So, what good is it if your solution can track data but not protect it? Not very good, at least not as a standalone solution. DDR takes action the second someone tries to remove protected information from the network – that means blocking an employee from AirDropping an IP-filled file to their phone, or from pasting a Teams transcript into a personal email account.
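The three characteristics above, and the insider channels listed earlier (Slack, WhatsApp, USB, personal email, personal Box), can be shown together in a small policy engine. The following Python is an added illustration written for this page, not code from Cyberhaven, the CSA or any DDR product; the origin, destination and channel sets, the actor names and the scenario are constructed assumptions. Classification is decided purely by lineage, lineage follows every copy or paste, and the check runs at the moment of movement.

```python
from dataclasses import dataclass
from typing import List

# Constructed for this example (assumptions, not any vendor's configuration):
# origins that make data derived from them sensitive, destinations the
# organisation manages, and channels the post lists as insider exfiltration paths.
SENSITIVE_ORIGINS = {"salesforce", "customer-db", "finance-share"}
MANAGED_DESTINATIONS = {"corp-sharepoint", "corp-mail", "corp-box"}
PERSONAL_CHANNELS = {"airdrop", "usb", "whatsapp", "personal-mail", "personal-box"}


@dataclass
class DataObject:
    """A file, paste buffer or screenshot plus the ordered list of places it has been."""
    name: str
    lineage: List[str]

    def sensitive_origins(self) -> List[str]:
        # Lineage-based classification: sensitivity comes from where the data
        # has been, not from what it looks like. Two spreadsheets with identical
        # columns get different answers if only one descends from Salesforce.
        return [hop for hop in self.lineage if hop in SENSITIVE_ORIGINS]

    def is_sensitive(self) -> bool:
        return bool(self.sensitive_origins())


def derive(obj: DataObject, new_name: str, location: str) -> DataObject:
    """Copy, paste, screenshot or export: the derivative inherits the parent's lineage."""
    return DataObject(new_name, obj.lineage + [location])


@dataclass
class Decision:
    action: str        # "allow" or "block"
    reason: str
    obj: DataObject    # lineage is extended when the move is allowed


def evaluate_move(obj: DataObject, actor: str, channel: str, destination: str) -> Decision:
    """Policy check run while the data is in motion, before the transfer completes."""
    if not obj.is_sensitive():
        return Decision("allow", f"{obj.name}: no sensitive origin in lineage",
                        derive(obj, obj.name, destination))
    if destination in MANAGED_DESTINATIONS and channel not in PERSONAL_CHANNELS:
        return Decision("allow", f"{obj.name}: sensitive, but {destination} is managed",
                        derive(obj, obj.name, destination))
    origins = ", ".join(obj.sensitive_origins())
    return Decision("block",
                    f"{actor} attempted to move data derived from {origins} "
                    f"to {destination} via {channel}; lineage {' -> '.join(obj.lineage)}",
                    obj)


def walk_scenario() -> List[Decision]:
    """Constructed insider scenario exercising all three DDR behaviours."""
    decisions = []
    # 1. A customer list exported from Salesforce lands on the corporate share: allowed.
    export = DataObject("customers.csv", ["salesforce"])
    d1 = evaluate_move(export, "alice", "browser", "corp-sharepoint")
    decisions.append(d1)
    # 2. Alice pastes a slice of it into a new workbook: lineage follows the data.
    workbook = derive(d1.obj, "q3-notes.xlsx", "alice-laptop")
    # 3. She AirDrops the workbook to her phone: blocked without inspecting content.
    decisions.append(evaluate_move(workbook, "alice", "airdrop", "alice-phone"))
    # 4. A potluck sign-up sheet with the same columns has harmless lineage: allowed.
    potluck = DataObject("potluck.xlsx", ["team-wiki"])
    decisions.append(evaluate_move(potluck, "alice", "airdrop", "alice-phone"))
    return decisions


if __name__ == "__main__":
    for d in walk_scenario():
        print(d.action.upper(), d.reason)
```

The point of the design is that the block in step 3 never looks inside the workbook: the decision rests on the `salesforce` hop that the workbook inherited through the share and the paste, which is exactly what content-only DLP loses once the data has been reshaped.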
As more and more threat actors become better at covering their tracks, solutions that follow the data – not the storage location, network, or endpoint – are going to be the ones that can keep up with savvy cybercriminals. As bad actors attempt to surreptitiously smuggle data from the network, DDR can follow them through the maze, making it one of cybersecurity’s most trending solutions in 2024.