Security Manager's Journal: Did DLP tool prevent an assault?

A data loss prevention tool flags keywords that lead to the discovery of a possible conspiracy to commit a crime.

The plain view doctrine allows law enforcement officers to seize, without a search warrant, evidence or contraband that is in plain sight during a lawful observation. For example, if an officer executing a warrant to search a house for illegal weapons sees drugs on the kitchen counter, the officer can seize the drugs and charges can be filed, even though the warrant covered only weapons.

Trouble Ticket

DLP monitor instigates an investigation that uncovers what seems to be an employee's plan to attack his wife's lover.

Action plan: Bring the evidence to HR and Legal and go from there.

I mention this doctrine because it intersects to a certain extent with a company policy stating that employees have no expectation of privacy when using company computers and networks. We are essentially saying that we will treat anything on them as being in plain view.

This policy is what allows my analysts to monitor network activity for security breaches and other illegal activity. Naturally, we are mostly interested in detecting attempts to leak any sensitive company information. To that end, we have indexed a fairly small set of key documents for our data loss prevention (DLP) tool to look for. But we also look for certain number sequences and keywords suggesting credit card numbers, Social Security numbers or other personally identifiable information, and we look for keywords that might indicate illegal activity such as downloading child pornography. That's because we don't want to be surprised someday with a search warrant that could disrupt our business and result in some bad press for us. It's better to be on top of such things and alert law enforcement anytime we come across anything suspicious.
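The three kinds of rules described above (indexed key documents, number sequences that look like card or Social Security numbers, and keyword lists) can be sketched in a few dozen lines. The following is an added example written for this page, not the column's actual DLP product or its rule set: the document "index" is a simplified stand-in using hashed word shingles, the key document, the sample traffic and the keyword list (drawn from the details of the story) are all constructed, and a real deployment would feed captured traffic rather than an inline list.

```python
"""Toy DLP content monitor (added example; not the column's own tooling)."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

# --- Rule 1: indexed key documents ---------------------------------------
# Commercial DLP products use proprietary fingerprints; hashed overlapping
# word shingles are a simplified stand-in that still survives paraphrase
# of surrounding text and partial copy-paste.
SHINGLE_WORDS = 5


def shingles(text: str, k: int = SHINGLE_WORDS) -> set[str]:
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
        for i in range(max(len(words) - k + 1, 0))
    }


def index_documents(docs: dict[str, str]) -> dict[str, set[str]]:
    return {name: shingles(body) for name, body in docs.items()}


# --- Rule 2: number sequences (card numbers, SSNs) ------------------------
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters most random digit runs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str) -> list[str]:
    hits = []
    for area, group, serial in SSN_RE.findall(text):
        # SSA never issues area 000, 666 or 9xx, group 00 or serial 0000;
        # rejecting them cuts false positives from phone-style numbers.
        if area in ("000", "666") or area.startswith("9"):
            continue
        if group == "00" or serial == "0000":
            continue
        hits.append(f"{area}-{group}-{serial}")
    return hits


# --- Rule 3: keyword lists -----------------------------------------------
# Constructed list; a production list would be longer and tuned per category.
KEYWORD_RULES = {"violence": ["alibi", "weapon", "wash the blood"]}
KEYWORD_PATTERNS = {
    name: re.compile(r"\b(?:" + "|".join(re.escape(k) for k in kws) + r")\b", re.I)
    for name, kws in KEYWORD_RULES.items()
}


@dataclass
class Finding:
    rule: str
    detail: str   # masked so the alert itself does not leak the data


def scan(message: str, index: dict[str, set[str]], min_shared: int = 3) -> list[Finding]:
    findings: list[Finding] = []
    msg_sh = shingles(message)
    for name, doc_sh in index.items():
        shared = len(msg_sh & doc_sh)
        if shared >= min_shared:
            findings.append(Finding("indexed_document", f"{name} ({shared} shared shingles)"))
    for card in find_card_numbers(message):
        findings.append(Finding("credit_card", card[:6] + "*" * (len(card) - 10) + card[-4:]))
    for ssn in find_ssns(message):
        findings.append(Finding("ssn", "***-**-" + ssn[-4:]))
    for name, pat in KEYWORD_PATTERNS.items():
        hits = sorted({m.group().lower() for m in pat.finditer(message)})
        if hits:
            findings.append(Finding(f"keyword:{name}", ", ".join(hits)))
    return findings


# Constructed sample data (not from the column).
KEY_DOCS = {
    "q3_roadmap.txt": "Project Falcon launches in the third quarter with the new "
                      "pricing model for enterprise customers in Europe.",
}
SAMPLE_TRAFFIC = [
    "fyi the launch slipped, plan is: Project Falcon launches in the third quarter with the new pricing model",
    "my card is 4111 1111 1111 1111 exp 12/29",
    "his ssn is 123-45-6789, phone 555-867-5309",
    "bring the weapon, we need an alibi and a way to wash the blood off",
    "lunch at noon?",
]

if __name__ == "__main__":
    idx = index_documents(KEY_DOCS)
    for msg in SAMPLE_TRAFFIC:
        for f in scan(msg, idx):
            print(f"{f.rule:18} {f.detail}")
```

Two design points worth noting: the alert records only masked values, so the monitoring system does not itself become a store of card numbers and SSNs, and the keyword rule is the noisiest of the three (any crime novel discussed over chat would trip it), which is why a hit is a trigger for an analyst to look, as in the column, rather than an automatic verdict.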

And sometimes we do find something. The other day, one of my analysts sent me data he was investigating that suggested someone in the company might be involved with child pornography. Our DLP monitor had flagged some traffic containing keywords that we had included in the rules we use to turn up anything that might be related to such activity. Soon enough, we found out that this wasn't a child pornography case, but something else that we needed to bring to the attention of law enforcement.

The analyst had uncovered an instant-messaging chat between one of our employees and someone from outside the company. The chat rather baldly outlined a conspiracy between the two men to assault a third man that our employee suspected was having an affair with his wife. In that conversation, our employee discussed a plan to use his wife's cellphone to text the man and persuade him to visit a park for what he thought would be a meeting with the employee's wife. At the appointed time and place, the two conspirators would attack him.

Incriminating Details

The discussion was incredibly detailed and incriminating: They talked about the type of weapon that would be best for the attack, their alibis and even the best way to wash blood off clothing and hands.

I printed out a transcript, along with information about the employee, and met with our legal department and human resources. HR's impulse was to give the employee the benefit of the doubt, but our general counsel, concerned that we could be charged with negligence if an assault occurred, disagreed and said we needed to contact law enforcement immediately. I then told the employee's manager to confiscate his laptop until the matter was resolved.

I checked in the other day to find out what is happening and learned that the police investigation is ongoing and that HR has put the employee on administrative leave. There is still a chance that the entire thing was a hoax, but the incident nonetheless provides further justification for our investment in DLP.

All in all, though, I'd be happier with other sorts of justification for such a valuable initiative.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at
