Data Loss Prevention – CompTIA Security+ SY0-501 – 2.1

A DLP can be the difference between a data breach and business as usual. In this video, you’ll learn about data loss prevention technologies and how DLP could have prevented significant real-world data exfiltrations.

<< Previous Video: SIEM Next: Network Access Control >>

In the normal course of doing business, an organization might send many kinds of data across the network. These might include social security numbers or credit card numbers, medical information and much more. If someone is sending this data in the clear or sending it to someone they should not be sending it to, that would be a significant security concern. And that’s why we have data loss prevention, or DLP.

DLP is designed to stop the data before it gets in the hands of the bad guys. This is sometimes called data leakage when this information gets out. There’s obviously many different sources of this information in your organization. And this data is being sent to many different destinations. So often, a DLP solution is one that occurs at many places along the data path.

One of these places might be on your computer itself. You have data that you’re using in the memory of this computer. And there’s endpoint data loss prevention tools that can watch for that data and prevent anyone from gaining access to it.

There’s also insecure data that might be sent over your network. We call this data in motion. And there are DLP appliances that will sit on the network connection and constantly look for social security numbers, credit card numbers, and anything else that shouldn’t be in the clear on your network.

And lastly, there’s data that’s stored in databases or files. This is data at rest. And we have DLP systems that will sit on the database servers and the file servers and make sure that data doesn’t get into the wrong hands.

DLP in a workstation may not just stop the transfer of data on a workstation, it could also prevent certain tasks from occurring on that workstation. A good example of this is in November of 2008 in the United States Department of Defense. They received on USB storage a worm. And that worm very quickly propagated to the entirety of the Department of Defense.

As a result, the DoD banned removable flash media and storage devices. And you can imagine what a disruption that was, but it was necessary to prevent anything like this from occurring again. All of their devices had to be updated. All of their workstations and servers and laptops and mobile devices. And a DLP agent was in charge of making sure that nobody could use any USB storage devices.

The Department of Defense lifted this ban in February of 2010. But they instituted very strict guidelines for the use of USB storage devices in the future.

One of the places that many organizations are concerned about data getting out is their internet connection. And that’s why many organizations will use cloud-based data loss prevention. This is between their users and the internet side. Every bit and every bite of traffic goes through this cloud-based DLP solution. There’s no software or hardware that has to be managed locally. Everything is done in the cloud.

An organization can create custom strings looking for proprietary data or well-known types of data from getting out. You can manage access to particular URLs to filter this in the cloud. And, of course, this cloud-based DLP could stop viruses, block malware, and prevent any malicious software from getting onto your workstations.

Another critical risk factor is your email system. There’s a lot of inbound traffic coming in through email. And it is a very easy method of getting data out of your organization. That’s why a lot of organizations will track and monitor and filter for every email that’s coming inbound and every email that’s going outbound. This can be done with an appliance that’s local, or many organizations are opting for cloud-based email filtering.

Inbound email DLP may be looking for particular keywords to block. It may be trying to identify emails that are forgeries. Or it may be quarantining email messages that contain certain types of data.

Outbound email DLP can be much more specific. You can look for outbound wire transfers, W-2 information, social security numbers, employee data, and much more.

An example of where some email DLP would have made a big difference happened in November of 2016. An employee at Boeing emailed a spouse a spreadsheet to use as a template. Unfortunately, this particular spreadsheet had inside it hidden columns, information about 36,000 of the employees at Boeing. It had social security numbers, date of birth, and other personal information.

In this particular case, Boeing did not have DLP software looking for outbound emails. And ironically, Boeing does sell its own version of DLP software. But it only includes the software for classified operations.