SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers

Why data still leaks through enterprise DLP solutions

Wed, 19th Jun 2024

Data Leakage Prevention (DLP) solutions are designed to protect personal data, intellectual property, and other critical business information from being lost, misused, or accessed by unauthorized parties. And yet, data leaks remain ever so common, and the average cost of a data breach reached an all-time high in 2023 of USD 4.45 million (Source: IBM).

Almost every SASE/SSE player now offers DLP alongside its primary offering, through CASB and Secure Web Gateways (SWGs). SWGs enforce DLP by monitoring network traffic and controlling data transfer according to predefined policies, thereby supposedly preventing the leakage of confidential information across the web. This is typically achieved through content inspection, keyword matching, and detecting anomalies in data movement. With cloud-based proxies, DLP relies on network traffic analysis, which is stateless and therefore unaware of context, and which has no visibility into what is happening on the client. SWGs are also easy to bypass through numerous client-side manipulations in the browser itself.

Limitations of Cloud-Proxy Based DLP / Network DLP

Network DLP solutions analyze traffic after SSL decryption and cannot analyze data that is itself encrypted (i.e. application-encrypted data or encrypted files), making it easy to bypass them by explicitly encoding or encrypting the traffic at the endpoint before transmitting it. Certain sites, such as banking sites, use encrypted or encoded data transmission to protect against interception and theft, rendering the content opaque to SWGs. As a result, SWGs are unable to inspect or verify the nature of the encoded data being transmitted, creating holes in the organization's data protection strategy and allowing sensitive information to slip through undetected. Attackers can take a similar approach by driving employees to a phishing site where the data is encrypted. This bypasses network-level scanning of confidential data, because the content will not match any repository of classified company data.

Moreover, because network scanning lacks context awareness, it is easy for attackers to circumvent it by breaking confidential data into many small parts and sending each part over the network separately. Each chunk on its own passes the network DLP, while the attacker still ends up with the complete confidential data.
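To make the chunking limitation concrete, here is an added example (not code from the article or from any product it mentions) contrasting a stateless per-request content match with a detector that reassembles upload bodies per user and destination before matching. The sensitive pattern, host names and chunked uploads are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed signature for a "classified" record: a 16-digit account number
# written as four groups. A stand-in for a real DLP fingerprint, not one itself.
SENSITIVE = re.compile(r"\b\d{4}-\d{4}-\d{4}-\d{4}\b")


def scan_stateless(body: str) -> bool:
    """What a per-request network DLP check sees: one body, no history."""
    return SENSITIVE.search(body) is not None


class SessionScanner:
    """Reassembles upload bodies per (user, destination) before matching, so a
    record split across several requests is still detected. The buffer is
    bounded so a long-lived session cannot grow memory without limit."""

    def __init__(self, max_buffer: int = 4096):
        self.max_buffer = max_buffer
        self.buffers = defaultdict(str)

    def scan(self, user: str, host: str, body: str) -> bool:
        key = (user, host)
        self.buffers[key] = (self.buffers[key] + body)[-self.max_buffer:]
        return SENSITIVE.search(self.buffers[key]) is not None


# Constructed sample: one account number sent as three small uploads to the
# same destination. Hostname is a placeholder.
CHUNKED_UPLOADS = [
    ("alice", "drive.example.net", "acct: 4111-11"),
    ("alice", "drive.example.net", "11-1111-"),
    ("alice", "drive.example.net", "1111 end"),
]


def stateless_hits(uploads=CHUNKED_UPLOADS) -> int:
    """Number of chunks a stateless scanner flags (0 for the sample)."""
    return sum(scan_stateless(body) for _, _, body in uploads)


def stateful_hits(uploads=CHUNKED_UPLOADS) -> int:
    """Number of chunks flagged once bodies are reassembled per session (1)."""
    scanner = SessionScanner()
    return sum(scanner.scan(user, host, body) for user, host, body in uploads)
```

Reassembly only helps while the chunks are still plaintext; data encrypted in the browser before transmission, the case in the preceding paragraph, stays opaque to both scanners.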

Network DLP solutions are also unable to identify the user, whether an authorized employee or an attacker, who is attempting to exfiltrate data. This lack of visibility into the user or account behind an attempt further limits the effectiveness of network DLP in protecting sensitive information, because security admins cannot create mitigation policies that prevent such attempts from recurring. If Google Drive is whitelisted, an employee could open an external Google Drive shared-folder link (from a third party, or from a personal Google Drive) and upload a company document to that shared folder. More granular, conditional policies, such as whitelisting only the company's own Google Drive, cannot be enforced by a purely network-based DLP solution.

While traditional DLP solutions offer some level of protection, they are insufficient on their own. The growing reliance on browsers for daily operations in remote work environments calls for the integration of browser-based DLP solutions. These can fill the gaps left by network and endpoint DLP systems by providing better visibility and control over data in transit, enhancing an organization's ability to monitor and protect sensitive information and reducing the risk of costly data breaches.

The Missing Puzzle Piece: Data Leak Detection & Mitigation with Browser Security Agents

Browser security plugs the gaps in preventing data leaks on the internet. Be it a browser extension - like SquareX - or an enterprise browser, sitting directly in the browser gives a security solution full visibility into the context, the user's interactions and client-side scripts. Because a browser agent has access to the user's clipboard and keyboard input, any client-side manipulation of the data within the browser itself does not affect the agent's ability to detect a data leak. This allows instant and accurate detection and mitigation of a leak, even before a network request is sent.

Browser security agents like SquareX make it easy for enterprises to create context-specific policies, with the help of AI policy generators, such as "Allow paste into Google Document only when user is using Enterprise's Google Workspace and login". Even where an employee uses one device for both personal and work purposes, DLP policies like this ensure that confidential data is never leaked through a personal channel.
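The following is an added example, not code from the article or from SquareX, showing how a browser agent can evaluate a context-specific policy of the kind quoted above, and why the external-shared-folder case from the network DLP section cannot be expressed as a host whitelist. The enterprise domain, Google host list and event fields (in particular the owning domain of the target document, assumed to be observable by the agent) are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed policy settings (assumed values, not a real tenant).
ENTERPRISE_DOMAIN = "example-corp.com"
GOOGLE_HOSTS = {"docs.google.com", "drive.google.com"}


@dataclass
class BrowserEvent:
    action: str                   # "paste", "upload", ...
    host: str                     # page the user is interacting with
    account: Optional[str]        # Google account signed in on that page
    owner_domain: Optional[str]   # domain owning the target doc/folder (assumed visible)
    classified: bool              # content labelled confidential by the agent


def is_enterprise_account(account: Optional[str]) -> bool:
    return bool(account) and account.endswith("@" + ENTERPRISE_DOMAIN)


def network_allowlist_decision(host: str) -> str:
    """All a host-level whitelist can decide: the destination, nothing else."""
    return "allow" if host in GOOGLE_HOSTS else "block"


def evaluate(event: BrowserEvent) -> Tuple[str, str]:
    """Context-aware decision using signals only the browser agent sees:
    signed-in account, owner of the target resource and the content label.
    Returns (decision, reason)."""
    if not event.classified:
        return "allow", "content not classified"
    if event.host not in GOOGLE_HOSTS:
        return "block", "classified content to unmanaged destination"
    if not is_enterprise_account(event.account):
        return "block", "not signed in with an enterprise Workspace account"
    if event.owner_domain != ENTERPRISE_DOMAIN:
        return "block", "target is an external or personal Drive resource"
    return "allow", "enterprise Workspace account and enterprise resource"
```

For the personal-account paste and the external shared-folder upload, the host whitelist answers "allow" while the context-aware policy blocks; only the in-browser signals separate the two cases.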

Where an employee is uploading an encrypted file, admins can set up policies requiring the user to provide the password so the content can be analyzed before the file is uploaded anywhere on the internet. Likewise, if a file is encrypted in transit over the network and then decrypted and dropped on the client side, a browser security agent can analyze the file in the browser before allowing the download to reach the user's system.

As a cherry on top, enterprises can deploy a browser security agent to all their employees within minutes and benefit from it immediately.