Vendor: "File auditing and finding out who used specific files, and when, are the main functions of DCAP."
Customer: "Stop, we already have DLP with almost the same functions. Let's install a DLP agent on the server—and that's it, the task is solved."
Such a dialogue often occurs when vendors demonstrate the capabilities of DCAP (Data-Centric Audit and Protection) systems to users of DLP (Data Loss Prevention) systems. Since DCAP technology is new to some customers, file audit is taken to be control over document movement. The mistake is that file audit is understood as document control without reference to how the documents are actually used.
Let's look at the typical tasks solved by DCAP systems and how they differ from those solved by DLP systems.
DCAP and DLP: Understanding the Purpose
DCAP is a class of information protection system that is rapidly gaining popularity. It is designed primarily to protect file storage.
DLP, in turn, because it controls a larger number of channels and event types, solves problems related to the activities of specific employees and detects data leaks at the level of network flows.
According to various studies, up to 80% of data in most companies is kept in the file "garbage dumps" and/or in an unstructured form. This fact creates many problems related to the identification and protection of sensitive data. The DCAP system structures the contents of file storage, determines access rights, and highlights data that should not be publicly available. But to control the creation and movement of such files within the company or outside the perimeter, DLP is needed.
Where are DLP and DCAP systems used?
DLP is used mainly on workstations. It also allows you to scan network shares.
DCAP systems, in turn, are designed to audit storage systems: Windows and Linux file storages, NetApp, MS Sharepoint, Dell EMC, Synology, NextCloud, etc.
Installing a DLP agent on such storage is either technologically impossible or entails a severe drop in performance, since, in addition to auditing, the DLP agent performs many functions that are redundant for protecting a file storage.
What does DCAP control?
Duplicate files with sensitive information
The task of terminating personal data processing is a widespread case. It is necessary to find all copies of all files containing the personal data of a particular person. The existence of duplicates unknown to your company can be a serious problem and result in huge fines when reviewed by regulators. A search and classification module present in DCAP systems can be one of the solutions to the problem. It allows us to identify all files containing personal data of different types, as well as to quickly find all files with data on a particular person, including duplicates, their storage locations, and access rights. This functionality is not offered by most DLP systems when applied to file storage.
Irrational use of storage
Expansion of storage capacity is not cheap. Therefore, the problem of optimizing the use of available storage and other disc management issues arises. For this purpose, DCAP systems can:
- Determine which types of data are taking up the most space and which types are growing the fastest.
- Determine the data's ownership; that is, determine which departments use it.
- Identify rarely used data, junk files, and duplicates.
- Recommend what data can be securely deleted.
Data access rights audit
Auditing access rights is the task DCAP users request most often. Note that a DLP system is limited to displaying the current state of access rights for each specific file. The capabilities of DCAP are much wider and include:
- Identification of risks associated with incorrectly configured access rights: disabled inheritance, broken ACLs, direct permissions.
- Two-way display of access rights. A full display of all access rights for each specific file or directory and a display of all files and folders available to a particular user or user group.
- Recommendations for reducing access rights with the possibility of preliminary simulation of changes. DCAP can show which groups will be affected by changes, and which employees who use the files will no longer be able to gain access.
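The three checks above (disabled inheritance, direct user permissions, the reverse per-user view and a pre-change simulation) as an added illustrative example; this is not code from the article or from any DCAP product, and the file server, groups, users and usage records are constructed sample data:

```python
from dataclasses import dataclass

@dataclass
class Ace:
    principal: str   # user or group name
    inherited: bool  # False = permission set directly on this object
@dataclass
class Folder:
    path: str
    inheritance_enabled: bool
    aces: list

# Constructed sample data: AD group membership and three folders on a file server.
GROUPS = {"HR-Staff": {"alice", "bob"}, "Finance": {"carol"}}
FOLDERS = [
    Folder(r"\\fs01\hr", True, [Ace("HR-Staff", True)]),
    Folder(r"\\fs01\hr\salaries", False, [Ace("HR-Staff", False), Ace("dave", False)]),
    Folder(r"\\fs01\finance", True, [Ace("Finance", True), Ace("alice", False)]),
]
# Constructed sample of who actually opened each folder recently (from file audit).
USAGE = {r"\\fs01\hr\salaries": {"alice", "dave"}, r"\\fs01\finance": {"carol", "alice"}}

def audit_risks(folders):
    """Flag disabled inheritance and permissions granted directly to individual users."""
    risks = []
    for f in folders:
        if not f.inheritance_enabled:
            risks.append((f.path, "inheritance disabled"))
        for a in f.aces:
            if not a.inherited and a.principal not in GROUPS:
                risks.append((f.path, f"direct permission for user {a.principal}"))
    return risks

def accessible_to(user, folders):
    """Reverse view: every folder a user can reach directly or via group membership."""
    p = {user} | {g for g, members in GROUPS.items() if user in members}
    return sorted(f.path for f in folders if any(a.principal in p for a in f.aces))

def users_with_access(folder):
    """Expand groups into the set of users that can reach the folder."""
    users = set()
    for a in folder.aces:
        users |= GROUPS.get(a.principal, {a.principal})
    return users

def simulate_removal(folder, principal, usage):
    """Preview a permission reduction: active users of the folder who would lose access."""
    trimmed = Folder(folder.path, folder.inheritance_enabled,
                     [a for a in folder.aces if a.principal != principal])
    lost = users_with_access(folder) - users_with_access(trimmed)
    return sorted(lost & usage.get(folder.path, set()))
```

`simulate_removal` answers the question the last bullet raises: removing HR-Staff from the salaries folder would cut off alice, who actually uses it, while dave keeps his direct entry.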
File audit and incident investigation
This feature is often used together with DLP to get the complete picture. The main difference is that a DLP system is intended for granular detection of each incident and information leak, whereas a DCAP system uses file audit data not only to identify a single incident—for example, who deleted or changed a particular file—but also to analyze all operations within the storage, or even across several repositories. It allows one to:
- Analyze all data requests and identify the real owners of the resource.
- Display the activity of all employees: who uses specific files, and how they are used. Tables and graphical reports can be formed.
- Detect abnormal behavior based on file access statistics. For example, an abnormally high number of write operations from one account may indicate the activity of malware that encrypts files.
- Determine the causes of increased load on the file server based on the analysis of access requests. It shows which accounts generate the most significant load, which files are used most frequently, etc.
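The analyses in the list above (resource owner by request count, per-account load, most-used files, and the write-burst anomaly that may point to file-encrypting malware), as an added illustrative example in Python; this is not the article's or any product's code. The audit records are constructed, and the `factor`/`floor` thresholds and the service-account list are assumed tuning values:

```python
from collections import Counter
from statistics import median

# Constructed sample of file-server audit records (time, account, operation, path); the
# burst from "carol" stands in for an account whose session is rewriting many files.
SAMPLE_LOG = [
    r"09:00:01 alice READ \\fs01\hr\policy.docx",
    r"09:00:05 alice WRITE \\fs01\hr\plan.xlsx",
    r"09:00:09 bob READ \\fs01\hr\plan.xlsx",
    r"09:00:12 bob WRITE \\fs01\hr\plan.xlsx",
    r"09:00:20 bob WRITE \\fs01\hr\roster.xlsx",
    r"09:01:00 svc-backup READ \\fs01\finance\q1.xlsx",
    r"09:01:02 svc-backup READ \\fs01\hr\policy.docx",
] + [rf"09:05:{i:02d} carol WRITE \\fs01\finance\q{i}.xlsx" for i in range(30)]

MODIFYING_OPS = {"WRITE", "DELETE", "RENAME"}

def parse(lines):
    """Split each record into (time, account, operation, path)."""
    return [tuple(line.split(maxsplit=3)) for line in lines]

def anomalous_writers(events, factor=5, floor=10):
    """Accounts whose count of modifying operations is far above every other account's.
    factor and floor are assumed tuning values, not values from the article."""
    writes = Counter(acct for _, acct, op, _ in events if op in MODIFYING_OPS)
    flagged = []
    for acct, n in writes.items():
        others = [v for a, v in writes.items() if a != acct]
        baseline = median(others) if others else 0
        if n > max(floor, factor * baseline):
            flagged.append((acct, n))
    return flagged

def load_by_account(events):
    """Which accounts generate the most requests on the server."""
    return Counter(acct for _, acct, _, _ in events).most_common()

def hottest_files(events, k=3):
    """Which files are touched most often."""
    return Counter(path for _, _, _, path in events).most_common(k)

def likely_owner(events, share, ignore=("svc-backup",)):
    """The account that uses a share most, excluding service accounts (assumed list)."""
    users = Counter(acct for _, acct, _, path in events
                    if path.startswith(share) and acct not in ignore)
    return users.most_common(1)[0][0] if users else None
```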
In addition to detecting incidents and identifying anomalies, DCAP also provides for active response, including both sending notifications through various channels (SIEM, mail, messenger) and working with access rights: denying account access, denying access to a specific folder/file, setting the read-only mode, running a custom script, etc.
How to use DLP?
The most demanded DLP features include the following:
Employee time tracking
This trend arose after 2020 due to the massive transition to remote work. Employee time tracking is popular because its results are easy to see and easy to use. A modern DLP system compiles statistics on employee engagement from numerous factors, such as the applications running and the time spent viewing different browser tabs. DCAP systems do not implement these functions; DCAP can only reflect the fact that a browser is running.
Content analysis and data leak detection
DCAP conducts content analysis of stored information only. The most important task of any DLP is the analysis of the content of the transmitted information. Such concepts as a transmission channel, sender, recipient, and perimeter are simply inapplicable to DCAP.
The standard set of channels controlled by a DLP system includes web traffic (webmail, social networks), instant messengers, external media, and corporate mail. It can also help monitor mobile devices (although for complete mobile security, installing a VPN, antivirus, and firewall is also recommended).
Formally, DCAP is able to identify problematic data stored on external media, but only during its next scan and only if the media is available at the time of scanning. DLP, on the other hand, works in real time and can detect a data leak at the moment information is copied to the media. It can also prevent the leak by blocking the file transfer. The transferred file is categorized at the time of the transfer attempt, not on a scan schedule as with DCAP.
Behavioral analytics is also present in DLP systems, but unlike DCAP, DLP analyzes a larger number of event types: not only file operations but also user communications, launched applications, and special events such as visits to websites with specific keywords in the window title.
DCAP works only with file usage data, which helps a lot in detecting anomalous activity inside the storage. Still, it does not always help to detect strange and risky behavior of employees.
What to choose?
Despite some functional similarities, DLP and DCAP are independent systems that solve completely different tasks. Each of them helps to identify fundamentally different types of incidents occurring in different contexts.
DLP is better suited to identify a specific intruder or malicious insider and is applied to endpoints. DCAP is better suited for identifying incidents within unstructured data stores that are not related to data transmission but to storage and user access rights.
The best option would be to integrate DLP and DCAP in order to better control the entire lifecycle of enterprise data.
Alex Vakulov is a cybersecurity researcher with over 20 years of experience in malware analysis and strong malware removal skills.