Given that my website is called Data Security Expert and my current job is with a data security vendor, an article on the topic is definitely needed.

Anti-malware, EDR, XDR, MDR, firewalls and more are the product words we constantly hear; however, none of them focuses on protecting the data itself. To many people "data protection" means GDPR and paying a solicitor to draft a privacy policy nobody reads, and no, that does not technically protect data. If you are hacked or have an insider threat, a piece of paper (a policy) does nothing to stop the data leaving. That is the gap Data Loss Prevention (DLP) is meant to fill.

How can data be exfiltrated?
  • CD/DVD: less likely now since most endpoints no longer have an optical drive, though external USB writers may still be a concern
  • SD card: some laptops and desktops have a slot, and USB card readers can be used
  • USB drives or external hard drives: extremely common and easy to smuggle in
  • Email: mostly the Outlook app, though webmail (see websites below) is another route
  • Websites: all sorts. Chat apps, file sharing sites, webmail, personal websites etc.
  • Smartphones: most people do not know that a smartphone connected over USB presents itself as an MTP (Media Transfer Protocol) device rather than a USB mass storage device, so a rule that only blocks removable drives will not catch it
  • Bluetooth: file transfer to phones, tablets, laptops and more
  • Local apps: great, you have blocked the OneDrive website, but what about the OneDrive app installed on the endpoint syncing the same files?
  • And more sneaky ways
Who should you be worried about?
  • Accidental insider: people who do not realise that emailing data to their personal account is risky, or that storing data on an unencrypted USB stick has its risks
  • Malicious insider: staff who have been planted in a company to steal data, or who have become disgruntled over time
  • External attacker: someone who has infiltrated the network from the outside and now wants to exfiltrate data
What are the types of DLP?
  • Endpoint: an installed agent on your phone, tablet, laptop, desktop or server which monitors and/or blocks. Often these run at the kernel level for increased visibility and blocking capability (file system, USB and clipboard hooks). Can also classify data by user action or by policy
  • Network: watches email, web traffic, file shares and more, typically inline or via a proxy/SMTP gateway. Can also go out and scan network shares for sensitive content at rest
  • Cloud: present in OneDrive, SharePoint, Exchange and similar services as an add-on, applying policies to data already in the cloud and to data being shared out of it
Why do organisations use DLP?
  • Compliance: ticking the box for HIPAA, PCI-DSS, GDPR, CCPA etc. Sometimes enabled purely to satisfy an outside audit firm
  • IP: imagine working on the next vaccine and spending billions, then another pharma firm pinches the recipe
  • Beefing up general defences: firewalls, anti-malware and IPS are great, but they are aimed at stopping external attacks getting in, not at stopping data getting out
Sample use cases
  • Block pastes of sensitive content into ChatGPT
  • Block emails containing classified documents from leaving the company domain
  • Block mounting of USB storage
  • Force file encryption on USB drives
  • Block MTP outright, so phones cannot be used as a drive
  • Block files being uploaded to webmail
  • Block classified data being uploaded through the locally installed Slack, Discord or Teams apps
  • Block the domains of WhatsApp Web and Telegram Web, since their end-to-end encryption means the traffic cannot be inspected for content and the only practical control is to block the channel
  • Block based on content, i.e. credit card numbers, SSNs, national insurance numbers, email addresses, zip/post codes etc.
  • ATP-like functionality: since many DLP agents run at the kernel level, they can act somewhat like anti-malware by blocking known ransomware behaviour or flagging unknown malware
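The content-based use case above is where most DLP tuning effort goes, because naive pattern matching floods you with false positives. Below is an added example (not the page's own code or any vendor's engine) of how a content classifier can validate what it matches before blocking: credit card candidates are checked with the Luhn checksum, US SSNs against the invalid area/group/serial ranges, and UK national insurance numbers against the published prefix rules. The channel labels (`email`, `web_paste`, `web_upload`, `usb`), the `example.com` home domain and the sample text are all constructed assumptions for the demonstration.

```python
"""Content-based DLP matching with validation to cut false positives.

Added example, not the original page's code. Assumes the caller has
already decoded the channel payload (email body, clipboard paste,
upload) into plain text and knows which channel it came from.
"""
import re

# Candidate patterns; each hit is validated before it counts.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")          # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")       # US SSN, dashed form
NINO_RE = re.compile(r"\b([A-Z]{2})(\d{6})([A-D])\b")     # UK NI number
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")

# UK NINO rules: first letter not D/F/I/Q/U/V, second not D/F/I/Q/U/V/O,
# and these two-letter prefixes are never issued.
NINO_BAD_PREFIXES = {"BG", "GB", "NK", "KN", "TN", "NT", "ZZ"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cards(text: str) -> list[str]:
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str) -> list[str]:
    hits = []
    for area, group, serial in SSN_RE.findall(text):
        if area in ("000", "666") or area.startswith("9"):
            continue                      # never-issued area numbers
        if group == "00" or serial == "0000":
            continue
        hits.append(f"{area}-{group}-{serial}")
    return hits


def find_ninos(text: str) -> list[str]:
    hits = []
    for prefix, digits, suffix in NINO_RE.findall(text):
        if prefix[0] in "DFIQUV" or prefix[1] in "DFIQUVO":
            continue
        if prefix in NINO_BAD_PREFIXES:
            continue
        hits.append(prefix + digits + suffix)
    return hits


def classify(text: str) -> dict[str, list[str]]:
    """Return only the identifier types actually found in the text."""
    findings = {
        "card": find_cards(text),
        "ssn": find_ssns(text),
        "nino": find_ninos(text),
        "email": EMAIL_RE.findall(text),
    }
    return {k: v for k, v in findings.items() if v}


def decide(text: str, channel: str, destination_domain: str = "",
           own_domain: str = "example.com") -> tuple[str, dict]:
    """Policy decision for one payload. Hypothetical policy: regulated
    identifiers (card, SSN, NINO) may not leave the organisation by
    email, paste, upload or USB; email addresses alone are reported only."""
    findings = classify(text)
    regulated = any(k in findings for k in ("card", "ssn", "nino"))
    if not regulated:
        return "allow", findings
    if channel == "email" and destination_domain.lower() != own_domain:
        return "block", findings
    if channel in ("web_paste", "web_upload", "usb"):
        return "block", findings
    return "allow", findings


# Constructed sample payload: one valid card, one Luhn-failing card,
# one valid SSN, one valid NINO and a 13-digit phone number that is not a card.
SAMPLE = ("Invoice: card 4111 1111 1111 1111, SSN 123-45-6789, NI AB123456C, "
          "test card 4111 1111 1111 1112, phone 0123456789012, "
          "contact bob@example.com")

if __name__ == "__main__":
    print(decide(SAMPLE, "email", "gmail.com"))
    print(decide(SAMPLE, "email", "example.com"))
```

The Luhn and range checks are what turn a noisy regex into something you can safely set to block rather than just log; a phone number or invoice reference that happens to be 16 digits long fails the checksum and is ignored. Real products add proximity keywords ("card", "SSN"), hit-count thresholds and exact data matching against a hashed customer list on top of this.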