DDR: Comprehensive enterprise data security made easy

Data is precious to any organization, serving as the foundation of day-to-day operations.

And it’s also highly coveted by outsiders.

Data is the target of most cyberattacks and is one of the easiest ways to profit from hacking. And hackers don’t discriminate; no organization is immune, as evidenced by numerous recent high-profile breaches and insider threats – from the Supreme Court to Facebook to TikTok.

This has led many to question the effectiveness of existing cybersecurity tools, particularly with the proliferation of cloud computing and multicloud environments, and the complexity and decreased transparency that ensue. But a new model is emerging, and some say it is set to reinvent the cybersecurity space: data detection and response (DDR).

This new data-centric approach, according to companies specializing in it, provides instant visibility into data stores and real-time protection and response capabilities.

“DDR is a new form of enterprise data protection, a radically different approach to protecting enterprise data,” said Howard Ting, CEO of DDR platform company Cyberhaven. “It offers more comprehensive coverage of data, is much more accurate in classification and risk identification and is much simpler to deploy and manage.”

Breaches at an all-time high

According to research from the Ponemon Institute, the cost of a data breach is at an all-time high – averaging $4.2 million in 2021. This reflects a 10% year-over-year increase from 2020 ($3.86 million), due in large part to the near-overnight shift to remote work and digital transformation amidst the pandemic. Costs are also amplified by system complexity and compliance failures, according to the Institute.

The “most common initial attack vector” was compromised credentials. These accounted for 20% of breaches. The second most common was phishing (17%); the third, cloud misconfiguration (15%). The highest average breach costs were due to business email compromise and malicious insider threat, the Institute reports.

Organizations that were able to successfully mitigate breaches were those with strong security AI tools and those that observed a zero-trust approach. What’s more, organizations further along in their cloud modernization contained breaches on average 77 days faster, according to Ponemon.

As risks and threats increase, the cybersecurity and cloud security markets continue to expand. Fortune Business Insights, for instance, forecasts that the overall cybersecurity market will grow to more than $376 billion by 2029, representing a compound annual growth rate (CAGR) of 13.4%. The global cloud security market, meanwhile, is anticipated to grow to $36.43 billion by 2028, as reported by Fior Markets – up from $8.33 billion in 2020 and representing a CAGR of 20.25%.

DDR, specifically, is a young enough category that statistics are not yet available, but its leading companies include Cyberhaven and Dig.

Data: The only thing that matters

Cyberhaven was founded in 2014 and calls itself the inventor of the industry’s first DDR platform. It raised $33 million in an oversubscribed series B funding round in December.

As Ting explained, Cyberhaven endpoint sensors monitor various events on a user’s machine, recording and tracking every time a user acts on data. For instance, if they upload or download something or attach an email. User actions trigger and capture events, correlate and “stitch them together” with graph analytics for analysis and risk identification.

“At the end of the day, it’s the data that matters – it’s the only thing that really matters,” said Ting. Existing tools “are not doing a very good job securing that asset, as you can tell from all the breaches that you read about all the time.”

Dig, which emerged from stealth and announced its raise of $11 million in seed funding in May, also identifies itself as the industry’s first DDR solution.

The company discovers all data assets stored in platform-as-a-service (PaaS), infrastructure-as-a-service (IaaS) and database-as-a-service (DBaaS) environments. It classifies structured and unstructured data and provides real-time protection and response, while helping organizations understand how data is being used, according to CEO and cofounder Dan Benjamin.

The company says that it moves “beyond posture solutions” by helping organizations discover, monitor, detect, protect and govern cloud data. As noted by Benjamin, Dig’s engine “responds instantly” to cloud data threats, triggering alerts on suspicious or anomalous activity, helping thwart attacks, exfiltrations and employee data misuse.

It also tracks whether data sources support compliance, ensures that data assets have assigned owners and that access is regularly reviewed, and generates data security and compliance reports to “keep key stakeholders informed and auditors happy.”

Where DLP and DDR diverge

In the report “Getting DLP right: 4 elements of a successful DLP program,” Gartner analyst Andrew Bales acknowledges that DLP (data loss prevention) strategies that are developed independently of business initiatives fail to correctly identify sensitive data, thus exposing organizations to excessive risk of data loss and noncompliance.

Immature DLP programs are “systemically inundated” with recurrent violations and repeat offenders, and many are implemented as a “set and forget” technology without continuous development, he writes. Security and risk management leaders can miss key points in DLP vendor consideration due in part to misidentification of their business’ data-handling use cases and outstanding architectural gaps.

“Many organizations struggle to develop an effective data loss prevention program, viewing success as unattainable,” Bales writes.

A successful DLP program comes about when leaders focus on business objectives, identify data risk factors, decrease DLP violations and take heed of stakeholder frustration, he says.

But DDR providers say it’s still not enough.

“DLP is an ugly four-letter word,” Ting said. “Because it’s caused so much pain.”

Historically, according to Ting, DLP tools have looked just in specific areas. But DDR looks “at all data, all the time, wherever it goes,” he said. “We act on all the data that users interact with.”

The main advantage of DDR is that it’s much more comprehensive and accurate, he said. The solution “can protect any type of file, any type of data, regardless of the file type, regardless of whether it has a well-formed pattern to it,” Ting said.

Traditional DLP tools, by contrast, are narrowly defined to well-formed patterns. But there are a lot of “crown jewels” that enterprises have to protect today that have no patterns, he said. For example, source code, machine learning (ML) models and clinical research data.

Platforms solely basing classification on patterns and specific content result in “high noise,” false positives and user frustration. As a result, organizations will turn off enforcement tools or block them altogether.

“The Achilles heel today is accuracy,” Ting said. In nearly all cases, Cyberhaven’s platform replaces DLP tools. Customers are understanding that DDR is a “transformative approach” and “much richer and accurate” when it comes to classification and securing data.

Data-centricity

As Benjamin pointed out, the number and variety of data assets per organization is exploding. And in the cloud, data is fragmented across multiple clouds and services – a typical enterprise stores its data on more than 20 types of services and thousands of instances. This hampers visibility, context and control over their cloud data, Benjamin said, while also limiting an organization’s enforcement capabilities.

Lack of security and control over these assets leads to shadow data assets, ransomware, data misuse, data exfiltration and compliance breaches, he said.

And ultimately, existing data security tools weren’t built to protect data in the cloud, he contended.

“I’ve spoken to more than a hundred CISOs and hear the same complaints over and over,” said Benjamin. “Companies don’t know what data they hold in the cloud, where it is, or most importantly how to protect it. They have tools to protect endpoints, networks, APIs, but nothing to actively secure their data in public clouds.”

Ting agreed, noting that existing categories have not solved the problem of enterprise data protection, “not even their slice of the problem.” In the case of insider threat, they are also intrusive upon a user’s personal data.

“Our approach is to really focus on the data, as opposed to the user,” he said. With insider threat and insider risk becoming ever more prevalent and significant, this provides a “much more narrowly scoped investigation” and “much more fidelity” into whether a user will become an insider threat.

Overall, Ting contended, people have “kind of given up” on the cybersecurity category.

“There’s a lot of pent-up demand in the market, a lot of pain,” he said.

But he predicted a “resurrection,” saying that data-centric security models will result in a major shift in the cybersecurity industry over the next decade.

As he put it: “DDR is a category that’s ready to explode.”