The Two Keys to Zero Trust: Data Loss Prevention and Machine Learning

Data is the raw material of business. There is more data than ever, from more sources than ever. Whether creating, modifying, analyzing or communicating, nearly everyone’s job involves working with data in some way. But much data is sensitive. It may contain proprietary information, confidential information, or personally-identifiable information. Inadvertent employee actions can compromise sensitive data, with severe consequences for an organization.

It would be great if all workers would behave perfectly, but that will never happen. Negligent actions include oversharing sensitive data on cloud apps, using private email accounts or shadow applications for data sharing, using removable storage devices for data distribution and printing from a home printer or an unattended printer in a public place. Let’s not forget that many employees leave their systems unlocked when they go home at the end of the day, despite admonitions to the contrary. And no matter how many warnings are given, some employee, somewhere, at some time, will click on a phishing email.

Protecting against data leakage caused by user negligence is a significant responsibility of IT leaders, many of whom are fighting back by implementing Zero Trust cyber security strategies. The idea of Zero Trust is to move beyond a peripheral defense and assume that all persons, devices or entities -- even longstanding employees -- should be considered as potential threats. As MIT professor of information technologies Stuart Madnick puts it, “There are only two types of organizations: those that know they have been attacked, and those that do not yet know they have been attacked.”

Data loss must of course be protected against, but any exposure of personally identifiable information (PII) could make an organization liable to severe fines under major privacy ordinances, such as the European Union’s GDPR, HIPAA in healthcare or the California Consumer Privacy Act (CCPA) which will become effective in 2020. More costly than fines might be class action lawsuits filed by “data subjects” (those whom the data concerns) and reputational damage.

Multiple technologies and practices are needed to implement Zero Trust, beginning with data loss prevention (DLP), two-factor authentication, least-privilege access, encryption and digital-rights management (DRM). One of the most significant weapons in the Zero Trust arsenal is user and entity-based analytics (UEBA), which uses AI and machine learning to search for anomalies in user behavior patterns. 

Symantec DLP and ICA

Keeping data under lock and key defeats the purpose of digital business. Workers need to work with data, even sensitive data, and sometimes move it outside an organization. For example, a hospital administrator might need to send an insurance company HIPAA-protected information from a patient’s health record. However, that administrator would not need to save the data to a removable USB drive. Symantec DLP stands guard by automatically discovering sensitive data, enforcing protective measures such as encryption and DRM, and preventing it from leaving the enterprise in unwanted or noncompliant ways.                

Symantec DLP doesn’t stop there. It enables you to surveil behaviors relating to suspicious user-installed applications and prevent exfiltration of sensitive data. Symantec DLP also is configured to identify GDPR-protected information, enabling you to track its use and location, and regulate its flow. And it integrates with encryption and cloud-access security broker (CASB) technologies to protect email, removable media, individual files and data in the cloud.

Working hand-in-hand with DLP, Symantec Information-Centric Analytics (ICA) implements UEBA, providing AI-and ML-enabled insight into user behavior. Every employee has a normal behavior pattern, which ICA observes, records, and compares to that of employees with similar responsibilities. When an employee’s behavior, or usage of an employee’s system, departs from the normal pattern – a 3AM download of sensitive data, for example -- ICA takes note, assigning a risk score and reporting to an organization’s security operations center (SOC).

Zero Trust is not a silver bullet. It is a process that is best implemented with the goal of continuous improvement. Measures must be put in place and then enforced so they become part of daily routine for IT and for employees. For example, an employee committing a negligent action should receive a data incident notification along with recommended self-remediation actions, such as visiting a self-remediation portal to get up to speed on corporate data policies.

The goal is to achieve steady risk reduction over time by mitigating negligence and reducing mistakes without impairing productivity. When employees sense that complying with cumbersome security measures makes getting their jobs done more difficult, they are likely to work around those measures, using shadow IT applications and taking work to unsecured locations.

Negligent behavior will always be with us. As you fight back with a Zero Trust strategy, make sure that Symantec DLP and ICA are on your side.