One of the most common definitions for the term DLP (Data Loss Prevention or Data Leakage Prevention) is “systems that identify, monitor, and protect data through deep content inspection, contextual security analysis of transaction (attributes of originator, data object, medium, timing and recipient/destination and so on) and with a centralized management framework.”

Purpose of this article
Organizations are interested to protect their sensitive data, and DLP provides them with the framework to do that. So far no news… However, the DLP world is a bit more complicated than that and the purpose of this article is to highlight few basic domains and areas that are worth thinking about when considering DLP solutions.

Common Data Locations and States

  • Data in motion – Any data that is moving through the network to destinations outside the local / corporate LAN via the Internet
  • Data at rest – Data that resides in files systems, databases and other storage methods
  • Data at the endpoint – Data at the endpoints of the network (e.g. data on USB devices, external drives, MP3 players, laptops, and other highly-mobile devices)

Examples of sensitive data:

  • Confidential and/or proprietary data, for example: processes, methodologies, development code and etc.
  • Customer and employee data
  • Financial data
  • Data that is regulated by regional and national laws such as HIPAA, SOX and GLBA

Common Data Leakage Channels:
Technical side:

  • Email Traffic – SMTP from mail servers
  • Web mail (Gmail, Yahoo, etc)
  • Uploading files to internet destinations (HTTP, HTTPS, FTP)
  • Posting on internet sites (blogs, social media, forums)
  • Instant messaging (gTalk, MSN, Yahoo, Skype)
  • P2P networks
  • Wi-Fi networks
  • Key loggers, Trojan horses
  • Multiple platform (Windows, Linux, MAC, etc)
  • Application permissions (ERP, database, SaaS platforms, SharePoint)


  • Mobile devices
  • Non-encrypted hard drives
  • USB drives (Disk on key, external hard drives)
  • Portable media (CD/DVD, floppy drive, backup tapes)
  • Physical security (hard copy of documents)

Human factor:

  • Lack of employee awareness to security risks
  • Partners, suppliers, temporary employees and visitors
  • Working from home, remote locations, internet cafe

Company’s needs to protect themselves from scenarios as mentioned below:

  • Inadvertent forwarding of email containing product development or business plans to another email recipient
  • An employee extracts data from a secure system and conducts the analysis on a less secure system
  • Sending unreleased pricing information to the wrong email address
  • Customer or competitive information sent by an employee to a third-party for financial gain
  • A disgruntled employee with privileged access to sensitive information acts maliciously and steals information
  • Proprietary information sent to a distributor, who might then forward it on to competitors
  • Backup tapes are stored in a non-secure environment and curious intruder removes the tape to examine the content
  • Incorrect settings of permissions of file and directory structure could allow anyone access the information

DLP solutions prevent confidential data loss by:

  • Monitoring communications going outside of the organization
  • Encrypting email containing confidential content
  • Enabling compliance with global privacy and data security mandates
  • Securing outsourcing and partner communications
  • Protecting intellectual property
  • Preventing malware-related data harvesting
  • Enforcing acceptable use policies
  • Providing a deterrent for malicious users (by creating the possibility of being caught)

How to implement DLP solution:

  1. Perform risk assessment to find out:

    • What type of data exists in the organization?

    • Where is the data located/saved?

    • How valuable is the data to the organization?

    • What type of loss is the organization willing to accept?

    • What are the regulatory and privacy gaps for the organization?
  2. Classify the organization data:

    • Top secret

    • Secret

    • Confidential

    • Restricted

    • Unclassified
  3. Decide what information does the organization would like to search and protect:

    • Pattern, keyword matching and dictionaries

    • Document fingerprinting

    • Database fingerprinting
  4. Prepare data loss prevention plan:

    • How to limit the damage to the organization

    • How to avoid similar incidents from happening in the future

    • How to report to the management, stock holders and media on the current data loss incident
  5. Prepare policies, standards and procedures for handling data loss incidents:

    • Scan HTTPS traffic on the gateway

    • Block data from leaving the organization

    • Encrypt sensitive information inside database

    • Full disk encryption

    • Encrypt data before sending to partners/suppliers

    • Prevent use of portable media

    • Employee awareness training
  6. Deploy the DLP solution:

    • Install a product on the gateway

    • Configure SSL termination – recommended

    • Configure encryption gateway for SMTP traffic – recommended

    • Deploy agents on the end-points – highly recommended
  7. Ongoing monitoring:

    • Review incidents on regular basis (daily/weekly)

    • Fine-tune the product to raise alerts on important incidents and collect all other incidents.

    • Create reports on regular basis to locate top senders/targets

    • Perform data discovery on regular basis (daily/weekly/month) on network shares, servers, end-points, etc.

The article can also be found at: http://security-24-7.com/dlp

  • LonerVamp

    Have you found a DLP solution that will catch if I zip a file before I upload it to a website over SSL? Or put a password on that zip file?

    Or one that will still work properly if I’m a software developer and have admin rights on my local system and disable the endpoint service agent?

    Have you found a DLP solution that would make financial sense to a small/medium business that wants to set it up and forget about it, rather than tend to all the constant data definition updates and investigating false alarms? The company scenarios you give pretty much require at least one full-time employee, at a minimum.

    I sympathize with DLP solutions, but their biggest problem, by far, is managing expectations of non-technical people.

  • http://security-24-7.com Eyal Estrin

    I totally agree with you that there isn’t a simple solution for SMB companies with non-technical people.

    Regarding solution for ZIP files:
    1. SSL is not a problem. I’m familier with Websense DLP, and when deploying the Websense EndPoint agent, if the client tries to upload sensitive materials to external destination, the EndPoint agent catch during the upload/post process and block it. If you haven’t deployed EndPoint agents, but combind the Websense DLP with the Websense Content Gateway solution, the WCG solution perform SSL termination, so SSL isn’t really a black box anymore.
    2. Regarding ZIP files with password – once again, if you deploy the Websense EndPoint agent, and you try to take sensitive files and compress them inside password protected ZIP file, I can only guess that the EndPoint will raise an incident on the Websense console – but it will only happen if you try to do it over removable media such as disk on key – it it happens locally on the computer and after awhile you try to take the password protected ZIP file and post it to a web site, no DLP solution will be able to catch it.

    Regarding the admin rights on the local computers, from what I understand, Websense are currently working on solution in one of their future versions (currently no ETA).