Security Manager's Journal: Another step toward eliminating data loss

Implementing technology to monitor user and network activity can be an eye-opener.

Trouble Ticket

At issue: Network DLP has been worthwhile, but it has shortcomings.

Action plan: Add endpoint DLP. It also has limitations, but the two work well together.

Our security incident and event management tool made us suddenly aware of the magnitude of infestation on our network. When we deployed incident-detection and incident-prevention systems on our firewall, we were amazed at the number of hacking attempts against our Internet-facing resources.

We had a similar revelation when we implemented network-based data loss prevention (DLP). Within a few days of lighting it up, we had discovered a wide variety of data leaking from the company and had even uncovered illegal activity (an employee conspiring with someone from outside of the company to commit a crime). So network DLP is another win, but it has its problems.

First, we can monitor network traffic only at locations where we've installed a network monitor. Our company has more than 60 offices worldwide, and until we re-architect the network, each office has its own Internet connection, which means that we would need to deploy 60 sensors and configure 60 switches. That's a logistical nightmare. Second, without complicated proxy configurations at each remote office, we can't monitor encrypted network traffic. And finally, we can't monitor the Internet traffic of employees who go off the network (by working remotely, say) unless they are connected via VPN.

To address all of this and more, we decided to run a pilot of endpoint DLP.

Endpoint DLP has some shortcomings. For example, unlike network DLP, it won't let you conduct complicated data index matching. With data index matching, you can identify to the DLP system the text of documents deemed to be sensitive. Then, if a user copies just a few lines from an identified document and pastes them into another document or email, the DLP system would detect that activity and block it or send an alert. That level of detection is not quite available with endpoint DLP.
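The data index matching described above, as an added illustration that is not part of the original column or any DLP product: the sensitive document is reduced to hashed word windows ("shingles"), and an outgoing message is flagged when enough of its own windows hit the index, so a few pasted lines are caught while a short common phrase is not. The window length, the hit threshold and all documents and messages are constructed for the example.

```python
import hashlib
import re

SHINGLE_WORDS = 8   # assumed window length: an excerpt shorter than this goes undetected

def tokens(text):
    # Lower-case and strip punctuation so reformatting a pasted passage does not defeat the match.
    return re.findall(r"[a-z0-9]+", text.lower())

def shingle_hashes(words, n=SHINGLE_WORDS):
    # One SHA-256 per n-word window. Only hashes are stored, so the index
    # does not itself become another copy of the sensitive document.
    return [hashlib.sha256(" ".join(words[i:i + n]).encode()).hexdigest()
            for i in range(len(words) - n + 1)]

class DocumentIndex:
    def __init__(self):
        self.index = {}   # shingle hash -> set of document names containing it

    def register(self, name, text):
        for h in shingle_hashes(tokens(text)):
            self.index.setdefault(h, set()).add(name)

    def match(self, outgoing, min_hits=3):
        # Count how many windows of the outgoing text hit each registered document;
        # min_hits suppresses a chance hit on a single common phrase.
        hits = {}
        for h in shingle_hashes(tokens(outgoing)):
            for doc in self.index.get(h, ()):
                hits[doc] = hits.get(doc, 0) + 1
        return {doc: n for doc, n in hits.items() if n >= min_hits}

# Constructed sample document and messages; not real data.
SENSITIVE_DOC = (
    "Project Falcon acquisition plan. The board approved an offer of forty two "
    "million for Acme Widgets, to be announced after the quarterly earnings call. "
    "Integration of the Acme sales team will begin in the second quarter and "
    "the Dayton facility will be closed by year end."
)
PASTED_EMAIL = ("fyi - The board approved an offer of forty two million for Acme Widgets, "
                "to be announced after the quarterly earnings call. Keep it quiet.")
BENIGN_EMAIL = "Lunch at noon? The new cafe near the office has good coffee."

def build_index():
    idx = DocumentIndex()
    idx.register("falcon_plan", SENSITIVE_DOC)
    return idx

if __name__ == "__main__":
    idx = build_index()
    print(idx.match(PASTED_EMAIL))   # {'falcon_plan': 13}
    print(idx.match(BENIGN_EMAIL))   # {}
```

A real product would also normalise stop words and unicode and would index at the network sensor, which is why this level of matching is harder to do on the endpoint.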

Nonetheless, endpoint DLP does offer several advantages. For one, it gets around the problem of encrypted traffic, since it monitors activities before encryption takes place. It also stays on the job when a user is off the network. And it can spot when data is moved to external media, such as a USB flash drive.

Our pilot deployment of endpoint DLP involved about 200 IT personnel around the world. After some initial tuning, the results were almost immediate. Within hours, we observed a senior-level IT engineer copying a huge number of sensitive Active Directory configuration files and employee directories to an external USB drive. In all, he copied about 3GB of data, including 2GB of archived email.


That seemed suspicious enough, but the real payoff came from the way network DLP and endpoint DLP complement each other. The same IT engineer had been flagged by our network DLP, which sent an alert about him based on the "I'm leaving" rule, which instructs the system to look for any communications suggesting that someone is planning to leave the company. We wouldn't have paid attention to that notification if the endpoint DLP hadn't also alerted us to the fact that he was copying data. We talked to the engineer, he gave us the USB drive, and HR reminded him of the confidentiality agreement he had signed.
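The way the two alert streams reinforced each other in the case above, written out as triage logic; this is an added example and not the column's or any vendor's code. The event format, the 1 GB and 24-hour bulk-copy thresholds and the 14-day proximity window for the "I'm leaving" rule are all assumptions chosen for the example, and the events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample alerts from both DLP sources; not real data.
EVENTS = [
    {"ts": "2010-11-01T09:12:00", "user": "jdoe",   "source": "network",  "rule": "im_leaving"},
    {"ts": "2010-11-03T14:05:00", "user": "jdoe",   "source": "endpoint", "rule": "usb_copy", "bytes": 2_000_000_000},
    {"ts": "2010-11-03T14:20:00", "user": "jdoe",   "source": "endpoint", "rule": "usb_copy", "bytes": 1_000_000_000},
    {"ts": "2010-11-02T10:00:00", "user": "asmith", "source": "endpoint", "rule": "usb_copy", "bytes": 50_000_000},
    {"ts": "2010-11-02T16:30:00", "user": "bkim",   "source": "network",  "rule": "im_leaving"},
    {"ts": "2010-11-04T11:00:00", "user": "clee",   "source": "endpoint", "rule": "usb_copy", "bytes": 1_500_000_000},
]

USB_THRESHOLD = 1_000_000_000        # assumed tuning value: 1 GB to removable media ...
USB_WINDOW = timedelta(hours=24)      # ... within any rolling 24-hour window
LEAVING_WINDOW = timedelta(days=14)   # assumed: how close in time the "I'm leaving" hit must be

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def peak_usb_volume(events, user):
    """Largest total bytes the user wrote to removable media in any 24-hour window,
    plus the timestamp of that window's first write (0, None if no writes)."""
    writes = sorted((_ts(e), e["bytes"]) for e in events
                    if e["user"] == user and e["rule"] == "usb_copy")
    best, best_start = 0, None
    for i, (start, _) in enumerate(writes):
        total = sum(b for t, b in writes[i:] if t - start <= USB_WINDOW)
        if total > best:
            best, best_start = total, start
    return best, best_start

def prioritise(events):
    """Map each user seen in either feed to a triage priority.
    Bulk USB copy alone: medium. 'I'm leaving' alone: low. Both, close in time: high."""
    out = {}
    for user in {e["user"] for e in events}:
        volume, start = peak_usb_volume(events, user)
        bulk = volume >= USB_THRESHOLD
        leaving = [_ts(e) for e in events if e["user"] == user and e["rule"] == "im_leaving"]
        near = bulk and any(abs(start - t) <= LEAVING_WINDOW for t in leaving)
        out[user] = "high" if near else "medium" if bulk else "low" if leaving else "info"
    return out

if __name__ == "__main__":
    for user, prio in sorted(prioritise(EVENTS).items()):
        print(f"{user}: {prio}")   # jdoe: high, clee: medium, bkim: low, asmith: info
```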

Naturally, we highlighted the case of the departing IT engineer in building our business case for a global deployment of endpoint DLP early next year.

If we get the green light, we'll do a lot of tuning to reduce the number of false positives and to make sure we don't monitor personal activity involving things such as finances and healthcare. But it looks like we're going to have our eyes opened again, this time by endpoint DLP.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at
