Data Loss Prevention (DLP)

(OBJ 4.4)

Data Loss Prevention (DLP)

• Aims to monitor data in use, in transit, or at rest to detect and prevent data theft
• It is very easy to plug in an external hard drive to your laptop, download all data that you can and then walk out the building with it
  • Large and easy to detect.
  • Thumb-drives fixed that
  • Now the network has outperformed these technologies
• DLP systems are available as software or hardware solutions
• "Protect the assets of your company"

Types of DLP Systems

• Endpoint DLP System

  • Piece of software installed as software on workstations or laptops
  • Monitors data in use on individual computers
  • Can prevent or alert on file transfers based on predefined rules and policies
  • Pretty much like an IPS or IDS would but focused on data.
    • Can be set to detection mode or prevention mode

• Network DLP System

  • Software or hardware placed at the network perimeter
  • Checks all of the data going into or out of your network, specially focusing on things going out of the network (things that shouldn't be leaving the building)
  • Focuses on monitoring data entering and leaving the network
  • Detects unauthorized data leaving the network

• Storage DLP System

  • A software installed on a server in the data center
  • Inspects data at rest, especially encrypted or watermarked data
  • Monitors data access patterns and flags policy violations
    • Makes sure nobody is accessing the data at times where no one should be

• Cloud-Based DLP System

  • Offered as a software-as-a-service (SaaS) solution
  • Protects data stored in cloud services
  • Example: Google Drive Data Loss Prevention

Configuring a DLP

• Using Google Workspace to configure a DLP for Google Drive, Google Docs, Gmail, etc.
• Very similar process in Office 365
• Configure DLP to be able to protect our chat and our Google Drive from having data loss happening

DLP for Google Chat and Google Drive

1. Go to your admin panel which is located at admin.google.com
   • This feature does not work on free Google accounts.
2. Under "Security", on the left menu bar, hit the down arrow, and click on "Access and data control", then we are going to go down to "Data protection", once you click it, the data protection screen will load.
   • From here you can get info about your drive and blocked chats
   • Email addresses are the most common thing being flagged here as DLP
   • Look at recommended data protection rules and detectors, you can implemented in you wanted to, that is already set up, you just need to accept it or edit it.
   • Click on the "Create"button to put that rule into effect.
3. Scroll down and see the "Managed Rules (0)" option, click it and this will allow us to set up our data protection rules.
4. Click on "Add Rule" to create a new rule.
   • Give it a name, example: Block SSNs
   • Add a Description: Configure DLP to prevent SSNs from being shared in chat or Google Drive files
   • Define scope, by default is to everyone, but you can set it up for only certain groups of people
5. Click on "Continue" and establish what is this going to apply to, which applications?
   • Google Chat or Google Drive, or both
   • Google Chat uses OCR (Optical Character Recognition)
6. Hit "Continue" and add conditions to define the data to actually look for
   • All content or just certain content
   • You can create a reg expression or match a word from a list or data type
   • There are predefined data types
   • You can select SSN for the U.S. for example
   • Set a Likelihood Threshold (where do we want actions to start happening?)
     • Very low: a ton of false positives
   • Set the minimum number of unique matches and the minimum match count, 1 is set as default values
7. Click "Continue" and define what Action to take
   • Action for Google Chat
     • Warn users, block messages, audit (log)
     • Select all things it will apply to, spaces, 1:1 chats, etc.
     • Customize message
   • Action for Google Drive
     • Block external sharing, warn on external sharing, disable download print and copy for commenters and viewers
   • Alerting
     • The event will be reported in the security dashboard
     • Low, Medium, High
     • Send to alert center
8. Hit "Continue" and review
   • See all configured details
   • Go down and set it to be "Active"
   • Now this rule is in effect!

DLP for Gmail

1. Go on the left side under the admin dashboard, click on "Apps", go to "Google Workspace" and then click on "Gmail", once there scroll down and click on "Compliance", under here you will find our DLP features
   • See that there is one called Content Compliance and that is what they call DLP inside of Gmail.
2. Hit "Configure" under "Content Compliance"
   • Set a name
   • Email messages to affect
     • Outbound
   • Add expressions that describe content
     • Simple content match, advanced, predefined content etc.
     • Confidence threshold: High/Medium
   • If the above expressions match, do the following
     • Modify message, reject message, quarantine message
     • Notify the sender that the recipient will not get that message

Look at Google Sensitive Data Protection Demo and change some values so you can see how the Likelihood changes with more or less clues about what a value is.