4 hours 25 minutes
Hi. Welcome to module to lessen 6.2. In this lesson, we're gonna talk about data loss prevention, otherwise known as DLP,
and GOP simply uses the data classifications in the markings that we talked about in the previous lesson. T create a data protection policy to put a policy in place that can block user and system access to certain types of data, depending on its classification.
As I said, data can be configured to block or monitor. We can actually block a user systems access to data, or we could simply allow that access to data. But we can monitor it in the background. And this is useful for if we create policy, for example, that says
you should only interact with data a certain way, and it's just a soft policy that we get people to sign and sign off on.
We can create a monitoring component in the background to make sure that people are actually following policy. Instead of creating a hard block policy,
GOP systems can be in line or agent based on. We'll talk about a little bit of each of those in a minute,
and this is a big one. DLP systems require lots and lots of tuning. As you can imagine, imagine the amount of data in the environment, the amount of, say, a word processing documents were documents in an entire organization and how many times people in systems interact with those word documents every day.
If not done properly, that's going to create a lot of noise. You're gonna have a lot of alarms if you don't create those monitoring and blocking mechanisms thoughtfully. So my advice is to start with the most sensitive data, take your highest level restricted data and puts in policy in place.
I would put a monitoring policy in place first to monitor
the interaction, to understand what normal looks like, what a normal baseline looks like. Identify any anomalies and ask questions about it. If people maybe you're interacting with that in a way they shouldn't at first. And then once you understand what normal puts looks like, then put a blocking mechanism in place against that very restricted data first. And once you get that down,
move down the chain and go down the hierarchy
piece by piece,
GOP function alley. The DLP system can actually it consent its policy to local agents on the workstations. And then that policy policy can be executed as the workstation tries to perform certain tasks. Or,
um, you concerned that policy? That policy can interact with email systems with proxies.
The deal P system can actually go out there and actively scan file servers and database servers. Maybe you don't know where you're restricted. Data is. You have no idea where it where it lives because people save data all over the place. You're DLP system wants that classification is in place, can go out and look for certain keywords within documents. Or, if you have the classifications place
in place already,
it can go look for those markings. If not, you can just tell to go scan the environment for anything that looks like a Social Security number or a credit card number, or some keyword that you might have as sensitive information within your environment. But you're DLP system can go find that data for you so you can create policy around it.
That deal P agent that gets pushed down to the local endpoint. A couple of examples of what an agent on the endpoint can do is, let's say we've got a user who tries to copy a Social Security number to a USB drive. That's something that the deal P policy can block. They can identify that is so security number based on the pattern
and block it when it tries to get written to a USB drive
or monitor and just let you know that it happened. That same Social Security number gets create, sent in an email as a users, typing the email and creating the email. It won't get blocked when the user tries to send that email. It won't be allowed to leave the local system so that local agent can be in charge of stuff that happens locally on that system
as it as a
as it pertains to data classification.
Example. Oven in line usage of DLP is with the Web proxy. This is probably the most common one.
So let's say we've got a user here who's trying to do to make a request out to the Internet. They've got some data. Maybe it's the Social Security number they have that that data on. They're trying to submit it to some Web site out there. They're trying toe let sensitive data leave the environment by doing an http put by submitting and entering that data
into a form on some website and hitting,
hitting the send button or hitting the submit button that would be an http put request that put request gets to the proxy a proxy, consent it to the deal piece system and deal beacon, check its policy and say no. That user is not allowed to send Social Security numbers out of the organization.
Make send a decision back to the proxy, and that proxy can actually block that flow.
But what happens
if the user sends an encrypted put session? What if that users trying to expel trait data on send data outside the organization but the recession is encrypted? Well, in that case, the proxies going to still do the same thing is going to send the data down to the DLP system deal. He's going to say, I don't know. I can't read it. It's encrypted.
It's gonna let the proxy No, I have no idea. The proxies gonna say, OK, well, I don't have anything blocking it. I'm gonna let it go through.
So it's critical that if you put a deal, P system in line in your Web proxy environment that you do some sort of SSL decryption with it.
The way this works is that same session hits the proxy. This time it's gonna be decrypted. There's an SSL decryption mechanism on the proxy decrypt secession. Looks at the data inside sends that to the GOP system. That GOP can read that in the clear
it could make a decision. Let's say this time the decision is to allow it. Maybe it's not a Social Security number this time, but maybe it's a,
um, sensitive personal information. And this is an HR person who needs to put this into the medical system. You know, out on the Web, just an example. But let's say this time the policy allows it deal peas, then gonna it's gonna send it back to the proxy. There's gonna be a re encryption process because if you
if the data got sent encrypted, it needs to go out the proxy encrypted and it'll go out. And
in its normal encrypted fashion
Now, one thing to note about this is this does cost problems with some websites. Some websites base the certificates that you have tow install to do. The SSL encryption and decryption mechanism sometimes cause issues with destination websites because it looks like a man in the middle attack.
It looks like someone tampered with the data
in flight, which technically we did. So there's some things you're gonna find if you put DLP in line and a proxy and you do SSL decryption, you'll find that some some websites, some destinations you're gonna have to put a bypass rule in place because that destination just will not accept that traffic because it thinks it's been tampered with.
Okay, that wraps up our session on DLP. Next up, we're gonna talk about I am.
ISACA CISM - Certified Information Security Manager
The ISACA Certified Information Security Manager (CISM) practice test from CyberVista helps students to prepare ...
The CompTIA Security+ SY0-501 certification course helps you develop your competency in topics such as ...
46 CEU/CPE Hours Available
Certificate of Completion Offered