
Why Data Loss Prevention Tools Are Failing To Stop Insider Data Theft


[Image: magazine cover, "The insider threat isn't human anymore"]

“In the silent exchange of data theft, we’re not just losing information, we’re surrendering fragments of our humanity, leaving us to ponder what it truly means to be secure in an increasingly transparent world.”

– Anonymous


On the 25th of June 2019, McAfee, one of the biggest security software companies in the world, filed a lawsuit against several former employees, accusing them of stealing trade secrets before starting new positions with Tanium (a competitor).


To carry out the alleged theft, the employees did not use the type of sophisticated technology that you might expect.


Instead, according to the lawsuit, confidential company information was copied to unauthorised USB devices and sent to private email addresses.


Ironically, a company that presents itself as a leader in Data Loss Prevention suffered the very loss its products are sold to prevent.


Let’s first identify the objectives of Data Loss Prevention.


Data Loss Prevention (DLP) is about keeping sensitive data away from unauthorised eyes and preventing it from ending up in the wrong hands.


The goal is simple but essential: ensure that critical data is not misused or mistakenly shared with unauthorised individuals, and prevent intentional theft or unauthorised access to sensitive information.


The critical components of a DLP programme begin with determining which data needs extra protection. This means sorting data into categories (data classification) according to its importance and sensitivity. This step matters because it decides what level of protection each category requires.


After identifying this data, it’s crucial to label it clearly and keep an eye on it to ensure it isn’t accessed or shared without permission.


The next big part of DLP is monitoring and controlling how data is accessed, stored and transferred within the organisation.


Finally, having an automated response to potential data loss events (blocking the transfer, quarantining the file, alerting the security team) is vital.
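The four steps just described (identify and classify, label, monitor and control, respond automatically) can be made concrete with a small policy engine. The following is an added illustration written for this article, not McAfee’s product or any vendor’s code; the event schema, label names, detection patterns and destination lists are all assumptions. It also shows the caveat practitioners run into in the field: content inspection is blind to encrypted or compressed payloads and to any data type nobody wrote a rule for, so a context rule on the destination is needed to at least raise an alert.

```python
"""Toy DLP policy engine: classify content, inspect transfer events, respond.

Added illustration for this article, not McAfee's or any vendor's product.
The event schema, label names, patterns and destination lists are all
assumptions chosen for the example.
"""
import re
import zlib
from dataclasses import dataclass

# Steps 1 and 2 (identify and label): patterns that imply a classification label.
CONTENT_RULES = {
    "RESTRICTED": [re.compile(r"\b(CONFIDENTIAL|TRADE SECRET)\b", re.I)],
    "PII": [re.compile(r"\b\d{3}-\d{2}-\d{4}\b")],   # US SSN shape
}
# Step 3 (monitor and control): destinations outside the organisation's control.
UNREGISTERED_USB = {"usb:unregistered"}
PERSONAL_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
CONSUMER_CLOUD = {"dropbox.com", "drive.google.com"}


@dataclass(frozen=True)
class TransferEvent:
    user: str
    channel: str       # "usb", "email" or "cloud"
    destination: str   # device id, recipient address or upload host
    payload: bytes


def classify(payload: bytes) -> set[str]:
    """Labels whose patterns occur in the payload; empty if it cannot be read."""
    try:
        text = payload.decode("utf-8")
    except UnicodeDecodeError:
        return set()      # encrypted or compressed: the inspector sees opaque bytes
    return {label for label, pats in CONTENT_RULES.items()
            if any(p.search(text) for p in pats)}


def leaves_organisation(ev: TransferEvent) -> bool:
    """Context check: is the destination one the organisation does not control?"""
    if ev.channel == "usb":
        return ev.destination in UNREGISTERED_USB
    if ev.channel == "email":
        return ev.destination.rsplit("@", 1)[-1].lower() in PERSONAL_MAIL_DOMAINS
    if ev.channel == "cloud":
        return ev.destination.lower() in CONSUMER_CLOUD
    return False


def content_only_policy(ev: TransferEvent) -> str:
    """Step 4 (respond), naive form: act only on what content inspection sees."""
    return "BLOCK" if classify(ev.payload) and leaves_organisation(ev) else "ALLOW"


def content_plus_context_policy(ev: TransferEvent) -> str:
    """Step 4, hardened: unreadable data to an external destination still alerts."""
    if not leaves_organisation(ev):
        return "ALLOW"
    if classify(ev.payload):
        return "BLOCK"
    return "ALERT"      # cannot prove it is sensitive, cannot prove it is not


def run_demo() -> dict[str, tuple[str, str]]:
    """Constructed events; returns {name: (content-only action, content+context action)}."""
    secret = b"TRADE SECRET - Q3 enterprise pricing model"
    customers = b"acme,contact@acme.example,renewal 2025-01"   # no pattern exists for this
    events = {
        "plaintext secret to unregistered USB":
            TransferEvent("alice", "usb", "usb:unregistered", secret),
        "compressed secret to unregistered USB":
            TransferEvent("alice", "usb", "usb:unregistered", zlib.compress(secret)),
        "plaintext secret to corporate mailbox":
            TransferEvent("alice", "email", "bob@corp.example", secret),
        "unlabelled customer list to personal mail":
            TransferEvent("alice", "email", "alice.home@gmail.com", customers),
    }
    return {name: (content_only_policy(ev), content_plus_context_policy(ev))
            for name, ev in events.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in run_demo().items():
        print(f"{name:45s} content-only={naive:5s} content+context={hardened}")
```

Running it prints a verdict per event. The compressed copy of the trade-secret document is the important row: the content-only policy allows it because the inspector cannot read it, while the content-plus-context policy alerts on unreadable data heading to an unregistered USB device. The same applies to the customer list, for which no pattern was ever written. Note that an alert is not a block, which is exactly the gap an insider with authorised access can exploit.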


Why didn’t McAfee use its software to protect its trade secrets appropriately?


It’s hard to know the real reason, but here are some probable causes:

  • It’s possible the information was encrypted or packed into an archive, so the DLP solution could not inspect the content and did not detect the theft.

  • It’s possible that they trusted their employees and decided not to use the DLP solution internally.

  • It’s possible that due to the complexity of the software and data, it was misconfigured and could not detect the data theft.

  • It’s possible it wasn’t set up to monitor or detect that specific sensitive information leaving the organisation.

  • It’s possible, and most likely, that even with all the security controls in place within McAfee, those trusted employees knew how to evade internal security.


Either way, it placed McAfee in a very awkward situation.

  • They incurred significant legal costs, including attorney fees, court filing fees and related expenses, to fight the case.

  • They suffered reputational damage, eroding trust among clients, investors and partners.

  • They lost intellectual property: trade secrets that are no longer secret lose their value.

  • They lost competitive advantage, potentially facing increased competition and difficulty maintaining their position in the marketplace.


You can find the source of the story here.


Takeaway:

The takeaway from the McAfee and Tanium lawsuit is the importance of employee loyalty and adherence to non-disclosure obligations.

In competitive industries like cybersecurity vendors, where proprietary information and trade secrets are highly valuable, employees must uphold ethical standards and legal agreements even when transitioning between companies. Failure to do so can lead to costly legal battles, damage to professional reputations, and strained relationships within the industry.

The key lesson is that placing blind trust in employees always doing what’s right can lead to unforeseen harm to the organisation.

This story vividly illustrates the severe repercussions that can occur when employees prioritise personal gain over loyalty to the organisation and disregard non-disclosure agreements.


What factors contribute to the limited effectiveness of DLP solutions?


Several factors can potentially contribute to a DLP solution’s limited effectiveness. Let’s explore them in more detail.


Part of the challenge is that data has never been more portable. So, taking it has never been easier.


Sales lists, product specs, pricing information, payroll data and even contact lists are just a few examples of small but critically important files that are simple to take.


Employees can store hundreds of gigabytes on their mobile devices, put 1TB or more of data on removable media, or quickly transfer data to personal cloud storage services like Dropbox.


Side note:

The CERT Insider Threat Center (part of Carnegie Mellon University’s Software Engineering Institute) published several key points when it comes to information theft:

  1. Most insiders steal information as they are leaving the organisation.

  2. It’s challenging to detect such acts of theft because insiders steal information to which they already have authorised access.

  3. It’s difficult to detect the theft of information until the data is actually being taken, so the window of opportunity for detection is small.
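The three CERT observations translate into a detection question: did a user’s outbound volume spike relative to their own baseline, and did it happen inside their departure window? Below is an added example written for this article (not CERT’s or any vendor’s code) that answers it over a constructed endpoint log and a constructed HR feed of last working days; the 30-day window, the 10x ratio and the seven-day minimum history are assumed thresholds.

```python
"""Departure-window anomaly detection over an endpoint transfer log.

Added example for this article, not CERT's or any vendor's code. The log,
HR dates and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

# Constructed HR feed: each departing user's last working day.
LAST_WORKING_DAY = {"alice": date(2024, 5, 31)}
DEPARTURE_WINDOW = timedelta(days=30)   # assumption drawn from the CERT finding above

# Constructed endpoint log: (day, user, channel, bytes). Every copy was made by an
# authorised user, so nothing here would trip a content rule.
LOG = (
    [(date(2024, 4, 1) + timedelta(days=i), "alice", "usb", 20_000_000) for i in range(28)]
    + [(date(2024, 5, 3), "alice", "usb", 900_000_000),
       (date(2024, 5, 4), "alice", "cloud", 1_500_000_000)]
    + [(date(2024, 4, 1) + timedelta(days=i), "carol", "usb", 10_000_000) for i in range(10)]
    + [(date(2024, 4, 20), "carol", "cloud", 500_000_000)]
    + [(date(2024, 4, 15), "bob", "usb", 50_000_000),
       (date(2024, 5, 3), "bob", "usb", 60_000_000)]
)


def daily_volume(log):
    """Total outbound bytes per (user, day), all channels combined."""
    totals = defaultdict(int)
    for day, user, _channel, nbytes in log:
        totals[(user, day)] += nbytes
    return totals


def in_departure_window(user, day):
    """True if `day` lies within DEPARTURE_WINDOW before the user's last day."""
    last_day = LAST_WORKING_DAY.get(user)
    return last_day is not None and last_day - DEPARTURE_WINDOW <= day <= last_day


def detect(log, ratio=10.0, min_history=7):
    """Flag (user, day, bytes, severity) where a day's volume exceeds `ratio` times
    the median of that user's earlier days. Users with fewer than `min_history`
    prior days are not scored (a deliberate trade-off: fewer false positives,
    but a brand-new or rarely active user stays invisible)."""
    totals = daily_volume(log)
    history = defaultdict(list)
    findings = []
    for user, day in sorted(totals):          # chronological per user
        volume = totals[(user, day)]
        past = history[user]
        if len(past) >= min_history and volume > ratio * median(past):
            severity = "HIGH" if in_departure_window(user, day) else "MEDIUM"
            findings.append((user, day, volume, severity))
        past.append(volume)
    return findings


if __name__ == "__main__":
    for user, day, volume, severity in detect(LOG):
        print(f"{severity:6s} {user:6s} {day} {volume / 1e6:8.0f} MB")
```

Every copy in the log was by an authorised user, so a content rule has nothing to fire on; the signal is purely behavioural. Alice’s two spikes in May fall inside her departure window and are rated HIGH; Carol’s April spike is rated MEDIUM because no resignation is on file; Bob never accumulates enough history to be scored at all, which is the false-negative side of the min_history choice.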


One area that is particularly exposed for organisations is employees bringing their own smartphones, which present numerous challenges for DLP solutions:

  1. Data leakage via photos: Smartphones with cameras can be used to capture sensitive information, such as documents, whiteboards or computer screens, potentially leading to data leakage if these images are not properly secured or monitored.

  2. Unauthorised data storage: Employees may use their smartphones to store work-related files or data, creating data security risks if these devices are not adequately protected or lack encryption and access controls.

  3. Cloud storage integration: Many smartphones integrate seamlessly with cloud storage services, allowing employees to easily upload and share files. This can bypass traditional DLP measures implemented within the corporate network.

  4. Communication apps: Smartphones often have various communication apps installed, such as messaging or email applications, which can be used to share sensitive information outside the organisation’s secure environment.


The second part is that implementing data loss prevention technologies is difficult, and realising their full value is harder still (incomplete deployments are common). Here are some additional challenges that organisations have often raised:

  • Complexity of deployment: Modern organisations deal with vast amounts of data in various formats (text, images, videos, etc.), making it challenging to create comprehensive DLP policies that effectively cover all data types.

  • Diverse IT environments: Organisations often have heterogeneous IT environments with a mix of on-premises systems, cloud services and mobile devices, requiring DLP solutions to be compatible with and integrated across these platforms.

  • Data classification: Proper DLP implementation requires accurate data classification to identify sensitive information and apply appropriate security controls. However, manually classifying data is time-consuming and error-prone.

  • False positives and negatives: DLP solutions may generate false positives (incorrectly flagging legitimate actions as violations) or false negatives (failing to detect actual violations), undermining trust in the system.

  • Continuous monitoring and updates: Data threats constantly evolve, requiring DLP solutions to be regularly updated, fine-tuned and monitored to detect new threats and vulnerabilities. This ongoing maintenance can be resource-intensive.

  • Resource and budget constraints: Implementing DLP solutions often requires significant technology, training and personnel investment. Organisations with limited resources or budget constraints may find deploying and maintaining robust DLP capabilities challenging.


However, the main challenge with DLP solutions is trying to solve a technology problem that isn’t a technology problem. It’s a “people” problem.


“Data by itself does not walk out of the door. It requires the action of a human person.”


Let’s look at the following relationship:


A cause-and-effect relationship describes the connection between two events or variables, where one event (the cause) leads to or influences the occurrence of another event (the effect).


This relationship is fundamental in understanding how actions, phenomena, or conditions interact and produce specific outcomes.


Here’s a breakdown of a cause-effect relationship:

  • Cause: This is the event that initiates or triggers a change. It can be a single event, a series of events, a condition, or a behaviour. The cause is what brings about the effect.

  • Effect: This is the result or consequence of the cause. It can be a direct outcome or a chain of events influenced by the initial cause. The effect is what happens as a result of the cause.

  • Relationship: The cause-effect relationship establishes a link between the cause and the effect, demonstrating how changes in one variable lead to changes in another variable.


Let’s take the example of data theft by an insider.

  • The cause: the intentional breach of security measures by a trusted person.

  • The effect: sensitive information copied, stolen or exfiltrated.


How do DLP solutions act?

  • Preventing (cause): The DLP solution is part of the preventive measures implemented by the organisation to address potential causes of data theft. It helps establish policies and controls that define how sensitive data should be handled, accessed and shared within the organisation.

  • Monitoring & Detection (effect): The DLP solution actively monitors and detects suspicious or unauthorised activities related to data access, transfer and usage by trusted employees. It uses content inspection, contextual analysis, user behaviour analytics and policy enforcement to identify anomalies and potential data breaches.


What is the root cause?


It’s essential to recognise that the root cause of data theft often lies in human behaviour and intention.


At its core, data theft involves individuals or groups with specific intentions and motivations. These motivations can range from financial gain, competitive advantage, espionage, retaliation, or even simple curiosity. These human factors drive the decision-making process behind data theft incidents.


What is the underlying problem of DLP?


Dealing with human intent.


As we know, organisations come in all shapes and sizes.


The same can be said about employees. Some are enthusiastic, some considerate, some engaged, some productive, and some not. You get the idea. Employees are different and have different motivations, values, beliefs, and behaviours.


Intent can be broken down as follows:


Motive: This is the reason for doing something. Think of it as the “why” that motivates the “what.”

Agenda: Grows out of motive. It’s what you intend to do because of your motive.

Behaviour: This is the manifestation of motive and agenda.

Intent matters.


While we tend to judge ourselves by our intent, we judge others by their behaviour.


Most people have good intent. They sincerely want to do what is right and seek the best for others.

Some people genuinely have poor intent. Though they may not be aware of it or even admit it, deep inside, they seek their own profit, position or possession above others.


As a result, DLP solutions alone cannot address the underlying drivers of human behaviour, such as the desire to steal information for personal gain or out of malice.


Policies and technological controls can act as deterrents and barriers, but they cannot remove the motivation of a trusted employee who wants to carry out that action.


DLP solutions are not designed to stop a person who has already decided to commit a malicious act.


In short, DLP does not understand intent, so it cannot be expected to accurately detect, prevent, deter and respond to insider threats.


Key Takeaways

The essential takeaway is that while technology like DLP is important to data protection, data theft ultimately stems from human factors such as intent, behaviour, and awareness.

Organisations must prioritise addressing these human elements through training, culture-building, and ethical considerations to effectively combat data theft and insider threats.

There is no such thing as 100% data protection, for the simple reason that a human being can memorise specific information and just walk out.


Example: Ana Montes memorised classified data

Few spies have burrowed more deeply into the US government than Ana Montes. She was a senior analyst at the Defense Intelligence Agency, and her specialty was Cuba.

But here’s the twist: Montes was spying for Cuba. She memorised US state secrets and got them to the regime of former President Fidel Castro.

