DLP for data leak investigation: how to make it a universal data protector?
27.05.2025

An overview of the functionality a DLP system needs beyond standard leak detection, compiled by a SearchInform client who wished to remain anonymous.

Today the most advanced Data Loss Prevention (DLP) systems keep adding monitored channels and improving the quality of their text analytics. In a standard DLP configuration, however, leaks are detected mainly in correspondence and file transfers, and that is no longer sufficient, because the methods used to leak information are becoming increasingly sophisticated. Having worked with various systems, I have occasionally found the functionality lacking when it came to investigating internal incidents comprehensively. Below I share my experience and the tools that helped to resolve these issues.

A little background

I am the CISO of a large pharmaceutical company, with more than 20 years of experience in IT overall.

Safeguarding information such as trade secrets and personal data continues to be a priority. Our primary operational tool was DLP, but it turned out that some additional functionality was required. Let me share a few examples.

Case 1. Good intentions

DLP detected the upload of 16 MB of Excel spreadsheets to non-corporate cloud storage, even though the file was password-protected. We began an investigation. It turned out that an employee had uploaded supplier data from his work PC to his personal cloud storage and had ‘shared’ the link and the password with someone via a messenger.

We quickly arranged a meeting with the employee, who explained that he had followed his supervisor’s instructions: the boss was on a business trip and urgently needed access to important work documents. The problem was that this task had not been documented anywhere. According to the employee, his supervisor had given the instructions over the phone just before leaving. The only way to verify this account would have been to review the IP telephony call records.

In our case that was not necessary. We simply called the employee’s supervisor, and he admitted that he knew his instructions violated the information security rules. He had nonetheless believed that as long as the files were password-protected the data would remain secure. We appreciated his good intentions, but the fact remained that a breach had occurred and the data had left the company’s secure perimeter. The employee deleted the spreadsheets from the cloud, and his supervisor removed them from the phone to which he had downloaded them. We also scheduled a second IT security training session for the team.

This time no harm was done, but such actions could easily have led to a genuine leak: a password sent over the same messenger as the link offers no real protection, since whoever can read the chat has both. And without a record of the conversation it would have been impossible to piece together what happened, and an ordinary employee who was only following instructions might have been blamed.

Case 2. Was there an employee?

DLP detected that a photo editor was frequently being run on the computer of the head of a transport-related department. Screen analysis revealed that the program was used to edit scanned receipts for fuel, vehicle maintenance and similar expenses, with the amounts manually inflated. We reported this to the accounting department, and it turned out that the manager’s reimbursement claims were considerably higher than those of his colleagues.

Next, we needed to prove that the receipts had been forged by the suspect himself, since the PC name and user name alone were insufficient; here the ordinary security camera footage from the office proved highly valuable. Through the cameras we uncovered another violation. The manager was often absent from his workplace for personal reasons and asked a colleague to switch on his PC. She performed tasks for him to create the impression that he was present. When it was time to claim expenses, however, the offender would return to the office and falsify the reports himself.

Following a thorough investigation, his actions were estimated to have cost the company approximately $11,000. The most recent illicit reimbursement, around $900, was recovered, and the perpetrator was dismissed. DLP uncovered the fraud, but only the security cameras allowed us to establish who was actually at the keyboard and to document his habitual workplace violations.

Case 3. Where is the flash drive?

DLP notified us that an employee had copied documents from the corporate server to her flash drive and then deleted the originals. In total, approximately 1,000 files were affected.

An analysis of the deleted files revealed that they included trade secrets (commercial offers, the customer database, etc.). The incident was serious, so we responded immediately.

We asked the employee to plug in the flash drive she had used. With the DLP system we read the serial number of the connected device and confirmed that it matched the one recorded in the copy events. Over a remote session we then transferred the files from the flash drive to our NAS (network-attached storage) and formatted the drive, with every step carried out transparently and securely.

We were fortunate in this case: the incident was detected in time, so the employee simply did not have a chance to take the flash drive out of the company. Although DLP identified the incident promptly, mitigating the threat securely and efficiently required additional functionality, namely management of connected devices and integration with RDP.

Why did DLP need assistance?

The answer is simple: leaks, fraud and breaches of regulations do not occur solely in digital form. To investigate thoroughly, establish the details and evaluate the subsequent risks of an incident, additional tools are required. For example, the offender in the previous case could have deceived us by taking advantage of the remote setting and ‘handing over’ the wrong flash drive. Similarly, the receipt forger could have blamed a colleague had we not visually identified him at the time of the breach.
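As an added illustration of the serial-number check from Case 3 and of the ‘wrong flash drive’ risk above, here is example code written for this page; it is not SearchInform code and does not use the product’s API. It reconstructs from endpoint-agent events which files a user wrote to which removable device and whether the server originals were then deleted, and it refuses a recovery plan when the serial of the drive the employee presents does not match the one recorded at copy time. The JSON-lines event schema, user names, paths and device serials are all constructed for the example.

```python
import json

# Constructed endpoint-agent events in a generic JSON-lines format. The schema is an
# assumption for this example and is NOT any vendor's format. Backslashes are JSON-escaped.
SAMPLE_EVENTS = r"""
{"ts":"2025-05-20T09:14:02Z","user":"a.ivanova","action":"copy","src":"\\\\fs01\\sales\\offer_0001.docx","dst":"E:\\offer_0001.docx","removable":true,"dev_serial":"4C530001230405120156"}
{"ts":"2025-05-20T09:14:03Z","user":"a.ivanova","action":"copy","src":"\\\\fs01\\sales\\customers.xlsx","dst":"E:\\customers.xlsx","removable":true,"dev_serial":"4C530001230405120156"}
{"ts":"2025-05-20T09:14:05Z","user":"a.ivanova","action":"copy","src":"\\\\fs01\\sales\\offer_0002.docx","dst":"E:\\offer_0002.docx","removable":true,"dev_serial":"4C530001230405120156"}
{"ts":"2025-05-20T09:15:10Z","user":"a.ivanova","action":"copy","src":"\\\\fs01\\sales\\notes.txt","dst":"C:\\Users\\a.ivanova\\notes.txt","removable":false,"dev_serial":null}
{"ts":"2025-05-20T09:16:40Z","user":"a.ivanova","action":"delete","src":"\\\\fs01\\sales\\offer_0001.docx","dst":null,"removable":false,"dev_serial":null}
{"ts":"2025-05-20T09:16:41Z","user":"a.ivanova","action":"delete","src":"\\\\fs01\\sales\\customers.xlsx","dst":null,"removable":false,"dev_serial":null}
{"ts":"2025-05-20T09:20:00Z","user":"b.petrov","action":"copy","src":"\\\\fs01\\hr\\policy.pdf","dst":"F:\\policy.pdf","removable":true,"dev_serial":"0701D1A2B3C4E5F6"}
"""


def parse_events(text):
    """Parse JSON-lines agent events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def reconstruct_exfil(events, user):
    """Group the user's writes to removable media by device serial and record which
    of the copied originals were subsequently deleted on the server (copy + delete
    is the 'move to flash drive' pattern from Case 3). Local copies are ignored."""
    deleted = {e["src"] for e in events if e["user"] == user and e["action"] == "delete"}
    by_serial = {}
    for e in events:
        if e["user"] != user or e["action"] != "copy" or not e["removable"]:
            continue
        entry = by_serial.setdefault(e["dev_serial"], {"files": [], "originals_deleted": []})
        entry["files"].append(e["dst"])
        if e["src"] in deleted:
            entry["originals_deleted"].append(e["src"])
    return by_serial


def check_presented_device(expected_serial, presented_serial):
    """The serial recorded by the agent at copy time must match the device the employee
    hands over. A drive of the same model but a different serial is not the device the
    data went to, so the recovery must not proceed on it."""
    if not presented_serial:
        return False, "no serial readable from the presented device"
    if presented_serial.strip().upper() != expected_serial.strip().upper():
        return False, f"serial mismatch: expected {expected_serial}, got {presented_serial}"
    return True, "serial matches the alert"


def recovery_plan(events, user, presented_serial):
    """Return what to pull off the drive and what to restore on the server, or refuse
    if the presented drive is not the one in the alert."""
    exfil = reconstruct_exfil(events, user)
    if not exfil:
        return {"ok": False, "reason": "no removable-media writes by this user"}
    # Assumption: one device per alert; take the one that received the most files.
    serial, entry = max(exfil.items(), key=lambda kv: len(kv[1]["files"]))
    ok, reason = check_presented_device(serial, presented_serial)
    if not ok:
        return {"ok": False, "reason": reason, "expected_serial": serial,
                "files_on_device": entry["files"]}
    return {"ok": True, "serial": serial, "files_to_recover": entry["files"],
            "originals_to_restore": entry["originals_deleted"]}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    # The drive she actually used, then a same-model drive with a different serial.
    print(json.dumps(recovery_plan(evs, "a.ivanova", "4C530001230405120156"), indent=2))
    print(json.dumps(recovery_plan(evs, "a.ivanova", "4C530001230405120199"), indent=2))
```

Reading the serial of the device that is physically plugged in is the agent's job (on Windows it is what the DLP console showed us; a generic equivalent would be the disk's serial from the OS); the point of the script is that the decision to copy and wipe hinges on that comparison, not on the employee's word.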

That is why it is important to use control tools comprehensively, drawing on additional methods and sources of information. It makes sense to feed data from these sources into the DLP system or to look for a system that has this functionality out of the box. Ideally there is a single console where all of these features are a click away.

What did we do?

In addition to source coverage and analytics quality, we considered the ability to handle atypical sources (such as video and audio), rapid-response and preventive protection features, and built-in integration tools. As a result we chose SearchInform Risk Monitor, and here are a few reasons why:

  • Online protection. The system lets you view the active processes on an employee’s PC in real time. If a user engages in suspicious activity, SearchInform Risk Monitor collects evidence that can be used in a retrospective investigation to establish the facts and substantiate the breach.
  • Direct PC control. The information security team can intervene in an incident swiftly, even if the employee’s actions are not explicitly covered by security policies. For instance, you can terminate an active session on a user’s PC when you suspect a breach is about to occur, which buys additional time to respond.
  • Intruder identification. SearchInform Risk Monitor can be additionally equipped with an AI-powered facial recognition module: the system compares images captured from employees’ webcams with a reference image. This helps to reliably establish the ‘authorship’ of an incident and to check that no outsider is using an employee’s PC with compromised login credentials.
  • Audio leak prevention. The system can automatically identify data leaks through voice messages in instant messaging platforms and video communication tools.
  • Flash drive protection. If business processes do not permit you to block writing to flash drives, DLP ensures that the data is written in a protected format, so documents on the drive can only be opened on corporate computers running the SearchInform Risk Monitor agent.
  • Document protection. SearchInform Risk Monitor has its own password generation service, so employees do not need third-party tools to send a protected document elsewhere. The system automatically analyses the type of file being uploaded to the service and notifies the IS team, so you will not have to deal with false-positive alerts.
  • Integration tools. Out of the box, SearchInform Risk Monitor is compatible with a variety of PACS, CRM and payroll systems and can import data from nearly any source, including archives from cameras and IP telephony and databases of custom-developed corporate systems. The interface is fully customizable, and the vendor provides pre-configured templates and integration scenarios. It is convenient to tailor controls and build your own complex setups from a single control center.

There are many useful ‘features’ in the system. The point is that they serve to expand the picture of an incident and extend the capabilities of the information security team. Here is a case to illustrate this.

Case study.

A policy that monitors compliance with working procedures triggered: a team of corporate software developers received a call about an urgent deadline. To meet it, they decided to release a ‘live’ version of the software without the testing and verification by the IS service that the rules require. A ‘raw’ update carried the risk that something would go wrong and business processes would be frozen, which could have resulted in significant losses. That is why we intervened and blocked the rollout of the update.

This was made possible by the speech recognition module in SearchInform Risk Monitor, which automatically analysed the call recording and detected the incident. At the same time, we used DLP to quickly take an inventory of the software on all PCs across the company to ensure that no ‘raw’ versions were present.

As a preventive measure, we then monitored online to ensure that the team had performed all the necessary procedures before deploying the software.

The moral of the story is straightforward: a well-equipped DLP makes incident management easier and investigations faster. Give it a try and see for yourself. After all, attention to detail is the professional standard for an IS specialist.
