Data loss happens in many different ways. Users can delete files. Backups can fail or be incomplete. Ransomware can shut people out of their systems. Disks can become corrupted over time. Systems can crash with the data inside becoming unreadable. Mobile devices can be used to filch information from organizational databases. These are just a few examples.
Because organizations can analyze information and cross-reference it with other datastores, its value is high, and the tolerance for organizational data loss is at an all-time low. Data loss prevention (DLP) software and tools have been created to minimize the risk.
What is Data Loss Prevention?
DLP covers the various ways of detecting and preventing data breaches or the loss of sensitive data. The channels it guards against include removable storage devices, mobile connectivity, the internet, the web, device control, and malware.
For example, DLP tools can monitor USB ports to prevent data loss. They enforce policies related to how data leaves the network and catch unusual patterns or traffic volumes.
What is DLP Software?
DLP software makes use of policy, procedures, and a variety of technologies to prevent data leakage or misuse. It addresses data leaks, insider threats, malware, human error, and more. It also provides a means of complying with standards and closely monitoring the movement of critical data.
Some tools are fairly simplistic. They establish a framework for who can access what and block unauthorized access. More sophisticated systems can detect and respond to potential data risks while preventing exfiltration. Some tools add sophisticated automatic discovery and classification of data across the enterprise regardless of the device or where the data resides (i.e., on premises, on devices, or in the cloud).
Additionally, some DLP software prevents accidental sharing of data with coworkers, partners, or the public. In the case of sensitive information, there are DLP tools that can prevent USB drives from accessing endpoints to remove data.
Core features include:
- The ability to differentiate sensitive data from non-sensitive data.
- The ability to discover sensitive data wherever it may reside.
- Visibility into all the potential data loss vectors.
- DLP policy that aligns with corporate data protection requirements.
- Being able to take preventative action if a data loss event is detected.
- Reporting on any data loss events.
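The following added example, which is not taken from any product reviewed here, shows three of these core features in Python: telling sensitive content from look-alike digit strings, taking preventative action on an egress channel, and reporting the event with masked values. The channel names, the block policy, and the sample strings are assumptions constructed for the example.

```python
import re

# Loose candidate patterns; the validators below remove most false positives.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
EGRESS_CHANNELS = ("usb", "web_upload", "email_external")  # assumed policy scope

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def ssn_ok(area, group, serial):
    """Reject values the SSA never issues: area 000, 666, 9xx; group 00; serial 0000."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def mask(value):
    """Keep only the last four digits so the report does not leak the data itself."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]

def inspect_text(text):
    """Return validated findings (type plus masked value) for one piece of content."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append({"type": "credit_card", "value": mask(digits)})
    for m in SSN_RE.finditer(text):
        if ssn_ok(*m.groups()):
            findings.append({"type": "ssn", "value": mask(m.group())})
    return findings

def enforce(channel, text):
    """Block sensitive content on egress channels; always return a reportable event."""
    findings = inspect_text(text)
    action = "block" if findings and channel in EGRESS_CHANNELS else "allow"
    return {"channel": channel, "action": action, "findings": findings}

if __name__ == "__main__":
    # Constructed sample: a well-known test card number and a dummy SSN.
    sample = "Customer card 4111 1111 1111 1111, SSN 123-45-6789"
    print(enforce("usb", sample))
    print(enforce("usb", "Ticket 4111 1111 1111 1112 and id 000-12-3456"))
```

The second call is allowed because the digit run fails the Luhn check and the SSN-shaped value falls in a range that is never issued, which is the kind of validation that keeps pattern-based DLP rules from flooding analysts with false positives.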
Top DLP Tools and Software
Enterprise Storage Forum evaluated a number of DLP tools and applications. Here are our top picks, in no particular order:
MVISION Unified Cloud Edge (UCE) is McAfee Enterprise’s device-to-cloud data security solution. It delivers unified data loss prevention across endpoint, network, secure web gateways (SWG), cloud access security brokers (CASB), and Zero Trust Network Access (ZTNA).
- Data Discovery on endpoints, network shares, databases, sanctioned cloud Software-as-a-Service (SaaS) and Infrastructure-as-a-Service (IaaS) services.
- DLP detection engine embedded within endpoint, network, SWG, CASB, and ZTNA components.
- Common set of data classifications – set once and extend across all technologies.
- Unified incident management interface across the solution set.
- Common DLP engine, a common set of classifications, and a common set of incident management tools.
- Remote Browser Isolation and DLP for devices trying to access private, internal applications.
- Data protection from the device to the cloud.
- Converged solution with unified classification, policy enforcement, and incident management (vs. individual point solutions).
- Cloud-delivered Secure Web Gateway extends McAfee Enterprise DLP to web and shadow IT applications.
Check Point Data Loss Prevention pre-emptively protects against unintentional loss of valuable information. Integrated in Check Point Next Generation Firewalls (NGFW), network DLP enables businesses to monitor data movement and empowers employees to work with confidence, while staying compliant with regulations and industry standards.
- Track data movement: Tracks and controls any type or format of sensitive information in motion, such as e-mail, web browsing and file sharing services.
- Pre-emptive data loss prevention: Educates and alerts end-users on proper data handling without involving IT/security teams, and allows for real-time user remediation.
- Centrally managed across the IT infrastructure from a single console.
- Leverages out-of-the-box best practice policies.
- Check Point Content Awareness is for organizations that want basic data control features.
- Check Point DLP is for those wanting granular control with the ability to use dictionary matches, scan file repositories, match by template, add watermarks to files and create their own data types using the CPcode scripting language.
Code42 Incydr is a SaaS product that allows security teams to mitigate file exposure and exfiltration risks without disrupting legitimate work and collaboration. It monitors all file activity and provides visibility into all corporate file, vector and user activity to ensure product specs, customer pricing plans and source code aren’t being moved to an untrusted or unrecognized place. This includes web browser uploads, cloud sync activity, file sharing, AirDrop, and use of removable media.
- Incydr calls attention to an organization’s data security blind spots by giving teams visibility into activities that fly under the radar and increase data exposure risk.
- When it detects suspicious activity, it gives security teams the ability to view the file content and confirm if it’s sensitive or to decide if it’s just a harmless activity, like uploading files to a trusted corporate domain.
- Investigations to make fast, informed decisions about how to respond before files are loaded onto thumb drives or sent to personal cloud storage accounts.
- Automated detection when data lands someplace unexpected, or in an untrusted destination (like a personal shared drive).
- Flag events for further scrutiny.
- Address insider risk, while still allowing teams to collaborate.
Endpoint Protector By CoSoSys discovers, monitors, and protects sensitive data across multiple OSes, devices, and channels. It includes a wealth of security features as well as the ability to monitor compliance.
- USB & peripheral port control to monitor and manage devices.
- Granular control based on vendor ID, product ID, serial number.
- Monitor, control and block file transfers that include content and context inspection.
- Encrypt, manage, and secure USB storage devices by safeguarding data in transit.
- Discover, encrypt, and delete sensitive data.
- Detailed content and context inspection through manual or automatic scans.
- N-gram-based text categorization to discover intellectual property, such as source code.
- Scan and safeguard Personally Identifiable Information (PII), including Social Security Numbers, bank account numbers, and credit card numbers.
- Prevent data loss or theft by monitoring activity related to device use and file transfers.
- Achieve compliance and meet the requirements of data protection regulations such as HIPAA, PCI-DSS, GDPR, SOX and others.
Forcepoint DLP addresses human-centric risk with visibility and control where people work and where data resides. Security teams apply user-risk scoring to focus on the events that matter most and to accelerate compliance with global data regulations.
- Secure regulated data with a single point of control for all the applications and data.
- Protect intellectual property by analyzing how people use data.
- Secure sensitive customer information and regulated data to prove ongoing compliance.
- More than 370 policies applicable to the regulatory demands of 83 countries.
- Coach employees to make smart decisions, using messages that guide user actions, educate on policy, and validate user intent when interacting with critical data.
- Policy-based auto-encryption that protects data as it moves outside the organization.
- Integrates with data classification solutions such as Microsoft Azure Information Protection, Titus, and Boldon James.
- Two versions: DLP for Compliance and DLP for Intellectual Property (IP) protection.
- Optical Character Recognition (OCR) identifies data embedded in images while at rest or in motion.
- Identification of PII for data validation checks, real name detection, proximity analysis, and context identifiers.
Digital Guardian is about the convergence of data loss prevention and managed detection & response. Delivered in the cloud via Amazon Web Services (AWS), it promises to simplify deployment, lower overhead, and provide scalability.
- Locate, understand, and protect sensitive data.
- Get full coverage at the endpoint, on the network, and in the cloud.
- Team of analysts continuously hunting for cyber threats.
- Understand the sensitivity of data at risk to prioritize threats.
- Detailed attack sequences for advanced threat hunting.
- Coverage for Windows, macOS, or Linux operating systems and all applications, both browser based and native.
- Fine-grained controls, ranging from log & monitor to automated blocking.
- See where sensitive data is located, how it flows, and where it is put at risk — all without policies.
Google Cloud DLP can help classify data on or off cloud with insights that assist proper governance, control, and compliance. It is a fully managed service designed to discover, classify, and protect sensitive data.
- Inspects structured and unstructured data to help IT and users make decisions to properly secure data.
- Reduce data risk with de-identification methods like masking and tokenization.
- Create dashboards and audit reports.
- Automate tagging, remediation, or policy. Connect DLP results into Security Command Center, Data Catalog, or export to SIEM or another governance tool.
- Schedule inspection jobs directly or stream data into the API to inspect or protect workloads on Google Cloud, on-premises, mobile applications, or other cloud service providers.
- Native support for scanning and classifying sensitive data in Cloud Storage, BigQuery, and Datastore.
- Measure statistical properties such as k-anonymity and l-diversity.
Cyberhaven’s Data Detection and Response (DDR) platform protects enterprise data and intellectual property, and manages risk. It offers a comprehensive view into data while protecting all sensitive data.
- Cyberhaven can use data lineage and other enterprise context to identify and track sensitive data whether the content is unstructured, modified, or encrypted.
- Non-text data, source code, CSV files, instant messages, design files, ML models, and other types of content can be protected.
- Automatically discover and classify sensitive data even in unexpected locations.
- Define policies in terms consistent with the business and as situations change, data can be included or excluded.
- Instantly see where a piece of data came from, how it’s been shared and modified, and all the associated risks.