
Data Security Posture Management (DSPM): Best Practices Guide for CISOs

Discover the right tool for data protection, maintain compliance, and prevent breaches. Learn about Varonis' data-first approach to ensure your organization's security.
8 min read
Last updated Apr 19, 2023


    Protecting your company's data is increasingly difficult, as more and more data is created across your organization.

    You're doing everything you can to prevent breaches, or if you're less fortunate, you've had a data breach and need to work out how it happened.

    On top of that, you've got laws and regulations to comply with: broad laws like GDPR, as well as regulations specific to your region (CCPA) or industry (HIPAA).

    This is why it's so important to have the right tools in place to make this as easy as possible for you.

    And a good DSPM can solve a lot of these problems!


    What is DSPM?

    DSPM (Data Security Posture Management) as a concept isn't new, but the acronym is. Here is Gartner's definition:

    "Data security posture management (DSPM) provides visibility as to where sensitive data is, who has access to that data, how it has been used and what the security posture of the data store or application is. This requires a data flow analysis to determine the data sensitivity. DSPM forms the basis of a data risk assessment (DRA) to evaluate the implementation of data security governance (DSG) policies."

    Often referred to as data risk assessment or data risk analysis, the goal is to get a clear picture of how secure your data is.

    Is your data posture weak or strong? Why is it weak or strong? What can be improved?

    But for many DSPM tools, visibility is where they stop.

    A good DSPM tool not only identifies issues, but also identifies where sensitive data is exposed, automatically remediates that exposure, and actively protects you from breaches.

    In this blog, we'll cover:

    • Why it's important to use a DSPM tool
    • Common mistakes people make when choosing a DSPM
    • How the Varonis data-first approach to DSPM secures your data

    By the end of this article, you'll understand what DSPM tools do, and what features to look for when choosing your solution.

    Want a free data risk assessment and demo of our DSPM capabilities? Book your Varonis test drive now.

    Breaches and compliance

    Before we delve into the pitfalls when choosing a DSPM tool, it's important to understand why using one matters so much. This can be broken up into three sections:

    Breach avoidance

    As a CISO, it's your responsibility to not only protect against breaches, but also report back to management exactly how you're protecting the company.

    This applies just the same if you're a SOC analyst or in a GRC role within your company. You need to reassure the stakeholders that you've got everything under control.

    But this is an uphill battle. Your users are creating more data all the time, so your data security posture is getting worse, not better.

    It's hard to feel confident that you know where all your sensitive data lives, and who can access it. And it's even harder to persuade others of this.

    If an employee decides to go rogue, and grab sensitive data out of Microsoft 365, how would you know? Or if an attacker compromises a user or system, would you have an audit trail to identify what data was affected?

    You want to be aware that these things are happening as they are happening, so you can stop them before they become a problem.

    Post Breach

    And sometimes, it's just too late!

    So when a breach happens, you need to be able to answer a few key questions:

    • How did it happen?
    • What was stolen?
    • How can we prevent it from happening again?

    And the last thing you want to hear when you're in the middle of an incident is "I don't know" to any of those questions.

    You can bring in the best investigators in the world, but without a DSPM tool like Varonis, these questions will be very hard to answer. And that can mean your job!


    Compliance

    Another vital reason for using a DSPM tool is to both ensure compliance, and prove it.

    From GDPR to the SEC, every company has data laws and regulations they have to adhere to. You're not just answerable to management here, either. Auditors will come in and expect to see you're making progress, and prove you know where all your customer data is.

    For example, healthcare organizations have to carry out frequent HIPAA audits, making sure their sensitive data is only accessible to the right people.

    Failure to do so can have catastrophic ramifications, with HIPAA penalties reaching as high as $16 million.

    Whatever regulation it is, you need to prove your data is protected, which is impossible without a DSPM.

    Picking the right DSPM

    Considering the significant impact these three things could have on your company, it's clear that it's not just important to use a DSPM tool, but also vital to choose the right one.

    There are three dimensions of data your DSPM tool needs to address:

    1. Sensitivity
    2. Permissions
    3. Activity

    If any of these is missing, it's hard to make much progress, and it becomes impossible to automate.

    As more DSPM tools pop up, though, there are a number of key areas to look at, which will help you make the right decision.


    Coverage

    One of the first things you need to consider is which platforms the DSPM tool covers.

    For example, if you use Box to store most of your company data, you'll want to choose a tool that covers Box.

    But it's not quite that simple. You also need to look at how deep that coverage goes.

    Many DSPM tools go a mile wide with coverage, but only an inch deep. They might support Box, but if they don't offer much Box-specific functionality, it won't help you very much.

    Our philosophy at Varonis is to focus on the platforms where most of our customers have most of their sensitive data (Google Drive, Microsoft 365, Salesforce, etc.) and provide deep coverage for those specific tools.

    Our cloud-hosted architecture also allows us to add new integrations faster all the time, so we're able to provide more and more coverage, with the features you need.


    Accuracy

    This might sound obvious, but if the findings aren't accurate, a DSPM tool can do more harm than good.

    For example, if a DSPM tool audited Google Drive and reported that a certain file held patient records, but on further inspection it didn't, you'd lose trust. And without this trust, you have to spot-check the results, which defeats the point.

    Accuracy is also a big factor when you're dealing with alerts.

    If alerts are triggering incorrectly, you'll soon have alert fatigue. Like the boy who cried wolf.

    The first time it incorrectly pings you about Jamie in Sales downloading client data, you take a look. The second time it pings incorrectly? Sure, you might look again.

    But the third time? Meh, what wolf?


    Scale

    There's a huge difference between auditing a terabyte of storage at a startup, and Bank of America's six petabytes of data.

    This is why scale is such an important factor, and can cause a lot of problems if the DSPM tool isn't built for it.

    If you're running classification or permission scans on huge amounts of data, the scan needs to reliably cover everything. If it can't finish for whatever reason, you end up with only half the picture, and half the protection.


    Remediation

    The point of finding these issues in the first place is to resolve them, so you want a DSPM tool that actually helps you do this.

    Built-in remediation means issues can be resolved at the push of a button, or sometimes even without any action at all. Unfortunately, not all DSPM tools give you these remediation tools.

    This quickly results in great visibility over your increasing list of issues, while your data security posture gets worse and worse.

    A data-first approach with Varonis

    Our philosophy at Varonis is to not surface findings you can't fix. We don't just dump out a list of issues, filling you with findings fatigue, we remediate the issues automatically.

    Even if you haven't logged in, Varonis will still find and solve data security issues.

    Real-time visibility

    It's important to see the status of your data, as it is at the moment you're looking.

    This not only keeps you up-to-date, but also means you can be proactive in addressing or fixing concerns.

    We deliver this with a number of features and functions.

    Continuous data discovery

    Varonis is constantly scanning your data, whether it is stored on-premises or in cloud storage.

    You can then view the results of these scans on a real-time dashboard, showing discovery insights, as well as the concentration of sensitive data.

    This gives you a clear view of all the key information at a glance, so it's easy to digest the insights and prioritize solutions.

    Automated data classification

    A key part of staying compliant is being able to see exactly what sensitive data is stored where.

    Our automatic classification has a built-in library of rules, and more than 400 patterns, so we can classify your data accurately.

    This includes all common regulations and standards like GDPR, SOX, PCI, and HIPAA.
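    As an added illustration of how pattern-based classification works, and of why the accuracy discussed earlier depends on validating each match rather than trusting a regular expression alone, here is a small Python classifier. It is example code written for this article, not Varonis' classification engine or its pattern library; the two rules, the category names and the sample document are constructed.

```python
import re
from dataclasses import dataclass
from typing import Callable


@dataclass
class Finding:
    category: str   # regulation or label the match rolls up to
    pattern: str    # which rule fired
    value: str      # the matched text
    line: int       # 1-based line number in the scanned text


def luhn_ok(number: str) -> bool:
    """Luhn checksum: rejects most digit strings that merely look like a card number."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_ok(value: str) -> bool:
    """Structural SSN rules: area 000/666/9xx, group 00 and serial 0000 are never issued."""
    area, group, serial = value.split("-")
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


# (rule name, category, regex, validator): constructed rules, not a vendor's pattern library
RULES: list[tuple[str, str, re.Pattern, Callable[[str], bool]]] = [
    ("us-ssn", "PII", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), ssn_ok),
    ("payment-card", "PCI", re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"), luhn_ok),
]


def classify(text: str) -> tuple[list[Finding], list[Finding]]:
    """Return (accepted, rejected): regex hits that passed their validator vs. those that did not."""
    accepted: list[Finding] = []
    rejected: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, category, regex, validate in RULES:
            for m in regex.finditer(line):
                f = Finding(category, name, m.group(0), lineno)
                (accepted if validate(f.value) else rejected).append(f)
    return accepted, rejected


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Roll accepted findings up per category, the number a dashboard would show."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


# Constructed sample document: one real-looking SSN, one valid test card number,
# one card-shaped string that fails Luhn, and a placeholder SSN that is never issued.
SAMPLE_TEXT = """Patient: Jane Doe
SSN: 123-45-6789
Card on file: 4111 1111 1111 1111
Invoice ref: 4111-1111-1111-1112
Placeholder: 000-00-0000
"""

if __name__ == "__main__":
    ok, bad = classify(SAMPLE_TEXT)
    print("accepted:", [(f.pattern, f.line) for f in ok])
    print("rejected:", [(f.pattern, f.line) for f in bad])
    print("per category:", summarize(ok))
```

    The two rejected hits are exactly the kind of "patient records that weren't" that erode trust: a scanner that reports every regex match would flag them, while a validator-backed rule drops them before they reach a report or an alert.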

    One-click analysis

    Using our real-time file analysis, it just takes one click to see what sensitive data is in a certain file.

    To make it easier to view, the sensitive data is highlighted, and color-coded to match the different categories of sensitive data (PII, GDPR, etc.).


    Sensitivity labels

    Instead of manually labeling data yourself, you just need to create policies, and we'll label it for you.

    If a policy changes, files that no longer match the policy will be automatically relabeled.

    Varonis also compares existing labels with our classification results, so you can identify misclassified data.

    DSPM dashboards

    By combining your classification results, permissions, and user access activity, we give you a comprehensive view of your data.

    You'll see where your data is most at risk, and create your own DSPM dashboards customized to highlight critical issues. You can also add and customize widgets, so you can monitor compliance and alerts at a glance.

    Reduce the blast radius

    As well as getting a good view of your data, it's also important to look at who can access what data.

    When we talk about reducing the blast radius, the focus is on correlating people with permission and activity. That way, you can proactively make informed decisions that limit who can access sensitive data.

    Advanced visibility

    Varonis gives you a unified console that gives you a view of your data access across your different platforms. This means you and your team don't need to switch between dozens of admin portals to keep on top of things.

    You'll be able to see and understand the risks in your infrastructure, and mitigate them quickly.

    Least privilege automation

    As we mentioned before, a DSPM isn't particularly useful unless it helps you resolve the issues. This is where our autonomous remediation comes in.

    Least privilege automation automatically analyzes data access across your business, and intelligently decides who needs access to what data.

    This continuously reduces your blast radius without any human input, with no risk to the business.

    Customizable remediation policies

    You can either use the ready-made policies Varonis gives you, or personalize them for your organization.

    Sensitivity, location, link type, and staleness are just a few factors you can use to build your rules. And once you're done, Varonis automatically enforces your new rules, keeping your data as secure as possible.
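    To show concretely how the three dimensions of data (sensitivity, permissions, activity) combine into a blast-radius measurement and a least-privilege remediation plan built from sensitivity and staleness, here is an added Python example. It is not Varonis code: the data model, the "Everyone" group name, the 90-day staleness window, and the sample classification results, ACLs and audit events are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Permission:
    principal: str  # a user, or the EVERYONE group
    resource: str   # folder / site / object
    right: str      # "read" or "write"


@dataclass(frozen=True)
class Event:
    principal: str
    resource: str
    action: str
    when: date


EVERYONE = "Everyone"   # assumed name of the catch-all group


def last_activity(events, principal, resource):
    """Most recent event by principal on resource, or None if it was never touched."""
    dates = [e.when for e in events if e.principal == principal and e.resource == resource]
    return max(dates) if dates else None


def blast_radius(permissions, users, sensitivity):
    """Users who can reach each non-public resource; a group grant expands to every user."""
    reach: dict[str, set[str]] = {}
    for p in permissions:
        if sensitivity.get(p.resource, "Public") == "Public":
            continue
        who = set(users) if p.principal == EVERYONE else {p.principal}
        reach.setdefault(p.resource, set()).update(who)
    return reach


def plan_remediation(permissions, events, users, sensitivity, today, stale_days=90):
    """Return (revoke, grant) to move sensitive resources toward least privilege.

    Rule 1: a direct permission on sensitive data with no activity in stale_days is stale.
    Rule 2: an EVERYONE grant on sensitive data is open access; replace it with direct
            grants only for the users who actually used the resource within the window.
    """
    cutoff = today - timedelta(days=stale_days)
    revoke, grant = [], []
    for p in permissions:
        if sensitivity.get(p.resource, "Public") == "Public":
            continue
        if p.principal == EVERYONE:
            revoke.append((p, "open access to sensitive data"))
            for u in sorted(users):
                seen = last_activity(events, u, p.resource)
                if seen is not None and seen >= cutoff:
                    grant.append(Permission(u, p.resource, p.right))
        else:
            seen = last_activity(events, p.principal, p.resource)
            if seen is None or seen < cutoff:
                revoke.append((p, "stale: no activity in %d days" % stale_days))
    return revoke, grant


def apply_plan(permissions, revoke, grant):
    """Permissions that remain after the plan is enforced."""
    removed = {p for p, _ in revoke}
    return [p for p in permissions if p not in removed] + grant


# Constructed sample: classification results, ACL entries and audit events.
USERS = {"alice", "bob", "carol", "dave"}
SENSITIVITY = {
    "/finance/payroll": "PII",
    "/finance/q1-report": "Confidential",
    "/marketing/brand": "Public",
}
PERMISSIONS = [
    Permission("alice", "/finance/payroll", "write"),
    Permission("bob", "/finance/payroll", "read"),
    Permission("carol", "/finance/payroll", "read"),
    Permission(EVERYONE, "/finance/q1-report", "read"),
    Permission(EVERYONE, "/marketing/brand", "read"),
]
EVENTS = [
    Event("alice", "/finance/payroll", "update", date(2023, 4, 10)),
    Event("bob", "/finance/payroll", "read", date(2022, 9, 1)),
    Event("dave", "/finance/q1-report", "read", date(2023, 4, 12)),
]
TODAY = date(2023, 4, 19)


def run():
    """Measure the blast radius, plan the remediation, and measure again."""
    before = blast_radius(PERMISSIONS, USERS, SENSITIVITY)
    revoke, grant = plan_remediation(PERMISSIONS, EVENTS, USERS, SENSITIVITY, TODAY)
    after = blast_radius(apply_plan(PERMISSIONS, revoke, grant), USERS, SENSITIVITY)
    return before, revoke, grant, after


if __name__ == "__main__":
    before, revoke, grant, after = run()
    print("before:", {r: sorted(u) for r, u in before.items()})
    for p, reason in revoke:
        print("revoke", p.principal, p.right, p.resource, "-", reason)
    for p in grant:
        print("grant ", p.principal, p.right, p.resource)
    print("after: ", {r: sorted(u) for r, u in after.items()})
```

    The payroll folder goes from three readers to one and the confidential report from an open grant to a single direct grant for the one person who actually reads it, which is what "reducing the blast radius" means in practice. Public data is skipped on purpose: remediation effort is spent where sensitivity, over-permissioning and lack of activity coincide.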

    Threat detection & response

    Varonis isn't just an app: we proactively support you and your business in reducing risk and securing your data.

    Our focus is on helping you discover and resolve issues as quickly as possible, whether that's using software or working together to get things done.

    Incident response team

    Our team proactively monitors your alerts, so we can help you as soon as something comes up. We watch your data, and let you know if we see anything that needs attention.

    We also work with you to investigate potential issues, and help you understand what's going on with your data.

    Continuous monitoring of files, folders, emails, and more!

    It can be overwhelming when you're trying to keep on top of everything. Varonis makes this easier by aggregating, normalizing, and enriching your events.

    This makes it much easier to see what's happening with your data access events, access control changes, authentication events and network events.

    Audit trail of events

    Our searchable data activity log makes it easy to investigate incidents, whether it's your team or ours.

    You can search files, folders, emails, and objects, and see everything that's been created, updated, uploaded, or deleted.

    The events are enriched with helpful context such as device name and geolocation, to make investigation even simpler and help you make better decisions.

    User behavior analytics

    Our behavior-based threat models are refined using large datasets, which means they are accurate, and improve over time as we analyze more data.

    This allows us to detect abnormal behavior and stop breaches from happening.

    Simplify compliance

    All the above features help you remain compliant, while keeping your sensitive data safe. But we also give you some extra tools to make it even easier to view and manage your company's compliance.

    You get company-wide visibility, so you can audit your data accurately and effectively for compliance.

    On-demand compliance reports show how you're doing for a certain regulation, and can be given straight to auditors and compliance teams.

    You also get live risk data, and a real-time view of regulated data exposure and activity, so you're never waiting on reports or alerts.

    In closing

    Even though the concept isn't new, modern DSPM tools can do so much to protect your company from risk.

    Picking the right one can prevent breaches, help you investigate past breaches, and ensure you're meeting increasingly stringent regulations. But picking the wrong one can leave you just as stuck as you already are.

    By focusing on coverage, accuracy, and scale, you can get a good idea of which DSPM tools are a good fit for your company.

    We'd suggest Varonis, although we are slightly biased.

    But we are confident that our DSPM features are the best in the market, and deliver true value across four areas:

    • Real-time visibility
    • Reduce the blast radius
    • Threat detection & response
    • Simplify compliance

    Want to know how strong your data security posture is? Get a free data risk assessment when you book a Varonis test drive.
