Ruslan Rakhmetov, Security Vision
Data transfer is essential to the stable operation of a company, so when protecting sensitive data it is important that the DLP system interferes only with traffic whose leakage could actually cause harm. Copying a presentation to a flash drive, sending an email to a contractor, collaborating on a document directly in the cloud: these are familiar business processes that must not be disrupted when they are entirely legitimate. That is why we continue our introduction to DLP systems with the capabilities of traffic analysis: how a data leakage protection system decides whether an employee's action needs to be blocked.
Once data from the monitored channels reaches the core of the DLP system, it is analysed and compared against the data templates your company has chosen to protect. Based on the results of that analysis, the system triggers blocking processes at the right moment; these may act at the level of software, drivers or user actions.
The processes differ depending on the type of data, so let's classify the data types before examining them in detail:
1) archives (e.g. 7z, bzip, tar, rar, zip);
2) databases (ace, mdb, accdb, dmp, mxl, vcs, full, etc.);
3) multimedia files (mov, flac, wmv, mp3, wav, avi, gif, etc.);
4) documents (ppt, pptx, odp, xls, xlsx, ods, doc, docx, odt, pdf, txt, json, xps, djvu, etc.);
5) executable files, libraries, design files and other data types.
Signature processing
This is the first mechanism: it checks files for compliance with certain signatures (formats). Content is not analysed at this stage, but under the IS policy the transfer of data of a certain format can be blocked without any content analysis (e.g. the transfer of archives or design documentation files).
This is the very first technology to appear in DLP solutions, but despite its age signature analysis will never become obsolete, because some types of data simply cannot be analysed by other methods.
Archive processing
Typically, DLP systems do not analyse the archives themselves but the data inside them. The first set of technologies is therefore dedicated to unpacking archives (including nested archives, if required); analysing their contents comes next.
However, some archives are password protected (and therefore encrypted), so additional processes are needed. Classically, DLP systems do not brute-force passwords, as this requires additional computing power. For effective protection, analysts are therefore involved in manual mode, or organisational measures are applied: for example, to send such an archive outside the company perimeter, a letter is generated stating the reason for sending it and the password, so that an IS employee of the department can make an informed decision and take the necessary actions.
Database processing
To protect the contents of databases and tables, digital fingerprint technology is usually used. The database fragments that need protection from leakage are loaded into the DLP engine, and the data observed in traffic is compared against these samples. On a full or partial match (as defined by the IS policy), traffic blocking is triggered.
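A simplified illustration of the digital-fingerprint matching described above, as an added example (not Security Vision's code): each cell of a protected table fragment is stored only as a SHA-256 digest, windows of tokens from outgoing text are hashed and looked up, and a row counts as leaked when the share of its matched cells reaches a threshold. The sample rows, the whitespace tokenisation and the 0.6 threshold are assumptions.

```python
import hashlib
import re
from collections import defaultdict

# Constructed fragment of a protected customer table (sample data, not real).
PROTECTED_ROWS = [
    ("Ivanov", "Ivan", "+7 912 000-11-22"),
    ("Petrova", "Anna", "+7 913 333-44-55"),
]


def normalize(s):
    """Lower-case and drop everything but letters and digits, so that
    '+7 912 000-11-22' and '79120001122' produce the same fingerprint."""
    return re.sub(r"[\W_]+", "", s.lower())


def digest(s):
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


def build_index(rows):
    """Map the digest of each normalised cell to the ids of rows containing it.
    Only digests are kept in the engine, not the protected values themselves."""
    index = defaultdict(set)
    for row_id, row in enumerate(rows):
        for cell in row:
            index[digest(normalize(cell))].add(row_id)
    return index, [len(row) for row in rows]


def scan(text, index, row_sizes, threshold=0.6, max_window=4):
    """Return ids of protected rows whose matched-cell share reaches threshold.
    Windows of 1..max_window whitespace tokens are tried so that multi-token
    values such as phone numbers are still recognised."""
    tokens = text.split()
    hits = defaultdict(set)  # row id -> digests of its cells seen in text
    for i in range(len(tokens)):
        for n in range(1, max_window + 1):
            candidate = normalize(" ".join(tokens[i:i + n]))
            if not candidate:
                continue
            d = digest(candidate)
            for row_id in index.get(d, ()):
                hits[row_id].add(d)
    return sorted(r for r, ds in hits.items() if len(ds) / row_sizes[r] >= threshold)


if __name__ == "__main__":
    idx, sizes = build_index(PROTECTED_ROWS)
    print(scan("Call Ivanov Ivan at +7 912 000-11-22 tomorrow", idx, sizes))  # [0]
```

Production engines also down-weight or ignore short and common values (a first name on its own should not trigger a block) and fingerprint whole rows and n-grams; the threshold is what turns a partial match into a blocking decision under the IS policy.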
Video processing
Modern DLP systems are not yet able to analyse video files on the fly, but targeted monitoring based on signature analysis is possible, and there are separate tools for other types of media files (see below).
Audio processing
Audio files can be converted to text using speech recognition engines (Google Speech-to-Text, MDG solutions, etc.), and the resulting text is then analysed. Few DLP systems can boast built-in capabilities of this kind or integrations with third-party solutions, so such integrations often have to be developed in-house, for example using the capabilities of SOAR platforms or with additional development from the DLP vendor.
For example, with IP telephony that supports voice recognition, text transcripts of calls can be sent to the DLP system for analysis.
Image processing
Pictures can be important in their own right or because of the text they contain. To analyse pictures, modern DLP uses machine learning (e.g. supervised learning): a set of pictures whose transmission is to be monitored with special care is first loaded into the analysis engine. These can be blueprints (black lines on a white background), images of people (found by searching for faces in photos), passports and credit cards (recognised by a set of bank logos and other elements), etc.
In addition to image analysis, optical character recognition (OCR) technology is connected (ABBYY FineReader, Google Cloud Vision, Tesseract), which extracts text from the image and passes it to the text analysis modules (see below).
For example, when enterprise Google DLP is in use and a photo of a credit card is sent via Gmail, the picture can be recognised automatically and the numbers on it masked for all recipients.
Text processing
Many DLP solutions use regular expressions, which allow important fragments of text to be described by formulas (e.g. ^((8|\+7)[\- ]?)?(\(?\d{3}\)?[\- ]?)?[\d\- ]{7,10}$ to search for mobile phone numbers in text). In this way it is possible to protect combinations with a known structure: numbers of passports, credit cards, driving licences, SNILS and other documents.
Moreover, by using various dictionaries and machine learning to search for similar texts, it is possible to detect the transmission of documents on specific topics (accounting, commerce, job search, industry-specific texts, etc.).
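The article's phone regex applied in a small text-processing check, as an added example (not the vendor's code): because the expression is anchored with ^ and $, it is applied with fullmatch to candidate number spans carved out of the text, and a card-number pattern with a Luhn check is added as an assumption to show how a checksum cuts false positives. The candidate and card patterns and the sample text are constructed.

```python
import re

# Regular expression quoted in the article for Russian mobile numbers; it is
# anchored, so it must be applied to a whole candidate span, not searched in text.
PHONE_RE = re.compile(r"^((8|\+7)[\- ]?)?(\(?\d{3}\)?[\- ]?)?[\d\- ]{7,10}$")

# Assumed helpers (not from the article): carve out number-like spans, and
# match 16-digit card numbers written in groups of four.
CANDIDATE_RE = re.compile(r"[+(]?\d[\d()\- ]*\d")
CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")


def luhn_ok(digits):
    """Luhn checksum: rejects most random 16-digit strings that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text):
    """Return the phone and card numbers found in text, grouped by category."""
    findings = {"phone": [], "card": []}
    for m in CANDIDATE_RE.finditer(text):
        span = m.group(0)
        if PHONE_RE.fullmatch(span):
            findings["phone"].append(span)
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group(0))):
            findings["card"].append(m.group(0))
    return findings


if __name__ == "__main__":
    print(classify("Contact: +7 912 000-11-22, card 4111 1111 1111 1111"))
```

The order-number case in the checks shows the caveat: any run of 7 to 10 digits and hyphens satisfies the article's expression, so production policies combine such patterns with context, checksums or fingerprints to keep false positives down.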
Thus, depending on how advanced the DLP system is and which technologies it uses, it is possible to understand the contents of many files automatically in order to secure them. This is useful not only against intruders who 'leak' customer databases or trade secrets, but also against accidental events, because almost everyone has sent an email to the wrong recipient at least once.