'Western' and 'Eastern' Approaches in DLP Solutions

Our analysts have recently observed some interesting differences in the use of DLP solutions. We labelled these the ‘western’ and ‘eastern’ approaches and, as it turned out, they really are linked to the western and eastern regions, apparently because of differences in business cultures. So, what are these differences?

Security specialists in the ‘western’ region use the system to block sensitive information. In practice it looks like this: the system is installed, sensitive information is identified, security rules are set, blocking options for certain operations are put in place and ... they forget about the DLP solution until an incident occurs.

After the incident, the system is used only to investigate, document the leak and provide evidence to the court.

Meanwhile, the ‘eastern’ approach uses the tool in a different way. If the company wants it to, the DLP system can collect a huge mass of information, decrypt it, pass it through its dictionaries, and analyze and process it according to its customized settings.

This data is presented clearly in the form of graphs, diagrams, tables, etc. Correct analysis of the information received can help prevent actions that put the information and economic integrity of the enterprise at risk before they are committed.

This ‘eastern’ approach attempts to identify an internal threat to the enterprise at its initial stage, rather than using the system solely as an evidence base to present in court.

Let's say a security officer notices something strange in the interactions of an employee: a manager whose responsibilities give them access to the client base. Via e-mail, the security officer receives a notification that the manager has communicated a lot with a user whose account name partly consists of the name of the competing firm. The officer reads the correspondence, which indirectly hints at disloyalty and an intent to interact with a competing company.

In the end, after discussions, the parties dissolved the contract, since the board decided that in this case there were serious suspicions that the purpose of the communication (although this could not be directly established) was to persuade the employee to copy and leak important commercial information.

In another case, a user activity module indicated that a workstation had been working through the whole night. After checking the running processes, it was found that the employee had started a cryptocurrency mining process before leaving.

Do not forget that the economic security of the company includes protection not only from real malefactors, but also from ‘passive’ ones. What do I mean? Imagine that you have 50 employees and only half of them really do their job. How could you detect this if they are middle managers who rely on the reports of their subordinates? In this case, the DLP function that analyzes the workload of workstations will help.

It’s important to mention that when a company decides how to increase the efficiency of working time, protecting business activity from disloyal or undisciplined employees should not violate the right to privacy, and the implementation of DLP should be carried out carefully.

The board should notify all employees in writing about the use of DLP. Otherwise, dismissal and prosecution are more likely to affect the employer. Moreover, if an incident occurred, the company would not be able to legally present evidence that had been collected without such notice. Also, monitoring shouldn’t be too harsh, as it will cause irritation and a further loss of efficiency.

So the difference between the ‘western’ and ‘eastern’ approaches could be explained, among other things, by the inherently careful west European attitude toward privacy, while the eastern approach looks to be more analytical of the data.

The capabilities of DLP technology remain disputed, and its uses can be flexible depending on the intention of the company. What our analysts at Falcongaze SecureTower see is a definite cultural difference in the use and deployment of DLP, which vendors of the technology should consider.
