DLP for Data Leak Investigation: How to Make It 'See, Hear & Analyze'?
27.05.2025

Overview of the functionality to be added to the system, compiled by a SearchInform client who wishes to remain anonymous.

Today, the most advanced DLP systems are continuously expanding the number of channels they monitor and enhancing the quality of text analytics. However, in standard DLP configurations, traditional data leaks are typically detected through correspondence and file transfers. Nevertheless, this is insufficient, as methods of leaking information are becoming increasingly sophisticated. Having worked with various systems, I have occasionally found the functionality lacking when it comes to comprehensively addressing internal incidents. I will share my experience and discuss which tools have helped to resolve these issues.

A little background

I am the CISO of a large pharmaceutical company, and my focus today is on information security. However, my journey began in the field: for over 20 years, I worked on IT projects and maintained infrastructure at various production sites, repeatedly implementing diverse control systems and investigating incidents. As a result, I have handled a wide range of tasks, including:

  • Access control
  • Infrastructure management
  • Data protection
  • Discipline monitoring
  • Ensuring the stability of business processes, and more.

The safeguarding of information, such as trade secrets and personal data, continues to be a priority. The primary operational tool was DLP. However, I did not abandon the control tools I was previously familiar with: video surveillance, remote control tools, telephony monitoring, etc. These have repeatedly proven useful in the investigation of internal incidents. Allow me to provide a few cases.

Case 1. Good intentions

DLP detected the upload of 16 MB of Excel spreadsheets to non-corporate cloud storage, even though the file was password-protected. We began our investigation. It turned out that an employee had uploaded supplier data from his work PC to his personal cloud storage and had ‘shared’ the link and password with someone via a messenger.

We promptly called the employee in for a conversation. He claimed that he had acted on the instructions of his supervisor: the boss had gone on a business trip and urgently needed access to work documents. The problem was that this task had not been documented anywhere. According to the employee, the instructions had been given by his supervisor over the phone just before he left. The only way to verify this version of events was the recording of the IP telephony call.

The employee’s supervisor admitted that he was aware that his instructions violated IS rules. Nonetheless, he believed that as long as the files were protected with a password, the data would remain secure. We appreciated his good intentions, but the fact remained that a breach had occurred and the data had left the company’s secure perimeter. Consequently, the employee deleted the spreadsheets from the cloud, and his supervisor removed them from his phone where they had been downloaded. We also scheduled a second IT security training session for the team.

The investigation could have gone faster if DLP had recognised the incident as a false positive, for instance by finding confirmation of the instruction in its archive, even one given verbally. In such situations, good old IP telephony recordings prove invaluable: call recordings are a great help and an additional source of evidence for the information security team.

Case 2. Was there an employee?

DLP discovered that a photo editor was frequently being run on the computer of the head of a transport-related department. Screen recordings revealed that the program was used to edit the scans of receipts for fuel, vehicle maintenance, and similar expenses, with the amounts manually inflated. We reported this to the accounting department. It turned out that the manager's reimbursement requests were considerably higher than those of his colleagues.

Next, we needed to prove that the cheques had been forged by the suspect himself: the PC name and user name alone were insufficient. Video surveillance within the office helped. Through the cameras, we uncovered another violation. The manager was often absent from his workplace for personal reasons and asked a colleague to switch on his PC. She performed tasks for him to create the impression that he was present. However, when it was time to claim expenses, the offender would return to the office and falsify reports.

Following a thorough investigation, it was estimated that his actions had cost the company approximately $11,000. The most recent illicit reimbursement, around $900, was recovered, and the perpetrator was dismissed. DLP uncovered the fraud, but it was only through video surveillance that we could demonstrate the employee’s selfish motives and habitual workplace violations.

Case 3. Where is the flash drive?

We received a DLP notification: an employee had copied documents from the corporate server to her flash drive and then deleted them from the server. In total, approximately 1000 files were affected.

An analysis of the contents of the deleted files revealed that they included trade secrets (commercial offers, the customer database, and so on). The incident was serious, so we responded immediately. However, since the employee worked in a remote division, our contact was limited to a phone call. We persuaded her to return the documents, but we recognised the risk that she might decide to substitute a different thumb drive. Therefore, we checked everything via a video link:

  • The employee showed the flash drive to the camera and inserted it into her PC in front of us.
  • We compared the device's serial number, in real time, with the one recorded in DLP; it matched the drive used to copy the files.
  • Using a remote connection, we transferred the files from the flash drive to the NAS and then formatted the flash drive.

We were fortunate in this case: the incident was detected in time, so the employee simply did not have enough time to take the flash drive out of the company. Although DLP identified the incident promptly, we couldn’t have managed it without additional instruments. The video conferencing system (VCS) and remote management tools proved invaluable for a swift response.
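The check in Case 3 (does the presented drive carry the serial number DLP recorded, and does it still hold every file from the copy event, unmodified?) can be scripted so that an investigator verifies the returned media before formatting it. The following is an added example, not SearchInform code: the DLP event structure, field names, serial number and files are all constructed here, and a real DLP export would of course differ.

```python
"""Verify a returned removable drive against a DLP removable-media event.
Added example; the event format, field names and files are constructed
assumptions, not SearchInform Risk Monitor's own export format."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large documents do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def normalize_serial(serial: str) -> str:
    """Endpoint agents and OS tools report the same serial in different case/spacing."""
    return "".join(serial.split()).upper()


def verify_returned_drive(event: dict, presented_serial: str, drive_root: Path) -> dict:
    """Compare what the employee presents with what DLP logged at copy time.

    'unexpected' files are reported but do not fail the check on their own:
    the goal is to confirm the leaked set is complete and untouched."""
    expected = event["files"]
    found = inventory(drive_root)
    missing = sorted(p for p in expected if p not in found)
    modified = sorted(p for p in expected if p in found and found[p] != expected[p])
    unexpected = sorted(p for p in found if p not in expected)
    serial_match = normalize_serial(presented_serial) == normalize_serial(event["device_serial"])
    return {
        "serial_match": serial_match,
        "missing": missing,
        "modified": modified,
        "unexpected": unexpected,
        "ok": serial_match and not missing and not modified,
    }


def demo() -> dict:
    """Build a constructed DLP event from a throwaway directory and check two scenarios:
    the genuine drive handed back intact, and a substituted/tampered drive."""
    with tempfile.TemporaryDirectory() as tmp:
        drive = Path(tmp)
        (drive / "offers").mkdir()
        (drive / "offers" / "Q1_offer.docx").write_bytes(b"commercial offer, constructed")
        (drive / "customers.xlsx").write_bytes(b"customer database, constructed")
        (drive / "notes.txt").write_bytes(b"meeting notes, constructed")
        # Constructed DLP event: serial and per-file hashes captured at copy time.
        event = {
            "event": "removable_media_write",
            "user": "jdoe",
            "device_serial": "4C530001230405110123",  # constructed serial
            "files": inventory(drive),
        }
        intact = verify_returned_drive(event, "4c530001230405110123", drive)
        # Tamper: edit one file, delete another, add an extra, present the wrong serial.
        (drive / "customers.xlsx").write_bytes(b"customer database, edited after the fact")
        (drive / "notes.txt").unlink()
        (drive / "extra.txt").write_bytes(b"not in the DLP record")
        tampered = verify_returned_drive(event, "0000000000000000", drive)
        return {"intact": intact, "tampered": tampered}


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

Only once `ok` is true for the presented drive (serial matches, nothing missing or modified) does it make sense to copy the files to the NAS and format the device; a failed check is the signal that the wrong drive was shown or that the copies have already travelled elsewhere.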

Why did DLP need assistance?

The answer is simple: leaks, fraud, and violations of regulations do not always occur solely in digital form. To conduct a thorough investigation, establish the details, and evaluate the subsequent risks of an incident, additional tools are required. For example, the offender mentioned in the previous case could have deceived us by taking advantage of the distance and ‘handing over’ the wrong flash drive. Similarly, the cheque fraudster could have blamed a colleague if we had not visually identified him at the time of the breach.

That is why it is important to utilize control tools comprehensively, employing all available methods and sources of information. In my experience, video and audio control has proven particularly effective. It makes sense to integrate data from these sources into the DLP system or to look for a system that has this functionality out of the box. Ideally, there is a single console where all features are available at a click.

What did we do?

In addition to source coverage and analytics quality, we considered the ability to handle atypical sources (such as video and audio), rapid response and preventive protection features, and built-in integration tools. As a result, we chose SearchInform Risk Monitor, and here are a few reasons why:

Online monitoring. The system enables you to view active processes on an employee's PC in real time and connect to the screen or webcam. If a user engages in suspicious activity, SearchInform Risk Monitor records video and audio evidence, which is useful for retrospective investigations to establish the facts and to substantiate a breach beyond doubt.

Direct PC control. The IS team has the ability to intervene swiftly in an incident, even if an employee's actions are not explicitly covered by security policies. For instance, you can terminate an active session on a user's PC if you ‘catch’ the user in the act of a breach, which buys additional time to respond.

Intruder identification. SearchInform Risk Monitor features a facial recognition function: the system compares images captured from employees' webcams with a reference image. This helps to reliably establish the ‘authorship’ of an incident, if one occurred, and to verify that no outsiders are accessing employees' PCs using compromised login credentials.

Audio control. If necessary, the system can connect to employees’ microphones, and also save recordings of calls and audio messages in messengers and videoconferencing. However, the IS service does not need to listen to all of them: the built-in ASR converts audio into text, allowing SearchInform Risk Monitor to instantly analyze conversations in accordance with security policies and alert to any threats.

Flash drive protection. If business processes do not allow writing to flash drives to be blocked, DLP ensures that the data is written in a secure format. Consequently, documents on such a flash drive can only be opened on work computers equipped with the SearchInform Risk Monitor agent.

Document protection. SearchInform Risk Monitor features its own password generation service, meaning employees won't need third-party tools to send a protected document elsewhere. The system automatically analyses the type of file being uploaded to the service and notifies the IS team. As a result, you won't have to deal with false-positive alerts.

Integration tools. SearchInform Risk Monitor is compatible ‘out of the box’ with a variety of access control (ACS), CRM, and payroll systems, and can import data from nearly any source, including archives from cameras and IP telephony, or databases of custom-developed corporate systems. The interface is fully customizable, with the vendor providing pre-configured templates and integration scenarios. It is convenient to tailor controls and develop your own complex setups from a single control centre.

There are many useful ‘features’ within the system. The point is that they serve to expand the incident picture and enhance the capabilities of the IS service. Here is a case study to illustrate this.

A policy monitoring compliance with work regulations was triggered: a team of corporate software developers received a call concerning an urgent deadline. To meet the deadline, they decided to release a ‘live’ version of the software without the testing and verification by the IS service that the rules require. A ‘raw’ update carried the risk that something would go wrong and business processes would be frozen, which could result in significant loss. That is why we intervened and blocked the update's rollout.

This was made possible by the speech recognition module in SearchInform Risk Monitor, which automatically transcribed the call recording into text and identified the incident. At the same time, in DLP, we quickly conducted an inventory of software on all PCs across the company to ensure that no ‘raw’ versions were present. As a preventive measure, we monitored in real time to ensure that the team had performed all the necessary procedures before deploying the software.
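The mechanism behind both the audio control feature and this case is the same: once ASR has turned a call into text, the transcript is just another text channel that security policies can be run over. The following is an added example, not SearchInform's policy engine: a small rule set expressed as regular expressions, applied to constructed transcript lines in a constructed `HH:MM:SS speaker: text` format, returning one alert per matched rule. The rule names, patterns and transcript are all assumptions made here for illustration.

```python
"""Run an ASR transcript through simple security-policy rules.
Added example; the rule set, transcript format and sample lines are
constructed assumptions, not SearchInform Risk Monitor's own policies."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    severity: str


def build_rules() -> list:
    """Compile a constructed policy set. Patterns are case-insensitive and allow a
    bounded gap between the trigger verb and the qualifying phrase so that
    ordinary phrasing ('deploy the build live and skip the review') still matches."""
    specs = [
        ("release_without_security_review",
         r"\b(release|deploy|push|ship)\b.{0,60}?\b(without|skip\w*|bypass\w*)\b"
         r".{0,40}?\b(test\w*|review|security|verification)\b", "high"),
        ("credential_sharing",
         r"\b(password|login)\b.{0,40}?\b(send|share|give)\b"
         r"|\b(send|share|give)\b.{0,40}?\b(password|login)\b", "high"),
        ("personal_cloud_transfer",
         r"\b(upload|put|copy)\b.{0,40}?\b(personal|my)\b.{0,20}?\b(drive|cloud|dropbox)\b", "medium"),
    ]
    return [Rule(n, re.compile(p, re.IGNORECASE), s) for n, p, s in specs]


LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) (\w+): (.*)$")


def scan_transcript(lines: list, rules: list) -> list:
    """Return one alert dict per (line, rule) match, preserving transcript order."""
    alerts = []
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:
            continue  # ASR noise or an unparsable line: skip rather than crash
        when, speaker, text = m.groups()
        for rule in rules:
            hit = rule.pattern.search(text)
            if hit:
                alerts.append({
                    "time": when,
                    "speaker": speaker,
                    "rule": rule.name,
                    "severity": rule.severity,
                    "matched": hit.group(0),
                })
    return alerts


# Constructed transcript of a call, as an ASR module might emit it.
SAMPLE_TRANSCRIPT = [
    "12:03:14 dev_lead: client needs it by tomorrow, let's deploy the build live and skip the security review",
    "12:03:40 developer: ok, I'll also send the password in the chat",
    "12:04:02 dev_lead: fine, and upload the docs to my personal drive",
    "12:04:30 developer: let's schedule the review for Monday",
]


def demo() -> list:
    return scan_transcript(SAMPLE_TRANSCRIPT, build_rules())


if __name__ == "__main__":
    for alert in demo():
        print(f"{alert['time']} {alert['speaker']:<10} {alert['severity']:<6} "
              f"{alert['rule']}: {alert['matched']!r}")
```

The first alert is the one that would have stopped the ‘raw’ release in the case above; the remaining lines show the same engine covering the Case 1 pattern (credentials and documents moving to personal storage). ASR output is noisy, so in practice such rules are tuned on false-positive rate, and the benign last line is there to show that a mention of ‘review’ on its own does not fire.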

The moral of the story is straightforward: a well-equipped DLP makes incident management easier and investigations faster. Give it a try and see for yourself. After all, attention to detail is a professional standard for an IS specialist.
