
DLP is for “Honest” Employees, Not Inside Threats

Data Loss Prevention (DLP) tools are effective at the job they are designed for: data governance and regulatory compliance, specifically preventing data leakage and the inadvertent disclosure of sensitive information.

DLP should not be considered a primary security solution or a “data firewall”, but it does play an important role in any defense-in-depth security program. If an Advanced Persistent Threat (APT), or a highly motivated disgruntled employee, is determined to deliberately subvert company policy, DLP can detect the initial, unconcealed attempts. Beyond that, it has specific limitations as a pure security control.

Bypassing DLP Protection

Here is a real-world example of bypassing DLP protections using a technique called steganography. The image below contains highly sensitive personal, Protected Health Information (PHI) and financial data (sample data only, NOT real), yet it is undetectable to virtually all DLP systems. The sensitive data is stored inside the image’s binary data, and the image can easily be inserted into an email as part of the signature or as an attachment, or used as a watermark within a document.

Follow these steps to view the sensitive data.

  1. Right-click and save the image file containing sensitive data above to your desktop
  2. Open a browser and go to the Steganography Online website
  3. Click the Decode tab
  4. Click Choose File, browse to the file you saved in step #1
  5. Click the Decode button
  6. Review the secret/sensitive data
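The one variant of this trick that a content-aware gateway can cheaply catch is data that rides in the carrier file's structure rather than in its pixels. The scanner below is an added example, not code from the original post or from any DLP product; it builds its own constructed PNG fixture, walks the chunk list, and flags bytes after IEND, unrecognised chunk types, CRC mismatches and truncation, reporting the entropy of any trailing bytes so plain text can be told apart from an encrypted blob.

```python
import math
import struct
import zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types treated as ordinary for a baseline scan (constructed allow-list).
EXPECTED_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA",
                   b"cHRM", b"sRGB", b"iCCP", b"pHYs", b"tIME", b"bKGD"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8 for encrypted or compressed payloads, lower for plain text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(bytes([b])) for b in range(256)) if c)

def scan_png(blob: bytes) -> dict:
    """Walk the chunk list; report unexpected chunks, CRC errors, truncation and bytes after IEND."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    f = {"unexpected_chunks": [], "crc_errors": 0, "truncated": False, "trailing_bytes": 0, "trailing_entropy": 0.0}
    pos = len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        if pos + 12 + length > len(blob):  # declared length runs past end of file
            f["truncated"] = True
            return f
        data = blob[pos + 8:pos + 8 + length]
        crc, = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) != crc:  # PNG CRC covers type + data, same polynomial as zlib
            f["crc_errors"] += 1
        if ctype not in EXPECTED_CHUNKS:
            f["unexpected_chunks"].append((ctype.decode("latin-1"), length))
        pos += 12 + length
        if ctype == b"IEND":  # decoders stop here; anything after is not image data
            break
    trailing = blob[pos:]
    f["trailing_bytes"] = len(trailing)
    f["trailing_entropy"] = round(shannon_entropy(trailing), 2)
    return f

def make_png(width: int = 2, height: int = 2) -> bytes:
    """Constructed minimal black RGB PNG so the scan has a valid carrier offline."""
    def chunk(ctype: bytes, data: bytes) -> bytes:
        return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))
    raw = (b"\x00" + b"\x00\x00\x00" * width) * height  # filter byte 0 before each row
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")
CLEAN = make_png()
# Constructed fixture (fake values): a record glued after IEND, the crudest way data rides inside an image.
STUFFED = CLEAN + b"SSN=000-00-0000;DOB=01/01/1970;ACCT=0000111122223333"
```

Pixel-level LSB embedding, the approach most image steganography tools use, leaves this structure intact and only shows up in statistical analysis of the decoded pixel data; this check is the cheap first filter, not a substitute for that.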

Takeaways

But you don’t have to take my word for it…
