Data Detection and Response

Demystifying DDR: Your Questions Answered

With so many –DR acronyms being thrown around, it’s easy to lose another one in the mix. However, data detection and response (DDR) is one that deserves attention, and it is not just because it is “the future of data protection.”

Rather, it fundamentally “thinks” about preventing data loss differently. A rundown of commonly asked questions and their answers will show why.

Q1: What is Data Detection and Response?


According to the IEEE Computer Society, Data Detection and Response is an “innovative approach to cybersecurity that…involves continuous monitoring and analysis of data activities within an organization’s network, endpoints, and cloud environments.”

While all data protection tools on the market today promise some form of this – continuous oversight of data on and off the network – DDR delivers this in a way that plugs the gaps others leave behind. It follows data as it travels through the network and autonomously blocks actions that would result in data loss.

As the IEEE boldly asserts, DDR signifies no less than “a paradigm shift in cybersecurity, prioritizing data safeguarding and swift threat response.”

Q2: Where does DDR fit in with all the other –DRs?

DDR acts as the hub that integrates an organization’s already present threat technologies. As noted in Forbes, “DDR brings together elements of insider risk management (IRM), cloud access security brokers (CASB), secure access service edge (SASE) and traditional data loss prevention (DLP).”

Q3: What is the connection between DDR and Data Lineage?

A key capability that sets DDR apart is classifying data by not only content but data lineage.

At rest, certain bits of information may seem innocuous enough, leading traditional DLP solutions to give them a “pass.” However, although a PowerPoint presentation may not show any sensitive information on scans, the fact that it is stored in the access-controlled M&A file on SharePoint might provide the context needed to classify it as confidential.

DDR sees both elements – context, and lineage – and uses both vectors to classify and identify sensitive data to a more accurate degree than other tools on the market.


Q4: What was wrong with the old way of protecting data?

DDR vendor Cyberhaven describes Data Detection and Response as “a new generation of data security technology that’s designed to address the long-standing challenges with protecting data.” Some of those long-standing challenges are:

  • These days, data is difficult to classify by content alone. Additional identifying factors are needed to corroborate whether a piece of data is truly sensitive and at risk of exfiltration.
  • Data moves fluidly between applications, devices, and the cloud. Traditional data protection tools find it hard to keep up, especially as data moves between those destinations.
  • False positives shoot autonomous prevention in the foot | Because traditional DLP solutions turn out so many false positives, security teams can’t turn on autonomous prevention features with full faith. Consequently, they end up doing much of the work themselves.

Q5: What shortcomings of DLP does DDR need to fill?

Prior to the advent of Data Detection and Response, DLP was (and in many ways still is) the biggest player on the data protection block. However, DDR came about in response to data security challenges DLP could not address. Here are some, based partly on the report “Getting DLP Right: 4 elements of a successful DLP program” by Gartner analyst Andrew Bales.

  1. Too many DLP programs are “set it and forget it” without building in elements for continuous improvement. This can lead to businesses identifying sensitive data based on first assessments instead of continuously updating their classification tools with context to make sure no sensitive data gets overlooked or lost.
  2. DLP has a narrow view of data. DLP tools tend to focus on only some of the areas where sensitive data can be found, leaving gaps in between. By comparison, DDR can look at all data, all the time, no matter where it goes.
  3. DLP platforms look for patterns to a fault. Traditional DLP tools are trained to look for changes in patterns to find threats. However, there are so many exceptions in which sensitive data can be used outside of its originally predefined parameters that these tools often end up being turned off for generating too many false positives. DDR can detect what is sensitive even across landscapes without normal patterns, such as machine learning (ML) models, source code, and research data.

Q6: What is the main difference between DDR and other data protection tools?

DDR attaches security controls and protections to the data itself, not the environments in which it travels. And it utilizes sophisticated technologies like endpoint sensors, behavioral analytics, and machine learning to do so.

Additionally, unique selling points include:

  • Looking at data in motion | When data is moving, it is at the most risk of ending up in the wrong place. It is the art of catching data exfiltration in the act that sets DDR apart, and not just when malware is beaconing out to a C2 server. This can be copy-and-pasting it to a Slack message, emailing it to a private address, or saving it in a public repository.
  • Focusing on data across all assets | Old Data Loss Prevention solutions secure the box in which the data is stored and often only cover certain boxes. The way business moves today, organizations can’t afford to just watch AWS, OneDrive, or HubSpot. DDR watches data wherever it travels – to endpoints, through the cloud, via email, on-premises, and everywhere.
  • Real-time response | Traditional DLP tools signal teams when an attack is in progress. While better than nothing, you want to catch the threat before it has a fighting chance of getting away with its data exfiltration designs. DDR takes matters into its own hands and blocks the copy-and-paste, prevents the email from being sent beyond the network with sensitive data, and other front-line scenarios that stop data loss at the source.
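The lineage-based classification from Q3 and the inline blocking of data in motion from Q6, shown together as an added illustration (this is example code written for this page, not any vendor's product). It assumes a constructed policy (an M&A folder as the sensitive origin, Slack and personal mail as external destinations) and a constructed trail of file-movement events.

```python
from dataclasses import dataclass

# Constructed policy (hypothetical, not any vendor's): data that originated in these locations
# is confidential whatever a content scan says; these destination schemes leave the org's control.
SENSITIVE_ORIGINS = ("sharepoint://corp/M&A/",)
EXTERNAL_SCHEMES = {"slack", "personal-mail", "public-git"}

@dataclass
class Event:
    action: str        # e.g. "download", "copy", "paste", "email"
    src: str           # URI the data is read from
    dst: str           # URI the data is written to
    content_hits: int  # matches reported by a content (pattern) scan of the moved data

class LineageTracker:
    def __init__(self):
        self.root = {}  # location the data landed in -> root origin it came from

    def classify(self, src, content_hits):
        # Lineage is checked first: a copy of a copy of an M&A file is still an M&A file,
        # even when the copied bytes match no sensitive-content pattern.
        origin = self.root.get(src, src)
        if origin.startswith(SENSITIVE_ORIGINS):
            return "confidential", "lineage"
        return ("confidential", "content") if content_hits > 0 else ("public", "content")

    def record(self, ev):
        self.root[ev.dst] = self.root.get(ev.src, ev.src)  # carry the root origin one hop on

def evaluate(events):
    """Return one (verdict, action, basis) per event; 'block' stops the move inline."""
    tracker, decisions = LineageTracker(), []
    for ev in events:
        label, basis = tracker.classify(ev.src, ev.content_hits)
        if label == "confidential" and ev.dst.split("://", 1)[0] in EXTERNAL_SCHEMES:
            decisions.append(("block", ev.action, basis))
        else:
            decisions.append(("allow", ev.action, basis))
            tracker.record(ev)  # the data only lands at dst if the move was allowed
    return decisions

# Constructed sample trail: a deck with no pattern hits leaves an M&A folder, is copied,
# then pasted into Slack; separately a customer list with hits is mailed to a private address.
SAMPLE_EVENTS = [
    Event("download", "sharepoint://corp/M&A/deck.pptx", "file:///home/u/Downloads/deck.pptx", 0),
    Event("copy", "file:///home/u/Downloads/deck.pptx", "file:///home/u/Desktop/notes.txt", 0),
    Event("paste", "file:///home/u/Desktop/notes.txt", "slack://#general", 0),
    Event("email", "file:///home/u/Documents/readme.txt", "personal-mail://me@example.com", 0),
    Event("email", "file:///home/u/Documents/customers.csv", "personal-mail://me@example.com", 12),
]
```

The paste into Slack is blocked on lineage alone, which a content-only scan of the pasted text would have passed; the customer list is blocked on content, so both signals feed one inline decision.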

Conclusion

It’s a new world for data protection, built for the way that data moves organically through an enterprise, a network, and the world. In complicated IT environments, it is becoming unrealistic to secure all the moving parts in which data can be found.

Instead, Data Detection and Response uses those data movements (lineage), together with the corroborating content evidence, to identify sensitive data accurately, making it one of the most astute, accurate, and autonomous data loss prevention tools on the market today.
