Digital Guardian

Data Loss Prevention: how does the popular class of solutions work?

Data security is a basic concern for any company, even for small businesses that aren’t used to setting up large and complex cybersecurity systems. In a large enterprise, the issue is far more acute. There are many tools for protecting data, and almost any cybersecurity solution protects it to some extent: antivirus software prevents ransomware encryption and information theft, and tools for monitoring employee actions make it possible to detect insider activity early.
But the classic tool for protecting information is the Data Loss Prevention class of solutions, which monitors the movement of data and directly prevents it from leaving the secure perimeter.
I’m Eugene Borodai, a Sales Engineer at BAKOTECH specializing in Digital Guardian and Boldon James solutions. I have more than five years of experience implementing Data Loss Prevention and Data Classification solutions for companies in Central and Western Asia and Eastern Europe. Today, I’ll tell you about DLP from my own experience and knowledge.

How does the class of solutions function? 

Data Loss Prevention (DLP) monitors everything that happens to data, starting with tracking its movement. The logic behind the solution is classifying data, since not all information is confidential, and releasing certain types of information into the outside world won’t necessarily have serious consequences. For example, there’s nothing wrong with an employee forwarding a funny cat video from a corporate chat to friends via a personal Telegram account. But in the same way, an employee can forward the latest accounting report or the documentation for a revolutionary new service. That’s why data needs to be classified first and foremost, so you monitor only what’s critical.
How does it work? There are three approaches to classification: content-based, contextual, and user-based.
● Content-based classification scans the contents of documents for certain markers: numbers, patterns, keywords. For example, if a file contains phrases such as “balance sheet” or “quarterly report,” the system automatically assigns it a high-importance category and limits the ability to move or copy it. The example is quite general, but it reflects the gist of the approach.
● Contextual classification determines the value of a file without opening it or scanning its contents. The system does this based on the owner and source of the file. This way, files created by certain employees or departments, files exported from corporate IT systems, or data for certain periods all fall under the category of confidential information. Here are examples for each case:
- Legal departments take part in drafting contracts and negotiating deals, so a DLP system automatically treats files created from lawyers’ accounts as confidential.
- Corporate credential storage systems allow exporting data to Excel. This may be necessary for IT department tasks, but, of course, files with employee credentials shouldn’t leave the company. The same applies to work on external services such as GitHub, which may hold a backup or previous version of the company website or service code.
- A day’s worth of a bank’s transactional data is a critical part of financial reporting, and it too can be exported into a file, but you shouldn’t allow outsiders to access it.
● User-based classification is when an employee manually assigns a confidentiality label to a document; common labels are Secret, Official, Public, and variations thereof. Users often understand a document’s level of confidentiality better than anyone else. That’s why there are specialized tools for manual classification, such as Fortra’s Boldon James, that help the DLP system protect information better.
Note that a good and reliable DLP system uses all three methods simultaneously.
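To make the three approaches concrete, here is an added example (my own illustration, not code from Digital Guardian, Boldon James or the article) of a small classifier that applies content, contextual and user-based rules to the same file and keeps the most restrictive answer. The keyword list, department and source-system rules, level names and the sample files are all assumptions made for the example; a real product ships far richer rule sets.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ordered from least to most sensitive; the final verdict is the highest level any method assigns.
LEVELS = ["Public", "Internal", "Confidential", "Secret"]

# Content rules (assumed for this example): keyword markers plus a card-number pattern
# that must also pass the Luhn check, so an arbitrary run of digits is not a false positive.
KEYWORD_RULES = {
    "balance sheet": "Confidential",
    "quarterly report": "Confidential",
}
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Context rules (assumed): departments and source systems whose output is sensitive by default.
DEPARTMENT_RULES = {"legal": "Confidential", "finance": "Confidential"}
SOURCE_RULES = {"credential-vault": "Secret", "core-banking": "Confidential"}


@dataclass
class FileMeta:
    """Metadata a DLP agent knows without opening the file (hypothetical fields)."""
    owner_department: str
    source_system: Optional[str] = None   # corporate system the file was exported from
    user_label: Optional[str] = None      # label the author applied by hand, if any


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: distinguishes a real card number from random digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_content(text: str) -> List[Tuple[str, str]]:
    """Content-based: scan the text itself. Returns (level, reason) pairs."""
    hits = []
    lowered = text.lower()
    for keyword, level in KEYWORD_RULES.items():
        if keyword in lowered:
            hits.append((level, f"keyword '{keyword}'"))
    for match in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            hits.append(("Confidential", f"card number ending {digits[-4:]}"))
    return hits


def classify_context(meta: FileMeta) -> List[Tuple[str, str]]:
    """Contextual: decide from owner and origin, without reading the contents."""
    hits = []
    level = DEPARTMENT_RULES.get(meta.owner_department.lower())
    if level:
        hits.append((level, f"owner department '{meta.owner_department}'"))
    if meta.source_system in SOURCE_RULES:
        hits.append((SOURCE_RULES[meta.source_system], f"exported from '{meta.source_system}'"))
    return hits


def classify_user(meta: FileMeta) -> List[Tuple[str, str]]:
    """User-based: honour a label the author applied, if it is a known level."""
    if meta.user_label in LEVELS:
        return [(meta.user_label, f"user label '{meta.user_label}'")]
    return []


def classify(text: str, meta: FileMeta) -> Tuple[str, List[str]]:
    """Run all three methods and return the most restrictive level with its reasons.

    Taking the maximum is what defeats the 'relabel it Public' evasion: a user label
    can raise the level but never lower what content or context already established.
    """
    hits = classify_content(text) + classify_context(meta) + classify_user(meta)
    if not hits:
        return "Public", []
    best = max(hits, key=lambda hit: LEVELS.index(hit[0]))[0]
    return best, [reason for level, reason in hits if level == best]


if __name__ == "__main__":
    # Constructed sample: a file the author labelled Public that still contains a report marker.
    print(classify("Attached is the quarterly report", FileMeta("marketing", user_label="Public")))
```

The point of `classify` is the combination rule: each method only contributes evidence, and the verdict is the strictest one, so a mislabelled or mangled file still ends up protected if either its origin or its contents give it away.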

What kind of data needs protection and why? 

Traditionally, companies protect the following types of information:
● Personal employee data. This information is key to a host of malicious activities, from fraud to blackmail, so companies commit to protecting the data of everyone they hire.
● Financial information that is a corporate secret. This includes data about wages and transactions. Access to such information can make your company a target for extortionists and scammers.
● Intellectual property, the most valuable secret in a competitive market. In the wrong hands, new projects, software, patents and developments can cause a loss of profit, and that isn’t even the worst-case scenario.
● Information that’s confidential according to industry standards and regulations (compliance), such as regulatory documents, instructions and policies intended for internal use.
● Any information that employees are personally and legally responsible for keeping secret. DLP helps employees avoid getting into trouble and protects your company in case of worker negligence.

How does data theft happen and how can DLP help fight it?

The easiest way to steal data is simply to copy it and send it via a personal messenger: Telegram, Viber, or WhatsApp. DLP systems can distinguish corporate messengers (Teams, Slack) from personal ones and block the movement of confidential files through personal messengers without interfering with the corporate ones.
Forwarding information through a messenger isn’t always malicious and may well be accidental, but copying data to an external device hardly ever is. Flash drives are becoming less common in offices; mobile phones now play the role of a suitcase that can be filled with critical data and carried out of the company’s premises. Companies can block USB connections, but this may interfere with employees’ work. A better way is to apply AES-256 encryption to removable media: data can be written to an external drive, but it can be read only on a computer registered in the corporate network. An insider who knows the company uses a DLP system will try to bypass it. Attackers use tricks that worked against outdated DLP systems: modifying data so that it is assigned the wrong classification (which is why I said a good DLP solution uses all three types of classification simultaneously), password-protecting archives, copying content through the clipboard, and even recording the screen or taking screenshots of important data.
Good DLP solutions know how to deal with this. For example, they can control the clipboard and monitor the active window, block screenshots, and record the password used to protect an archive so that a system administrator or security officer can still inspect it.
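The password-protected archive trick works because a content scanner cannot read what it cannot decrypt. The check a DLP engine needs is therefore not “is this a ZIP?” but “can I inspect every member?”, and anything it cannot inspect has to be escalated rather than let through. The following is an added example of that check (my own illustration, not Digital Guardian code): it reads the general-purpose flag of each ZIP member (bit 0 is set on password-protected members) and separates inspectable from encrypted members. Because Python’s zipfile cannot write encrypted archives, the constructed sample marks an ordinary archive as encrypted by setting that flag in both headers, which is what a scanner sees on a real password-protected file.

```python
import io
import struct
import zipfile
from typing import Dict


def inspect_archive(data: bytes) -> Dict[str, str]:
    """Return member name -> 'encrypted' | 'inspectable' for a ZIP held in memory.

    A member whose general-purpose flag bit 0 is set is password-protected; the
    content classifier cannot see inside it, so it is reported separately instead
    of being treated as harmless. Inspectable members are read fully, which is
    where a real engine would hand the bytes to content classification.
    """
    verdicts: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:
                verdicts[info.filename] = "encrypted"
                continue
            with zf.open(info) as member:
                member.read()  # payload available for the content classifier
            verdicts[info.filename] = "inspectable"
    return verdicts


def build_sample(encrypted: bool) -> bytes:
    """Constructed sample: a one-member ZIP, optionally marked as password-protected.

    The 'encrypted' variant sets flag bit 0 in the local file header (flag field at
    offset 6 from the 'PK\\x03\\x04' signature) and in the central directory entry
    (offset 8 from 'PK\\x01\\x02'). The payload is left as plain STORED bytes, so the
    result is not a decryptable archive; it only carries the header marker a scanner
    keys on.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("quarterly_report.xlsx", b"balance sheet 2023 ...")
    data = bytearray(buf.getvalue())
    if encrypted:
        for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(signature)
            (flags,) = struct.unpack_from("<H", data, pos + flag_offset)
            struct.pack_into("<H", data, pos + flag_offset, flags | 0x1)
    return bytes(data)


def blocked_members(data: bytes) -> Dict[str, str]:
    """Policy helper: everything the scanner could not inspect is what gets escalated."""
    return {name: verdict for name, verdict in inspect_archive(data).items() if verdict != "inspectable"}


if __name__ == "__main__":
    print(inspect_archive(build_sample(encrypted=False)))
    print(inspect_archive(build_sample(encrypted=True)))
```

The design choice to note is the default: an archive the engine cannot read is not “clean”, it is “unknown”, and `blocked_members` makes that the outcome that drives a block or an escalation to the security officer. The same fail-closed rule applies to nested archives and to file types the engine has no parser for.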
Aside from this, a DLP system should be able to:
● Conduct a detailed analysis of data movement and file modification.
● Keep a record of where confidential data is present on computers.
● Monitor the launch of external software that isn’t specified by corporate rules or needed for work tasks.
● Log activity for incident investigation in case of a data leak. It’s bad enough if someone steals company data; it’s even worse if the culprit isn’t found. That’s why modern DLP systems can record incidents and log keystrokes.
From all this, we can conclude that some employees and services take part in creating data, others interact with it, and yet another party may help steal it. The DLP system must be seamlessly integrated into the company’s infrastructure: it must work in conjunction with corporate services, send logs to a SIEM and monitor actions, while not interfering with work, slowing down processes, conflicting with other security systems or violating privacy.

Conclusion 

DLP reliably keeps track of all important files and helps secure them. At the same time, a Data Loss Prevention system should be automated and multilayered, but it shouldn’t cause trouble for employees. A quality DLP solution provides automated data classification and prevents leaks while logging all of your employees’ activity involving company data.
All this lets you prevent leaks, investigate incidents quickly if they do happen, and makes DLP an integral part of business and employee security.