
DLP systems review. DLP technology. Brief history of creation

About the problem

Today, information technology is an important component of any modern organization. Figuratively speaking, information technology is the heart of the enterprise: it keeps the business running and increases its efficiency and competitiveness in conditions of fierce modern competition. Business process automation systems, such as document management, CRM, ERP, and multidimensional analysis and planning systems, make it possible to collect, systematize and group information quickly, accelerating management decision-making and making the business and its processes transparent to management and shareholders. It becomes obvious that a large amount of strategic, confidential and personal data is an important information asset of the enterprise, and the consequences of a leak of this information will affect the efficiency of the organization. Traditional security measures such as antiviruses and firewalls protect information assets from external threats, but do nothing to protect them from leakage, distortion or destruction by an internal attacker. Internal threats to information security may remain ignored or, in some cases, unnoticed by management due to a lack of understanding of how critical these threats are to the business. It is for this reason that protecting confidential data is so important today.

About the solution

Protecting confidential information from leakage is an important component of an organization's information security complex. DLP systems (data leakage protection systems) are designed to solve the problem of accidental and intentional leaks of confidential data.

A comprehensive data leak protection system (DLP system) is a software or hardware-software complex that prevents the leakage of confidential data.

The DLP system does this using the following main functions:

  • Traffic filtering across all data transmission channels;
  • Deep traffic analysis at the content and context level.
Protecting confidential information in a DLP system is carried out at three levels: Data-in-Motion, Data-at-Rest, Data-in-Use.

Data-in-Motion – data transmitted over network channels:

  • Web (HTTP/HTTPS protocols);
  • Internet instant messengers (ICQ, QIP, Skype, MSN, etc.);
  • Corporate and personal mail (POP, SMTP, IMAP, etc.);
  • Wireless systems (WiFi, Bluetooth, 3G, etc.);
  • FTP connections.
Data-at-Rest – data statically stored on:
  • Servers;
  • Workstations;
  • Laptops;
  • Data storage systems (DSS).
Data-in-Use – data used on workstations.

Measures aimed at preventing information leaks consist of two main parts: organizational and technical.

Protecting confidential information includes organizational measures to find and classify the data available in the company. During classification, data is divided into 4 categories:

  • Secret information;
  • Confidential information;
  • Information for official use;
  • Public information.
How confidential information is identified in DLP systems

In DLP systems, confidential information can be determined by a number of different characteristics, as well as in various ways, for example:

  • Linguistic information analysis;
  • Statistical analysis of information;
  • Regular expressions (patterns);
  • Digital fingerprint method, etc.
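As an added illustration (not part of the original article), the following Python sketch combines two of the detection methods listed above: a regular-expression pattern for bank card numbers, tightened with a Luhn checksum to cut false positives, and a digital-fingerprint check built from hashed word shingles of a protected document. The protected document, the sample messages, the category names and the thresholds are constructed for the example.

```python
import hashlib
import re

# Constructed protected document (sample text, not real data). In a real
# DLP deployment the fingerprint would be built from the classified file.
PROTECTED_DOC = """Draft supply agreement between Example Corp and Sample Ltd.
The parties agree on a unit price of 120 units per item delivered quarterly,
with penalties of 2 percent for each week of delay in delivery."""

# Regular-expression method: 16-digit card-like numbers, optionally grouped.
CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")
WORD_RE = re.compile(r"[a-z0-9]+")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out random 16-digit strings that match CARD_RE."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return card-like numbers in text that also pass the Luhn check."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def shingles(text: str, k: int = 5) -> set:
    """Normalize text and cut it into overlapping k-word windows."""
    words = WORD_RE.findall(text.lower())
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}


def fingerprint(text: str, k: int = 5) -> set:
    """Digital fingerprint: a set of truncated SHA-256 hashes, one per shingle.
    Only hashes leave the classification step, never the document text itself."""
    return {hashlib.sha256(s.encode()).hexdigest()[:16] for s in shingles(text, k)}


def fingerprint_overlap(doc_fp: set, text: str, k: int = 5) -> float:
    """Fraction of the candidate's shingles that also occur in the document."""
    probe = fingerprint(text, k)
    if not probe:
        return 0.0
    return len(probe & doc_fp) / len(probe)


def classify(text: str, doc_fp: set, min_overlap: float = 0.3) -> str:
    """Assign one of the article's categories to an outgoing message.
    A fingerprint match outranks a pattern match because it identifies a
    specific protected document rather than a generic data type."""
    if fingerprint_overlap(doc_fp, text) >= min_overlap:
        return "Secret information"
    if find_card_numbers(text):
        return "Confidential information"
    return "Public information"


DOC_FP = fingerprint(PROTECTED_DOC)

if __name__ == "__main__":
    # Constructed outgoing messages; 4111 1111 1111 1111 is a well-known test number.
    samples = [
        "FYI: the parties agree on a unit price of 120 units per item delivered quarterly, see attached",
        "Customer paid with card 4111 1111 1111 1111, please confirm",
        "Random reference 4111 1111 1111 1112 is not a card",
        "Lunch on Friday?",
    ]
    for s in samples:
        print(f"{classify(s, DOC_FP):<26} <- {s}")
```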
After the information has been found, grouped and systematized, the second part follows: the technical one.

Technical measures:
The protection of confidential information using technical measures is based on the functionality and technologies of the data leak protection system. The DLP system includes two modules: a host module and a network module.

Host modules are installed on user workstations and provide control over the actions performed by the user in relation to classified data (confidential information). In addition, the host module allows you to track user activity by various parameters, such as time spent on the Internet, launched applications, processes and data paths, etc.

The network module analyzes information transmitted over the network and controls traffic that leaves the protected information system. If confidential information is detected in the transmitted traffic, the network module stops the transmission.

What will the implementation of a DLP system give?

After implementing a data leakage protection system, the company will receive:

  • Protection of information assets and important strategic information of the company;
  • Structured and systematized data in the organization;
  • Transparency of business and business processes for management and security services;
  • Control of processes of transfer of confidential data in the company;
  • Reducing the risks associated with loss, theft and destruction of important information;
  • Protection against malware entering the organization from within;
  • Saving and archiving of all actions related to the movement of data within the information system.
Secondary advantages of the DLP system:
  • Monitoring the presence of personnel at the workplace;
  • Saving Internet traffic;
  • Optimization of the corporate network;
  • Control of applications used by the user;
  • Increasing staff efficiency.

DLP (Data Loss Prevention)

Systems for monitoring user actions, a system for protecting confidential data from internal threats.

DLP systems are used to detect and prevent the transfer of confidential data at various stages (during movement, use and storage). The DLP system allows you to:

    Control the work of users, preventing uncontrolled waste of working time for personal purposes.

    Automatically, unnoticed by the user, record all actions, including emails sent and received, chats and instant messaging, social networks, websites visited, data typed on the keyboard, files transferred, printed and saved, etc.

    Monitor the use of computer games in the workplace and account for the working time spent on them.

    Monitor users' network activity and account for the volume of network traffic.

    Control the copying of documents to various media (removable media, hard drives, network folders, etc.).

    Control users' network printing.

    Record user requests to search engines, etc.

    Data-in-motion - data in motion - email messages, transfer of web traffic, files, etc.

    Data-at-rest - stored data - information on workstations, file servers, USB devices, etc.

    Data-in-use - data in use - information being processed at the moment.

The architecture of DLP solutions may vary among different developers, but in general there are three main components:

    Interceptors and controllers for different information transmission channels. Interceptors analyze the information flows leaving the company's perimeter, detect confidential data, classify the information and pass it to the management server for processing of a possible incident. Data-at-rest discovery controllers run discovery processes on network resources to find sensitive information. Controllers for operations on workstations distribute security policies to end devices (computers), analyze the results of employee activity with confidential information, and transmit possible incident data to the management server.

    Agent programs installed on end devices: notice confidential data being processed and monitor compliance with rules such as saving information to removable media, sending, printing, copying via clipboard.

    Central management server - compares information received from interceptors and controllers and provides an interface for processing incidents and generating reports.

DLP solutions offer a wide range of combined information discovery methods:

    Digital prints of documents and their parts

    Digital fingerprints of databases and other structured information that is important to protect from distribution

    Statistical methods (increasing the sensitivity of the system when violations are repeated).

When operating DLP systems, several procedures are typically performed cyclically:

    Training the system in the principles of information classification.

    Entering response rules in relation to the category of detected information and groups of employees whose actions should be monitored. Trusted users are highlighted.

    Execution of a control operation by the DLP system (the system analyzes and normalizes information, compares it with the data detection and classification principles, and when confidential information is detected, compares it with the existing policies assigned to the detected category of information and, if necessary, creates an incident).

    Processing incidents (for example, inform, pause or block sending).

Features of creating and operating a VPN from a security perspective

Options for building a VPN:

    Based on network operating systems

    Router-based

    Based on firewalls

    Based on specialized software and hardware

    Based on specialized software

For VPN to work correctly and securely, you need to understand the basics of interaction between VPN and firewalls:

    VPNs are capable of creating end-to-end communication tunnels passing through the network perimeter, and therefore are extremely problematic in terms of access control from the firewall, which finds it difficult to analyze encrypted traffic.

    Thanks to its encryption capabilities, VPNs can be used to bypass IDS systems that are unable to detect intrusions from encrypted communication channels.

    Depending on the network architecture, the all-important network address translation (NAT) feature may not be compatible with some VPN implementations, etc.

Essentially, when making decisions about implementing VPN components into a network architecture, an administrator can either choose the VPN as a stand-alone external device or choose to integrate the VPN into the firewall to provide both functions in a single system.

    Firewall + separate VPN. VPN placement options:

    1. Inside the DMZ, between the firewall and the border router

    2. Inside the protected network, on the firewall's network adapters

    3. Inside the shielded network, behind the firewall

    4. In parallel with the firewall, at the entry point into the protected network.

    Firewall + VPN hosted as a single unit. Such an integrated solution is more convenient for technical support than the previous option, does not cause problems associated with NAT (network address translation) and provides more reliable access to the data for which the firewall is responsible. The disadvantage of an integrated solution is the high initial cost of purchasing such a tool, as well as the limited options for optimizing the corresponding VPN and firewall components (that is, the most satisfactory firewall implementations may not be suitable for building VPN components on their basis). A VPN can have a significant impact on network performance, and latency may occur during the following phases:

    1. When establishing a secure connection between VPN devices (authentication, key exchange, etc.)

    2. Delays associated with encrypting and decrypting protected data, as well as the transformations necessary to control its integrity

    3. Delays associated with adding a new header to transmitted packets

Email Security

Main mail protocols: (E)SMTP, POP, IMAP.

SMTP - Simple Mail Transfer Protocol, TCP port 25, no authentication. Extended SMTP (ESMTP) adds client authentication.

POP - Post Office Protocol 3 - receiving mail from the server. Cleartext authentication. APOP - a variant with authentication that does not send the password in clear text.

IMAP - Internet Message Access Protocol - is an unencrypted mail access protocol that, unlike POP3, allows you to work directly with your mailbox on the server without downloading letters to your computer.

Because these protocols have no proper means of encrypting information, SSL was adopted to encrypt their data. This gave rise to the following varieties:

POP3 SSL - port 995, SMTP SSL (SMTPS) port 465, IMAP SSL (IMAPS) - port 993, all TCP.

An attacker working with an email system may pursue the following goals:

    Attacking a user's computer by sending email viruses, sending fake emails (faking the sender's address in SMTP is a trivial task), reading other people's emails.

    An attack on a mail server using email with the aim of penetrating its operating system or denial of service

    Using a mail server as a relay when sending unsolicited messages (spam)

    Password interception:

    1. Interception of passwords in POP and IMAP sessions, as a result of which an attacker can receive and delete mail without the user's knowledge

    2. Interception of passwords in SMTP sessions, as a result of which an attacker can be illegitimately authorized to send mail through this server

To solve security problems with the POP, IMAP and SMTP protocols, the SSL protocol is most often used, which allows you to encrypt the entire communication session. Disadvantage: SSL is a resource-intensive protocol that can significantly slow down communication.

Spam and the fight against it

Types of fraudulent spam:

    Lottery - an enthusiastic notification of winnings in lotteries in which the recipient of the message did not participate. All you need to do is visit the appropriate website and enter your account number and card PIN code, which are allegedly required to pay for delivery services.

    Auctions - this type of deception consists in the absence of goods that the swindlers are selling. After paying, the client receives nothing.

    Phishing - a letter containing a link to a resource where the recipient is asked to enter data; it lures gullible or inattentive users into giving up personal and confidential data. Fraudsters send out a lot of letters, usually disguised as official letters from various institutions, containing links to decoy sites that visually copy the sites of banks, stores and other organizations.

    Postal fraud is the recruitment of personnel for a company supposedly in need of a representative in any country who can take care of sending goods or transferring money to a foreign company. As a rule, money laundering schemes are hidden here.

    Nigerian letters - ask to deposit a small amount before receiving money.

    Chain letters ("letters of happiness")

Spam can be mass or targeted.

Bulk spam lacks specific targets and uses fraudulent social engineering techniques against large numbers of people.

Targeted spam is a technique aimed at a specific person or organization, in which the attacker acts on behalf of the director, administrator or other employee of the organization in which the victim works or the attacker represents a company with which the target organization has established a trusted relationship.

The collection of addresses is carried out by selecting proper names, beautiful words from dictionaries, frequent word-number combinations, the method of analogy, scanning all available sources of information (chat rooms, forums, etc.), stealing databases, etc.

The received addresses are verified (checked that they are valid) by sending a test message, placing in the text of the message a unique link to a picture with a download counter or an “unsubscribe from spam messages” link.

Subsequently, spam is sent either directly from rented servers, or from incorrectly configured legitimate email services, or through the hidden installation of malicious software on the user’s computer.

The attacker complicates the work of anti-spam filters by introducing random texts, noise or invisible texts, using graphic letters or altering graphic letters, fragmented images, including the use of animation, and paraphrasing texts.

Anti-spam methods

There are 2 main methods of spam filtering:

    Filtering by formal characteristics of an email message

    Filter by content

    Formal method

    1. Filtering by lists: black, white and gray. Gray lists are a method of temporarily blocking messages with an unknown combination of sender email address and sending server IP address: the first delivery attempt is answered with a temporary failure, and as a rule spammer programs do not resend the letter, whereas legitimate mail servers retry later. The disadvantage of this method is the possibly long interval between sending and receiving a legitimate message.

    2. Checking whether the message was sent from a real or false (fake) mail server for the domain specified in the message.

    3. "Callback" - upon receiving an incoming connection, the receiving server pauses the session and simulates a working session with the sending server. If the attempt fails, the suspended connection is terminated without further processing.

    4. Filtering by formal characteristics of the letter: sender and recipient addresses, size, presence and number of attachments, sender's IP address, etc.

    Linguistic methods - working with the content of the letter

    1. Recognition by the content of the letter - the letter is checked for signs of spam content: a certain set and distribution of specific phrases throughout the letter.

    2. Recognition by letter samples (signature-based filtering, including graphic signatures)

    3. Bayesian filtering is filtering by words. When checking an incoming letter, the probability that it is spam is calculated from the text, which includes calculating the average "weight" of all words in the letter. A letter is classified as spam or not spam depending on whether its weight exceeds a threshold specified by the user. After a decision is made on a letter, the "weights" of the words it contains are updated in the database.
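An added example (not from the original article) of the Bayesian method described above, in Python: per-word spam "weights" are learned from a handful of constructed training letters, combined into a spam probability for a new letter, compared against a user-chosen threshold, and the decision is then fed back to update the weights. The combination step uses the usual log-odds sum of naive Bayes rather than a plain average, and the corpus is constructed for the example.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$]+")


def tokenize(text: str) -> set:
    """Lower-case word set; each word counts once per letter."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesianFilter:
    def __init__(self, threshold: float = 0.9):
        self.threshold = threshold      # user-specified decision threshold
        self.spam_counts = Counter()    # word -> number of spam letters containing it
        self.ham_counts = Counter()     # word -> number of legitimate letters containing it
        self.n_spam = 0
        self.n_ham = 0

    def train(self, text: str, is_spam: bool) -> None:
        """Update the word weight database with a labelled letter."""
        tokens = tokenize(text)
        if is_spam:
            self.spam_counts.update(tokens)
            self.n_spam += 1
        else:
            self.ham_counts.update(tokens)
            self.n_ham += 1

    def word_weight(self, word: str) -> float:
        """Probability that a letter containing `word` is spam (Laplace-smoothed,
        so a never-seen word gets the neutral weight 0.5)."""
        p_spam = (self.spam_counts[word] + 1) / (self.n_spam + 2)
        p_ham = (self.ham_counts[word] + 1) / (self.n_ham + 2)
        return p_spam / (p_spam + p_ham)

    def score(self, text: str) -> float:
        """Combine per-word weights into one spam probability (naive Bayes)."""
        tokens = tokenize(text)
        if not tokens:
            return 0.5
        # Sum of log-odds against spam; a weight of 0.5 contributes 0.
        eta = sum(math.log(1.0 - w) - math.log(w)
                  for w in (self.word_weight(t) for t in tokens))
        return 1.0 / (1.0 + math.exp(eta))

    def classify(self, text: str, learn: bool = True):
        """Decide spam / not spam and, as the article describes, update the
        weights of the letter's words afterwards."""
        p = self.score(text)
        is_spam = p >= self.threshold
        if learn:
            self.train(text, is_spam)
        return is_spam, p


def build_demo_filter() -> BayesianFilter:
    """Train on a constructed mini-corpus (sample text, not real mail)."""
    f = BayesianFilter(threshold=0.9)
    spam = [
        "WIN a free lottery prize! Claim your winnings now, enter your card PIN",
        "You won the lottery! Free prize, claim now",
        "Cheap pills, free shipping, buy now",
    ]
    ham = [
        "Meeting agenda for Monday, please review the attached agreement",
        "Quarterly report attached, see the agreement section",
        "Lunch on Friday? Let me know",
    ]
    for text in spam:
        f.train(text, True)
    for text in ham:
        f.train(text, False)
    return f


if __name__ == "__main__":
    f = build_demo_filter()
    for letter in ["Congratulations, you won a free lottery prize, claim now",
                   "Please review the attached agreement before the meeting"]:
        verdict, p = f.classify(letter)
        print(f"{'SPAM' if verdict else 'ok  '} p={p:.4f}  {letter}")
```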

Authentication in computer systems

Authentication processes can be divided into the following categories:

    Based on knowledge of something (PIN, password)

    Based on possession of something (smart card, USB key)

    Based on inherent characteristics (biometric characteristics)

Authentication types:

    Simple authentication using passwords

    Strong authentication using multi-factor checks and cryptographic methods

    Biometric authentication

The main attacks on authentication protocols are:

    "Masquerade" - when a user tries to impersonate another user

    Replay (retransmission) - when an intercepted password is sent on behalf of another user

    Forced delay

To prevent such attacks, the following techniques are used:

    Mechanisms such as challenge-response, timestamps, random numbers, digital signatures, etc.

    Linking the authentication result to subsequent user actions within the system.

    Periodically performing authentication procedures within an already established communication session.

    Simple authentication

    1. Authentication based on reusable passwords

    2. Authentication based on one-time passwords (OTP). A one-time password is valid for only one login and can be generated with an OTP token; for this, the user's secret key, stored both inside the OTP token and on the authentication server, is used.

    Strong authentication involves the proving party demonstrating its authenticity to the relying party by proving knowledge of a certain secret. It can be:

    1. One-way

    2. Two-way (mutual)

    3. Three-party

It can be carried out using smart cards, USB keys or cryptography.

Strong authentication can be implemented using a two- or three-factor verification process.

In the case of two-factor authentication, the user must prove that he knows the password or PIN code and has a certain personal identifier (smart card or USB key).

Three-factor authentication requires the user to provide another type of identification, such as biometrics.

Strong authentication using cryptographic protocols can rely on symmetric and asymmetric encryption, as well as hash functions. The proving party proves knowledge of the secret, but the secret itself is not revealed. One-time parameters are used (random numbers, timestamps and sequence numbers) to avoid repeated transmission, ensure uniqueness, unambiguity and time guarantees of transmitted messages.
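The following Python example is added here (it is not from the original article) to show a strong, one-way challenge-response protocol of the kind described: the prover demonstrates knowledge of a shared secret through an HMAC over a server-issued random nonce and a timestamp, the secret itself never crosses the wire, and the relying party rejects stale timestamps, replayed responses and an impostor who lacks the secret. User names, the shared secrets and the clock values are constructed for the example.

```python
import hashlib
import hmac
import os
import time

MAX_SKEW = 30  # seconds of clock difference the verifier tolerates


def compute_response(secret: bytes, nonce: str, timestamp: int) -> str:
    """Proof of secret knowledge: HMAC-SHA256 over the one-time parameters.
    The verifier can recompute it, but `secret` cannot be recovered from it."""
    message = f"{nonce}|{timestamp}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


class Prover:
    """The claimant side (user, token or client)."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def respond(self, nonce: str, now: int = None) -> tuple:
        timestamp = int(time.time()) if now is None else int(now)
        return timestamp, compute_response(self.secret, nonce, timestamp)


class Verifier:
    """The relying party: issues challenges and checks responses."""

    def __init__(self, secrets: dict, max_skew: int = MAX_SKEW):
        self.secrets = secrets      # user -> shared secret
        self.max_skew = max_skew
        self.pending = {}           # user -> outstanding nonce (one attempt each)

    def challenge(self, user: str) -> str:
        nonce = os.urandom(16).hex()   # random number, unique per attempt
        self.pending[user] = nonce
        return nonce

    def verify(self, user: str, nonce: str, timestamp: int, response: str,
               now: int = None) -> bool:
        now = int(time.time()) if now is None else int(now)
        # The challenge is consumed on first use, so a replayed response fails here.
        if self.pending.pop(user, None) != nonce:
            return False
        # The timestamp bounds how long a captured response remains usable.
        if abs(now - timestamp) > self.max_skew:
            return False
        secret = self.secrets.get(user)
        if secret is None:
            return False
        expected = compute_response(secret, nonce, timestamp)
        # Constant-time comparison avoids leaking the expected value byte by byte.
        return hmac.compare_digest(expected, response)


def demo(now: int = 1_700_000_000) -> dict:
    """Run the protocol for the legitimate user, a replay, a masquerade and a delay."""
    alice_secret = b"constructed-shared-secret-for-alice"
    verifier = Verifier({"alice": alice_secret})
    alice = Prover(alice_secret)
    results = {}

    nonce = verifier.challenge("alice")
    ts, resp = alice.respond(nonce, now)
    results["genuine"] = verifier.verify("alice", nonce, ts, resp, now)
    # Replay: an eavesdropper resends the captured (nonce, ts, resp).
    results["replay"] = verifier.verify("alice", nonce, ts, resp, now + 5)
    # Masquerade: an impostor answers a fresh challenge without the secret.
    nonce2 = verifier.challenge("alice")
    ts2, resp2 = Prover(b"wrong-secret").respond(nonce2, now)
    results["masquerade"] = verifier.verify("alice", nonce2, ts2, resp2, now)
    # Forced delay: a valid response presented long after it was computed.
    nonce3 = verifier.challenge("alice")
    ts3, resp3 = alice.respond(nonce3, now)
    results["delayed"] = verifier.verify("alice", nonce3, ts3, resp3, now + 120)
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:<10} -> {'accepted' if ok else 'rejected'}")
```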

Biometric user authentication

The most commonly used biometric features are:

    Fingerprints

    Vein pattern

    Hand geometry

    Iris

    Facial geometry

    Combinations of the above

Access control using a Single Sign-On (SSO) scheme

SSO allows a user of a corporate network to undergo only one authentication when they log into the network, presenting only one password or other required authenticator once, and then, without additional authentication, gain access to all authorized network resources that are needed to perform the job. Digital authentication tools such as tokens, PKI digital certificates, smart cards and biometric devices are actively used. Examples: Kerberos, PKI, SSL.

Response to information security incidents

Among the tasks facing any information security management system, two of the most significant can be identified:

    Incident Prevention

    If they occur, timely and correct response

The first task in most cases is based on the purchase of various information security tools.

The second task depends on the degree of preparedness of the company for such events:

        The presence of a trained IS incident response team with already pre-assigned roles and responsibilities.

        Availability of well-thought-out and interconnected documentation on the procedure for managing information security incidents, in particular, the response and investigation of identified incidents.

        Availability of prepared resources for the needs of the response team (communication tools, ..., safe)

        Availability of an up-to-date knowledge base on information security incidents that have occurred

        High level of user awareness in the field of information security

        Qualification and coordination of the response team

The information security incident management process consists of the following stages:

    Preparation – preventing incidents, preparing response teams, developing policies and procedures, etc.

    Detection – security notification, user notification, security log analysis.

    Analysis – confirming that an incident has occurred, collecting available information about the incident, identifying affected assets and classifying the incident by safety and priority.

    Response - stopping the incident and collecting evidence, taking measures to stop the incident and preserving evidence-based information, collecting evidence-based information, interacting with internal departments, partners and affected parties, as well as attracting external expert organizations.

    Investigation – investigation of the circumstances of information security incidents, involvement of external expert organizations and interaction with all affected parties, as well as with law enforcement agencies and judicial authorities.

    Recovery – taking measures to close the vulnerabilities that led to the incident, eliminating the consequences of the incident, restoring the functionality of the affected services and systems. Filing an insurance notice.

    Efficiency analysis and modernization - analysis of the incident, analysis of the effectiveness and modernization of the process for investigating information security incidents and the related documents and specific instructions. Generating a report for management on the investigation and on the need to modernize the security system, collecting information about the incident, adding it to the knowledge base and storing the incident data.

An effective information security incident management system has the following goals:

    Ensuring the legal significance of the collected evidentiary information on information security incidents

    Ensuring the timeliness and correctness of actions to respond to and investigate information security incidents

    Ensuring the ability to identify the circumstances and causes of information security incidents in order to further modernize the information security system

    Providing investigation and legal support for internal and external information security incidents

    Ensuring the possibility of prosecuting attackers and bringing them to justice as provided for by law

    Ensuring the possibility of compensation for damage from an information security incident in accordance with the law

The information security incident management system generally interacts and integrates with the following systems and processes:

    Information Security Management

    Risk management

    Ensuring Business Continuity

Integration is expressed in the consistency of documentation and formalization of the order of interaction between processes (input, output information and transition conditions).

The process of managing information security incidents is quite complex and voluminous. It requires the accumulation, processing and storage of a huge amount of information, as well as the execution of many parallel tasks, so there are many tools on the market that allow you to automate certain tasks, for example, the so-called SIEM systems (security information and event management).

Chief Information Officer (CIO) – director of information technology

Chief Information Security Officer (CISO) – head of the information security department, director of information security

The main task of SIEM systems is not just to collect events from different sources, but to automate the process of detecting incidents with documentation in their own log or external system, as well as timely informing about the event. The SIEM system has the following tasks:

    Consolidation and storage of event logs from various sources - network devices, applications, OS logs, security tools

    Provision of tools for event analysis and incident analysis

    Correlation and rule-based processing of the events that occurred

    Automatic notification and incident management
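As an added example (not taken from the article), the Python code below does on a small scale what the SIEM tasks above describe: it consolidates SSH authentication records from two hosts into normalized events, applies a correlation rule (five failed logins from one source address within 60 seconds, escalated if a successful login follows), and writes the resulting incidents to its own incident log. Host names, user names, timestamps and the addresses (from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges) are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines from two hosts (sample data, not a real capture).
RAW_LOGS = """\
2024-03-01T10:00:01 web01 sshd[1201]: Failed password for admin from 203.0.113.7 port 50111 ssh2
2024-03-01T10:00:05 web01 sshd[1201]: Failed password for admin from 203.0.113.7 port 50112 ssh2
2024-03-01T10:00:09 web02 sshd[2210]: Failed password for invalid user root from 203.0.113.7 port 50113 ssh2
2024-03-01T10:00:12 web02 sshd[2210]: Failed password for admin from 203.0.113.7 port 50114 ssh2
2024-03-01T10:00:15 web01 sshd[1202]: Failed password for admin from 203.0.113.7 port 50115 ssh2
2024-03-01T10:00:21 web02 sshd[2211]: Accepted password for admin from 203.0.113.7 port 50116 ssh2
2024-03-01T10:03:00 web01 sshd[1203]: Failed password for jdoe from 198.51.100.4 port 40001 ssh2
2024-03-01T10:03:30 web01 sshd[1203]: Accepted password for jdoe from 198.51.100.4 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def normalize(raw: str) -> list:
    """Consolidation step: parse lines from any host into uniform event dicts."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real collector would count and report unparsed lines
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events: list, threshold: int = 5, window: int = 60) -> list:
    """Correlation rule: many failures from one source IP (across all hosts)
    within `window` seconds; escalated to 'high' if a success follows."""
    failures = defaultdict(list)  # source ip -> timestamps of recent failures
    incidents = []
    for e in events:
        recent = [t for t in failures[e["ip"]] if (e["ts"] - t).total_seconds() <= window]
        if e["outcome"] == "Failed":
            recent.append(e["ts"])
            if len(recent) == threshold:  # fire once, when the threshold is crossed
                incidents.append({"rule": "brute_force", "severity": "medium",
                                  "ip": e["ip"], "at": e["ts"].isoformat()})
        elif len(recent) >= threshold:
            incidents.append({"rule": "brute_force_success", "severity": "high",
                              "ip": e["ip"], "user": e["user"], "host": e["host"],
                              "at": e["ts"].isoformat()})
        failures[e["ip"]] = recent
    return incidents


def run(raw: str = RAW_LOGS) -> list:
    """End to end: consolidate, correlate, and record incidents in our own log."""
    incident_log = []
    for i in correlate(normalize(raw)):
        incident_log.append(f"[{i['severity'].upper()}] {i['rule']} ip={i['ip']} at {i['at']}")
    return incident_log


if __name__ == "__main__":
    for entry in run():
        print(entry)
```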

SIEM systems are capable of identifying:

    Network attacks in internal and external perimeters

    Virus epidemics or individual virus infections, unremoved viruses, backdoors and Trojans

    Attempts of unauthorized access to confidential information

    Errors and malfunctions in the operation of the IS

    Vulnerabilities

    Errors in configuration, security measures and information systems.

Main sources of SIEM

    Access control and authentication data

    Server and workstation event logs

    Active network equipment

    Antivirus protection

    Vulnerability scanners

    Systems for accounting for risks, threat criticality and incident prioritization

    Other systems for protecting and controlling information security policies:

    1. DLP systems

    2. Access control devices, etc.

    Inventory systems

    Traffic accounting systems

The most famous SIEM systems:

QRadar SIEM (IBM)

KOMRAD (CJSC NPO ESHELON)

DLP (Digital Light Processing) is a technology used in projectors. It was created by Larry Hornbeck of Texas Instruments in 1987.

In DLP projectors, the image is created by microscopically small mirrors that are arranged in a matrix on a semiconductor chip called a Digital Micromirror Device (DMD). Each of these mirrors represents one pixel in the projected image.

The total number of mirrors indicates the resolution of the resulting image. The most common DMD sizes are 800x600, 1024x768, 1280x720, and 1920x1080 (for HDTV, High Definition TeleVision). In digital cinema projectors, the standard DMD resolutions are considered to be 2K and 4K, which correspond to 2000 and 4000 pixels along the long side of the frame, respectively.

These mirrors can be quickly positioned to reflect light onto either a lens or a heatsink (also called a light dump). Rapidly rotating the mirrors (essentially switching between on and off) allows the DMD to vary the intensity of light that passes through the lens, creating shades of gray in addition to white (mirror in the on position) and black (mirror in the off position).

Color in DLP projectors

There are two main methods for creating a color image. One method involves the use of single-chip projectors, the other - three-chip ones.

Single chip projectors


Figure: view of the contents of a single-chip DLP projector. The yellow arrow shows the path of the light beam from the lamp to the matrix, through the filter disk, mirror and lens. The beam is then reflected either into the lens (yellow arrow) or onto the radiator (blue arrow).
External images: optical design of a single-matrix DLP projector; micromirror suspension and control circuit.

In projectors with a single DMD chip, colors are produced by placing a rotating color disk between the lamp and the DMD, much like the Columbia Broadcasting System's "sequential color television system" used in the 1950s. The color disk is usually divided into 4 sectors: three sectors for the primary colors (red, green and blue), and a fourth transparent sector to increase brightness.

Due to the fact that the transparent sector reduces color saturation, in some models it may be absent altogether; in others, additional colors may be used instead of the empty sector.

The DMD chip is synchronized with the spinning disk so that the green component of the image is displayed on the DMD when the green sector of the disk is in the path of the lamp. Same for red and blue colors.

The red, green and blue components of the image are displayed alternately, but at a very high frequency. Thus, it seems to the viewer that a multi-colored picture is being projected onto the screen. In early models, the disk rotated once every frame. Later, projectors were created in which the disk makes two or three revolutions per frame, and in some projectors the disk is divided into a larger number of sectors and the palette on it is repeated twice. This means that the components of the image are displayed on the screen, replacing each other up to six times in one frame.

Some recent high-end models have replaced the rotating color disk with a block of very bright LEDs in the three primary colors. Because LEDs can be turned on and off very quickly, this technique further increases the refresh rate of the picture's colors and completely eliminates noise and mechanically moving parts. Doing away with the halogen lamp also eases the thermal conditions of the matrix.

"Rainbow Effect"


The rainbow effect is unique to single-chip DLP projectors.

As already mentioned, only one color is displayed per image at a given time. As the eye moves across the projected image, these different colors become visible, resulting in the perception of a "rainbow" by the eye.

Manufacturers of single-chip DLP projectors have found a way out of this situation by spinning the segmented multi-color disk faster, or by increasing the number of color segments, thus reducing this artifact.

Light from LEDs made it possible to further reduce this effect due to the high frequency of switching between colors.

In addition, LEDs can emit any color at any intensity, which has widened the color gamut and increased the contrast of the image.

Three-chip projectors

This type of DLP projector uses a prism to split the beam emitted by the lamp, and each of the primary colors is then directed to its own DMD chip. These rays are then combined and the image is projected onto a screen.

Triple-chip projectors are capable of producing more shade and color gradations than single-chip projectors because each color is available for a longer period of time and can be modulated with each video frame. In addition, the image is not subject to flickering and the “rainbow effect” at all.

Dolby Digital Cinema 3D

Infitec developed spectral filters for the color wheel and the glasses that allow the frames for the two eyes to be projected in different subsets of the spectrum. Each eye then sees its own, almost full-color image on an ordinary white screen, unlike systems based on polarization of the projected image (such as IMAX), which need a special "silver" screen to preserve polarization on reflection.



Wikimedia Foundation. 2010.


Here are a few pointers to help you get the most out of any DLP system.

DLP systems: what are they?

Recall that DLP systems (Data Loss/Leak Prevention) let you control all of a company's communication channels (email, web, instant messaging, flash drives, printers and so on). Leak protection is achieved by installing agents on every employee workstation; the agents collect information and send it to a server. Sometimes traffic is collected at a gateway instead, through a SPAN (port mirroring) session. The collected information is analyzed, after which the system or a security officer decides how to handle the incident.

So, your company has implemented a DLP system. What steps need to be taken for the system to work effectively?

1. Correctly configure security rules

Imagine that in a system serving 100 computers a rule has been created: "Record all correspondence containing the word 'agreement'". Such a rule will generate a huge number of incidents, among which a real leak can easily get lost.

In addition, not every company can afford to have a full staff of employees monitoring incidents.

Tools for building effective rules and tracking how they perform help make the rules more useful; every DLP system has this functionality.

In general, the method is to analyze the accumulated incident database and try different combinations of rules until, ideally, only 5-6 genuinely urgent incidents surface per day.

2. Update security rules at regular intervals

A sharp drop or rise in the number of incidents is a sign that the rules need adjusting. The rule may have lost its relevance (users have stopped working with certain files), or employees may have learned what the rule catches and stopped doing what it prohibits; in that sense a DLP system also trains its users. Practice shows, however, that once one rule has been "learned", the leakage risk tends to grow somewhere nearby.

Seasonality in the company's operations also deserves attention: over the year, the key parameters tied to the company's business may change. For a wholesale supplier of small equipment, for example, bicycles will be relevant in spring and snow scooters in autumn.

3. Consider an algorithm for responding to incidents

There are several approaches to incident response. While a DLP system is being tested and rolled out, users are usually not told about the changes; those involved in incidents are merely observed. Once a critical mass has accumulated, a representative of the security or HR department talks to them. Later on, work with users is often left entirely to the security department. Minor conflicts arise, resentment builds up in the team, and it can turn into deliberate sabotage against the company. It is important to balance the demand for discipline against keeping a healthy atmosphere in the team.

4. Check how blocking mode behaves

The system has two ways of responding to an incident: recording it, or blocking the action. If every outgoing email and every file copied to a flash drive is blocked, users are obstructed. Employees start besieging the administrator with requests to unblock functions, and management may also be unhappy with such settings. The result is negative feedback towards the DLP system and the company, and the system is discredited.
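The rule-tuning problem from step 1, the incident-rate check from step 2 and the record-versus-block choice from step 4, worked through in an added example. This is illustrative code written for this page, not Kontur.Security's product or any vendor's engine. The mail domain example.com, the rule names, the "contract-like attachment" heuristic and the sample messages are all assumptions constructed for the example.

```python
"""Toy DLP policy evaluator (added example, not vendor code).

A naive keyword rule ("record all correspondence with the word 'agreement'")
is compared with a tuned rule that also requires an external recipient and a
contract-like attachment. Each rule carries an action: "record" (log the
incident, deliver the message) or "block" (log the incident, stop the message).
"""
import re
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example.com"  # assumption: the company's own mail domain


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def has_external_recipient(msg: Message) -> bool:
    return any(not r.lower().endswith("@" + INTERNAL_DOMAIN) for r in msg.recipients)


def naive_rule(msg: Message) -> bool:
    """Step 1's bad rule: any mention of 'agreement' anywhere is an incident."""
    return "agreement" in f"{msg.subject} {msg.body}".lower()


CONTRACT_ATTACHMENT = re.compile(r"\.(docx?|pdf)$", re.IGNORECASE)  # assumed heuristic


def tuned_rule(msg: Message) -> bool:
    """Tuned rule: keyword AND external recipient AND contract-like attachment."""
    return (naive_rule(msg)
            and has_external_recipient(msg)
            and any(CONTRACT_ATTACHMENT.search(a) for a in msg.attachments))


def evaluate(messages, rules):
    """Apply (name, predicate, action) rules to each message. Returns the
    incident count per rule and the list of messages actually delivered."""
    incidents = {name: 0 for name, _, _ in rules}
    delivered = []
    for msg in messages:
        blocked = False
        for name, predicate, action in rules:
            if predicate(msg):
                incidents[name] += 1
                blocked = blocked or action == "block"
        if not blocked:
            delivered.append(msg)
    return incidents, delivered


def rules_to_review(last_period, this_period, factor=3.0):
    """Step 2: flag rules whose incident count rose or fell by more than `factor`."""
    flagged = []
    for name, now in this_period.items():
        before = last_period.get(name, 0)
        if max(before, now) >= factor * max(min(before, now), 1):
            flagged.append(name)
    return flagged


# Constructed sample traffic: four internal messages that merely use the word
# "agreement", one genuine contract going to a partner, one PDF going to a
# personal mailbox.
SAMPLE = [
    Message("alice@example.com", ["bob@example.com"], "Lunch", "Are we in agreement about 1pm?"),
    Message("bob@example.com", ["carol@example.com"], "Re: Lunch", "Agreement reached, see you there."),
    Message("carol@example.com", ["dave@example.com"], "SLA", "Service level agreement review is Friday.", ["notes.txt"]),
    Message("dave@example.com", ["partner@vendor.test"], "Proposal", "Draft agreement for your review.", ["Supply_Agreement_v3.docx"]),
    Message("erin@example.com", ["hr@example.com"], "Holiday", "No agreement yet on dates."),
    Message("frank@example.com", ["frank@gmail.test"], "FYI", "Agreement text attached", ["scan.pdf"]),
]


def run(block_mode: bool):
    """Evaluate SAMPLE with the tuned rule set to block (True) or only record (False)."""
    rules = [
        ("any-agreement", naive_rule, "record"),
        ("contract-to-external", tuned_rule, "block" if block_mode else "record"),
    ]
    return evaluate(SAMPLE, rules)


if __name__ == "__main__":
    incidents, delivered = run(block_mode=True)
    print(incidents)       # {'any-agreement': 6, 'contract-to-external': 2}
    print(len(delivered))  # 4
```

The naive rule fires on all six messages, so the two real candidates (a contract to a partner, a PDF to a personal mailbox) are buried in noise; the tuned rule fires only on those two. Running the tuned rule in record mode first lets you confirm that count over real traffic before switching it to block, which is the safe order for step 4.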

5. Check whether the trade secret regime has been introduced

A trade secret regime makes it possible to designate certain information as confidential and obliges everyone who has access to it to bear full legal responsibility for its disclosure. If a serious leak occurs while a trade secret regime is in force at the enterprise, the actual and moral damages can be recovered from the violator through the courts under Federal Law 98-FZ "On Trade Secrets".

We hope these tips will help reduce the number of unintentional leaks, since those are exactly what DLP systems are designed to combat. It should not be forgotten, however, that the overall information security system matters too, and that intentional leaks require special, close attention. There are solutions that complement the functionality of DLP systems and significantly reduce the risk of intentional leaks. One vendor, for example, offers an interesting technique: when confidential files are accessed suspiciously often, the webcam switches on automatically and starts recording. It was exactly this system that caught an unlucky thief busily photographing the screen with a phone camera.

Oleg Necheukhin, information systems protection expert, Kontur.Security

DLP systems are talked about often today. What is such a system, and how is it used? DLP systems are software designed to prevent data loss by detecting potential policy violations while data is filtered and sent. They also monitor, detect and block confidential information while it is in use, in motion and at rest. Leaks of confidential information usually result from careless handling by inexperienced users or from malicious actions.

Such information, whether corporate or private data, intellectual property, medical and financial records or payment card data, requires the special protection measures that modern information technology can offer. A loss of information becomes a leak when a medium holding confidential information goes missing and ends up in the hands of an unauthorized party. A leak is also possible without any loss, for example when data is copied or sent out while the original stays in place.

Conventionally, technological means that are used to combat information leakage can be divided into the following categories:

— standard security measures;
— intellectual (advanced) measures;
— access control and encryption;
— specialized DLP systems.

Standard measures

Standard security measures include firewalls, intrusion detection systems (IDS) and antivirus software. They protect computers against attacks by outsiders and insiders. A firewall, for example, keeps outsiders out of the internal network, and an intrusion detection system can spot intrusion attempts. Insider attacks can be countered with antivirus programs that detect Trojan horses installed on a PC, or with thin-client services that work in a client-server architecture so that no confidential or personal data is stored on the workstation itself.

Additional Security Measures

Advanced security measures use highly specialized services and timing algorithms designed to detect abnormal access to data, in particular to databases and information retrieval systems, as well as abnormal email exchanges. They identify requests and programs with malicious intent and perform deep checks of computer systems, such as verifying a user by voice or by typing rhythm (keystroke dynamics). Some services of this kind also monitor user activity to detect unusual data access.

What are custom-designed DLP systems?

DLP solutions are designed to detect and prevent unauthorized attempts to copy or transmit sensitive information, whether by users who have no right to it or by authorized users acting without permission. To classify information of a certain type and regulate access to it, these systems use mechanisms such as exact data matching, statistical methods, structured data fingerprinting, regular expressions and rules, code phrases and lexicons, keywords, and conceptual definitions. Let us look at the main types and characteristics of DLP systems.

Network DLP

A network DLP system is typically a hardware appliance or software installed at network egress points near the perimeter. It analyzes network traffic to detect confidential information being sent in violation of information security policy.

Endpoint DLP

Systems of this type run on end-user workstations or servers. An endpoint, like any other host on the network, can take part in both internal and external communications, so endpoint DLP can be used to control the flow of information between groups and types of users. It can also monitor instant messaging and email: message data is checked by the agent before it leaves the device, and if the check fails the message is blocked. A blocked message was never sent, so it never enters the device's message store and is not subject to the retention rules that apply to stored communications.

The advantage of endpoint DLP is that it can control and manage access to physical devices and inspect information before it is encrypted. Some endpoint systems also provide application control to block attempts to transmit sensitive information and give immediate feedback to the user. The disadvantage is that an agent must be installed on every workstation on the network, and such agents cannot be used on mobile devices such as PDAs or cell phones. This must be taken into account when choosing a DLP system for a particular task.

Data Identification

DLP systems use several methods to identify confidential and classified information. This process is often confused with data discovery, but identification is the process by which an organization uses DLP technology to define what to look for. Data is classified as structured or unstructured. Structured data lives in fixed fields within a file, such as a spreadsheet; unstructured data is free-form text. According to expert estimates, about 80% of all processed information is unstructured and only 20% is structured. Classification relies on content analysis, which targets structured information, and on contextual analysis, which looks at where the data originated, that is, the application or system that produced it. In this sense the answer to "what is a DLP system" comes down to its information analysis algorithm.

Methods

There are many methods for describing sensitive content in today's DLP systems. They can be divided into two categories: exact and inexact. Exact methods are based on registering the specific content to be protected (content registration) and reduce false positives to practically zero. All other methods are inexact: statistical analysis, Bayesian analysis, meta tags, extended regular expressions, keywords, dictionaries and so on. The effectiveness of the analysis depends directly on its accuracy, and a highly rated DLP system scores well on this parameter. Accurate identification matters for avoiding false positives and the negative consequences that follow from them. Accuracy depends on many technological and situational factors, and accuracy testing helps confirm that the DLP system can be relied on.
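The identification mechanisms listed under "What are custom-designed DLP systems?" (exact data matching, fingerprinting, regular expressions, keywords) and the exact/inexact distinction drawn in the paragraph above, shown side by side in an added example. This is illustrative code written for this page, not any DLP product's detection engine. The registered records, the labelled sample messages, the keyword list and the card number 4111 1111 1111 1111 (a well-known test number, not a real card) are all constructed for the example.

```python
"""Three content-identification methods side by side (added example, not product code).

exact_match : content registration - outgoing text is compared line by line
              against SHA-256 fingerprints of registered records (an exact method).
card_regex  : structured identifier - a regex for 13-19 digit groups, confirmed
              with the Luhn check so ordinary order numbers do not trigger it.
keyword     : a plain keyword list (an inexact method), for comparison.
"""
import hashlib
import re


def normalize(text: str) -> str:
    """Collapse whitespace and case so trivial reformatting does not defeat matching."""
    return re.sub(r"\s+", " ", text.strip().lower())


def register(records) -> set:
    """Fingerprint the records to protect; only the hashes need to live on the sensor."""
    return {hashlib.sha256(normalize(r).encode()).hexdigest() for r in records}


def exact_match(text: str, fingerprints: set) -> bool:
    """True if any line of the outgoing text is a registered record."""
    return any(hashlib.sha256(normalize(line).encode()).hexdigest() in fingerprints
               for line in text.splitlines())


CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Regex candidates that also pass Luhn, returned as bare digit strings."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


KEYWORDS = ("confidential", "card")  # constructed keyword list


def keyword_match(text: str) -> bool:
    lowered = text.lower()
    return any(k in lowered for k in KEYWORDS)


# Constructed registered records and a labelled corpus (True = genuinely sensitive).
REGISTERED = [
    "Ivan Petrov, passport 4509 123456",
    "Maria Ivanova, passport 4510 654321",
]
SAMPLES = [
    ("Customer card on file: 4111 1111 1111 1111 exp 12/27", True),   # test card number
    ("Order #1234567890123 shipped today", False),                    # 13 digits, fails Luhn
    ("Card game night is Friday, bring snacks", False),
    ("Forwarding the record:\nIvan Petrov, passport 4509 123456", True),
    ("Please keep this confidential: surprise party for Dave", False),
]


def evaluate(samples, fingerprints):
    """Count true and false positives per method over a labelled corpus."""
    stats = {m: {"tp": 0, "fp": 0} for m in ("exact_match", "card_regex", "keyword")}
    for text, sensitive in samples:
        hits = {
            "exact_match": exact_match(text, fingerprints),
            "card_regex": bool(find_card_numbers(text)),
            "keyword": keyword_match(text),
        }
        for method, hit in hits.items():
            if hit:
                stats[method]["tp" if sensitive else "fp"] += 1
    return stats


if __name__ == "__main__":
    print(evaluate(SAMPLES, register(REGISTERED)))
    # {'exact_match': {'tp': 1, 'fp': 0}, 'card_regex': {'tp': 1, 'fp': 0},
    #  'keyword': {'tp': 1, 'fp': 2}}
```

On this corpus the two exact methods produce no false positives, while the keyword list fires on a card game and a surprise party and still misses the forwarded passport record. The Luhn check is what keeps the regex "exact" in practice: a bare 13-19 digit pattern would have flagged the order number too.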

Information leak detection and prevention

Sometimes a data distributor makes sensitive information available to one or more third parties, and some time later part of that data turns up in an unauthorized place, for example on another user's laptop or on the Internet. The distributor then has to investigate how the data leaked: through one of the third parties, on its own, or by some other means.

Data at rest

"Data at rest" refers to old archived information stored on the hard drive of a client PC, on a remote file server or on network storage, as well as data kept in backups on CDs or flash drives. Such information is of great concern to businesses and government agencies because large amounts of data sit unused on storage devices, and the longer data lies idle the more likely it is that unauthorized persons outside the network will gain access to it.
