Is the system really hidden on an endpoint? All about invisible DLP control and where its cloak of invisibility loses powers

02.04.2021


By Alexei Parfentiev, leading analyst at SearchInform.

The DLP doesn’t run in hidden mode for nothing: on the one hand, it doesn’t interfere with the work of respectable employees; on the other, it helps to catch insiders off guard. In most cases the agent is hidden by default, and it is impossible or very difficult to detect, let alone disable.

But information security specialists are professionally paranoid and prefer to play it safe.

Recently, one of them contacted us with a request: can you also put a password on the agent, for greater reliability? Frankly, the question surprised me. So this post was born as a response: what ensures the "invisibility" of the DLP agent, and why additional password protection is excessive and even harmful.

What is “the agent”?

The DLP agent is the part of the software that is installed on employees' PCs (endpoints) and collects traffic from there: information about activity, running programs, connected devices, open websites and sent/received messages. In other words, it performs interception. It then transfers the collected data to a DLP server, where the traffic is parsed and analysed to identify security breaches.

Agents can also perform analysis on their own. It is on the endpoints that the fastest blocking of dangerous user actions is implemented, for example, sending confidential documents or encrypting files copied to a USB flash drive.

To ensure that nothing interferes with the agent's work, DLP vendors disguise it as much as possible. System and other security software are "friendly" with it (for example, the agent is added to the antivirus exceptions so that the antivirus doesn’t treat the constant transfer of data from the agent to the external DLP server as an incident). Moreover, it is hidden from the user so as not to compromise control; otherwise, violators will start looking for ways to bypass protection.

How does it work?

Here is an example. By default, the DLP operates in a completely invisible mode. An employee can’t detect the DLP agent on a PC, let alone disable it, even if that employee is a local or domain administrator. The agent is not displayed in the list of running services or processes, and it is not visible in the registry or file system. The disguise also works when the operating system is booted in Safe Mode.

An additional security measure: the agent's traffic to the DLP server is encrypted and transmitted through one of the standard ports using the HTTP(S) protocol. That is, at the network level, it looks like regular browser web traffic.

Even in the worst-case scenario, if the agent is “exposed”, users will not be able to remove it or otherwise interfere with its operation. This anti-tampering effect is achieved through the following logic:

  • constant local monitoring of the status of all agent components;
  • continuous network monitoring of the status of all agent components by the server.

If these types of monitoring detect a failure (the agent doesn’t respond), the following algorithm is activated:

  • forced restart of the problematic component, if it doesn’t help, then:
  • forced restart of the agent as a whole unit (all its components), if it doesn’t help, then:
  • forced reinstallation of the agent by the server.

Thus, even if the user somehow alters the agent’s work, uninstalls or disables it on a PC, the agent will simply be reinstalled from the server and launched with all previous security policies.
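The escalation logic described above, modelled as a small simulation. This is an added example, not SearchInform's code: the component names, the 60-second heartbeat timeout and the numeric "damage" level are assumptions made for illustration.

```python
from dataclasses import dataclass, field

HEARTBEAT_TIMEOUT = 60  # seconds; assumed value, the page gives no interval

# The page's escalation order, weakest remedy first.
LADDER = ((1, "restart component"), (2, "restart agent"), (3, "reinstall from server"))


@dataclass
class Agent:
    """Constructed model of one endpoint agent (component names are hypothetical)."""
    components: dict = field(
        default_factory=lambda: {"capture": True, "policy": True, "uplink": True})
    damage: int = 0              # lowest ladder step able to repair the fault
    last_heartbeat: float = 0.0  # time the server last heard from the agent

    def local_failures(self):
        """Local monitoring: components that do not respond."""
        return [name for name, ok in self.components.items() if not ok]

    def server_sees_failure(self, now):
        """Network monitoring: no heartbeat within the timeout."""
        return now - self.last_heartbeat > HEARTBEAT_TIMEOUT

    def tamper(self, names, damage):
        """Simulate a user stopping (damage 1-2) or deleting (3) components."""
        for name in names:
            self.components[name] = False
        self.damage = damage

    def apply(self, step, now):
        """A remedy works only if it is at least as strong as the damage."""
        if step >= self.damage:
            self.components = dict.fromkeys(self.components, True)
            self.damage = 0
            self.last_heartbeat = now


def remediate(agent, now):
    """Escalate until both monitors report clean; return the steps taken."""
    taken = []
    for step, label in LADDER:
        if not agent.local_failures() and not agent.server_sees_failure(now):
            break
        agent.apply(step, now)
        taken.append(label)
    return taken


if __name__ == "__main__":
    pc = Agent(last_heartbeat=100.0)
    pc.tamper(["capture", "policy", "uplink"], damage=3)  # agent uninstalled
    print(remediate(pc, now=120.0))
```

Either monitor alone is enough to start the ladder: a stale heartbeat triggers remediation even when the local check reports every component as running.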

Is that a "big brother"?

So we have established: if a user gets on the "radar" of the information security service, he or she will not disappear from there. But this doesn’t mean that control will be total.

First of all, we recommend that customers tell employees about the control and explain that it doesn’t trespass on their personal boundaries. Sign an agreement with them that makes them fully informed about what this is, both to comply with the law and to steer clear of doubts and worries.

Secondly, even with strict controls, there are special ethical options to ensure that employees' privacy is not compromised. Here are just a few of them:

  • automatically mute audio recording from the microphone if the PC is not in the office;
  • prohibit saving passwords entered by a user in the Keylogger module;
  • disable reading of correspondence history in instant messengers.

Finally, the information security service may decide to exclude the user from control for one reason or another. It will then remove the agent from the PC automatically, via the main "control center" of the DLP system.

And what do passwords have to do with it?

Remember the situation: you want to remove a program, and the PC asks for administrator rights and asks you to enter a key? This is a simple and good way to protect your corporate messenger or email client from especially proactive employees. Some of our customers would like to see a similar mechanism for protecting a DLP agent, so that even advanced, privileged users who somehow reached the place where it is stored on a PC would be asked by the system to enter a key to delete or stop the agent.

I hope it’s already clear: there are no folders labelled “all-seeing eye” on employees' computers that could be disabled or deleted. It is impossible to imagine the proposed circumstances in practice. But even if there were such a possibility, passwords would not help.

Even the most complex permanent password has a weakness: it is stored somewhere. So, in theory, it can fall into the wrong hands. Then, instead of protection, a vulnerability is created, which can be exploited by potential attackers.

In my opinion, a mode of operation in which the user decides whether to disable or remove a protection tool is useless and even harmful. What is the point of an antivirus that a user can disable when it doesn’t allow an infected attachment to be opened? Likewise for a DLP system: how should protection against insiders work if an insider can turn it off at will? Moreover, if an intruder knows the intricacies and peculiarities of how security systems operate, such instruments are of no use: the intruder's behavior will change, and he will find ways to bypass control.

Therefore, we consider an algorithm in which the user sees the DLP agent in the tray or among the installed programs, and can remove it from there simply by entering a password, to be inappropriate and even harmful from the point of view of information security.

