Products and Services PRODUCTS & SERVICES

Sophos DLP enhancements improve detection for OEM partners

Sophos’ innovative approach to using negative scoring to significantly reduce the risk of incorrectly identifying sensitive information.

One challenge organizations encounter when implementing data loss prevention (DLP) is ensuring the accuracy of the solution. The Sophos DLP engine is available as an SDK through the OEM Sales team and offers an easy-to-integrate, cross-platform data security solution to those who want to implement DLP capabilities within their products and bring them to market quickly.

SophosLabs provides a comprehensive library of sensitive data definitions, giving you launch-day detection for all common types of personally identifiable information (PII) as well as financial and healthcare data. While many DLP solutions rely on pattern matching as their foundation, Sophos DLP has over 400 search patterns and uses negative scoring to reduce errors significantly.

Pattern matching challenges and solutions

Let’s examine how pattern matching works for credit card information.

When storing credit card numbers, they are simply represented as 16-digit numbers. However, documents may also contain unrelated 16-digit values: part numbers, serial numbers, or other elements that could be mistakenly identified as credit card numbers.

To address this issue, Sophos DLP includes check digits to validate that a 16-digit number is indeed a valid credit card number. However, even after using the check-digit formula, there’s still a 10% chance that a random pattern match causes a false positive.

Sophos uses failed validations as statistical context, which significantly reduces false positives without the need to modify the library of pattern matches. To achieve this, the DLP logic has been modified to reduce the score for each pattern match that fails validation.

With Sophos’ latest content analysis engine, we are using 100% of the information available from check-digit validation to significantly increase accuracy.

DLP search methods compared

DLP pattern-matching methods. Click to enlarge.

Now let’s take a look at three different pattern match scoring approaches applied to a document with random numbers.

The first method, pattern-match only, is the simplest and fastest, but it has no false-positive suppression and is therefore, highly unreliable.

It works by looking for a specific pattern of values, such as the pattern of a typical credit card number: <4 digits><space><4 digits><space><4 digits><space><4 digits>

Many other DLP products reduce false positives by requiring that a specific phrase (such as “Credit Card”) be present nearby. However, in real world situations, such convenient phrases are often absent, resulting in many missed detections (also known as false negatives).

The second method, check-digit validation, typically avoids 90% of individual pattern match results, making it more resistant to false positives. However, it will still give false positives on 10% of random pattern matches. If exposed to enough similar string-match results, a false positive may be inevitable.

Our approach, Sophos DLP with negative scoring, not only considers pattern match results that have valid check-digits but also the 90% of random pattern matches that have invalid check-digits.

These previously ignored results are now used as evidence that they are random matches. This approach turns check-digit validation’s weakness into a strength, as the more similar data there is in a document, the more likely any false positive detection will be avoided.

DLP’s bright future

In recent years, there’s been a shift away from traditional corporate networks towards cloud-hosted solutions that use zero-trust approaches.

As a result, DLP has become a key component of modern networking and security solutions, including Secure Access Service Edge (SASE), Security Service Edge (SSE), and Cloud Access Security Brokers (CASB).

A study shows that companies that are successful in establishing digital trust are more likely to experience annual growth rates of at least 10% in both their top and bottom lines. DLP technologies are, therefore, a crucial aspect of the convergence of cloud networking and cloud security.

Sophos offers proven and advanced DLP capabilities for integration into OEM partner security products, SaaS applications, and security infrastructure. OEM partners can benefit from Sophos’ unique approach to Data Loss Prevention (DLP), which eliminates the guesswork involved in implementing DLP in their security solutions.

In addition to supporting a comprehensive collection of control lists, Sophos also allows customization for specific data security governance relating to PCI DSS, HIPAA, and other regulatory requirements that support OEM partners’ compliance efforts.

If you want to leverage Sophos’ latest advances in Data Loss Prevention (DLP) to enhance your security solutions or infrastructure, contact our OEM team for more guidance.