DDR: Comprehensive business data security made easy


Data is precious to any organization and forms the basis of day-to-day operations.

And it is also highly coveted by outsiders.

Data is the target of most cyberattacks, and it is one of the easiest ways to profit from hacking. And hackers don’t discriminate; no organization is immune, as evidenced by numerous recent high-profile breaches and insider threats – from the High Council to Facebook to TikTok.

This has led many to question the effectiveness of existing cybersecurity tools, especially with the proliferation of cloud computing and multicloud environments, and the complexity and reduced transparency that result. But a new model is emerging and some say it will reinvent the cybersecurity space: data detection and response (DDR).

This new data-centric approach provides instant visibility into data stores and real-time protection and response capabilities, according to companies that specialize in it.

“DDR is a new form of corporate data protection, a radically different approach to protecting corporate data,” said Howard Ting, CEO of DDR platform company Cyberhaven. “It provides more comprehensive data coverage, is much more accurate in classification and risk identification, and is much easier to implement and manage.”

Breaches at an all-time high

According to research by the Ponemon Institute, the cost of a data breach is at an all-time high, averaging $4.2 million in 2021. This reflects a 10% year-over-year increase from 2020 ($3.86 million), largely due to the near-overnight shift to remote work and digital transformation amid the pandemic. According to the Institute, costs are also increased by system complexity and compliance failures.

The “most common initial attack vector” was compromised credentials, which accounted for 20% of breaches. The second most common was phishing (17%); the third, cloud misconfiguration (15%). The highest average breach costs were attributable to business email compromise and malicious insider threats, the Institute reports.

Organizations that were able to successfully mitigate breaches were those with strong AI security tools and those that followed a zero-trust approach. In addition, organizations that were further along in their cloud modernization were able to catch breaches on average 77 days faster, Ponemon said.

As risks and threats escalate, the cybersecurity and cloud security markets continue to grow. Fortune Business Insights, for example, forecasts that the total cybersecurity market will grow to more than $376 billion by 2029, representing a compound annual growth rate (CAGR) of 13.4%. Meanwhile, the global cloud security market is expected to grow to $36.43 billion by 2028, as reported by Fior Markets – up from $8.33 billion in 2020 and a CAGR of 20.25%.

DDR, in particular, is a category so young that no statistics are available yet, but the leading companies include Cyberhaven and Dig.

Data: all that matters

Founded in 2014, Cyberhaven bills itself as the inventor of the industry’s first DDR platform. It raised $33 million in an oversubscribed series B financing round in Dec.

As Ting explained, Cyberhaven endpoint sensors monitor various events on a user’s computer, recording and tracking each time a user interacts with data, for example when they upload or download something or attach something to an email. User actions trigger events, which are captured, correlated and “merged” using graph analytics for analysis and risk identification.

“In the end, it’s the data that matters — it’s all that really matters,” Ting says. Existing tools “don’t do a very good job of securing that asset, as you can see from all the breaches you read about all the time.”

Dig, which emerged from stealth and announced an $11 million seed funding round in May, also identifies itself as the industry’s first DDR solution.

The company discovers all data assets stored in platform-as-a-service (PaaS), infrastructure-as-a-service (IaaS), and database-as-a-service (DBaaS) environments. It classifies structured and unstructured data and provides real-time protection and response while helping organizations understand how data is being used, according to CEO and co-founder Dan Benjamin.

The company says it goes beyond posture solutions by helping organizations discover, monitor, detect, protect and manage cloud data. As Benjamin noted, Dig’s engine responds “instantly” to threats to cloud data, triggering alerts on suspicious or anomalous activity and preventing attacks, exfiltration, and misuse of employee data.

It also tracks whether data sources support compliance, ensures that data assets have assigned owners and that access is regularly reviewed, and generates data security and compliance reports to “keep key stakeholders informed and auditors happy.”

Where DLP and DDR diverge

In the report “Getting DLP Right: 4 Elements of a Successful DLP Program,” Gartner analyst Andrew Bales acknowledges that DLP (data loss prevention) strategies developed independently of business initiatives fail to correctly identify sensitive data, leaving organizations exposed to undue risks of data loss and non-compliance.

Immature DLP programs are “systematically inundated” with recurring violations and repeat offenders, and many are implemented as a “set and forget” technology with no continued development, he writes. Security and risk management leaders may miss important points in DLP vendor considerations, in part because of misidentification of their company’s data processing use cases and outstanding architectural gaps.

“Many organizations struggle to develop an effective program to prevent data loss, seeing success as unattainable,” Bales writes.

A successful DLP program comes about when leaders focus on business goals, identify data risk factors, reduce DLP violations and account for stakeholder frustration, he says.

But DDR providers say it’s still not enough.

“DLP is an ugly four-letter word,” Ting said. “Because it caused so much pain.”

Historically, according to Ting, DLP tools have only looked in specific areas. But DDR “always looks at all the data, wherever it goes,” he said. “We act on all the data that users interact with.”

The main advantage of DDR is that it is much more comprehensive and accurate, he said. The solution “can protect any type of file, any type of data, regardless of file type, regardless of whether it has a well-formed pattern,” Ting said.

Traditional DLP tools, on the other hand, are narrowly confined to well-formed patterns. But there are many “crown jewels” that companies need to protect today that have no such patterns, he said: for example, source code, machine learning (ML) models, and clinical research data.

Platforms that base classification solely on patterns and specific content result in “a lot of noise”, false positives and user frustration. As a result, organizations will disable or block enforcement tools altogether.

“Today’s Achilles heel is accuracy,” Ting said. In almost all cases, Cyberhaven’s platform replaces DLP tools. Customers understand that DDR is a “transformative approach” and “much richer and more accurate” when it comes to data classification and security.

Data Orientation

As Benjamin noted, the number and variety of data assets per organization is exploding. And in the cloud, data is fragmented across multiple clouds and services — a typical enterprise stores its data across more than 20 types of services and thousands of instances. This hinders visibility, context and control over their cloud data, Benjamin said, while also limiting an organization’s enforcement capabilities.

Lack of security and control over these assets leads to shadow data, ransomware, data misuse, data exfiltration and compliance breaches, he said.

And ultimately, existing data security tools weren’t built to protect data in the cloud, he argued.

“I’ve talked to over a hundred CISOs and hear the same complaints over and over,” Benjamin says. “Companies don’t know what data they have in the cloud, where it resides, and most importantly, how to protect it. They have tools to protect endpoints, networks, APIs, but nothing to actively protect their data in public clouds.”

Ting agreed, noting that existing categories haven’t solved the corporate data protection problem, “not even their part of the problem.” In the case of an insider threat, they are also a breach of a user’s personal data.

“Our approach is to really focus on the data, as opposed to the user,” he said. As insider threat and insider risk become more prevalent and significant, this provides “much closer scrutiny” and “much more confidence” in determining whether a user will become an insider threat.

In general, Ting argued, people have “kind of given up” on the cybersecurity category.

“There’s a lot of restrained demand in the market, a lot of pain,” he said.

But he predicted a “resurrection,” saying that data-centric security models will lead to a major shift in the cybersecurity industry over the next decade.

As he put it, “DDR is a category about to explode.”
