DLP and DSPM: Navigate policy challenges and quiet alert noise

As practitioners battle DLP policy inconsistency and alert fatigue, a wave of complementary DSPM deployments is coming. Learn how to get the most bang for your buck.

At a data security seminar in July, I had the opportunity to sit down with practitioners and talk about data loss prevention challenges and how data security posture management connected to their DLP strategies. The challenges these defenders said they struggled with underscored research that Enterprise Strategy Group, now part of Omdia, published earlier this year -- but had some interesting tactical nuances.

Every organization needs to take steps to avoid data loss, albeit with differences in what comprises sensitive data. Compliance drove practitioners from one large California enterprise, with revenue north of $10 billion, to protect against data leakage. The two major challenges they faced revolved around policy consistency across their DLP stack and reducing alert noise.

Their sentiments echoed those in the Enterprise Strategy Group report "Reinventing Data Loss Prevention." One-third of respondents said they were frustrated with establishing, managing and tuning DLP policies, and 31% expressed frustration around investigations and gathering context around potential true-positive DLP alerts.

I mentioned in an earlier article that most enterprises take a portfolio approach to DLP and have an average of six different DLP tools. Their DLP policy experience reflected what we found in our research, with 61% of respondents saying they have a common set of policies across the entire DLP environment, whether with a single or multiple tools.

Technology flux and swapping out DLP tools

Our research found that 41% of respondents planned to swap out an enterprise DLP tool. Such migrations occur for various reasons, including deploying improved DLP technology to achieve better outcomes and consolidating DLP tools to simplify management and reduce costs.

The practitioners were in the midst of that change, moving from Symantec DLP Vontu to Microsoft Purview DLP. Ideally, migration is a matter of uninstalling one agent and installing another, but life isn't that simple. This transition took around six months because they had to recreate and tune policies to use Purview. Organizations considering such a migration need to budget adequate time and staffing.

Data security evolution: Using DSPM and DLP

Data security posture management (DSPM) and DLP are two sides of the same data security coin. DSPM provides visibility into data and assesses the risk to sensitive data. It typically focuses on structured data and, by locating and categorizing sensitive data, lets teams understand the state of that data, its access patterns and its risk signals. It answers questions such as: Is personally identifiable information in data store X subject to privacy regulations? Who has access to that data? Who has not used that access in the past three months?

A wave of DSPM deployments is hitting in the next year: according to research into data resilience, 40% of respondents plan to deploy DSPM, on top of the 35% that already have a DSPM tool in use.

In contrast to DSPM's focus on structured data and achieving an optimal security posture, DLP focuses on unstructured data and makes sure it does not slip out the door. DLP is frequently part of an insider risk management program. DLP works across endpoints, networks, email and cloud services to alert on or block risky data behaviors.

Data labeling with DSPM to improve DLP

One of the challenges that comes to light in DLP programs is data labeling. Data labeling is the process of assigning categories or tags -- confidential, public, general and so forth -- to information based on its sensitivity, value or regulatory requirements. Labels enable DLP systems to identify the sensitivity of data, understand data movement and apply automated and accurate enforcement. Comprehensive and accurate labeling enables DLP systems to reduce false positives and better protect data as it flows through the enterprise.

Unstructured data is scattered throughout the enterprise, and most of it is not labeled. When it came to the practitioners' sensitive data, an average of 56% of data was discovered, and 40% of the discovered data was classified. Microsoft Information Protection is the label framework within Microsoft Purview, and DSPM can provide those sensitivity labels to help classify data and enforce policies.

Copilots are bringing this problem to the fore. Users can now use large language models, or LLMs, and copilots to search huge volumes of data that were previously unknown and "secure through obscurity." HR might be creating a layoff list in their department, but employees using their favorite copilot might stumble across that list by searching for their names. The key is appropriately labeling documents so that they can be secured and excluded from search.

The practitioners I spoke with mentioned that labeling active documents did not pose a problem, but "untouched" or "dormant" documents were problematic. Labeling such documents, which often contain sensitive data, is a prime area where DSPM can complement DLP.

DSPM provides data discovery across hybrid and multi-cloud environments, and this complements Microsoft Purview, which predominantly focuses on Microsoft environments.
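As an added illustration (not code from the article or from any vendor's product), here is a small Python model of the DSPM-to-DLP hand-off described in this section and in the DSPM section above: a discovery pass labels dormant, unlabeled documents, a stale-access query answers the "who has not used that access in the past three months" question, and a label-aware DLP rule blocks confidential content while suppressing the false positive that a content-only pattern would raise on a public document. All paths, documents, dates, principals and the SSN-shaped pattern are constructed sample data.

```python
import re
from datetime import date

# Constructed inventory: active documents already carry a label from the
# authoring workflow; the dormant HR file was never labeled (the DSPM gap).
DOCS = {
    "hr/layoff-list.xlsx": {"label": None, "modified": date(2024, 11, 2),
                            "text": "Jane Doe, SSN 123-45-6789, severance"},
    "marketing/brochure.pdf": {"label": "public", "modified": date(2025, 6, 30),
                               "text": "Catalog part 987-65-4321 now shipping"},
    "finance/q2-plan.docx": {"label": "confidential", "modified": date(2025, 7, 1),
                             "text": "Revenue forecast for Q2"},
}
# Constructed access log: (principal, path, date the access was last used).
ACCESS = [("alice", "hr/layoff-list.xlsx", date(2025, 2, 1)),
          ("bob", "hr/layoff-list.xlsx", date(2025, 7, 10)),
          ("carol", "finance/q2-plan.docx", date(2025, 7, 12))]
TODAY = date(2025, 7, 15)
# Content-only DLP rule (US SSN shape); it also fires on the brochure's part number.
SSN_LIKE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def classify_dormant(docs, today=TODAY, dormant_days=90):
    """DSPM-style pass: label documents that are unlabeled and untouched."""
    applied = {}
    for path, doc in docs.items():
        if doc["label"] is None and (today - doc["modified"]).days >= dormant_days:
            doc["label"] = "confidential" if SSN_LIKE.search(doc["text"]) else "general"
            applied[path] = doc["label"]
    return applied

def stale_access(access, today=TODAY, days=90):
    """Who holds access they have not used in the last `days` days?"""
    return sorted((who, path) for who, path, last in access
                  if (today - last).days > days)

def dlp_decision(docs, path, text):
    """Label-aware DLP rule for an egress event such as an email attachment."""
    label = docs.get(path, {}).get("label")
    if label == "confidential":
        return "block"
    if label in ("public", "general"):
        return "allow"  # a trusted label overrides the noisy content rule
    return "alert" if SSN_LIKE.search(text) else "allow"  # unlabeled: content only

if __name__ == "__main__":
    print("newly labeled:", classify_dormant(DOCS))
    print("stale access:", stale_access(ACCESS))
    for path, doc in DOCS.items():
        print(path, "->", dlp_decision(DOCS, path, doc["text"]))
```

Run before and after `classify_dormant`, the HR file moves from a content-only "alert" to a label-driven "block", while the public brochure stays "allow" even though the SSN-shaped pattern matches its part number.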

The alert noise problem: Finding the noise cancellation button

While policies pose one pain point for DLP teams, the other major issue is alert noise and the time required to triage and investigate alerts. In the Enterprise Strategy Group research, 82% of respondents said the time and resources required to respond to DLP alerts either pose a significant burden affecting other priorities or require priority trade-offs. False positive alerts accounted for an average of 38% of all alerts. Such noise reduces staff effectiveness and productivity and diminishes trust and vigilance for security teams.

So what is the tie-in between DSPM and DLP?

DSPM is a major area of interest for enterprises as they try to better understand their data flows, and while it is a discrete category for many vendors, some of those DSPM players are expanding the value they provide. Combining DSPM and DLP orchestration enables enterprises to better solve the alert noise problem. By orchestrating investigations across different tools, the DSPM+DLP solutions -- for example, Cyera and Concentric AI -- can allow enterprises to streamline investigations and avoid swiveling between consoles.

The action plan

What are some steps you can take to improve your data security program and chip away at the DLP alert noise problem? Consider the following.

  • Reevaluate your DLP security portfolio. Make sure your tools continue to deliver against your needs, but also look for emerging response strategies to new data loss vectors. For example, GenAI applications are a prime avenue for data loss, and nascent vendors are providing innovative tools to mitigate the risk. Traditional vendors might not have the technology stack or expertise to adequately solve this data loss vector.
  • Look for ways to streamline investigations. Existing vendors are delivering new ways to streamline investigations -- for example, Microsoft Purview AI-powered Alert Triage Agents, Forcepoint automated triage and unified investigations, and Proofpoint automated alert triage -- and emerging data security platform players are orchestrating investigations across the multi-vendor DLP security stack to speed alert resolution.
  • Budget time and people for change. The status quo is evolving as enterprises shift DLP investments. Migrating DLP technologies requires adequate time and people. And your new DLP stack should result in decreased alert noise and reduced investigation times, freeing up staff from alert triage drudgery. Data security platforms combining DSPM and DLP functionality offer the prospect of reducing alert noise and streamlining investigations with better context.

DLP investments enable you to mitigate the security risk that comes from insider risk and external threat actors and comply with the regulations affecting your enterprise. The above steps will help you optimize to get the biggest bang for your DLP and DSPM buck.

These are exciting times in the data security space, particularly around DLP and DSPM technologies. If you are a new technology player with an innovative approach, I would like to hear about it. You can reach me through LinkedIn.

Todd Thiemann is a principal analyst covering identity access management and data security for Enterprise Strategy Group, now part of Omdia. He has more than 20 years of experience in cybersecurity marketing and strategy.

Enterprise Strategy Group is part of Omdia. Its analysts have business relationships with technology vendors.
