Digital risk protection (DRP) refers to practices and technologies that protect digital assets from risk. But isn’t everything we do in security about protecting digital assets from risk? Yes. But DRP covers new modes of threat and attack, focused on monitoring and identifying external threats that may be difficult to spot without cyber threat intelligence (CTI) and related processes.
DRP extends beyond the boundaries of the enterprise to anticipate threats before they reach the internal network. In that way, DRP stands in contrast to data security posture technologies such as threat hunting, threat monitoring, data threat analytics, data monitoring, and user intelligence technologies—all of which support a proactive, internal program designed to protect against data extortion and exfiltration.
This article explores DRP, why it matters, and how it works. It looks at external risks such as data breaches resulting from stolen credentials on the dark web or from spear phishing attacks. DRP is also about discovering and tracking external indicators of compromise (IOCs) that may be impossible to discover without advanced detection algorithms.
DRP solutions handle the challenge of discovering risks by monitoring the entire digital estate as well as numerous external sources of data. They create a map of digital assets comprising the attack surface. Monitoring spans the public “clear web,” the normally impenetrable “deep web,” and the hidden, encrypted “dark web.” As the DRP solution discovers risks, it executes processes to mitigate them. This may be done in concert with existing security systems such as those that handle security orchestration automation and response (SOAR).
Why are digital risk protection services and digital risk protection software necessary? The answer is that the threat environment has grown significantly more serious and sophisticated in recent years. In parallel, digital transformation has created new vulnerabilities. For example, a company that has migrated its core systems to the cloud, while simultaneously shifting to a hybrid work strategy and outsourcing, may find itself exposed to risks it has not encountered before, e.g., attackers using malware to compromise new vendors, who then attack cloud assets by posing as that vendor’s employees.
Alternatively, attackers could buy stolen login credentials on the dark web and then use them to access the target company’s email accounts. They use this access to perpetrate a spear phishing attack. Armed with knowledge of the target company’s employees, the attacker can impersonate the chief financial officer (CFO). The fake CFO, claiming to be “working from home,” can request urgent wire transfers from an unsuspecting underling. This is what happened to a Hong Kong finance firm, which was defrauded of $25 million in early 2024 using this technique in conjunction with deepfake technology. CTI, key to success with DRP, takes on the challenge of proactively identifying the threat and countering it. In this case, that might mean discovering the existence of stolen credentials on the dark web. It could also mean engaging in phishing detection and flagging suspicious activity before the attacker succeeds in impersonating the CFO.
DRP’s core components range from monitoring the dark web to understanding the attack surface. Each component depends on several underlying principles, of which automation is arguably the most important. Automated processes are the essence of DRP. Every element of DRP depends on continuous, never-ending cycles of automated monitoring, data ingestion, analytics, and response. People are involved, of course, but DRP can only function effectively with extensive automation.
The first order of business in protecting digital assets is to determine what those assets are and where they are located. That is not always a simple matter in today’s hybrid and multi-cloud world. With software-as-a-service (SaaS) factored in, it’s possible for corporate digital assets, such as data, to be sitting in the cloud without anyone in the IT or security team knowing about it. A DRP solution deals with this by enabling automated asset discovery and asset mapping.
The dark web is the site of many criminal activities. Almost anything you can imagine is for sale in the dark web’s illegal marketplaces. With regard to DRP, the dark web is a place for the buying and selling of corporate access credentials, ransomware “kits,” tainted open-source code, and malware. A DRP solution has the ability to scan the dark web, searching for threats to your digital assets. It looks at millions of data points and conducts multidimensional threat analysis—flagging suspicious discoveries and automatically mitigating them or alerting admins for further action.
Malicious actors are always innovating. Right at this moment, they are hard at work developing new ways to penetrate your cyber defenses. New, advanced forms of spoofing are one example. A DRP solution can monitor the web for indicators that someone is spoofing your domain, e.g., if your website is acme.com, but a hacker has set up a site called acme.co, that could be an indication that someone is about to try to defraud you or steal user data. Another example is the use of generative artificial intelligence (GenAI) to create fake user profiles.
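The lookalike-domain check described above, as an added example that is not part of the original article or any vendor's product: it compares a constructed feed of observed domain registrations against a brand domain and flags TLD swaps (the acme.com / acme.co case), single-character typos, common homoglyph substitutions, and brand-plus-keyword names. The brand name, the observed list and the homoglyph table are constructed for illustration, and the domain splitter assumes a single-label TLD (no co.uk-style suffixes).

```python
# Constructed brand domain and a constructed feed of observed registrations
# (as might come from newly-registered-domain or certificate-transparency
# monitoring). None of these are real observations.
BRAND = "acme.com"
OBSERVED = [
    "acme.com",        # the brand itself, must not be flagged
    "acme.co",         # TLD swap, the article's example
    "acrne.com",       # "rn" visually imitates "m"
    "acme-login.com",  # brand name joined to a phishing-style keyword
    "acmee.com",       # one inserted character
    "unrelated.org",   # benign
]

# Visual substitutions to undo before comparing labels (constructed subset).
HOMOGLYPHS = {"m": ["rn"], "l": ["1"], "o": ["0"], "e": ["3"]}
KEYWORDS = ("login", "secure", "support", "account")

def split_domain(domain):
    """Return (registrable label, tld); assumes a single-label TLD."""
    label, _, tld = domain.lower().strip(".").partition(".")
    return label, tld

def levenshtein(a, b):
    """Standard edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize_glyphs(label):
    """Replace lookalike sequences with the letters they imitate."""
    for real, fakes in HOMOGLYPHS.items():
        for fake in fakes:
            label = label.replace(fake, real)
    return label

def classify(brand, candidate):
    """Return why candidate resembles brand, or None if it does not."""
    b_label, b_tld = split_domain(brand)
    c_label, c_tld = split_domain(candidate)
    if (c_label, c_tld) == (b_label, b_tld):
        return None
    if c_label == b_label:
        return "tld-swap"
    if normalize_glyphs(c_label) == b_label:
        return "homoglyph"
    if levenshtein(c_label, b_label) == 1:
        return "typo"
    parts = c_label.split("-")
    if b_label in parts and any(k in parts for k in KEYWORDS):
        return "brand-keyword"
    return None

def scan(brand, observed):
    """Map each suspicious observed domain to the reason it was flagged."""
    return {d: r for d in observed if (r := classify(brand, d))}
```

Each flagged domain is a candidate for a takedown request or a mail-gateway block, not proof of fraud; a human review step normally follows.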
Cyber threats can originate on social media. For example, someone posing as a senior executive on LinkedIn or Facebook might be able to cull useful data from others and use it to perpetrate an attack. The friendly nature of social media lends itself to hackers cultivating relationships with potential targets of spear phishing. Social media can also be a vehicle for the delivery of malware, which might occur through sharing of tainted files. Other signals may be more subtle, but if a DRP solution is in automated search mode, it can discover threats lurking in the vast digital ecosystem of social media.
Digital transformation and the general trend toward digital business has expanded the attack surface. It’s no longer just about protecting networks and infrastructure. Application programming interfaces (APIs), for example, effectively expand the perimeter to anywhere they can be accessed. Attacks on APIs can penetrate deep into enterprise applications and databases via third parties and compromised endpoints. Mobile devices, too, now form part of the attack surface. Attackers can deploy fake mobile apps that trick users into divulging personal data like account logins and social security numbers. DRP can mitigate this risk by monitoring the full attack surface and looking for threats like fake apps.
DRP solutions for business vary in terms of functionality, but their overall purpose is the same. Whether they work independently, or as part of an integrated whole with solutions for data protection, SaaS data security, AWS security, Azure protection, and the like, their purpose is to discover threats that exist beyond the reach and visibility of standard security tools like intrusion detection systems (IDS) and endpoint detection and response (EDR).
For example, Rubrik can help reduce data risk for Azure Stack HCI and for Azure VMs stored on Rubrik Cloud Vault. The solution offers Sensitive Data Monitoring & Management, which discovers sensitive data and flags it for protection. It can also help determine the scope of a cyberattack through its Anomaly Detection feature, which identifies deletions, modifications, and unexplained data encryption.
In general, DRP solutions for business also have the objective of protecting cloud data. Operationalizing this goal means doing things like fraud protection, malicious app identification, and leaked-credential monitoring, since fraud, malicious apps, and leaked credentials could all expose cloud data to malicious actors. The DRP solution may help mitigate supply chain risk, perhaps working in conjunction with other application security (AppSec) tools, such as code scanning solutions.
DRP is a team sport that typically involves multiple groups in the security organization as well as IT. These include application security (AppSec), data security, and network security. Other departments, like legal and compliance, should also be involved in realizing the goals of DRP. Each group has a role to play, so cross-team collaboration is important.
A DRP solution can help spot indicators of supply chain risk, such as malware-laden open-source code that’s discoverable “in the wild,” e.g., in open-source community code repositories. The DRP solution can feed what it discovers into code scanning and other AppSec tools to help DevOps teams identify and remediate compromised code before it can trigger a supply chain attack. For this to work, teams working across security and DevOps must cooperate.
One of the greatest challenges in dealing with data breaches is the fact that the breach often goes unnoticed for a long period of time. Months can go by without anyone knowing that an attacker has exfiltrated sensitive data. A DRP solution can solve this problem by searching for leaked data on the dark web.
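The leaked-credential side of dark web monitoring, discussed in the spear phishing scenario above and in the paragraph on unnoticed breaches, as an added example that is not from the original article or any DRP product: a constructed leak dump in "email:password" form is filtered to the corporate domain and each record is triaged against a constructed password store that holds only PBKDF2 hashes, so the check never needs plaintext from the directory. The domain, the accounts, the salts and the dump contents are all constructed for illustration.

```python
import hashlib
import hmac

CORP_DOMAIN = "acme.example"  # constructed corporate mail domain

def _pbkdf2(password, salt):
    """Derive the stored hash form of a password (constructed parameters)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed directory: email -> (salt, hash). Built from sample passwords
# here only so the example runs offline; a real store holds hashes only.
_STORE = {
    "alice@acme.example": (b"salt-a", _pbkdf2("Winter2024!", b"salt-a")),
    "bob@acme.example":   (b"salt-b", _pbkdf2("correct-horse", b"salt-b")),
}

# Constructed dump as it might be scraped from a leak site: one
# "email:password" per line, mixed case, non-corporate and junk lines mixed in.
LEAK_DUMP = """\
Alice@Acme.Example:Winter2024!
bob@acme.example:OldPassword1
carol@other.example:hunter2
malformed line without separator
"""

def parse_dump(text):
    """Yield (normalized email, password) for every well-formed record."""
    for line in text.splitlines():
        email, sep, pwd = line.partition(":")
        if not sep or "@" not in email:
            continue
        yield email.strip().lower(), pwd

def corporate_records(text, domain=CORP_DOMAIN):
    """Keep only records whose mailbox belongs to the corporate domain."""
    return [(e, p) for e, p in parse_dump(text) if e.endswith("@" + domain)]

def triage(text, store=_STORE):
    """Classify each leaked corporate record:
    'reuse'   - leaked password still matches the current hash (force reset)
    'stale'   - account exists, password differs (alert, watch for phishing)
    'unknown' - no such account in the directory"""
    result = {}
    for email, pwd in corporate_records(text):
        if email not in store:
            result[email] = "unknown"
            continue
        salt, stored = store[email]
        match = hmac.compare_digest(_pbkdf2(pwd, salt), stored)
        result[email] = "reuse" if match else "stale"
    return result
```

A 'reuse' hit is the case the article's CFO scenario starts from, a still-valid credential sitting on the dark web, so it is the one to act on first.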
The various teams tasked with DRP need to come together to devise a comprehensive risk management strategy that includes the use of DRP software. Done right, this process will drive improvements in security posture and reduce the impact of threats.
The evolving, increasingly hidden and external nature of today’s cyber threat landscape makes it imperative that organizations pursue some form of Digital Risk Protection. The need is particularly urgent given the broad push for increased digitization of business. DRP solutions offer a way to mitigate threats like spear phishing, malicious apps, and more. As digital strategies become of paramount importance, DRP emerges as an essentially non-negotiable capability to possess.
Making DRP a reality requires a multi-phased process. It starts with a review of existing security controls and countermeasures and an assessment of how well they mitigate risks from the full spectrum of digital risk. From there, it’s about determining the highest priority areas of the attack surface to defend. It is only at this point that one can make informed decisions about selecting and implementing a DRP solution. After deploying the solution, it is possible to expand its scope of digital risk protection.