Blog Archives - Gradian Systems Ltd
https://www.gradian.co.uk/category/blog/
Helping you succeed with your data protection strategy – Web, Mail, Endpoint and DLP Specialists.

Navigating the Journey to ISO 27001:2022 Compliance
https://www.gradian.co.uk/blog/navigating-the-journey-to-iso-270012022-compliance/
Tue, 18 Jul 2023

Written by Jacob Woodfield – DLP Practice Lead at Gradian | Jul 13, 2023

In October 2022 the International Organisation for Standardisation (ISO) revised the ISO 27001 standard, making Data Loss Prevention (DLP) an integral part of the framework.

In a nutshell, this means that to attain or retain certification, you must have DLP deployed within your organisation by the 31st October 2025.

Read on to understand more about what DLP is, and how Gradian can help meet the requirements.

What is DLP?

DLP toolsets are configured to identify regulated, confidential, and business-critical data; these identifications are typically driven by regulatory compliance such as GDPR, HIPAA, or PCI-DSS but can be driven by Intellectual Property and other bespoke requirements. Examples include looking for specific keywords or patterns (such as a Regular Expression) or content similarity for your sensitive document templates.

Once those violations are identified, DLP can be utilised to enforce alerting, encryption, user education, blocking and other preventative/protective actions to mitigate, and in some cases negate, the risk of end users accidentally or maliciously sharing data that shouldn’t be shared.

Furthermore, DLP can build upon existing Data Classification toolsets and integrate with Web Proxies, Firewalls and CASBs. DLP can even be expanded to utilise UEBA technology and enforce stronger measures on users who are exhibiting potentially compromised behaviours.

DLP: The New Cornerstone of ISO 27001:2022

In an era of exponential data growth, DLP has evolved from being a reactive measure to a proactive necessity. Whilst the ISO 27001 standard has always mandated measures for information security, the 2022 revision has specifically called out DLP. As a result, ISO 27001:2022 is the manifestation of the global understanding of DLP’s indispensability in achieving a secure data environment.

The successful implementation of a DLP toolset aligns your organisation with the ISO 27001:2022 standard, showcases your commitment to data security, and instils trust among stakeholders. Therefore, an effective DLP policy forms the crux of the ISO 27001:2022 certification narrative.

Gradian’s role in your compliance journey

We understand the challenges organisations face in embarking on a successful DLP journey. That’s where our expertise and hand-picked best-in-class toolsets come into play.

Expert Consultation and Customisation

Our industry-leading security experts understand the nuances of an effective DLP policy. We customise our approach to your unique security needs, developing a tailored DLP solution that aligns with ISO 27001:2022.

We listen. We work to understand what data you hold which needs protecting, and we tune policies using our Crawl > Walk > Run approach to ensure the all-important balance between productivity and security is met.

We also work with Policy Tuning across all DLP toolsets, so even if your toolsets are deployed already, we can work as an extension of your internal teams to ensure you are gaining the best possible ROI from them.

Technological Partnerships

Our strategic partnerships with best-in-class technology vendors enable us to leverage cutting-edge solutions for data protection. All partnerships with our vendors are fully vetted and explored before we put their name against ours. We deconstruct the technology and stress-test it to ensure it is enterprise ready and valuable. This process ensures that we are not only industry-leading experts in all technologies we recommend, but that the technologies are of a platinum standard for our clients.

Continuous Support and Training

Compliance isn’t a one-time accomplishment. It’s an ongoing endeavour, requiring regular updates and monitoring. Gradian provides continuous support to help you stay abreast of the evolving security landscape. Additionally, we offer training programs to empower you in effectively handling data loss incidents and reporting as well as maintaining toolsets internally.

Managed Services

If maintaining DLP toolsets sounds like a daunting task, we can provide our DLP-as-a-Service to you, which will help keep your mind at ease when it comes to things like troubleshooting, upgrading or even understanding how you can get that complex DLP policy just right. Working as an extension of your internal IT Security team, we ensure you always have decades of rich DLP-centric experience on hand.

The story of ISO 27001:2022 certification is one of a proactive commitment to data security, with DLP at its heart. In this narrative, Gradian serves as a guide, empowering you with the tools and expertise needed to navigate the complex terrain of data security and compliance.

Partner with us and let’s create a secure future for your data together. The first step is to claim your FREE workshop or get in touch to see how else we can help you.

10 Questions you should ask when focusing on cyber security
https://www.gradian.co.uk/blog/10-questions-you-should-ask-when-focusing-on-cyber-security/
Mon, 27 Feb 2023

Have you ever looked at your day-to-day task list and felt like a real clown...

Now, I’m not suggesting anyone is standing there with a large red nose, kipper tie, shoes that are just way too big, and driving a car whose doors will fall off at any minute.

But if you’re like a lot of the individuals we speak to on a regular basis, there’s a whole heap of juggling going on, or plate spinning if you will.

This time of year generates a lot of noise as organisations review current IT projects and plan new projects for the following year, moving priorities to ensure that (hopefully) everything gets completed at the right time, on time. There are conversations fed down from the top requesting outcomes and solutions. This, as a lot of you will know, isn’t always that straightforward.

The idea of cyber security resilience and where to focus the efforts is a conversation that could run for hours, days in fact, and it is one that has many different facets. So what questions should you be asking within the business for a better security posture?

These are 10 key questions that an organisation really should ask of itself when it comes to focusing on cyber security and data protection:

1. Do we have a data classification scheme to help identify sensitive information and ensure appropriate protections are in place? Do we actually understand the data we have and what we are trying to protect?

To secure sensitive or other data of value, you really need to understand what it is, how much you have, who’s doing what with it and ultimately where it is leaving the business. Classification and the work around this is the first port of call. Once you’ve classified the data, you’ll know what you should be protecting.

2. Do we have effective mechanisms for controlling access to resources, such as how we handle new starters, movers or when staff leave our organisation?

Many companies either don’t have a process or, if they do, it is very rarely policed. This is particularly prevalent with respect to movers in a business, where legacy permissions may, and regularly do, remain in place when no longer required.

3. Do we review user accounts and systems for unnecessary privileges on a regular basis?

Regularly reviewing policies and rule-based access controls is an essential part of mitigating the risk of data loss.

4. Do we enforce multi-factor authentication for all systems and users?

A simple one... but you would be surprised that this still needs discussion.

5. Do we have regularly rehearsed plans to deal with the most likely cyber events or disasters?

This won’t be applicable to all, but organisations that manage critical infrastructure or hold large quantities of data / intellectual property should have roles and responsibilities mapped out with their staff to ensure the best possible route to fix should an attack / data loss event happen.

6. Are all our hardware and software products free from vulnerabilities, supported by the vendor and regularly patched?

We take this for granted in most cases, but who carries the responsibility from an organisational point of view to keep on top of this?

7. Are all staff aware of and participating in effective cyber risk management processes?

Education is key and should be regularly revisited. There are plenty of toolsets out in the market to provide cover here, but consistent messaging and processes in the business will aid this. We simply cannot rely on good old common sense!

8. Are we doing everything necessary to support our staff and stakeholders to understand and be aware of cyber risk, via training, advice and guidance?

This is often a question of whether cyber security training is ingrained in your business processes. For example, is cyber security training a requirement of new starter onboarding, and how often is this training updated?

9. Do we adequately understand our business-critical services and functions and their associated data, technology and supply chain dependencies?

A big one for a lot of organisations. People move about this industry regularly, bringing with them their own ideas and recommended technologies, and as such legacy infrastructure and policies exist with very little information to back them up once people have moved on. There is a huge focus on consolidating tech and moving to a single pane of glass approach. This provides a perfect opportunity to review the whole environment, which in turn aids better education and more robust processes.

10. Are all staff aware of and participating in effective cyber risk management processes?

Is there a culture of shared responsibility for the management of cyber risk within the enterprise? Are there reporting channels available to help identify gaps in the processes that back this up?

2023 will pose several new challenges for organisations, both internally and externally. Data is such a strong conversation now, especially for us here at Gradian. We are finding businesses really waking up to the idea of securing data in the right way from the ground up, rather than buying a solution with a quick-fix mentality.

We pride ourselves on having the best people, trained to the highest standards, and our services are flexible and scalable. Get in touch to see if we can help you.

Top 5 Reasons Why Data Loss Prevention (DLP) Implementation Fails
https://www.gradian.co.uk/blog/top-5-reasons-why-data-loss-prevention-dlp-implementation-fails/
Tue, 24 Jan 2023

Top 5 Reasons Why Data Loss Prevention (DLP) Implementation Fails

Written by Emily Walker | 24 Jan, 2022

Data Loss Prevention (DLP) is a critical security measure in protecting your company’s confidential data. Unfortunately, DLP implementations often fail due to a number of common mistakes. In this blog post, we’ll disclose the top five reasons why DLP implementations fail.

1. Inadequate Data Classification

Misclassification of data causes both false positives and false negatives. This can result in disruption of BAU practices as well as allow for exfiltration of critical assets. Data Classification is the strong foundation which supports any successful DLP implementation.

2. Excessive False Positives

With all DLP tools there’s a delicate balance to maintain; bad policies and poor configuration can lead to the generation of false positives. Time and effort is subsequently required to determine the legitimacy of each alert, which can easily become overwhelming.

3. Poor Integration of DLP Modules

A robust DLP Implementation will seamlessly integrate network, host, and storage protection modules into a centralised management system. If these modules aren’t tightly integrated, the efficacy of your monitoring will be adversely affected.

4. Lack of Training

DLP implementations will often fail due to a lack of training; employees need to be trained on how DLP works. Whenever possible it’s important to use the DLP toolset as a visual reminder to prompt users in real time to their responsibilities.

5. Failure to Monitor and Update

Organisations are continually evolving their IT infrastructure and associated processes. To be effective your DLP implementation requires continuous monitoring and tweaking in support of the changing nature of your business.

Data Loss Prevention is a critical component of any company’s digital protection plan. Your DLP solution should be carefully integrated to ensure all modules work together and provide maximum coverage. If you need help with this, we can do it for you.

We have outstanding integration expertise and can ensure your DLP integration is at optimal performance. Should you need it, we can also work with you to monitor, maintain, and update your installation. Our services are flexible and scalable so get in touch to see if we can help you.

DLP Rabbit Hole
https://www.gradian.co.uk/blog/dlp-rabbit-hole/
Sun, 01 Jan 2023

The DLP Rabbit Hole

Written by Jacob Woodfield | 10 Jan, 2021

It doesn’t matter if you choose Microsoft, Guardian Edge, Forcepoint, Broadcom or any other DLP vendor, only one thing makes them all successful: UNDERSTANDING.

What is important with DLP, and in fact any technology, is understanding what its intended function is and how that function can help you and your organisation.

Like most things, when researching DLP many find themselves lost in a rabbit hole of information – to understand one area, you must first understand another and so on until you somehow find yourself on Wikipedia at 2am reading about why Social Security numbers were first invented and how best to protect them without inundating your management console with thousands of false positives a day (Okay admittedly, I may be alone here).

Let me fall back on the much-loved (read: overused) analogy in our industry – cars. Much like buying a brand-new car, DLP is a significant investment. You want it to be fast and flashy, but mostly you want it to be functional. After all, it’s still a car, regardless of how much money you spent on it. It’s great to have a large touch screen display, a GPS, high quality speakers and the ability to go back in time when it hits 88mph, but all these features are kind of redundant if you don’t know how to drive. You can sit in it on the drive and play around, but you can’t use it to drive the kids to the Zoo on the weekend or drop the in-laws off at the airport to buy yourself a few days of peace.

What you have in this scenario isn’t a car, but a small room on wheels you can sit in and listen to some music and watch your local neighbourhood go about its business. It may be a car by name, but not by function.

The same is the case with DLP. It’s great to have a solution with all the bells and whistles, which is lightning fast and can calculate the meaning of life, but if you can’t use it to perform its basic, rudimentary intended function – why are you calling it your DLP solution?

I’ve seen this too many times in my career to count; organisations who need to essentially tick a box for clients or partners to say “Yes, we have DLP”. They look to their email gateways, or their web proxies and they see the ability to enable some level of pseudo DLP protection. Six months down the line they discover a data exfiltration incident has occurred and they then need to explain that they “Have DLP on our email gateway only”.

So, what is DLP?

In our eyes, DLP (Data Loss Prevention) is the ability to define your sensitive data within your organisation and protect it across the entire estate regardless of digital exfiltration method. True DLP isn’t stopping a handful of keywords going through your email gateway or preventing all users from writing to USB drives unless they’re on a whitelist. DLP requires a centralised management console which unifies components from across your organisational span of control; Cloud, Endpoint, Web & Email as a minimum to ensure a comprehensive security posture.

This brings me back to our original success criteria, and the point of this entire blog:

Understanding

Unlike cars, DLP tool sets aren’t a requirement for day-to-day life (no matter how much they may feel like they are sometimes). This means there are far fewer people with the ability to “drive” them and even fewer with the ability to drive them well.

If you don’t have a car, you still need to get about. In the analogous world, you could hire a taxi but in the DLP one, you’d hire a Professional Service engineer to get you from point A to point B (installation and configuration – I think this analogy is being a little stretched, but we’re almost there). However, if you’re fortunate enough to have a car, but no ability to drive it, you might hire a full-time chauffeur (in the DLP world we’d call this a Managed Service).

No matter if you need a taxi, a chauffeur or even a bus (you’ll need to use your imagination for that one), the most important thing is the understanding of the risks associated with trying to drive it yourself. Sure, you may make it to the shop down the road a few times a week without being pulled over or getting into an accident, but when you try to make that long-distance journey, still not fully aware of what all the road signs mean, the chances of you getting yourself into serious trouble increase exponentially.

Gradian have been driving (this is the last one I promise) every day for two decades. We remember back before the bypass down the road was put in and we used to have to sit in traffic for 2 hours every morning to get to work. Whether you need driving lessons, a lift to the airport or someone full time to drive you anywhere you need to go, we know the cars, we know the roads and we’re always happy to get you to where you need to go. Get in touch today.

DUP – It’s child’s play!
https://www.gradian.co.uk/blog/dup-its-childs-play/
Fri, 16 Dec 2022

DUP – It’s child’s play!

DUP… It’s easy as 1, 2, 3!

Okay, that wasn’t my best line, but I hope it served its limited purpose of grabbing your attention.

Over the span of my career, I have seen toolsets come and go in our industry which promise astonishing things. Very rarely can they deliver on some increasingly bold claims. When Forcepoint unveiled their Dynamic User Protection (DUP) as a SaaS offering, I wasn’t convinced it would be as simple as they claimed. Anyone following the world of Forcepoint can tell you that the UEBA on which DUP is based is not a simple toolset to deploy. It requires comical levels of hardware and extremely qualified Professional Services (PS) to deploy. It’s in fact so complex that it could not be sold to clients without mandatory Forcepoint PS.

 

So when we at Gradian were lucky enough to get our hands on it towards the start of this year, I cleared out an afternoon, grabbed a coffee, logged into my portal and got cracking on deploying it within my lab. I knew it would be simple, but grossly overestimated the time I would need. Here’s what happened in my lab environment:

  1. Logged into portal
  2. Downloaded the NEO Agent following a pop-up telling me to (my first time login)
  3. Copied the agent to my lab machine (also running Forcepoint ONE Endpoint)
  4. Checked the status in my DUP Tenant to see “Installing” as the status for my lab machine
  5. Rebooted my lab machine and saw the client report into my tenant

And that was it. My coffee was still hot and my afternoon was suddenly free. The NEO Agent communicates with my ONE Agent locally. The ONE Agent feeds all relevant information back to my Forcepoint Security Manager and the NEO agent autonomously updates in the background.

Obviously there are more considerations for an enterprise deployment, such as testing, change requests and pushing the agent to all users, but the takeaway here is that the deployment process really is that simple.

The next big leap in DLP.
https://www.gradian.co.uk/blog/dlp-backdoor/
Sun, 20 Nov 2022

Could this be the end of using backdoors as a solution?

Written by Jacob Woodfield | Oct 28, 2021

Introduction

Data Loss Prevention has been a fundamental in Enterprise level Cyber Security for almost 30 years. In that time, we have witnessed the advancement of countless tools to enhance our ability to both detect and act on potential data breaches. Some of these are extremely niche in their ability, such as machine learning. Most however, are now relied on heavily by organisational strategies – Browser level inspection, Optical Character Recognition, Cloud-Based API integration for online storage solutions; all of these and more provide enhanced protection and control of sensitive information.

In the past ten years, we’ve seen the rise of Data Classification, CASBs and GDPR. Data Loss Prevention is no longer the elephant in the room which we awkwardly skirt around from fear of project implementation time or costs – DLP is now a foundation for any mature security posture, with even non-DLP specialist tools providing some level of DLP integration.

The issue, however, is that DLP has remained overall very static in its approach since its inception in the 90s, requiring a specific reaction to a specific action. If you wish to protect credit card numbers, for example, you have granularity in defining how many unique matches must trigger, where they can go without impedance and where they absolutely must not be sent, and you have granularity in who is allowed to send this and who is not, but this is a manual process requiring knowledge and understanding of your individual users.

Backdoors

Very often I will be working with an organisation who wish to protect specific, potentially damaging information. I will meet with data owners and security personnel, to be told that X business unit can send this to Y location externally as part of an approved business process. There are multiple technical aspects of allowing such nuances to happen, but broadly speaking, we will be tasked with creating “back doors” for specific users. This is an extremely common practice and almost every organisation will implement it in some form – be it the CEO whitelisted from all policies (which despite extremely impassioned protests, does still happen), an entire business unit allowed to write anything they want to USB drives… the list is extensive.

The Issue

What these back doors do not account for however is the security of the individuals we are creating them for. Taking our (admittedly extreme) CEO example, what would happen if the CEO’s account were compromised? The organisation now sits with a compromised account leaking sensitive information with tools purchased, implemented and configured specifically set-up to ignore this account. Even if the organisation still allowed for DLP to create an audit of all sensitive data exfiltrated, it is still too late – this data has left the span of control of the organisation.

Is there a Solution?

So, what is the solution? If it were as simple as convincing companies not to allow back doors, this entire blog post would be moot. We could implement drip DLP and start triggering blocking enforcement after a specific threshold is met, but that still allows data to leave, and it still doesn’t account for organisations who wish to whitelist all activities over a specific channel. It’s an issue which requires static policies to be configured for dynamic variables – users.

The solution then, must be something automated which can change our static policies depending on the current variable.

This is where User and Entity Behaviour Analytics (UEBA) comes in.

Working in the background, UEBA toolsets use tens of thousands of indicators of behaviour (IOB) to run complex algorithms and output a human-readable risk score. This risk score is assigned to each user in the organisation to highlight if a user is acting suspiciously. This could be in reference to spending more time on LinkedIn and sending out CVs, logging in at uncharacteristic hours, sending more emails externally… everything is logged, fed into the UEBA and analysed.

Of course, historically a UEBA has come with extremely complex and unique deployment challenges, requiring gargantuan hardware resources and dedicated teams to keep things running smoothly. With the rise of cloud computing and SaaS offerings however, UEBA is becoming more approachable every year.

Then there is the issue that UEBA has no real integration to DLP. I’ve had multiple client meetings where I’ve been asked if the UEBA toolset costing substantial time and resources can be leveraged into a DLP solution. Though the answer is yes, it comes with significant caveats. User scores would need to be manually checked and DLP policies would need to be manually refined with these scores in mind. Several years ago, I was working with a large manufacturing enterprise who had a “Leaver’s Policy”. This required a resource to manually check the UEBA service each morning and then update the AD records of users in this policy so that high flight risk users were being inspected much more closely. Not only was this a huge time-sink, it also created extreme levels of incident generation and a 99.9% false positive rate.

Could this be it?!

This is why Forcepoint’s latest innovation, Dynamic User Protection (DUP) is so exciting. Providing a SaaS-based UEBA, the toolset integrates quickly and seamlessly into Forcepoint’s DLP solution. This allows for policies to be created which apply an action on a user’s individual risk score. For example, a user with a low-risk score could be allowed to send confidential data without impedance. When that risk score creeps up, we can configure DLP to perform more restrictive actions, such as requiring user interaction in the form of pop-up warnings, to quarantining emails, all the way up to blocking the transaction entirely and autonomously emailing the user’s manager.

The time has come for DLP to be more intelligent, and Forcepoint’s DUP is leading the charge on this. Without the need for complex management of the UEBA solution or the hardware to run it on and with the benefits of seamless, automated integration with DLP, the possibilities of allowing users to perform their usual activities without the need for security back doors just broadened extensively.
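The escalation described above, as an added Python example that is not Forcepoint's DUP configuration or API and not Gradian's code: one static content rule produces a different action depending on the user's current risk score, and the static allowlist from the "Backdoors" section is evaluated alongside it so the difference is visible on the same events. The tier thresholds, the default score applied to a user the UEBA has not profiled yet, the user names and the timeline of scores are all assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List

# Added example (not Forcepoint's product configuration or API, not Gradian's
# code): a risk-adaptive policy decision. Tier thresholds, the default for
# unscored users, user names and scores are all assumptions.


class Action(Enum):
    ALLOW = "allow"                         # no impedance
    WARN = "warn"                           # pop-up requiring the user to confirm
    QUARANTINE = "quarantine"               # hold the email for review
    BLOCK_NOTIFY = "block_and_notify"       # block and email the user's manager


# (lowest risk score for the tier, action); the highest tier reached wins.
RISK_TIERS = [
    (0, Action.ALLOW),
    (40, Action.WARN),
    (70, Action.QUARANTINE),
    (90, Action.BLOCK_NOTIFY),
]

# A user the UEBA has not profiled yet gets no back door: assume a mid-range
# score so they at least see a warning until a real score exists.
UNSCORED_DEFAULT = 50


@dataclass(frozen=True)
class Event:
    user: str
    channel: str            # "email", "web", "usb", ...
    sensitive: bool         # the static content rule (e.g. payment cards) already matched


@dataclass(frozen=True)
class Decision:
    action: Action
    risk_score: int
    reason: str


def action_for_score(score: int, tiers=RISK_TIERS) -> Action:
    """Pick the action of the highest tier whose lower bound the score has reached."""
    chosen = tiers[0][1]
    for lower, action in tiers:
        if score >= lower:
            chosen = action
    return chosen


def decide_static(event: Event, allowlist: set) -> Decision:
    """The 'back door' pattern the post warns about: the allowlist never changes."""
    if not event.sensitive:
        return Decision(Action.ALLOW, 0, "no sensitive content matched")
    if event.user in allowlist:
        return Decision(Action.ALLOW, 0, "user is on the static allowlist")
    return Decision(Action.BLOCK_NOTIFY, 0, "user is not on the static allowlist")


def decide_adaptive(event: Event, risk_scores: Dict[str, int], tiers=RISK_TIERS) -> Decision:
    """Same static content rule, but the action follows the user's current risk score."""
    if not event.sensitive:
        return Decision(Action.ALLOW, 0, "no sensitive content matched")
    score = risk_scores.get(event.user)
    source = "UEBA score"
    if score is None:
        score, source = UNSCORED_DEFAULT, "no UEBA score yet, default applied"
    action = action_for_score(score, tiers)
    return Decision(action, score, f"{source} {score} -> {action.value} on {event.channel}")


# Constructed timeline: the same allowlisted account sending the same sensitive
# email while its risk score climbs (for example after a compromise), plus a
# contractor the UEBA has never scored.
TIMELINE = [
    ("ceo@example.test", 12),
    ("ceo@example.test", 45),
    ("ceo@example.test", 72),
    ("ceo@example.test", 95),
    ("contractor@example.test", None),
]
ALLOWLIST = {"ceo@example.test"}


def simulate() -> List[dict]:
    """Run the timeline through both policies and return the decisions side by side."""
    rows = []
    for user, score in TIMELINE:
        event = Event(user=user, channel="email", sensitive=True)
        scores = {user: score} if score is not None else {}
        rows.append({
            "user": user,
            "score": score,
            "static": decide_static(event, ALLOWLIST).action.value,
            "adaptive": decide_adaptive(event, scores).action.value,
        })
    return rows


if __name__ == "__main__":
    for row in simulate():
        print(row)
```

The static allowlist returns "allow" for the account at every score, including the one that looks compromised, which is exactly the failure the "Backdoors" section describes; the adaptive policy walks the same account from allow to warn to quarantine to block as the score rises. The unscored contractor is the edge case worth deciding deliberately: here the default lands in the warning tier rather than silently inheriting an allow.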

If you want to know more about DUP you might be interested in our other blog post – DUP – It’s child’s play!