Why Data Loss Prevention and Insider Threat Management are Converging

The cybersecurity landscape is constantly evolving as a result of technological advancements and global shifts. The pandemic, for example, resulted in many unexpected and rapid changes in cybersecurity resulting from a shift to remote work and increased migration to cloud services, and the aftershock is still being felt today. However, one of the most significant ways in which cybersecurity is progressing is a proactive change in order to achieve its goals more effectively. Companies are always looking for better ways to deal with long-standing threats that aren’t going away, while also having to focus on new disciplines such as cloud security.

Data loss prevention (DLP) is one of the cybersecurity disciplines that has seen many paradigm shifts. The most significant one has been the attempt to move away from an integrated, enterprise approach to DLP and toward integrating DLP with specific security solutions focusing on specific technologies – so much so that this has resulted in the abandonment of the Gartner Magic Quadrant for DLP and a switch to a Market Guide. For example, it was thought that DLP for email should be integrated with other aspects of email security to provide comprehensive coverage.

A similar shift is taking place in insider threat management (ITM) as well as data loss prevention. These two disciplines are merging, or rather, ITM is increasingly being viewed as a component of DLP.

The Importance of the Right Focus

Many large enterprises have decided to move away from large, multi-level DLP systems and toward integrated DLP, which works in conjunction with other types of solutions and focuses on specific technologies and aspects of the cybersecurity landscape. While such integrations provide excellent functionality for associated technologies, sometimes even including incident response and remediation, their use leaves significant vertical gaps that must be filled with specialist DLP software.

What is the cause of this? It’s all a matter of focus. Integrated DLP does not prioritize the most important aspect – your data. Instead, it focuses on a single technology and covers it completely. For example, in the case of email, such solutions ensure that every aspect of email transmission is secure, including that any data included in emails is not sensitive data. The goal of such solutions is to make email secure, not prevent data theft, data leakage, data exfiltration, or data breaches. And which is more important to you – access or securing your data?

Such an approach appears to be akin to attempting to cure diseases by addressing symptoms rather than focusing on a root cause and keeping the body healthy and strong. Organizations will miss out if they do not focus on protecting their valuable intellectual property and instead focus on the technologies used to access that property.

Organizations that realize how important it is to have the right focus are, similarly, now realizing that many other cybersecurity techniques such as insider threat management need to refocus from “what bad things can happen and how can we prevent them” to “what we need to protect and what can we do to protect it better.” As a result, those organizations are increasingly interested in data loss prevention solutions and approaches that converge with ITM and provide full functionality, with the primary goal of sensitive data protection.

What are the Differences Between DLP and ITM?

Although they appear to be very different, the data loss prevention and insider threat management disciplines frequently share a lot of similar technologies and approaches. The true distinction is their focus. Data loss prevention focuses on data security, with sensitive data as the primary focus. Insider threat management focuses on the user, with data access behavior as the primary focus.

DLP and ITM systems frequently conflict with one another or provide duplicate functionality. A DLP system, for example, monitors the clipboard in real time because it can be used to copy protected information from an internal system and paste it into insecure media and apps. An ITM system for the same endpoint, on the other hand, monitors the clipboard for any suspicious user behavior, such as copying data from an internal system and pasting it into insecure media and apps. Depending on the implementation, the ITM system may even view DLP checks as threatening and report false positives.

It should come as no surprise that the two approaches are converging. When there is a lot of common functionality, it makes sense to extend rather than duplicate. A DLP system, for example, can extend its functionality to include ITM by incorporating user and entity behavior analytics (UEBA), as well as endpoint detection and response (EDR) techniques such as machine learning to detect unusual user activities (e.g., accessing sensitive data after hours) or deep monitoring of processes and connections.

It’s also no surprise that data loss prevention trumps insider threat management. Organizations that have already had negative experiences with shifting the focus away from core information protection and toward specific access technologies are more likely to want solutions that put their information security front and center.

Insider Threat Management vs Insider Risk Management

The transition from ITM to DLP is also causing insider threat and risk management to be viewed as more distinct than before. While insider threat management focuses on threats and suspicious user behavior, insider risk management, like DLP, focuses on the root cause, in this case, the core reasons for insider threats.

With the focus of insider threat management shifting more towards the sensitive information that it is designed to protect, insider risk management can now focus even more on the reasons why users pose a threat to this information. It can address both unintended threats caused by factors such as insufficient training and awareness, as well as intended threats caused by factors including employee dissatisfaction or insufficient screening for new hires.

The Winner? Your Sensitive Data

Convergence between DLP and ITM may appear difficult at first because organizations that want to benefit from this convergence must ensure that their chosen solutions do not create any cybersecurity gaps. When phasing out ITM, companies must ensure that all of the security benefits provided by ITM remain, and these benefits are frequently approached from two different perspectives: the objects being protected and the individuals accessing these objects. As a result, before companies jump on the bandwagon and believe the promises of a DLP solution that provides comprehensive protection, they must conduct a thorough gap analysis.

Finally, once this convergence is mature enough to treat ITM as part of DLP, sensitive data will win because it will remain in the spotlight.

Frequently Asked Questions

What are the primary drivers of convergence between DLP and insider threat management?

DLP and ITM share many technologies and approaches, which can lead to software conflicts or overlapping functionality. Such similarities, as well as an increased interest in organizations focusing on what is protected rather than potential threats, are the primary drivers of convergence between these two technologies. Another motivator is that implementing and maintaining a single solution rather than two solutions is always much easier and less expensive for the organization, and it provides better automation options.

How can organizations best manage the risks associated with the convergence of these two disciplines?

The convergence of DLP and ITM means that organizations will most likely phase out ITM, the functionality of which will be included in DLP solutions, sooner or later. However, before phasing out, organizations’ security teams must assess potential gaps and ensure that the functionality scope of the chosen DLP solution is sufficient.

What are the benefits of having a unified approach to DLP and insider threat management?

Aside from the obvious benefit of only having to buy and maintain one solution rather than two, the biggest advantage is that the resulting solution is entirely focused on what is most important to organizations – their data. The new, converged solutions will, of course, address cyber attacks such as phishing, as well as any activities by untrustworthy or malicious insiders, but their primary goal will be to ensure that valuable data such as personally identifiable information (PII) or protected health information (PHI) are secure from theft, destruction, or manipulation. Better compliance with GDPR, HIPAA, PCI-DSS, and other standards that prioritize the value of information is a much-needed benefit.
