By Alex Vakulov
Sun | Apr 30, 2023 | 7:47 AM PDT

One of the most important responsibilities of security professionals is to avoid data breaches. At the same time, the IBM report reveals that it takes an average of 277 days to detect and contain a data breach. For approximately nine months, hackers have the ability to steal sensitive info without any consequences. DCAP solutions help to significantly complicate this task for them.

With the increase in the complexity of IT infrastructures and the various ways of storing data, safeguarding against data leaks has become more resource-intensive. Huge arrays of unstructured data used and modified by many users, together with the ever-growing complexity of attacks, mean that the usual means of protecting the perimeter of a corporate network no longer meet current information security requirements.

Since data is the target of the vast majority of attacks, organizations should concentrate on safeguarding critical data. Analysts from Gartner introduced a specific concept known as Data-Centric Audit and Protection (DCAP). It refers to advanced systems that focus on the data, the mechanisms for controlling access to it, and possible ways of transmission.

Information tends to spread at a rate proportional to the number of users. Out of sheer ignorance, someone can put a secret document in a folder with public access or request unnecessary privileges for working with files. Many advanced security systems cannot prevent a scenario in which a user takes a screenshot from a confidential document and then sends it via Telegram to an unauthorized recipient. All these and many other potential threats are supposed to be eliminated by DCAP solutions.

Gartner introduced the term DCAP, but it actually evolved from the concept of DAG systems, which originated in 2004. DCAP incorporates the Data Access Governance (DAG) approach, aimed at controlling and managing access to unstructured data, along with additional tools for classifying the data and analyzing user actions.

Data access control raises many questions not only among users but sometimes also among security professionals.

  • What is Data-Centric Audit and Protection? How do these information security systems differ from Data Access Governance solutions?
  • Who is the potential customer of such solutions?
  • Do DLP systems compete with DCAP, or do these products complement each other?
  • What are the pitfalls when implementing unstructured data access control solutions?

Understanding the capabilities of DCAP

DCAP is first of all a group of security solutions; however, it also serves as an approach to information security. DCAP can be seen as an intelligent security instrument that provides off-the-shelf data protection technologies, implementing a new approach to solving an important and necessary task.

DCAP systems can:

  •   Analyze access rights and identify excessive levels of user access
  •   Classify documents and separate those with sensitive information
  •   Evaluate employee behavior to identify any anomalies
  •   Offer tools for visualizing current risks
  •   Offer a ready-made risk reduction methodology

DCAP systems operate inside the security perimeter. They analyze user accounts, files and their contents, access rights, data movements, and also identify violations. DCAP systems are designed to automatically identify and solve problems related to the storage and use of data.

DCAP can also collect information remotely: it gathers logs and uses data from SIEM and other information security tools. At the same time, DCAP solutions have modules for processing the collected data: tools for indexing, cataloging and analyzing information (for example, access rights structures), and a linguistic core. DCAP collects a stream of metadata about users and groups, statistical information, and activity data enriched with information from directory services.

Many vendors use the power of artificial intelligence to identify and sort data. In addition, a distinctive feature of DCAP is the presence of an audit unit designed to answer the question of who used specific information and when.

There are several factors that distinguish DCAP from other security tools that seem to perform similar tasks. For example, data classifiers built into the operating system do not have enough context to allow them to prioritize checking for recently modified files or data that has appeared in public folders. In addition, the built-in tools do not offer insight into who is the business owner of the resource and how restricting access to it will affect the organization's work.

DCAPs help solve problems faced by Data Loss Prevention (DLP) systems. DLPs are often focused on checking data that crosses the perimeter. However, a lot of nasty things can happen inside the perimeter.

Even "voguish" and very expensive Security Information and Event Management (SIEM) systems have their own limitations and disadvantages. In particular, they do not have information about the actual data access rights or the presence of confidential information in documents, and they also do not know the data's business owner. All this leads to insufficient protection of file storage and, as a result, to security incidents.

DCAP systems that have software agents on all protected hosts have several advantages. DCAP solutions put less strain on the system than the activity audit process built into the OS. At the same time, conflicts between agents and other software in the system are extremely rare and, as a rule, are caused by incorrect settings of other information security tools.

Another task of DCAP is the optimization of storage systems. By removing unused data, the company not only reduces the potential attack surface but also offloads server storage. Finally, DCAP can also help you quickly recover data from backups in case of ransomware.

Modern DCAP systems protect any sources of information: file and mail servers, workstations, corporate portals, shared resources, etc. DCAP also covers your network: proxy servers, VPN and DNS, cloud solutions like Microsoft 365 and G Suite, as well as various third-party applications.

What attacks can DCAP systems prevent?

From the point of view of the MITRE ATT&CK matrix, DCAP solutions can be used at almost all stages, from gaining access to exfiltration. DCAP systems are especially effective in preventing violations at the stage of establishing persistence, privilege escalation, and data collection.

Depending on the adopted security policies, there are many events to which DCAP can react. Among the most common are the following:

  • Attempt to access infrastructure from non-standard locations via VPN

  • Brute-force attacks

  • New users are added to the domain administrators' group

  • Confidential information is published in the public domain or in another inappropriate place

  • Non-standard user activity (a violation of the behavioral profile), for example, sudden mass access to previously unused information

  • Attempts to access files from illegitimate accounts and processes

An attack most often requires an account that has certain privileges. DCAP can detect account access violations, find publicly available objects, and set the least privilege mode. In this case, a cybercriminal will have much less opportunity to develop an attack.
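To illustrate the "non-standard user activity" event from the list above, the following added example (not code from the article or from any DCAP product) flags a user who suddenly opens many files that are absent from their own access baseline. The event format, the 15-minute window and the threshold of 20 files are assumptions, and the audit events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample_events():
    """Constructed audit events (timestamp, user, path); not real logs."""
    events = []
    base = datetime(2023, 4, 3, 9, 0)
    # Baseline week: alice and bob each work with a handful of their own files.
    for day in range(5):
        for i in range(3):
            ts = base + timedelta(days=day, minutes=i)
            events.append((ts, "alice", f"/finance/q1/report{i}.xlsx"))
            events.append((ts, "bob", f"/hr/policies/doc{i}.docx"))
    # Detection day: bob reads 40 payroll files he never touched, 15 s apart.
    burst = base + timedelta(days=7)
    for i in range(40):
        events.append((burst + timedelta(seconds=15 * i), "bob",
                       f"/finance/payroll/emp{i}.pdf"))
    # alice works normally: one familiar file and a single new one.
    events.append((burst, "alice", "/finance/q1/report0.xlsx"))
    events.append((burst, "alice", "/finance/q1/report9.xlsx"))
    return events, burst

def find_mass_access(events, split, window=timedelta(minutes=15), threshold=20):
    """Flag users who open >= threshold never-before-seen files within one window."""
    baseline = defaultdict(set)   # user -> paths accessed before `split`
    recent = defaultdict(list)    # user -> (timestamp, path) on or after `split`
    for ts, user, path in events:
        if ts < split:
            baseline[user].add(path)
        else:
            recent[user].append((ts, path))
    alerts = []
    for user, accesses in recent.items():
        new = sorted((ts, p) for ts, p in accesses if p not in baseline[user])
        start = 0
        for end in range(len(new)):
            # Slide the window start forward until it spans at most `window`.
            while new[end][0] - new[start][0] > window:
                start += 1
            distinct = {p for _, p in new[start:end + 1]}
            if len(distinct) >= threshold:
                alerts.append({"user": user, "first_seen": new[start][0],
                               "new_files": len(distinct)})
                break  # one alert per user is enough for triage
    return alerts
```

Measuring novelty against each user's own baseline, rather than against a global file count, is what keeps alice's single new file from raising an alert.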

The practice of using DCAP systems

There is no single, universally accepted architecture for DCAP products. Depending on the ideology of the system and the tasks to be solved, agent logic can be applied, which involves the installation of system scanners on all controlled devices. Most often, a balanced approach based on several concepts is used.

Most customers use DCAP to manage access, search and classify unstructured data. Customers also use DCAP to detect various anomalies. The methodology for working with a DCAP system often consists of several steps that can be performed simultaneously.

At the first stage, it allows you to identify current risks by analyzing violations of policies for working with protected data. This helps to identify problem areas that need attention and prioritize them correctly.

At the next stage, DCAP allows you to capture the current state of the infrastructure by setting up metrics, reports, and real-time notifications of any new violations. This helps to reduce the potential attack surface in the infrastructure and gradually move to the principle of least privilege. Data owners begin to receive reports on any activity on the resources they control. Now they can generate requests to the information security or IT departments to change access rights according to the current business realities. Cases of incorrect inheritance of access rights are identified, users are checked for excessive privileges, etc.

The last step is automation. You can configure a notification service that informs about potential attacks or malicious insider activities. It helps to detect unwanted events in time and automatically respond by running the appropriate scripts. Users begin to request access to resources through the self-service portal, and the system automatically executes the request after passing through the approval chain. This eliminates any issues related to the human factor. Detected confidential data in public directories is automatically moved to quarantine with a notification to the information security staff.
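The checks described in the stages above (users with excessive privileges, and confidential data sitting in public directories) can be sketched as follows. This is an added example, not code from the article or from any DCAP product; the inventory dictionaries, the list of broad groups and the two regex classifiers are assumptions, and all data is constructed.

```python
import re

# Constructed inventory (assumptions, not taken from a real system).
ACL = {  # folder -> principals that hold access rights
    "/finance/payroll": {"alice", "bob", "carol", "Everyone"},
    "/hr/policies": {"bob", "Everyone"},
    "/eng/designs": {"carol", "dave"},
}
USAGE = {  # folder -> users seen in the audit log during the review period
    "/finance/payroll": {"alice"},
    "/hr/policies": {"bob", "alice"},
    "/eng/designs": {"carol", "dave"},
}
FILES = {  # path -> extracted text (dummy values)
    "/finance/payroll/april.txt": "Employee SSN 123-45-6789 salary 5000",
    "/hr/policies/dress_code.txt": "Business casual on weekdays",
    "/eng/designs/notes.txt": "Card on file 4111 1111 1111 1111",
}
BROAD = {"Everyone", "Authenticated Users", "Domain Users"}
SENSITIVE = {  # deliberately simple content classifiers
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}

def classify(text):
    """Return the sorted labels of every sensitive pattern found in the text."""
    return sorted(label for label, rx in SENSITIVE.items() if rx.search(text))

def review(acl, usage, files):
    """Report rights that were granted but never used, and sensitive files
    stored in folders that are open to a broad group."""
    findings = []
    for folder, principals in sorted(acl.items()):
        used = usage.get(folder, set())
        unused = sorted(p for p in principals - BROAD if p not in used)
        if unused:
            findings.append(("excessive_access", folder, unused))
        if principals & BROAD:
            for path, text in sorted(files.items()):
                labels = classify(text)
                if path.startswith(folder + "/") and labels:
                    findings.append(("sensitive_in_public", path, labels))
    return findings
```

Findings of the second kind are the candidates for the quarantine step, while the first kind feeds the access review that data owners sign off on.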

DCAP Implementation

Like other security systems, DCAP systems have their own implementation features. Of particular note is the ratio of the "technological" and "methodological" parts of the implementation. In addition to purely technical elements of the deployment process, significant resources are needed to establish various rules, policies, and work scenarios.

The speed of building data handling procedures directly depends on the organization's current information storage and accessibility situation. The more objects you need to process and organize, the more time and resources you have to spend to set up the system, especially if there are a large number of problematic accounts and files.

Cost-effectiveness of DCAP

Both IT and security teams utilize DCAP solutions; thus, the financial reasoning for acquiring such a system may vary. From a technical standpoint, DCAP can help to free up disk space, making it a valuable asset for companies dealing with rising server costs.

The cost-benefit analysis for the security department may be more complex as it can be challenging to quantify the financial impact of potential risks. However, reputational risks associated with data breaches are often used as a justification here.

Vendors recommend running a pilot project with a limited number of accounts and then using the results to evaluate the system's value.

What slows down the implementation of DCAP?

DCAP appeals to a broad range of potential customers. In fact, these are all organizations that consider data security to be a significant issue. The sales volume of DCAP solutions has increased over the past year. Most likely, the change was driven by a combination of factors. Experts attribute this growth to the increasing technical expertise of customers, advancement in the capabilities of DCAP solutions, and the growing number of cyber-attacks targeting data.

The high cost of DCAP solutions is often a deterrent for customers considering its implementation. Additionally, the integration with other security systems, compatibility with necessary data sources, and the complexity of setup and configuration can also hinder DCAP adoption. Some customers may also find the value proposition of DCAP questionable, particularly in comparison to more widely marketed DLP systems that operate in the adjacent segment of the information security market.

How to choose DCAP

When choosing any solution, the creators' proficiency and reputation are paramount.

Here are specific tech criteria to consider when assessing a DCAP system:

  • Ability to qualitatively collect a wide range of events through agents

  • Ability to collect data without agents

  • A large number of supported storage types

  • Automation of processes related to data access

  • The ability to search through both indexed and non-indexed data

  • Automatic data lifecycle management

  • Built-in recommendation system

  • Sandbox for modeling access rights

  • Possibility of rights matrix migration between different types of domains

  • Efficient data analysis module

  • Biometric authentication when accessing certain types of data

DCAP development forecasts

DCAP systems are quickly moving towards automation. As this technology matures, there will be less manual work to be done, and it will be much easier to bring the infrastructure in accord with industry best practices.

The potential for harsher penalties for data breaches may also drive demand for DCAP systems. The shift towards remote work and the widespread adoption of cloud technologies also influence the development of DCAP, with customers seeking more specialized functionality.

Furthermore, the distinction between different access control solutions is becoming increasingly blurred, with DCAP potentially incorporating features commonly found in DLP and Identity Management (IdM) tools.


Information security experts are dealing with increasingly complex challenges. The number of threats increases, and the methods used by attackers become more advanced. In light of this, it is essential to focus not only on preventing intrusions but also on protecting sensitive information, which is the ultimate target of bad actors. DCAP technology allows you to automate these efforts and transforms a company's network into a secure environment that thwarts an attacker's progress at every stage.