Security Manager's Journal: The ins and outs of extending DLP

I love DLP! That's not a statement that would sell a chief financial officer on data leak prevention, but I can show real ROI from our deployment as well.

Trouble Ticket

At issue: The company's DLP deployment is currently restricted to three big offices.

Action plan: Study the options for getting cost-effective coverage to the 50 smaller offices located around the world.

Our recent discovery of problems with our email security settings is only the latest example of our DLP investment paying off. Since we deployed network DLP last year, we've identified both inadvertent and deliberate disclosures of sensitive data. DLP alerts have led to employee terminations and legal action. Some of the incidents involve downright criminal activity.

Now I want to extend DLP's reach. Our current deployment is limited to our three main offices: one in the U.S., one in Europe and one in Asia. But 40% of our workforce is located in roughly 50 smaller offices around the world. Ideally, we would have architected the network so that all Internet traffic would be routed to regional hub sites via backhauling of the MPLS traffic. That would allow us to monitor network traffic for all of our remote offices with just three or four sensors. Instead, each remote office uses its own Internet service provider.

That being the case, we have two options for monitoring outbound Internet traffic for the enterprise. The first is to install DLP network sensors at each office (or alternatively, to provision virtual servers at all of our remote offices). The problem with this approach is that it provides no visibility into what users do once they take their laptops off the network.

Endpoint DLP, the second option, addresses that particular problem, and for the past few months we've been running a proof of concept to test its effectiveness.

The concept is appealing. We can install a lightweight agent on every PC via group policy or our regular software distribution and -- voila -- complete coverage for the enterprise. In reality, though, we've found that endpoint DLP falls short of network DLP.

Under the Hood

To help you understand the problem, let me explain a bit about how DLP works. DLP relies on both content matching and index matching. Content matching detects things like keywords, Social Security numbers, credit card numbers and other easily identifiable terms. It's quite simple, and even many firewall, email gateway and other proxy vendors offer similar functionality. Index matching goes much deeper and, in my opinion, provides the real value you get from enterprise DLP technology.

Here is how index matching works: When a document that has been identified as needing protection is checked in to the DLP infrastructure, the system computes a fingerprint index from it. Afterward, if even a snippet of the document is leaked, the DLP infrastructure will recognize the snippet as part of a previously registered document. If just a few lines of source code are pasted into an email message and sent out of the network, the DLP index matching technology will identify it as protected, even if the original document registered in the system contained 10,000 lines of source code.
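As an added illustration (not the column's own code, and not any vendor's algorithm), here is a minimal model of index matching using hashed word shingles: a registered document is turned into a set of fingerprints, and an outbound message is flagged when a meaningful share of its own shingles appear in that index. The window size, the threshold and the sample documents are assumptions constructed for the example.

```python
import hashlib
import re
from typing import List, Set

# Assumed window size: a shingle is SHINGLE_WORDS consecutive tokens.
SHINGLE_WORDS = 6


def _tokens(text: str) -> List[str]:
    # Normalise case and whitespace so reformatting does not defeat a match.
    return re.findall(r"\w+", text.lower())


def _shingles(text: str) -> Set[str]:
    toks = _tokens(text)
    out: Set[str] = set()
    for i in range(len(toks) - SHINGLE_WORDS + 1):
        window = " ".join(toks[i:i + SHINGLE_WORDS])
        # Store hashes rather than content so the index itself cannot leak the document.
        out.add(hashlib.sha256(window.encode()).hexdigest())
    return out


def register_document(index: Set[str], doc: str) -> int:
    """'Check in' a protected document; returns the number of fingerprints added."""
    fps = _shingles(doc)
    index |= fps
    return len(fps)


def match_ratio(index: Set[str], outbound: str) -> float:
    """Fraction of the outbound message's shingles that belong to a registered document."""
    fps = _shingles(outbound)
    if not fps:
        return 0.0
    return len(fps & index) / len(fps)


# Constructed "protected" source file (200 lines); leaking three of them should still match.
PROTECTED = "\n".join(
    f"int compute_value_{i}(int x) {{ return x * {i} + secret_salt_{i}; }}" for i in range(200)
)
LEAK = "fyi here is the bit you asked for:\n" + "\n".join(PROTECTED.splitlines()[40:43])
BENIGN = "Hi team, lunch is at noon on Thursday, please RSVP by tomorrow. Thanks!"

INDEX: Set[str] = set()
register_document(INDEX, PROTECTED)

if __name__ == "__main__":
    print(f"leak match ratio:   {match_ratio(INDEX, LEAK):.2f}")    # about 0.70
    print(f"benign match ratio: {match_ratio(INDEX, BENIGN):.2f}")  # 0.00
```

The same set-membership lookup is what an endpoint agent has to perform against the central index for every file or message it inspects, which is where the scaling problem described later in the column comes from.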

All of this works seamlessly with network DLP, but when you try to do the same thing with endpoint DLP, you come up against performance and scalability issues. That's because the agents installed on each PC have to communicate with a central server to determine whether the data is part of a checked-in document.

This will all be resolved in future releases, the endpoint DLP vendor assures us. That doesn't help us now, though, so we'll either have to deploy network sensors at all of our remote offices or accept the decreased functionality that we'll get with endpoint DLP.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at
