The prevailing "best practice" to prevent data breaches is limited to (a) scanning content that goes out, or (b) adding more rules to stop the attacks that cause breaches. Both approaches have shortcomings: they cannot prevent breaches over encrypted or steganographic channels, and they cannot defend against a new or zero-day attack that infiltrates an organization and subsequently causes a breach. A more future-proof solution is to remain agnostic to the attacks that lead to breaches and instead focus on comprehensively tracking sensitive data. We have developed a system, Pedigree, that tracks data using content-independent, tamper-proof tags. Pedigree uses these tags to track the provenance of sensitive data as it moves between applications or hosts, or even as it is encrypted. Thus, independent of the attack or the type of encryption used to leak data, the tags identify the provenance of data flowing out of the enterprise, and the data can be dropped if it carries sensitive provenance. In my talk, I would like to present an overview of our assumptions and solution, and stimulate discussion on this new way to prevent breaches from enterprises and Web applications. More information and some simple demos are available at our startup's page nouvou.com.
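The following is an added toy model of the idea described above, not Pedigree's code: tags are bound to data with a keyed MAC held by the tracking system, every tracked operation passes the union of its inputs' tags to its output, and the egress decision looks only at tags. The cipher, the key, the `SENSITIVE`/`PUBLIC` labels and the sample record are all constructed for illustration; the point it demonstrates is that a content scanner loses the record once it is encrypted and encoded, while the provenance check does not.

```python
import hashlib, hmac, os, re, base64
from dataclasses import dataclass
TAG_KEY = os.urandom(32)  # constructed: held by the tracking system, not by applications

@dataclass(frozen=True)
class Tagged:
    payload: bytes
    tags: frozenset          # provenance labels, independent of the payload's content
    mac: bytes               # HMAC over payload and tag set: detects stripped or edited tags

def _msg(payload, tags):
    return payload + b"\x00" + ",".join(sorted(tags)).encode()

def seal(payload: bytes, tags) -> Tagged:
    """Attach tags to data; only the tracker (holding TAG_KEY) can produce a valid MAC."""
    return Tagged(payload, frozenset(tags), hmac.new(TAG_KEY, _msg(payload, tags), hashlib.sha256).digest())

def verify(obj: Tagged) -> bool:
    expected = hmac.new(TAG_KEY, _msg(obj.payload, obj.tags), hashlib.sha256).digest()
    return hmac.compare_digest(obj.mac, expected)

def transform(fn, *inputs: Tagged) -> Tagged:
    """A tracked operation (copy, concat, encrypt, encode): output inherits every input's tags."""
    tags = frozenset().union(*(i.tags for i in inputs))
    return seal(fn(*(i.payload for i in inputs)), tags)

def toy_encrypt(data: bytes, key: bytes = b"k") -> bytes:
    # constructed stand-in for a real cipher: XOR with a SHA-256 keystream
    stream = hashlib.sha256(key).digest() * (len(data) // 32 + 1)
    return bytes(a ^ b for a, b in zip(data, stream))

SSN = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")

def content_scanner_blocks(data: bytes) -> bool:
    """Conventional egress check: pattern-match the outbound bytes."""
    return SSN.search(data) is not None

def tag_egress_blocks(obj: Tagged) -> bool:
    """Provenance check: decide on tags, not content; an invalid MAC is treated as sensitive."""
    return (not verify(obj)) or "SENSITIVE" in obj.tags

def demo() -> dict:
    record = seal(b"name=Ann;ssn=123-45-6789", {"SENSITIVE"})   # constructed sample record
    leaked = transform(lambda p: base64.b64encode(toy_encrypt(p)), record)
    stripped = Tagged(leaked.payload, frozenset(), leaked.mac)   # tag set removed in transit
    return {"scanner_plain": content_scanner_blocks(record.payload),
            "scanner_encrypted": content_scanner_blocks(leaked.payload),
            "tags_encrypted": tag_egress_blocks(leaked),
            "tags_stripped": tag_egress_blocks(stripped),
            "tags_public": tag_egress_blocks(seal(b"hello", {"PUBLIC"}))}
```

Running `demo()` shows the scanner catching only the plaintext copy, while the tag check blocks the encrypted copy, blocks the copy whose tags were removed (MAC no longer verifies), and passes data tagged `PUBLIC`.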
Anirudh Ramachandran is a networks and systems security researcher at Georgia Tech and the founder and CTO of Nouvou Inc., a nascent data security startup. He has 6 years of experience developing solutions in areas such as data breach prevention, high speed traffic monitoring, network-level spam filtering, and botnet identification.