In an era where cyber threats are increasingly sophisticated, traditional Data Loss Prevention (DLP) may no longer be enough.
With over 20 years of experience as a CISO, I can say that today's data breaches aren't limited to email transfers or file sharing. Conventional DLP systems often fall short when an internal incident has to be investigated thoroughly.
Real-World Scenarios We Face

Case 1. Good intentions
Our DLP system detected a 16 MB Excel file being uploaded to a personal cloud service outside the organization. The file was password-protected, but the investigation revealed that an employee had uploaded supplier data from their work computer to their personal cloud storage and "shared" the link and the password via Messenger.
When questioned, the employee explained they were following orders from their supervisor, who was traveling abroad and urgently needed access to critical documents. The problem was that there was no formal record of such instructions: the supervisor had given the order over the phone before departure. Fortunately, the supervisor confirmed the instruction and admitted knowing full well that it violated data security policies, even though they had believed password protection would keep the data safe.
Despite good intentions, the data had left the company's secure perimeter. The employee deleted the spreadsheets from the cloud, and the supervisor removed them from their phone. We also scheduled a follow-up IT security training session for the team.
Lesson learned: A complete investigation requires data from multiple sources, not just digital detection alone.

Case 2. Was there an employee?
DLP detected frequent use of image editing software on the transportation department head's computer. Analysis revealed that fuel receipts and maintenance bills were being altered to inflate amounts fraudulently.
When the accounting department was notified, they found that his expense claims were significantly higher than those of his colleagues. Proving document forgery became essential. The office CCTV system proved invaluable, revealing that the manager was frequently absent from work for personal reasons and would ask colleagues to turn on his computer to create the impression he was working. However, when it came time to submit expenses, the perpetrator would return to the office and forge the reports.
Lesson learned: Complete investigations require data from multiple sources, not just digital detection alone.
Case 3. Where is it, the flash drive?
DLP alerted us to approximately 1,000 files, including trade secrets and customer databases, being copied to a flash drive.
This incident was severe, so we responded immediately by asking the employee to insert the flash drive she had used. The DLP system verified the serial number of the device connected to the computer, confirming it matched the device used for the file copies. We then used a remote connection to transfer the files from the flash drive to a NAS (Network-Attached Storage) and formatted the drive, so that every step was carried out transparently and securely.
Fortunately, this incident was detected in time, so the employee had no opportunity to take the flash drive outside the company. While DLP identified the incident immediately, it required additional functions such as connected device management and RDP (Remote Desktop Protocol) integration to safely and efficiently reduce risks.
Lesson learned: Modern DLP should have device management capabilities and integration with other tools for rapid and effective incident response.
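The three checks behind Case 3, as an added illustration that is not the author's or SearchInform's code: a bulk-copy alert from DLP copy events, a cross-check against the device-connection log, and an exact serial match against the drive the employee hands over. All events are constructed sample data and the field names are assumed.

```python
from collections import defaultdict

# Constructed sample events (not real logs). DLP copy events record user, host,
# destination device serial and file path; connection events record which
# serial was plugged into which host.
DLP_EVENTS = [
    {"user": "jdoe", "host": "WS-117", "action": "copy_to_removable",
     "device_serial": "USB-SN-0001", "path": f"/shares/sales/customers_{i}.csv"}
    for i in range(1000)
] + [
    {"user": "asmith", "host": "WS-204", "action": "copy_to_removable",
     "device_serial": "USB-SN-0002", "path": "/shares/hr/handbook.pdf"},
]
DEVICE_CONNECTIONS = [
    {"host": "WS-117", "device_serial": "USB-SN-0001"},
    {"host": "WS-204", "device_serial": "USB-SN-0002"},
]

BULK_COPY_THRESHOLD = 500  # files per (user, host, device); tune per environment


def bulk_copy_alerts(events, threshold=BULK_COPY_THRESHOLD):
    """Count removable-media copies per (user, host, device serial) and return
    the groups at or above the threshold: the signal Case 3 started from."""
    counts = defaultdict(int)
    for e in events:
        if e["action"] == "copy_to_removable":
            counts[(e["user"], e["host"], e["device_serial"])] += 1
    return {k: n for k, n in counts.items() if n >= threshold}


def device_was_connected(connections, host, serial):
    """Second source: was this serial ever seen on the host named in the alert?"""
    return any(c["host"] == host and c["device_serial"] == serial for c in connections)


def verify_presented_device(alert_serial, presented_serial):
    """Does the drive the employee hands over match the alert? Compare the full
    serial exactly; a prefix or case-insensitive match could accept a look-alike."""
    return alert_serial == presented_serial.strip()


def triage(events, connections, host, presented_serial):
    """Combine the checks into one verdict for the alerting host, or None."""
    for (user, h, serial), n in bulk_copy_alerts(events).items():
        if h != host:
            continue
        return {"user": user, "files": n, "serial": serial,
                "seen_on_host": device_was_connected(connections, host, serial),
                "presented_matches": verify_presented_device(serial, presented_serial)}
    return None
```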
Why did DLP need assistance?
The simple answer is that data breaches, fraud, and regulatory violations don't always occur in digital form. To conduct thorough investigations, establish detailed findings, and assess the resulting risks, additional tools are necessary. For example, the perpetrator in the previous case might have deceived us by exploiting distance and "sending" the wrong flash drive. Similarly, the receipt forger could have blamed colleagues had there been no visual identification at the time of the violation.
Therefore, using comprehensive control tools that draw on additional methods and data sources is crucial. The optimal approach is to integrate data from these sources into the DLP system, or to choose a system with the functionality built in. Ideally, there is a single console where every feature can be reached with one click.

What did we do?
After assessing our needs, we chose SearchInform Risk Monitor for the following main reasons:
- Online protection: The system allows for real-time viewing of active processes on an employee's PC. If suspicious activity occurs, SearchInform Risk Monitor collects evidence useful for retrospective investigations.
- Direct PC control: Security teams can intervene quickly, including terminating usage in cases of suspected violations.
- Intruder identification: The security team can quickly intervene, even if employee actions aren't explicitly covered by policies. For instance, you can terminate an active session on a user's PC if a breach is suspected.
- Audio leak prevention: SearchInform Risk Monitor can install additional AI-powered facial recognition functions. The system compares images captured from employee webcams with reference photos. This helps reliably identify the "perpetrator" of incidents.
- Flash drive protection: Documents on flash drives can only be accessed on work computers with SearchInform Risk Monitor agents installed.
- Document protection: The system provides automatic password generation services, eliminating the need for employees to use other tools to send critical documents. The system also analyzes uploaded file types and immediately alerts the IT team, reducing false alarm issues and making document transmission more secure.
- Integration tools: Supports connections with various systems such as PACS, CRM, and payroll systems, with the ability to import data from virtually all sources, including CCTV files, IP phone systems, or proprietary organizational system databases. The interface is fully customizable with templates and connection examples from developers, making everything manageable from a single control center.
Case study
Our corporate software development team received a call demanding an urgent deadline. To meet it, they decided to release a "live" software version without the required testing and information security (IS) service verification. This "raw" update posed a significant risk of disrupting business processes and incurring substantial losses.
Fortunately, SearchInform Risk Monitor's speech recognition module automatically analyzed the call recording and detected the incident in time. Simultaneously, DLP swiftly inventoried software across all company PCs to ensure no "raw" versions were present.
Comprehensive DLP makes incident management easier and investigations faster. Attention to detail is a professional standard for IS specialists.