Data Loss Prevention vs. Database Compromise and Exfiltration

Data Loss Prevention solutions are an integral part of your security infrastructure, helping to prevent both inadvertent and deliberate disclosure of sensitive data. What happens when you want to secure the entire database from being exfiltrated, not just individual records or files? The core function of DLP is not designed for this type of exfiltration attempt.

DLP (Data Loss Prevention) is depicted at the top left of the diagram, where a credit card number format, Social Security number, or medical record is discovered, either as typed text or as a file attached to an email. DLP looks for such data in correspondence or a web app submission, acting as a second set of electronic eyes. On detection, DLP prevents transmission of the sensitive data and alerts the user and the IT Security Team that sensitive data within individual records is leaking.

Individual records are also secured by applications within a multitier environment. That environment might be two or more tiers deep; Web tier to Middleware tier to Database tier would be called a three-tier architecture. Typically, the first tier is a user computer connecting to a front-end or web-tier system. The web tier authenticates the user and allows access to only a limited number of data records, usually just that user's own data, such as their bank account. The web tier in turn connects to the back-end database, but only for that one user's account. The back-end database holds millions of other account-holder records that are not accessible to the logged-in user. Multitier architecture seeks to protect the entire database behind the front-end web tier.

In contrast, HOPZERO identifies and protects an entire back-end "Crown-Jewel" database server as a whole, preventing data exfiltration by limiting DataTravel (how far an individual packet can travel) to a small "Sphere of Trust" perimeter, keeping vital data inside the data center or organization.

The HOPZERO Data Compromise Prevention System accomplishes this by managing the "packet lifetime value" inside every data packet header sent from any server using TCP/IP. The technical term is "time-to-live" (TTL), more commonly known as the HOP value. The HOP value controls and limits how many routers data may traverse. By default the HOP value starts at a large number, allowing worldwide DataTravel. Each router decrements the HOP value by one. With the default value, a packet can usually travel across the globe before decrementing to zero, which is what ensures it can reach its intended destination. If the packet gets lost in the network, the HOP value eventually decrements to zero, causing the router to expunge the packet from further travel. Because the default value on every computer is large, all data can by default go worldwide. Database and other servers holding vital bulk data never have a reason to send data beyond the data center, much less beyond the company perimeter. Those servers have a very high data exfiltration potential and are the main targets of hackers. HOPZERO learns how far each server's data needs to travel to keep it safe inside the data center, out of reach of external criminals, and sets a smaller distance that lets the data go where it is needed inside the network but stops it from going outside. When the HOP value reaches zero, the packet stops, limiting how far it can travel. That setting keeps vital crown-jewel data inside even when criminals try to take it out, and even when firewalls are absent or not correctly configured.

HOPZERO sets the crown-jewel server's DataTravel distance, and that distance is enforced by every router on the path. Essentially, HOPZERO adds a "blocking firewall" at every router in a network path. By setting the limit at the vital server endpoint to, say, three routers out, HOPZERO's system will stop DataTravel at any router three hops away, regardless of whether a firewall is present. With HOPZERO, routers act as a block, discarding the packets when the HOP value decrements to zero, which is the origin of the name HOPZERO.
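As an added illustration, and not HOPZERO's own code or enforcement mechanism, the following Python models the hop-limit behaviour described above: a constructed topology of router distances from a database server, a function that picks the smallest TTL that still reaches every legitimate internal peer, and a check of which destinations remain reachable afterwards. It also sets that TTL on a socket through the standard IP_TTL option, which is one host-side way to apply such a limit; all host names and distances are made up for the example.

```python
"""Added example (not HOPZERO's code): simulate the article's hop-limit idea.
Every router decrements the packet's TTL/HOP value and discards the packet when
it reaches zero. We model hop distances from a crown-jewel DB server, "learn" the
smallest TTL that still reaches every legitimate internal peer, and check that a
distant external host is then out of reach. Topology and names are constructed."""
import socket

# Constructed sample topology: number of routers a packet from the DB server
# must cross to reach each destination (hypothetical names and distances).
SAMPLE_ROUTERS_TO = {
    "app-tier-01": 1,    # middleware in the same data center
    "web-tier-01": 2,    # front-end web tier
    "backup-site": 3,    # DR site inside the organization's perimeter
    "external-host": 9,  # somewhere on the Internet
}
LEGITIMATE_PEERS = {"app-tier-01", "web-tier-01", "backup-site"}

def packet_reaches(ttl: int, routers: int) -> bool:
    """Walk the path router by router: each one decrements TTL and drops at zero."""
    for _ in range(routers):
        ttl -= 1
        if ttl <= 0:
            return False  # this router expunges the packet
    return True

def learn_hop_limit(routers_to: dict, peers: set) -> int:
    """Smallest TTL that still reaches every legitimate peer (N routers away needs N+1,
    because the Nth router would decrement an arriving TTL of 1 to zero and discard it)."""
    return max(routers_to[p] for p in peers) + 1

def reachability(routers_to: dict, peers: set) -> dict:
    """Which destinations the server can still reach once the learned limit is applied."""
    ttl = learn_hop_limit(routers_to, peers)
    return {name: packet_reaches(ttl, n) for name, n in routers_to.items()}

def socket_hop_limit_demo(ttl: int) -> int:
    """Create a UDP socket, set its outbound TTL (IP_TTL option), and read it back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)
        return sock.getsockopt(socket.IPPROTO_IP, socket.IP_TTL)

if __name__ == "__main__":
    print("learned limit:", learn_hop_limit(SAMPLE_ROUTERS_TO, LEGITIMATE_PEERS))
    print(reachability(SAMPLE_ROUTERS_TO, LEGITIMATE_PEERS))
```

The off-by-one matters in practice: a host N routers away needs TTL N+1, so measure distances from the server itself before choosing the limit.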

While DLP and multitier architecture are excellent security solutions, they only seek to protect individual data records from deliberate or accidental compromise. HOPZERO protects the full back-end bulk account database from a hacker connecting directly and taking the entire database. This is the absolute worst type of data compromise, because all data can be exfiltrated through direct-connect access to the back-end database. Although criminals might like a few single records, what they most desire is full bulk database access to millions of records.

With HOPZERO, a criminal cannot take a server's data outside the data center or company, because the packets stop after traveling the distance HOPZERO sets to protect the data.

Combining both DLP and HOPZERO DataTravel limits completes the most powerful data protection solution. Firewalls provide primary limits, while DLP and HOPZERO provide a secondary method of keeping all data safe inside an organization.

HOPZERO's visibility maps show where vital data travels from every computer inside your internal network or out to the Internet worldwide. Seeing where your data is traveling opens eyes to the risk and to how to mitigate it with DLP and/or HOPZERO.

Start your HOPZERO DataTravel adventure, and let us show you where your most vital data can travel.

Proofpoint DLP Solutions:

  1. Focus on Individual Data Records: Proofpoint DLP is designed to identify and protect sensitive information within individual data records. This includes formats like credit card numbers, Social Security numbers, or medical records, either as typed text or in file attachments.
  2. Operational Scope: DLP operates primarily at the point of data transmission, such as emails or web application submissions. It serves as a second set of eyes, detecting sensitive data in outgoing communications and preventing its unauthorized transmission.
  3. Alert and Response: Upon detecting sensitive data, DLP solutions alert both the user and the IT security team, blocking the transmission and thereby preventing data leakage.
  4. Integration with Multi-tier Architectures: DLP solutions also function within multi-tier environments, securing individual records at different layers, from the user-end all the way to the database back-end.

HOPZERO:

  1. Server-level Data Protection: HOPZERO's focus is broader, targeting the protection of entire databases or "Crown-Jewel" servers. It prevents data exfiltration by managing the DataTravel distance of each data packet, effectively keeping vital data within a defined "Sphere of Trust".
  2. Packet Lifetime Management: HOPZERO uses the TTL or HOP value within packet headers to control and limit the number of routers data may traverse. By setting a limited travel distance for data packets, it ensures that vital data cannot be exfiltrated beyond the organization's data center.
  3. Network-wide Enforcement: HOPZERO's methodology effectively adds a layer of security at the router level, creating a de facto "blocking firewall". This means that even if a server is directly accessed, the data cannot travel beyond a certain physical distance, safeguarding against full database compromises.
  4. Complementary to Firewalls and DLP: While HOPZERO provides a unique approach to data security, it is most effective when used in conjunction with traditional firewalls and DLP solutions. This multi-layered security strategy ensures both individual data record safety and whole-database protection.

In summary, while Proofpoint’s DLP solutions excel in protecting individual data records from unauthorized transmission, HOPZERO focuses on a broader scale, securing entire databases from exfiltration by limiting data packet travel within a network. This contrast highlights the importance of a layered security approach, where different tools and methodologies are employed in tandem to provide comprehensive protection against various types of data breaches and security threats.

Dan Matics

Senior Media Strategist & Account Executive, Otter PR

1 month

Great share, Bill!

Reply
Monikaben Lala

Chief Marketing Officer | Product MVP Expert | Cyber Security Enthusiast | @ GITEX DUBAI in October

1 year

Bill, thanks for sharing!

Reply
