Denis Kalitviansky

Data Leak Prevention explained

Blog Post created by Denis Kalitviansky Employee on May 4, 2016

Today we will talk about DLP or Data Leak Prevention. There are many products on market, but in this article we will focus on the "technology" of DLP, why it's needed inside your company, and what are the best practices for implementation.

Firstly, let me remind you quote "Information rules the world". Yep, that's true. If you have information, you are on the horse. That's why it is important to "protect" your data inside your company. This where the DLP systems comes handy.

It is important to understand, that DLP systems are not system designed to prevent hackers from stealing your information. There are many ways to get information without "sending" it out thru common channels : smtp, messaging, social. You can just take a picture of the needed data while you are physically there (industrial espionage or "insiders"), or you can do a screenshots, and then send it out (but some DLP's are override the prtScr button, so this is tough one also). Also, changing the pattern of the file will make DLP policy to not recognize it. 

DLP is created to avoid "human errors leakage", e.g. DLP will not allow employee to accidentally send some sensitive information outside the company (personal medical information, credit cards, documentation, patents, customer agreements or any "sensitive" data that SecDep will consider as sensitive. Employees can send data outside the network without knowing that they are causing damage to company, therefore DLP can help and stop such actions.

There are many interesting DLP implementations and scenarios, and every one need to be checked accordingly. In some ways you can protect your data from stealing before it actually begins, and here's a little example:

Let's assume that you have policy that communicating with user end-point, and suddenly agents begins to indicate that in the last two weeks Bob (sample employee), are downloading information to external mass-storage(USB). What is interesting, that data that Bob grabs is not related to their position, Bob just downloads everything, chaotically. All the time before that, Bob didn't took anything, no backups, nothing. In meantime, you can see that other policy detected that Bob sends his CV to your market competitors. Boom! Before your data gets stolen to Bob's new job, you can automatically reduce Bob's access to Data, that in your opinion will cause damage in other company.


DLP come with multiple channel support :

(Data-in‑Use) — data stored on the user end-point.

(Data-in‑Motion) - data that moves over the network (traffic).

(Data-at‑Rest) — data that is saved on your servers, and protected by DLP.



To make DLP work and "search" for protected data, you can either:

1. "register" specific document in system (hash, size, keywords), and other attributes, and then DLP will intercept such file and block it.

2. "look" for keywords and other attributes (mixed or standalone), in the files\data\traffic, and stop them, but it will create much "false-positive" situations. For example, you want to block every Word file with word "patent" in it. So if some one will create a document with such word, and this document has nothing related to actual patents in your company -- it will get blocked.

3. There are predefined "best practices" templates approved by some regulations, you only need to choose your location, industry, and then system will block every information that related to Israel credit cards format (for example).

DLP integration process is very important, but creating policy's that will not get your employees mad because of every file they copy\send is getting blocked - is an art :).


This article is my own opinion, and does not necessarily represent my past or current employer's positions, strategies or opinions. The materials in this article are provided "as is"and the author will not be liable for any direct, indirect or incidental damages arising out or relating to any use or distribution of them.