Implementing a Data Detection and Response Strategy: Tips for Success

April 9, 2024

by Josh Breaker-Rolfe

Data is enormously valuable. It can swing elections, supercharge innovations, and even win wars. But, for those same reasons, data presents enormous risks. Cybercriminals constantly seek to steal organizational data to sell on the black market, fuel phishing campaigns, or even destroy a company’s reputation. 

As such, cybersecurity spending has skyrocketed in recent years, with organizations expected to spend nearly $90 billion in 2024. However, a lot of that money will be wasted as buyers choose the wrong solution and implement it incorrectly. 

Data Detection and Response (DDR) is the gold standard of data security solutions. But choosing the wrong one can result in significant financial losses. In this blog, we’ll explore what DDR is and how to choose the right solution so you can successfully implement your DDR strategy.

Understanding Data Detection and Response

DDR solutions identify and respond to data-related security threats and incidents within an organization’s enterprise environment. By combining elements of other data security solutions – including Data Loss Prevention (DLP), User and Entity Behavior Analytics (UEBA), and Endpoint Detection and Response (EDR) – DDR automatically detects potential data breaches and responds to them immediately. DDR solutions work by carrying out four primary functions:

Discovery – DDR solutions log and classify organizational data to determine its sensitivity and record user activity to establish a baseline of normal behavior. 

Anomaly Detection – Based on the data and behaviors logged previously, the DDR solution detects any anomalies and flags them to security teams. 

Response and Remediation – The best DDR solutions automatically respond to an incident, for example by preventing a user from exfiltrating sensitive data. 

Investigation – After responding to an incident, DDR provides security teams with additional context to inform security policies and determine user intent. 

Implementing Data Detection and Response

Successfully implementing DDR relies primarily on selecting the right solution. While they share many similarities, no two DDR solutions are the same. Here’s what you should look for in an effective DDR tool:

Accurate data classification

The most important indicator of a good DDR tool is whether it classifies data by content alone or by content and lineage. Classifying by content alone cannot reliably determine what type of data a file holds; DDR solutions that do so cannot distinguish between, for example, a highly sensitive spreadsheet full of customer information and a relatively benign one full of publicly available contact information. 

Classifying data by lineage provides valuable context. DDR solutions analyze the events surrounding data to determine its sensitivity. For example, suppose a senior finance employee created a spreadsheet full of numbers and shared it with only a few other senior employees. In that case, the likelihood is that this is sensitive information. When a solution can determine what’s sensitive and what’s not, it can block sensitive data from being downloaded to a personal device. 

By classifying data this way, DDR solutions are much less likely to spew false positives, making automatic response possible. Automatic response is essential because many security breaches happen in seconds; the likelihood that a security team, once alerted, could respond quickly enough to prevent exfiltration is exceedingly small. If the DDR solution classifies by content alone, resulting in false positives, this will prevent employees from carrying out even the most mundane tasks and significantly impact productivity. 

Detailed investigations

The best DDR solutions provide security teams with a comprehensive workflow after an incident. This workflow maps out a piece of data’s history, from creation to exfiltration, so that security teams can understand intent. For example, if an employee has changed the name of a file to hide the fact that they are exfiltrating sensitive data, the workflow will make this clear to security teams.

Some solutions go even further, such as recording a user’s screen moments before an incident and copying the data for forensic review. Organizations should look for solutions that integrate with a Security Information and Event Management (SIEM) tool for further review. 
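To make the lineage-versus-content argument above and the investigation workflow concrete, here is an added example (not code from the article or from any DDR vendor) that replays a constructed event stream in a hypothetical schema, scores each file's sensitivity purely from who created it and how widely it was shared, blocks a download of sensitive data to a personal device, and hands the analyst the full file history so a rename intended to disguise the file is visible. The role names, event schema and scoring thresholds are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample event stream in a hypothetical schema (not a vendor format):
# (event_type, actor, actor_role, file_id, detail)
EVENTS = [
    ("create",   "alice", "finance_director", "f1", "q3_forecast.xlsx"),
    ("share",    "alice", "finance_director", "f1", "bob;carol"),
    ("create",   "dave",  "marketing",        "f2", "press_contacts.xlsx"),
    ("share",    "dave",  "marketing",        "f2", "all-staff"),
    ("rename",   "bob",   "finance",          "f1", "holiday_pics.xlsx"),
    ("download", "bob",   "finance",          "f1", "personal-laptop"),
    ("download", "erin",  "marketing",        "f2", "personal-laptop"),
]

SENIOR_ROLES = {"finance_director", "cfo", "ceo"}  # assumed org role map

def sensitivity_from_lineage(history):
    """Score sensitivity from who created the file and how widely it was shared.
    The file name and contents are deliberately ignored (lineage-only)."""
    score = 0
    for etype, _actor, role, _fid, detail in history:
        if etype == "create" and role in SENIOR_ROLES:
            score += 2          # authored by a senior role
        elif etype == "share":
            recipients = detail.split(";")
            score += -2 if "all-staff" in recipients else 1  # broad share = less sensitive
    return "sensitive" if score >= 2 else "low"

def decide(event, history):
    """Automatic response for one event given the file's lineage so far."""
    etype, _actor, _role, _fid, detail = event
    if etype != "download" or detail != "personal-laptop":
        return ("allow", [])
    if sensitivity_from_lineage(history) != "sensitive":
        return ("allow", [])
    # Investigation context: the whole history, so the analyst sees the
    # original name from the create event alongside the later rename.
    evidence = [f"{e[0]} by {e[1]}: {e[4]}" for e in history]
    return ("block", evidence)

def process(events):
    """Replay the stream; return a decision per download keyed by (actor, file)."""
    lineage = defaultdict(list)
    decisions = {}
    for ev in events:
        lineage[ev[3]].append(ev)
        if ev[0] == "download":
            decisions[(ev[1], ev[3])] = decide(ev, lineage[ev[3]])
    return decisions
```

Bob's download of the renamed finance spreadsheet is blocked with the create/share/rename trail attached, while Erin's download of the all-staff contact sheet is allowed because its lineage marks it low-sensitivity despite both being spreadsheets.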

A focus on data in motion

Organizations should look for a DDR solution that focuses on data in motion, not just at rest. Rarely used data presents little risk to an organization, but constantly used data does. Moreover, considering the computational and financial cost of scanning data, a DDR solution that only scans data once it is in motion will save organizations significant resources. 

Comprehensive data logging

The reality of modern workplaces is that data rarely stays in one place. It flows from user to user, device to device, and application to application. To ensure comprehensive protection, it’s essential to look for a DDR solution that logs data both within your internal environment and across your extended enterprise.

Josh is a Content writer at Bora. He graduated with a degree in Journalism in 2021 and has a background in cybersecurity PR. He’s written on a wide range of topics, from AI to Zero Trust, and is particularly interested in the impacts of cybersecurity on the wider economy. 
