DATA LOSS PREVENTION OVERVIEW WITH EXAMPLES AND SIMULATIONS
BY IZZMIER IZZUDDIN
DATA LOSS PREVENTION (DLP)
Key Components Of DLP:
1. Data Identification and Classification:
o Data Discovery: Identify and locate sensitive data within the
organisation, including structured and unstructured data.
o Data Classification: Categorise data based on its sensitivity and
importance, such as confidential, restricted, or public.
2. Data Monitoring:
o Content Inspection: Analyse data at rest, in motion, and in use to
identify sensitive information.
o User Activity Monitoring: Track user actions to detect suspicious
behaviour, such as large data downloads or uploads.
3. Policy Enforcement:
o Access Controls: Implement rules to control who can access, modify, or
share sensitive data.
o Encryption: Encrypt sensitive data to protect it during transmission and
storage.
4. Incident Response:
o Alerting and Reporting: Generate alerts for potential data breaches and
provide detailed reports for further analysis.
o Automated Actions: Configure automatic responses, such as blocking
data transfers or quarantining files, to prevent data loss.
Common DLP Technologies and Tools:
• Network DLP: Monitors and controls data transfers over the network, including
email, web, and file transfers.
• Endpoint DLP: Protects data on end-user devices like laptops and desktops,
monitoring activities such as copying to USB drives.
• Cloud DLP: Secures data stored in cloud services and applications, ensuring
compliance with data protection policies.
• Email DLP: Prevents the unauthorised sharing of sensitive information through
email communication.
Best Practices for Implementing DLP:
1. Define Clear Policies: Establish comprehensive DLP policies that align with
regulatory requirements and business objectives.
2. Regular Training and Awareness: Educate employees about data protection
practices and the importance of adhering to DLP policies.
3. Continuous Monitoring and Improvement: Regularly review and update DLP
policies and technologies to adapt to evolving threats.
4. Collaboration with Stakeholders: Involve various departments, such as IT,
legal, and compliance, to ensure a holistic approach to data protection.
Benefits of DLP:
• Prevents Data Breaches: Reduces the risk of unauthorised access and leakage
of sensitive information.
• Regulatory Compliance: Helps organisations comply with data protection
regulations, such as GDPR, HIPAA, and CCPA.
• Protects Intellectual Property: Safeguards proprietary information and trade
secrets from being exposed or stolen.
• Maintains Customer Trust: Ensures that customer data is handled securely,
fostering trust and loyalty.
DATA LOSS PREVENTION (DLP) POLICIES
Common Types of DLP Policies:
1. Data Classification Policies:
o Define and categorise data based on sensitivity (e.g., public, internal,
confidential, highly confidential).
o Example: Classify all customer personally identifiable information (PII) as
"Highly Confidential."
2. Content Inspection Policies:
o Inspect data in motion, at rest, and in use for specific patterns or
keywords indicating sensitive information.
o Example: Scan outgoing emails for patterns resembling credit card
numbers (e.g., ####-####-####-####).
3. Access Control Policies:
o Control who can access, modify, or share sensitive data.
o Example: Only authorised HR personnel can access employee Social
Security numbers.
4. Encryption Policies:
o Mandate encryption for sensitive data both in transit and at rest.
o Example: Require encryption for all files containing financial data when
transferred via email.
5. Device Control Policies:
o Restrict the use of removable media and peripheral devices to prevent
unauthorised data transfer.
o Example: Block copying of sensitive data to USB drives.
6. Data Masking Policies:
o Mask sensitive information in datasets used for development or testing.
o Example: Mask credit card numbers in customer databases used by the
development team.
7. Email and Communication Policies:
o Monitor and control the transmission of sensitive information via email,
instant messaging, and other communication channels.
o Example: Block emails containing customer health information from
being sent to external domains.
8. Endpoint Protection Policies:
o Apply DLP controls at the endpoint to prevent data leaks through
applications, printers, and network connections.
o Example: Monitor and block printing of documents containing sensitive
financial data.
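The data masking policy in item 6 above is the one place in this list where the control is easy to show in working code. The block below is an added example, not part of the original document: it masks card numbers and SSNs to their last four digits (the truncated form PCI DSS permits for display), replaces names with a keyed pseudonym so joins between masked tables still work, and runs a release gate that refuses the masked copy if any raw value survived. The sample rows, the pseudonym key and the field names are constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed sample rows (not from the original document): a development copy
# of a customer table that still holds live card numbers and SSNs.
SAMPLE_ROWS = [
    {"customer_id": 12345, "name": "Nani", "card": "4111-1111-1111-1111", "ssn": "123-45-6789"},
    {"customer_id": 67891, "name": "Evra", "card": "5500-0000-0000-0004", "ssn": "987-65-4321"},
]

# Assumed secret for consistent pseudonyms. In a real deployment it comes from
# a secrets manager and is never stored beside the masked dataset.
PSEUDONYM_KEY = b"example-only-rotate-me"


def mask_card(pan: str) -> str:
    """Mask a card number to its last four digits, keeping the separators in
    place so downstream parsers see the same shape (****-****-****-1111)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a card number: %r" % pan)
    masked_digits = "*" * (len(digits) - 4) + digits[-4:]
    out, i = [], 0
    for ch in pan:
        if ch.isdigit():
            out.append(masked_digits[i])
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def mask_ssn(ssn: str) -> str:
    """Mask an SSN to its last four digits (XXX-XX-6789)."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("not an SSN: %r" % ssn)
    return "XXX-XX-" + digits[-4:]


def pseudonymise(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, deterministic pseudonym (truncated HMAC-SHA256). The same input
    always maps to the same token, so joins across masked tables still work,
    but without the key the original cannot be recovered or guessed by
    hashing candidate names."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def mask_row(row: dict) -> dict:
    return {
        "customer_id": row["customer_id"],
        "name": pseudonymise(row["name"]),
        "card": mask_card(row["card"]),
        "ssn": mask_ssn(row["ssn"]),
    }


def mask_dataset(rows: list) -> list:
    return [mask_row(r) for r in rows]


def leaks_raw_values(rows: list, masked: list) -> bool:
    """Release gate: True if any raw card number or SSN from the source rows
    survives verbatim in any string field of the masked output."""
    raw = {r["card"] for r in rows} | {r["ssn"] for r in rows}
    return any(v in raw for m in masked for v in m.values() if isinstance(v, str))


if __name__ == "__main__":
    masked = mask_dataset(SAMPLE_ROWS)
    for m in masked:
        print(m)
    print("raw values leaked:", leaks_raw_values(SAMPLE_ROWS, masked))
```

The release gate matters more than the masking functions: a masked export is usually produced by a script that someone later edits, and the gate is what catches a new column that was added without a masking rule.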
Example DLP Policies:
1. Prevent Unauthorised Transmission of PII:
o Policy Name: PII Transmission Prevention
o Description: Prevents unauthorised transmission of personally
identifiable information via email.
o Scope: All employees
o Rules:
§ Inspect outgoing emails for PII patterns (e.g., SSNs, addresses).
§ Block emails containing PII if sent to external domains.
§ Notify the sender and the security team of the blocked attempt.
2. Restrict Use of Removable Media:
o Policy Name: Removable Media Restriction
o Description: Restricts the use of USB drives and other removable media
for transferring sensitive data.
o Scope: All employees
o Rules:
§ Block copying of files classified as "Highly Confidential" to USB
drives.
§ Log all attempts to copy data to removable media.
§ Alert the security team of any blocked attempts.
3. Encryption for Sensitive Data:
o Policy Name: Sensitive Data Encryption
o Description: Ensures sensitive data is encrypted during transmission and
storage.
o Scope: All systems and applications handling sensitive data
o Rules:
§ Encrypt emails containing financial data.
§ Require encryption for data stored in cloud services.
§ Regularly audit encryption practices to ensure compliance.
Best Practices for Creating DLP Policies:
1. Understand Your Data:
o Identify and classify sensitive data within your organisation.
o Determine where sensitive data resides and how it flows within and
outside the organisation.
2. Involve Stakeholders:
o Collaborate with various departments, such as IT, legal, compliance, and
business units, to understand their needs and ensure policies are
comprehensive.
3. Define Clear Objectives:
o Establish clear goals for each policy, such as preventing data breaches,
ensuring regulatory compliance, or protecting intellectual property.
4. Balance Security and Usability:
o Create policies that protect sensitive data without overly restricting
legitimate business activities.
o Ensure policies are practical and enforceable.
5. Regularly Review and Update Policies:
o Periodically review and update DLP policies to address emerging threats,
changes in business processes, and new regulatory requirements.
6. Educate and Train Employees:
o Provide regular training and awareness programs to ensure employees
understand DLP policies and their role in protecting sensitive data.
7. Monitor and Audit Compliance:
o Continuously monitor the effectiveness of DLP policies and conduct
regular audits to ensure compliance.
ROLE OF A DLP ANALYST
Key Responsibilities:
1. Policy Configuration and Management:
o Develop and configure DLP policies to detect and prevent data leakage.
o Regularly review and update policies to align with organisational needs
and regulatory requirements.
2. Monitoring and Analysis:
o Monitor data transfer activities across networks, endpoints, and cloud
environments.
o Analyse alerts generated by the DLP system to identify false positives and
true incidents.
3. Incident Response:
o Investigate and respond to potential data breaches.
o Work with the security team to contain and mitigate data leakage
incidents.
o Document incidents and response actions for further analysis and
reporting.
4. Reporting and Documentation:
o Generate regular reports on DLP incidents, trends, and policy
effectiveness.
o Maintain detailed records of incidents and actions taken for audit and
compliance purposes.
5. Collaboration and Training:
o Collaborate with IT, legal, compliance, and business units to ensure
comprehensive data protection.
o Provide training and awareness programs to employees on data
protection practices and DLP policies.
EXAMPLES AND SIMULATIONS
Scenario 1: A financial institution, IFFAH Bank, wants to protect its customers'
sensitive information such as Social Security Numbers (SSNs), credit card details, and
confidential financial records from being accidentally or maliciously leaked via email.
Steps to Implement DLP:
1. Data Identification and Classification:
o IFFAH Bank uses a DLP solution to scan its database and identify all
documents and files containing SSNs, credit card details, and other
sensitive information.
o The DLP system classifies this data as "Highly Confidential."
2. Policy Enforcement:
o IFFAH Bank configures DLP policies to prevent the transmission of
"Highly Confidential" data via email.
o Policies include pattern matching (regular expressions) for SSNs (e.g.,
###-##-####) and credit card numbers (e.g., ####-####-####-####).
3. Data Monitoring:
o The DLP solution monitors outgoing emails and attachments in real-time
for any matches to the identified sensitive data patterns.
o User activity is logged for any actions involving sensitive data, such as
accessing or modifying files.
4. Incident Response:
o If the DLP system detects an email containing sensitive information, it
automatically blocks the email and generates an alert.
o The system also quarantines the email for further review by the security
team.
Outgoing Email Detected:
From: izzmier@iffahbank.com
To: rooney@externalmail.com
Subject: Monthly Report
Hi Rooney,
Attached is the monthly financial report.
Best regards,
Izzmier
Attachment: monthly_report.pdf
Content of monthly_report.pdf:
Customer Name: Rashford
SSN: 123-45-6789
Credit Card Number: 1234-5678-9876-5432
Account Balance: RM 15,000
[Additional confidential financial information]
DLP Alert:
Alert ID: DLP-IFFAH-20240729-001
Severity: High
Timestamp: 29-07-2024 10:15 AM
User: izzmier@iffahbank.com
Action: Email Blocked
Reason: Detected transmission of SSN and credit card details
Attachment: monthly_report.pdf
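The four steps above and the PII Transmission Prevention policy from the previous section describe the same rule set: inspect the body and attachments of an outgoing email, block it if PII is found and the recipient is external, and raise an alert. The block below is an added example that implements that rule set; it is not the bank's or any product's code. It assumes iffahbank.com is the only internal domain, that attachment text has already been extracted (a real engine does that itself), and it adds a Luhn checksum on candidate card numbers, which is how real DLP engines avoid flagging every 16-digit order number. The sample email mirrors the one above.

```python
import re
from dataclasses import dataclass, field

# Assumed: the bank's own mail domains; anything else is external.
INTERNAL_DOMAINS = {"iffahbank.com"}

# SSN: reject area 000/666/9xx, group 00 and serial 0000, which are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card: any 16 digits in 4-4-4-4 groups; the Luhn check below rejects the
# 16-digit order numbers and reference IDs this would otherwise flag.
CARD_RE = re.compile(r"\b(?:\d{4}[- ]?){3}\d{4}\b")


def luhn_ok(number: str) -> bool:
    """Luhn checksum used by every major card brand."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Email:
    sender: str
    recipient: str
    subject: str
    body: str
    # filename -> text already extracted from the attachment. A real DLP
    # engine extracts text from PDF/XLSX/DOCX itself; that step is assumed.
    attachments: dict = field(default_factory=dict)


@dataclass
class Finding:
    kind: str
    location: str
    value: str


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def inspect_text(text: str, location: str) -> list:
    findings = [Finding("SSN", location, m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        if luhn_ok(m.group()):
            findings.append(Finding("CREDIT_CARD", location, m.group()))
    return findings


def redact(value: str) -> str:
    """Keep only the last four characters so the alert is not itself a
    second copy of the data it reports."""
    return value[-4:].rjust(len(value), "*")


def evaluate(email: Email, alert_id: str) -> dict:
    """PII Transmission Prevention rule set: inspect body and attachments,
    block external delivery when PII is found, log internal delivery."""
    findings = inspect_text(email.body, "body")
    for name, text in email.attachments.items():
        findings += inspect_text(text, name)
    kinds = sorted({f.kind for f in findings})
    if findings and is_external(email.recipient):
        action, severity = "Email Blocked", "High"
    elif findings:
        action, severity = "Logged", "Medium"
    else:
        action, severity = "Allowed", None
    return {
        "alert_id": alert_id if findings else None,
        "severity": severity,
        "user": email.sender,
        "recipient": email.recipient,
        "action": action,
        "reason": ("Detected transmission of " + ", ".join(kinds)) if kinds else "",
        "matched": [f"{f.location}: {f.kind} {redact(f.value)}" for f in findings],
    }


# Constructed to mirror the blocked message above (PDF text already extracted).
SAMPLE_EMAIL = Email(
    sender="izzmier@iffahbank.com",
    recipient="rooney@externalmail.com",
    subject="Monthly Report",
    body="Hi Rooney,\nAttached is the monthly financial report.\nBest regards,\nIzzmier\n",
    attachments={
        "monthly_report.pdf": (
            "Customer Name: Rashford\nSSN: 123-45-6789\n"
            "Credit Card Number: 1234-5678-9876-5432\nAccount Balance: RM 15,000\n"
        )
    },
)

if __name__ == "__main__":
    print(evaluate(SAMPLE_EMAIL, "DLP-IFFAH-20240729-001"))
```

Running it on the sample email blocks the message on the SSN alone: 1234-5678-9876-5432 fails the Luhn check, so a checksum-validating engine does not report it as a card number, whereas the test numbers used later in this document (4111-1111-1111-1111, 5500-0000-0000-0004) pass. Real PANs always pass, so the checksum only removes false positives; it also means alert text such as "Detected transmission of SSN and credit card details" should be read as the engine's actual findings, not the sender's intent.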
Analysis of the Incident:
1. Incident Detection:
o The DLP system successfully detected the presence of sensitive data
(SSN and credit card details) in the email attachment.
o The email was blocked to prevent the unauthorised disclosure of
sensitive information.
2. User Notification:
o Izzmier received a notification explaining why the email was blocked and
was advised to remove sensitive data or use secure channels for
transmission.
3. Security Team Review:
o The security team reviewed the quarantined email and verified that it
contained sensitive information.
o They contacted Izzmier to provide guidance on securely sharing the
report, such as using encrypted file transfer methods.
4. Policy Improvement:
o Based on this incident, the security team updated the DLP policies to
include more detailed checks for sensitive information in other document
formats and communication channels.
o Additional training sessions were scheduled to educate employees about
securely handling sensitive information.
Benefits and Outcomes:
• Prevented Data Breach: The DLP system effectively prevented a potential data
breach by blocking the email containing sensitive information.
• Compliance Maintenance: IFFAH Bank ensured compliance with data
protection regulations by preventing unauthorised data transmission.
• Increased Awareness: Employees were made aware of the importance of
handling sensitive information securely, reducing the risk of future incidents.
Scenario 2:
A healthcare provider, Sancho Medical Centre, aims to protect patient records,
particularly Protected Health Information (PHI) such as medical histories, treatment
plans, and insurance information, from being exposed through unauthorised USB
transfers.
Steps to Implement DLP:
1. Data Identification and Classification:
o Sancho Medical Centre uses a DLP solution to scan its systems and
identify all documents and files containing PHI.
o The DLP system classifies this data as "Highly Confidential."
2. Policy Enforcement:
o Sancho Medical Centre configures DLP policies to block the transfer of
"Highly Confidential" data to USB devices.
o Policies include file type restrictions, pattern matching for PHI, and
device control settings.
3. Data Monitoring:
o The DLP solution monitors all endpoints (workstations, laptops) in real-
time for any attempts to transfer classified data to USB devices.
o User activities involving sensitive data are logged for auditing purposes.
4. Incident Response:
o If the DLP system detects an attempt to transfer sensitive data to a USB
device, it automatically blocks the transfer and generates an alert.
o The system also logs the incident for further investigation by the security
team.
Attempted USB Transfer Detected:
User: dr.shaw@sanchomedical.com
Workstation: WS-102
Timestamp: 02-08-2024 2:30 PM
File: patient_records.xlsx
Destination: USB Device (SanDisk Ultra)
Content of patient_records.xlsx:
Patient ID | Name    | DOB        | Treatment Plan | Insurance Info
12345      | Carrick | 01/01/1980 | ACL Surgery    | Yanited Insurance
67891      | Pogba   | 01/01/1985 | MCL Surgery    | Man Insurance
[Additional confidential patient records]
DLP Alert:
Alert ID: DLP-SANCHO-20240802-003
Severity: High
Timestamp: 02-08-2024 2:30 PM
User: dr.shaw@sanchomedical.com
Action: USB Transfer Blocked
Reason: Detected attempt to transfer PHI to unauthorised USB device
File: patient_records.xlsx
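The endpoint side of this scenario, the decision an agent takes when a file is copied to removable media, is shown in the added example below. It is not Sancho Medical Centre's or any vendor's code. It assumes the file already carries the classification label assigned during discovery, that the policy allowlists corporate hardware-encrypted drives by serial number (the document does not define such a list), and it adds one thing the Removable Media Restriction rules above imply but do not state: every attempt is logged, and a user who keeps retrying within a short window is escalated. The events are constructed around the blocked transfer above.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed rule set for the Removable Media Restriction policy.
POLICY = {
    "blocked_labels": {"Highly Confidential"},
    # Corporate-issued, hardware-encrypted drives, identified by serial number.
    # Assumed allowlist; the original document does not define one.
    "allowed_device_serials": {"ENC-CORP-0001"},
    "escalate_after": 3,                       # this many blocks ...
    "escalate_window": timedelta(minutes=30),  # ... inside this window
}


@dataclass
class TransferEvent:
    user: str
    workstation: str
    timestamp: datetime
    file: str
    label: str           # classification assigned at discovery time
    device_name: str
    device_serial: str


class DeviceControl:
    """Endpoint agent logic: decide per copy attempt, log every attempt,
    and raise severity for a user who keeps retrying."""

    def __init__(self, policy: dict):
        self.policy = policy
        self.blocked_times = defaultdict(list)  # user -> timestamps of blocks
        self.audit = []

    def evaluate(self, ev: TransferEvent) -> dict:
        sensitive = ev.label in self.policy["blocked_labels"]
        trusted = ev.device_serial in self.policy["allowed_device_serials"]
        blocked = sensitive and not trusted
        record = {
            "timestamp": ev.timestamp.isoformat(timespec="minutes"),
            "user": ev.user,
            "workstation": ev.workstation,
            "file": ev.file,
            "destination": f"USB Device ({ev.device_name}, serial {ev.device_serial})",
            "action": "USB Transfer Blocked" if blocked else "USB Transfer Logged",
            "severity": "Info",
        }
        if blocked:
            window = self.policy["escalate_window"]
            recent = [t for t in self.blocked_times[ev.user] if ev.timestamp - t <= window]
            recent.append(ev.timestamp)
            self.blocked_times[ev.user] = recent
            escalated = len(recent) >= self.policy["escalate_after"]
            record["severity"] = "Critical" if escalated else "High"
            record["reason"] = (
                f"Attempt to transfer {ev.label} data to unauthorised USB device"
                + (f" ({len(recent)} blocked attempts in {window.seconds // 60} min)" if escalated else "")
            )
        self.audit.append(record)
        return record


def _t(hhmm: str) -> datetime:
    return datetime.strptime(f"2024-08-02 {hhmm}", "%Y-%m-%d %H:%M")


# Constructed events: the blocked attempt above, two retries, then a copy to an
# approved encrypted drive and a copy of a non-sensitive file by another user.
EVENTS = [
    TransferEvent("dr.shaw@sanchomedical.com", "WS-102", _t("14:30"), "patient_records.xlsx",
                  "Highly Confidential", "SanDisk Ultra", "4C530001"),
    TransferEvent("dr.shaw@sanchomedical.com", "WS-102", _t("14:34"), "patient_records.zip",
                  "Highly Confidential", "SanDisk Ultra", "4C530001"),
    TransferEvent("dr.shaw@sanchomedical.com", "WS-102", _t("14:41"), "records_copy.xlsx",
                  "Highly Confidential", "SanDisk Ultra", "4C530001"),
    TransferEvent("dr.shaw@sanchomedical.com", "WS-102", _t("15:05"), "patient_records.xlsx",
                  "Highly Confidential", "Corporate encrypted drive", "ENC-CORP-0001"),
    TransferEvent("nurse.lee@sanchomedical.com", "WS-107", _t("15:10"), "rota_august.pdf",
                  "Internal", "SanDisk Ultra", "4C530002"),
]


def run_sample(events=EVENTS) -> list:
    agent = DeviceControl(POLICY)
    return [agent.evaluate(ev) for ev in events]


if __name__ == "__main__":
    for rec in run_sample():
        print(rec["timestamp"], rec["user"], rec["action"], rec["severity"])
```

Two points worth keeping from this: the second event shows why the decision must key on the classification label rather than the file name or extension (zipping the spreadsheet changes both), and the fourth shows that an approved encrypted drive is still logged, so the audit trail covers allowed transfers as well as blocked ones.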
Analysis of the Incident:
1. Incident Detection:
o The DLP system successfully detected the presence of PHI in the
file patient_records.xlsx and blocked the transfer to the USB device.
o The transfer was intercepted to prevent unauthorised access to sensitive
patient information.
2. User Notification:
o Dr. Shaw received a notification explaining why the transfer was blocked
and was advised on secure methods to share or back up the file.
3. Security Team Review:
o The security team reviewed the incident and confirmed the presence of
PHI in the blocked file transfer.
o They contacted Dr. Shaw to understand the reason behind the transfer
attempt and provided guidance on secure data handling practices.
4. Policy Improvement:
o Based on this incident, the security team updated the DLP policies to
enhance monitoring of other removable media types.
o Additional training sessions were scheduled to reinforce the importance
of secure handling of PHI among healthcare staff.
Benefits and Outcomes:
• Prevented Data Breach: The DLP system effectively prevented a potential data
breach by blocking the unauthorised transfer of sensitive patient information.
• Compliance Maintenance: Sancho Medical Centre ensured compliance with
healthcare regulations, such as HIPAA, by preventing unauthorised data
transfers.
• Increased Awareness: Healthcare staff were made aware of the importance of
securely handling PHI, reducing the risk of future incidents.
Scenario 3: A large retail company, OnanaCo, experiences an attempted data breach
where an employee tries to send a list of customer credit card information via email to
an external address. The company's Data Loss Prevention (DLP) solution detects and
responds to the incident.
Incident Response Steps:
1. Incident Detection and Notification:
o The DLP system detects an attempt to send an email containing sensitive
customer data.
o The system blocks the email and generates an alert.
2. Initial Analysis:
o The security team reviews the DLP logs to gather details about the
incident.
o The team identifies the employee involved, the data involved, and the
intended recipient.
3. Containment:
o The employee's access to sensitive systems is temporarily suspended to
prevent further attempts.
o The blocked email is quarantined for further investigation.
4. Eradication:
o The security team scans the employee's workstation for other
unauthorised data or potential malware.
o Any discovered unauthorised data is removed.
5. Recovery:
o The employee's workstation is re-imaged to ensure it is clean.
o Access to systems is restored under closer monitoring.
6. Post-Incident Review:
o The incident is analysed to understand how it occurred and how to
prevent similar incidents in the future.
o Policies and DLP rules are reviewed and updated as necessary.
7. Reporting:
o Detailed incident reports are created for internal review and compliance
purposes.
o Legal and compliance assess whether the event meets a notification
threshold under applicable law (here the transmission was blocked, so it
may not); affected customers are notified if it does.
DLP Alert Log:
Alert ID: DLP-OnanaCo-20240802-045
Severity: High
Timestamp: 02-08-2024 11:30 AM
User: roykeane@onanaco.com
Workstation: WS-204
Action: Email Blocked
Reason: Detected transmission of credit card details
Attachment: customer_data.xlsx
Recipient: externalrecipient@hojlund.com
Content of customer_data.xlsx:
Customer ID | Name | Credit Card Number  | Expiry Date
12345       | Nani | 4111-1111-1111-1111 | 12/25
67891       | Evra | 5500-0000-0000-0004 | 08/24
[Additional sensitive customer data]
Security Team Analysis Log:
Incident ID: IR-OnanaCo-20240802-003
Timestamp: 02-08-2024 12:00 PM
Analyst: Fabio Da Silva
Summary:
- An attempted data breach was detected and blocked by the DLP system.
- User Roy Keane attempted to send an email with an attachment containing customer
credit card details to an external recipient.
Actions Taken:
- User access to sensitive systems suspended.
- Quarantined the email for further investigation.
- Scanned user's workstation; no additional unauthorised data or malware found.
- Re-imaged the workstation to ensure it is clean.
- Restored user access with enhanced monitoring.
Recommendations:
- Review and update DLP policies to include stricter email monitoring.
- Conduct additional training for employees on data protection policies.
- Implement stricter access controls for sensitive customer data.
Customer Notification:
Dear Customer,
We are writing to inform you of a recent security incident at OnanaCo. On 2 August
2024, our security systems detected and blocked an attempted unauthorised
transmission of customer credit card information. We have no evidence that any data
was successfully exfiltrated, and we are taking additional steps to enhance our security
measures.
We recommend that you monitor your financial accounts for any unusual activity. If you
notice any suspicious transactions, please contact your financial institution
immediately.
We apologise for any inconvenience this may cause and are committed to protecting
your personal information.
Sincerely,
OnanaCo Security Team
Benefits and Outcomes:
• Prevention of Data Breach: The DLP system effectively prevented the
unauthorised transmission of sensitive customer information.
• Compliance Maintenance: OnanaCo ensured compliance with data protection
regulations by promptly addressing the incident and notifying affected
customers.
• Improved Security Posture: The incident provided an opportunity to review and
strengthen data protection policies and employee training.
• Increased Awareness: Employees were reminded of the importance of
adhering to data protection policies, reducing the risk of future incidents.
Scenario 4:
A DLP Analyst at a financial institution, IzzmierBank, receives an alert indicating a
potential unauthorised transfer of customer data to an external email address. The
analyst needs to investigate the incident, confirm if it's a true positive, and take
appropriate action.
Simulation:
DLP Alert Log:
Alert ID: DLP-IzzmierBank-20240802-078
Severity: High
Timestamp: 02-08-2024 9:45 AM
User: bruno@izzmierbank.com
Workstation: WS-310
Action: Email Blocked
Reason: Detected transmission of customer credit card details
Attachment: customer_list.xlsx
Recipient: external_contact@casemiro.com
Content of customer_list.xlsx:
Customer ID | Name | Credit Card Number  | Expiry Date
12345       | Nani | 4111-1111-1111-1111 | 12/25
67891       | Evra | 5500-0000-0000-0004 | 08/24
[Additional sensitive customer data]
DLP Analyst Actions:
1. Review the Alert:
o The analyst reviews the DLP alert log and notes the high severity of the
alert, indicating an attempt to send customer credit card details via
email.
2. Initial Investigation:
o The analyst examines the blocked email and its attachment
(customer_list.xlsx) to confirm the presence of sensitive data.
o Confirms that the detected data (credit card numbers) is indeed sensitive
and should not be transmitted externally.
3. User Activity Analysis:
o The analyst reviews the recent activities of the user, Bruno Fernandes, to
determine if there are any patterns of suspicious behaviour.
o Checks if Bruno has attempted similar actions in the past or accessed
sensitive data without authorisation.
4. User Interview:
o The analyst contacts Bruno Fernandes to understand the context of the
attempted email.
o Bruno explains that he was trying to send the list to a third-party partner
for a legitimate business purpose but was unaware of the policy against
such transmissions.
5. Containment:
o The analyst ensures that the blocked email remains quarantined and no
sensitive data was transmitted.
o Temporarily suspends Bruno's access to sensitive customer data until
further notice.
6. Mitigation and Remediation:
o The analyst collaborates with the security team to implement additional
controls, such as stricter access permissions and enhanced monitoring
for Bruno's account.
o Educates Bruno on the correct procedures for securely sharing sensitive
information, such as using encrypted file transfer methods.
7. Documentation and Reporting:
o The analyst documents the incident, including details of the alert,
investigation findings, actions taken, and user responses.
o Generates a report summarising the incident for review by the security
team and for compliance purposes.
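Step 3 above, checking whether the user has a history of similar attempts, is the part of the triage that can be automated from the DLP system's own alert export. The block below is an added example of that check, not the bank's tooling: it parses a constructed pipe-separated alert export (the column layout is assumed), pulls the user's prior blocked alerts in a 30-day window, and turns a few indicators (repeat attempts, several recipient domains, a personal webmail recipient, the same attachment seen before) into a triage priority. The sample history is constructed so that the current alert is not the user's first.

```python
from datetime import datetime, timedelta

# Constructed alert export (assumed pipe-separated layout, not from the original):
# timestamp|alert_id|user|action|recipient|attachment
ALERT_LOG = """
2024-07-12 14:02|DLP-IzzmierBank-20240712-011|bruno@izzmierbank.com|Email Blocked|partner@casemiro.com|q2_customers.xlsx
2024-07-30 16:48|DLP-IzzmierBank-20240730-052|bruno@izzmierbank.com|Email Blocked|external_contact@casemiro.com|customer_list.xlsx
2024-08-02 09:45|DLP-IzzmierBank-20240802-078|bruno@izzmierbank.com|Email Blocked|external_contact@casemiro.com|customer_list.xlsx
2024-08-01 11:10|DLP-IzzmierBank-20240801-066|martinez@izzmierbank.com|Email Blocked|martinez@gmail.com|payroll.xlsx
2024-06-03 08:20|DLP-IzzmierBank-20240603-003|martinez@izzmierbank.com|Logged|cfo@izzmierbank.com|budget.xlsx
"""

# Assumed list of consumer webmail domains; a real deployment maintains its own.
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}


def parse_alerts(text: str) -> list:
    rows = []
    for line in text.strip().splitlines():
        ts, alert_id, user, action, recipient, attachment = line.split("|")
        rows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M"),
            "alert_id": alert_id,
            "user": user,
            "action": action,
            "recipient": recipient,
            "attachment": attachment,
        })
    return rows


def domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def user_history(rows: list, user: str, before: datetime,
                 window: timedelta = timedelta(days=30)) -> list:
    """Blocked alerts for the same user in the window before this alert."""
    return [r for r in rows
            if r["user"] == user and r["action"] == "Email Blocked"
            and before - window <= r["ts"] < before]


def triage(rows: list, alert_id: str) -> dict:
    """Score one alert from the user's recent history. The result supports
    the analyst's review and interview; it does not replace them."""
    current = next(r for r in rows if r["alert_id"] == alert_id)
    prior = user_history(rows, current["user"], current["ts"])
    indicators = []
    if prior:
        indicators.append(f"{len(prior)} prior blocked attempt(s) in 30 days")
    if len({domain(r["recipient"]) for r in prior + [current]}) > 1:
        indicators.append("multiple external recipient domains")
    if domain(current["recipient"]) in PERSONAL_DOMAINS:
        indicators.append("personal webmail recipient")
    if any(r["attachment"] == current["attachment"] for r in prior):
        indicators.append("same attachment sent before")
    priority = "P1" if len(indicators) >= 2 else "P2" if indicators else "P3"
    return {
        "alert_id": alert_id,
        "user": current["user"],
        "priority": priority,
        "indicators": indicators,
        "prior_alert_ids": [r["alert_id"] for r in prior],
    }


if __name__ == "__main__":
    rows = parse_alerts(ALERT_LOG)
    print(triage(rows, "DLP-IzzmierBank-20240802-078"))
    print(triage(rows, "DLP-IzzmierBank-20240801-066"))
```

In the constructed history the current alert is the user's third block in a month and the second time the same attachment was sent, which is exactly the kind of fact the analyst should have in hand before the interview in step 4: a user who says they were unaware of the policy after two earlier blocked attempts and notifications warrants a different follow-up than a first-time sender.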
Incident Report:
Incident ID: IR-IzzmierBank-20240802-045
Timestamp: 02-08-2024 11:00 AM
Analyst: Dalot
Summary:
- An attempted data breach was detected and blocked by the DLP system.
- User Bruno Fernandes attempted to send an email with an attachment containing
customer credit card details to an external recipient.
Actions Taken:
- Confirmed the presence of sensitive data in the blocked email.
- Conducted an initial investigation and user activity analysis.
- Interviewed the user to understand the context of the incident.
- Contained the incident by ensuring no data was transmitted and suspending user
access to sensitive data.
- Collaborated with the security team to implement additional controls and provided
user education on secure data handling practices.
Recommendations:
- Review and update DLP policies to include additional checks for similar scenarios.
- Conduct regular training sessions for employees on data protection policies and
secure data transfer methods.
- Implement stricter access controls for sensitive customer data.
EXAMPLE OF A DLP PRODUCT: SYMANTEC DATA LOSS PREVENTION
Key Features:
1. Data Discovery and Classification:
o Scans data at rest in databases, file servers, endpoints, and cloud
storage.
o Classifies data based on predefined and custom policies, such as PII,
PCI, HIPAA, and intellectual property.
2. Data Monitoring and Protection:
o Monitors data in motion across email, web, and network channels.
o Protects data at endpoints by monitoring and controlling activities like
copy, print, and USB transfer.
3. Policy Management:
o Provides an intuitive policy management interface for creating, deploying,
and managing DLP policies.
o Offers predefined templates for common regulatory requirements and
industry best practices.
4. Incident Detection and Response:
o Generates real-time alerts for policy violations and potential data
breaches.
o Provides detailed incident reports and workflows for investigating and
responding to incidents.
5. Endpoint Protection:
o Controls data movement on endpoints, including laptops, desktops, and
mobile devices.
o Prevents data leakage through device control, application control, and
endpoint encryption.
6. Cloud and Email Security:
o Integrates with cloud services like Office 365, Google Workspace, and
Box to monitor and protect cloud data.
o Secures email communications by inspecting and controlling outbound
emails for sensitive content.
7. Reporting and Analytics:
o Offers comprehensive reporting and analytics capabilities to track data
usage, policy violations, and incident trends.
o Provides dashboards and reports for compliance auditing and
management review.
Example Use of the Product:
Scenario: A financial services company, EvansSecure, uses Symantec DLP to protect
sensitive customer financial data from unauthorised access and transmission.
Simulation:
1. Policy Configuration:
o The DLP administrator configures a policy to protect customer financial
data, specifically targeting credit card numbers and bank account
details.
o The policy includes rules to block unauthorised email transmission,
copying to USB devices, and uploading to cloud storage.
2. Data Discovery:
o The Symantec DLP system scans the company's file servers and
endpoints to discover and classify sensitive financial data.
o Files containing credit card numbers and bank account details are tagged
as "Highly Confidential."
3. Monitoring and Detection:
o The DLP system continuously monitors email traffic, network activity, and
endpoint actions.
o An employee, Victor Lindelöf, attempts to email a spreadsheet containing
customer credit card details to his personal email address.
4. Incident Detection:
o The DLP system detects the unauthorised email transmission and blocks
the email.
o An alert is generated, and the incident is logged for further investigation.
Symantec DLP Alert Log:
Alert ID: DLP-EvansSecure-20240802-102
Severity: High
Timestamp: 02-08-2024 10:15 AM
User: victor@evanssecure.com
Workstation: WS-120
Action: Email Blocked
Reason: Detected transmission of credit card details
Attachment: customer_financial_data.xlsx
Recipient: victor@gmak.com
Content of customer_financial_data.xlsx:
Customer ID | Name | Credit Card Number  | Expiry Date
12345       | Nani | 4111-1111-1111-1111 | 12/25
67891       | Evra | 5500-0000-0000-0004 | 08/24
[Additional sensitive customer data]
5. Incident Response:
o The security team reviews the alert and confirms the presence of
sensitive financial data in the blocked email.
o The team contacts Victor Lindelöf to understand the context and informs
him of the company's data protection policies.
o Victor explains he was unaware of the policy and needed to work on the
file from home.
6. Mitigation and Remediation:
o The security team educates Victor on secure data handling practices,
such as using VPN and secure file transfer methods.
o The DLP policies are reviewed and updated to include additional user
training and awareness sessions.
o Access to sensitive data is re-evaluated, and additional controls are
implemented to prevent similar incidents.
Incident Report:
Incident ID: IR-EvansSecure-20240802-045
Timestamp: 02-08-2024 11:00 AM
Analyst: Van Der Sar
Summary:
- An attempted unauthorised email transmission of customer financial data was
detected and blocked by Symantec DLP.
- User Victor Lindelöf attempted to send an email with an attachment containing credit
card details to his personal email address.
Actions Taken:
- Confirmed the presence of sensitive data in the blocked email.
- Conducted an initial investigation and interviewed the user.
- Educated the user on secure data handling practices.
- Updated DLP policies and implemented additional controls.
Recommendations:
- Conduct regular training sessions for employees on data protection policies and
secure data transfer methods.
- Implement stricter access controls for sensitive financial data.
- Continuously review and update DLP policies to address emerging threats.
By using Symantec DLP, EvansSecure successfully protected its sensitive financial
data from unauthorised transmission, ensuring compliance with regulatory
requirements and safeguarding customer information.