The content of this post is solely the responsibility of the author. LevelBlue does not adopt or endorse any of the views, positions, or information provided by the author in this article.
Almost every company has a system for organizing file storage, which employees use regularly. Streamlining data storage in a corporate environment is not just about improving business processes; it is also about ensuring security. It is challenging to protect data if you do not know where it is stored, what it contains, its value, who owns it, who has access to it, and what its most significant threats are. This is where Data-Centric Audit and Protection (DCAP) systems come into play.
The Role of DCAP in Data Security
Data-Centric Audit and Protection (DCAP) is a security approach that focuses on protecting data as its primary objective. Often, the goal of DCAP is to safeguard data that is at rest and not actively processed. This method uses content-based access control, prioritizing the content itself rather than the file system objects.
Many of the data breaches that make the news stem from violations of sensitive-data storage rules, and this is a very common occurrence. Data is constantly in motion and being reorganized, which is a normal part of business operations: a company adds new drives, copies data, forgets to delete or export it, and so on. DCAP helps identify such cases, control where sensitive data is stored, and manage it effectively within the organization. Moreover, every organization now must conduct a thorough audit of its handling of personal data, which is impossible without a DCAP. By implementing DCAP, organizations can demonstrate a strong security posture, which helps when applying for cyber insurance or meeting compliance requirements.
The Five Stages of Data-Centric Audit and Protection
It makes sense to divide the work of a DCAP system into several interconnected stages, during which the system identifies violations of corporate policies and helps to eliminate them.
1. Data Collection
A DCAP system can monitor data on file servers, local hosts, and shared folders. It integrates information from Active Directory and other sources. While DCAP can gather information over the network and parse logs from other systems, its primary method of data collection is through agents installed on workstations, servers, and network storage. The completeness and quality of this original data are crucial for effective auditing and secure storage of information.
2. Data Classification and Sorting
After scanning the sources, DCAP classifies the information to identify data that may be valuable to the company. It uses over a dozen content analysis technologies, such as dictionaries, morphology, digital fingerprints, the Bayesian method, and others, to accurately classify the information.
3. Analysis
Classification is just the foundation for collecting information security events and identifying threats. During the information collection stage, DCAP records access rights for each object in its database. This allows it to identify common risks, such as documents with shared access or unusual sets of permissions. DCAP can determine the real owners of files, highlight frequent users of specific data, and identify areas with redundant access.
Dynamic analysis offers even more capabilities: it monitors changes, movements, and openings of documents containing critical data, as well as modifications to access rights for documents or folders and the creation or alteration of permissions. These events, along with many others, are not only recorded by the system but also evaluated for information security risks.
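As an added illustration of stages 2 and 3 (not code from the original post or from any DCAP product), the following Python script runs a minimal dictionary/regex classifier over constructed file records and then flags sensitive files that are shared with broad groups or held by principals who never actually used their access. The record format, the principal names, and the "recent users" audit window are all assumptions made for the example.

```python
import re

# Constructed sample of what a DCAP agent might report per file: path, a content
# snippet, and the ACL (principal -> permission). Hypothetical format, not a real product's.
SAMPLE_FILES = [
    {"path": "/srv/share/hr/salaries_2024.xlsx", "text": "SSN 123-45-6789 salary band",
     "acl": {"Everyone": "read", "hr-team": "modify", "j.doe": "full"}},
    {"path": "/srv/share/public/newsletter.docx", "text": "quarterly newsletter",
     "acl": {"Everyone": "read"}},
    {"path": "/srv/share/finance/cards.csv", "text": "card 4111 1111 1111 1111 exp 12/26",
     "acl": {"finance": "modify", "a.smith": "read", "former-contractor": "full"}},
]

# Stage 2: a tiny regex classifier standing in for the content-analysis technologies
# the post lists (dictionaries, fingerprints, Bayesian scoring). Constructed patterns.
CLASSIFIERS = {
    "PII": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),   # US SSN-shaped token
    "PCI": re.compile(r"\b(?:\d[ -]?){13,16}\b"),  # card-number-like digit run
}
# Principals whose presence on a sensitive file's ACL counts as "shared access".
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}


def classify(text):
    """Return the set of sensitivity labels whose pattern matches the content."""
    return {label for label, rx in CLASSIFIERS.items() if rx.search(text)}


def analyze(files, recent_users=None):
    """Stage 3: return (path, risk, principals) findings for sensitive files.

    recent_users maps path -> set of principals seen opening that file in the
    audit window; principals holding rights but never using them are 'redundant'.
    """
    recent_users = recent_users or {}
    findings = []
    for f in files:
        if not classify(f["text"]):
            continue  # not sensitive: no finding regardless of permissions
        broad = BROAD_PRINCIPALS & set(f["acl"])
        if broad:
            findings.append((f["path"], "shared-access", sorted(broad)))
        unused = set(f["acl"]) - broad - recent_users.get(f["path"], set())
        if unused:
            findings.append((f["path"], "redundant-access", sorted(unused)))
    return findings
```

In a real deployment the classifier output and ACL snapshot would come from the collection stage, and each finding would feed the response and reporting stages described next.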
4. Response
DCAP offers several response options. At a basic level, it can send notifications through various channels. Additionally, the DCAP system can execute scripts and transmit data to external systems.
In addition to the standard response functions, DCAP systems can offer expanded capabilities, such as shadow copying of data. This means that the security officer not only receives a record of the incident but also a complete copy of the data related to the event. This allows for a quick assessment of the incident's severity and enables immediate action if necessary.
DCAP can block a user's account if there is reason to believe it has been compromised. A similar approach is applied to identified threats. DCAP owners do not need external tools, as DCAP includes its own incident response module, where information about the incident can be sent for analysis. Incident response can be automated based on pre-defined rules or triggered by anomaly detection. Here, DCAP could potentially integrate AI to enable even faster and more sophisticated incident response.
5. Reporting
A good DCAP system includes a well-developed reporting feature, complete with a convenient dashboard featuring tables and graphic widgets. Users typically have access to several dozen preset reports covering all necessary aspects of the collected database. Each template can be customized to meet individual needs. If further customization is required, users can create their own reports from scratch using the report designer.
Technical Aspects of DCAP Implementation
Experience shows that even large IT companies often avoid writing their own software for specific tasks. Instead, they typically turn to highly specialized organizations for ready-made solutions. They receive an out-of-the-box tool that includes custom scripts tailored to their specific needs. A pilot project helps to evaluate these needs more accurately and to plan the exact implementation configuration.
Modern DCAP systems support both hardware and software storage, primarily focusing on local storage. The physical form of the storage is less important; what matters is that all data is comprehensively covered and protected.
DCAP systems collect metadata, including standard metadata contained within files and specific metadata for formats like DOC, XLS, and JPG. DCAP owners often request vendor support for file marks, such as watermarks, which DCAP systems must be able to detect.
A sound DCAP system stores metadata in the most efficient and compressed way, and it supports the option to upload data. The archive of events for a year occupies a fixed amount of space. It is important to note that the files themselves are not stored; only metadata, links, and tags are kept. The disk space consumed by the DCAP database can therefore be scaled easily.
DCAP can also track access rights to other systems and sites, as well as audit data usage, such as who opened which files, from where, and in what context the user interacts with the data. This creates a comprehensive view of user actions displayed in an easy-to-use interface. Additionally, DCAP is an effective countermeasure against ransomware, as it reduces the attack surface by strictly limiting data access.
DCAP integrates with various systems, depending on the customer's needs. Basic information is collected from the infrastructure, such as files, accounts, and events. The rest depends on the specific tasks and cases. This data can be sent to a SIEM or access control system or retrieved from them. Integration with DLP and other systems is also supported by most vendors.
Experts highlight the importance of this integration as well as the acquisition of external data to enrich the information already collected by DCAP. The more data sources DCAP supports, the more complete and clear the picture becomes.
DCAP is very flexible, capable of sending and receiving data from various systems and processing it based on specific cases. At the same time, the system consistently works accurately without disrupting business processes.
Trends and Future Directions in DCAP Development
Today, many customers purchase DCAP but only use about half of its capabilities because they lack the resources to quickly prepare the entire infrastructure, resulting in a gradual implementation process. Increased automation and higher customer maturity are anticipated, as DCAP systems are a crucial part of a company's cyber defense.
The market is evolving towards automation, aiming for a "one button" solution that, when pressed, ensures everything is correctly configured. Over time, DCAP will likely incorporate all DLP features and transition entirely to cloud services. Eventually, DCAP functions may be integrated into the operating system, much like firewalls and antivirus software have been.
Conclusion
DCAP systems implement "zero trust" policies, rights minimization, and auditing of access and information flows. They enable professional, competent classification of any type of data. By collecting data from various sources, DCAP identifies and highlights problems and anomalies that are not visible in other systems. This ensures order in the company's infrastructure and a transparent organization of employees' interaction with valuable data. DCAP reveals both the actual state of the infrastructure and the desired one. If all recommendations are followed and risks are mitigated, the attack surface is significantly reduced.