Data Detection and Response: Enhancing Threat Intelligence and Incident Response

As data naturally lives and breathes, gets copied, shared, expanded, collaborated on, and distributed, the many lives of a single piece of information can be extraordinarily hard to keep track of, much less protect.

The industry has responded with a myriad of solutions, but that’s now part of the problem, too. As Data Detection and Response (DDR) vendor Cyberhaven states, “The problem is partly that data security capabilities are spread across multiple products: Data Loss Prevention (DLP), Insider Risk Management (IRM), Cloud Access Security Broker (CASB), Data Security Posture Management (DSPM) and they all see only part of the picture.”

This inability to grasp a full-scale view of the data loss problem has created a vacuum in the industry, and DDR has stepped in to fill it. To discover how Data Detection and Response (DDR) positively enhances threat intelligence and incident response, we first need to understand where other technologies fall short and where the industry stands today.

Why Protecting Data is a Real Challenge in 2024

In a flurry of data protection products – you have Insider Risk Management (IRM), Cloud Access Security Broker (CASB), Data Security Posture Management (DSPM), and of course, Data Loss Prevention (DLP) – one would think that we’d never see a single piece of data get lost again.

However, that myriad of tools might be working against each other, or each might be failing to address the acute problems of protecting data today. Those problems are:

  1. Difficulty classifying data | When your level of protection depends on your data classification, that classification has to be spot-on. Unfortunately, many tools classify information based on context alone or on the type of information in the file. That makes sense to a point, but it doesn’t account for outlying instances. Take, for example, a file containing a list of manufacturers in the area, what they produce, and the contact information of an executive who works there. At first scan, this may look like public domain: something grabbed off Google for a project or a perfunctory bit of research. However, it very well could be a protected document belonging to your company’s recent (and pending) acquisition. More information is needed to tell.
  2. Solutions are blind to data type | One good thing about behavioral-driven threat protection tools is that they don’t need to know a malicious signature to spot a crime; beyond-the-baseline behavior is usually enough. But when a behavioral analysis tool flags an unusually large upload and teams spend valuable person-hours hunting down what ends up being an employee’s personal photo album, the cracks start to show. After all, “When it comes to traditional Data Loss Prevention (DLP) solutions, the ‘false positive’ is frequently the downfall,” notes cybersecurity company Clearswift. Cutting down on false positives means knowing enough about the data to avoid those mistakes in the first place. One of the first steps in this context is to accurately assess the type of data involved. An unusually large upload of .exe files is something to worry about; a large upload of .pngs, perhaps not so much. But even that could benefit from adding context, as we’ll discuss later.
  3. Data doesn’t stay put | It’s hard to hit a moving target. And yet, that’s what data these days is. We don’t just generate it and then keep it in cold storage for years – at least not most of it. We use it to make businesses run. And that’s when data is at most risk: when it’s being used, sent, compressed, transferred, viewed, altered, or pasted. It is always worthwhile to protect Data at Rest, but since there is no guarantee that those safe places can keep out every attack, it is better to protect the data itself, while it is in motion.
  4. Prevention features lack bite and accuracy | Lastly, a huge limitation of data protection products today is the fact that they seem to warn effectively but fall short of actual prevention – and not for lack of trying. It is the age-old struggle to balance security with usability and efficiency. On the one hand, false positives are generated on a hair-trigger in many well-intentioned technologies, blocking legitimate file actions and impeding the flow of business. In an effort to catch any sign of data loss, even routine data usage becomes suspect, and trust goes down. Consequently, prevention features are just as often found in the off position for this very reason, making it as if the product had no prevention feature at all. Because DLP tools are built on policies, it is up to a human to tirelessly craft a catch-all rule that can somehow account for everything. Such an expectation is unrealistic.

Against the backdrop of these current data loss prevention challenges, Data Detection and Response offers a solution.

How DDR Enhances Incident Response

To autonomously block instances of data loss – and not your boss’ attempt to send a vendor a file – a few more things need to be known. Data Detection and Response tools make it their business to know these things. They are:

  1. Where the data came from (data lineage) | If the file originated from a protected Dropbox location, the company’s CRM, or a privileged-access server, for instance, chances are that the file is worth protecting. Data lineage also refers to the journey the file took, not just its original source. So, perhaps this file was taken from an internal database, copied to a personal GitHub repository, and is now being copied and pasted into Slack. Clues like this provide a lot of context around the intent for the file and justify immediate action in blocking the next step.
  2. Where the data is going | If the information is leaving the network for an unauthorized location, that information is as important as the content of the document or file itself. Those tell-tale context clues inform DDR of the transfer’s nature and whether it is suspect and should be blocked. Additionally, when data is on the move – not safe in a folder or database – is when it is at the most risk. As stated in Forbes, “The problem [with data protection today] is that most organizations have little visibility and control over data after it’s initially downloaded or moved from the place where it was created or originally stored. The problem gets even more complicated when trying to control derivatives of a file.”

With this vital context to back it, DDR can confidently pull the trigger and prevent the next move – autonomously. It cuts down on false positives by having a multi-vector approach that eliminates errors with additional information. Knowing not only where the document is stored and what’s in it but also the journey it’s taken and where it’s off to can make all the difference.
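As an added illustration (not code from Cyberhaven or any other product mentioned here), the following Python models the multi-vector decision described above: a size-only behavioral rule sits beside a lineage-aware rule that combines origin, journey, destination and file type. The event stream, the protected-source and unauthorized-destination sets, and the use of a content hash as a stable `content_id` are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed reference sets; a real deployment would derive these from policy.
PROTECTED_SOURCES = {"internal-db", "crm", "privileged-server"}
UNAUTHORIZED_DESTINATIONS = {"personal-github", "slack-external", "personal-email"}
RISKY_EXTENSIONS = {".exe", ".dll", ".zip"}
LARGE_UPLOAD_MB = 500

@dataclass
class Event:
    content_id: str   # assumed: an id that survives copy/rename, e.g. a content hash
    action: str       # create | copy | paste | upload
    source: str
    destination: str
    size_mb: float
    ext: str

def size_only_verdict(event: Event) -> str:
    """Behavior-only rule from the text: any unusually large upload is suspect."""
    if event.action == "upload" and event.size_mb > LARGE_UPLOAD_MB:
        return "flag"
    return "allow"

def lineage_verdict(history: list[Event]) -> str:
    """Decide on the latest event using the whole journey of this content."""
    latest = history[-1]
    touched_protected = any(ev.source in PROTECTED_SOURCES for ev in history)
    if touched_protected and latest.destination in UNAUTHORIZED_DESTINATIONS:
        return "block"      # protected origin + unauthorized destination: act now
    if latest.action == "upload" and latest.ext in RISKY_EXTENSIONS \
            and latest.size_mb > LARGE_UPLOAD_MB:
        return "flag"       # data type adds context even without a protected origin
    return "allow"

def evaluate(events: list[Event]) -> dict[str, tuple[str, str]]:
    """Return {content_id: (size_only, lineage_aware)} for each content's latest event."""
    lineage: dict[str, list[Event]] = {}
    for ev in events:                      # group events into a per-content journey
        lineage.setdefault(ev.content_id, []).append(ev)
    return {cid: (size_only_verdict(h[-1]), lineage_verdict(h)) for cid, h in lineage.items()}

# Constructed sample stream: a personal photo album and a customer list on the move.
SAMPLE_EVENTS = [
    Event("album", "upload", "laptop", "corp-drive", 2000, ".png"),
    Event("cust", "copy", "internal-db", "laptop", 3, ".csv"),
    Event("cust", "copy", "laptop", "personal-github", 3, ".csv"),
    Event("cust", "paste", "personal-github", "slack-external", 3, ".csv"),
]
```

Run `evaluate(SAMPLE_EVENTS)`: the size-only rule flags the harmless 2 GB photo album and allows the 3 MB customer list, while the lineage-aware rule allows the album and blocks the list at the Slack step.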

These additional threat intelligence insights allow Data Detection and Response to discern with unmatched accuracy data that’s on the move for business and data that’s leaving the network for malicious intent.