Egress Monitoring
Monitoring the environment for attacks from outside the organization is crucial, but so is the practice of reviewing all the possible ways data can leave your organization’s control. This is known, in general, as egress monitoring.
There are many ways data leaves the organization’s control (whether authorized or unauthorized), including but not limited to the following:
- FTP
- Portable media
- Removal of hardware
- Posted to public-facing website
- Printed
- Image capture
A comprehensive and effective egress monitoring effort should review all possible means for exfiltration of data, determine whether the action is authorized, and respond accordingly (which can include allowing the export of the data when doing so is authorized, alerting management/security personnel, or halting the action).
Current egress monitoring tools are often called DLP, a term that can stand for “data leak protection,” “data loss prevention,” or any variety of these and similar words. DLP is a marketing and branding term, not a standard nomenclature defined by an agency or industry body. DLP systems have evolved sophisticated capabilities, including extremely sensitive behavior-based and pattern-matching analysis that can be used by management to address potential insider threats.
For DLP systems to function properly, they must be “trained” to recognize baseline data/system/user behavior and operation; this can take a reasonably significant period of time, so DLP tools should not be considered fully effective “out of the box.” Furthermore, the administrators “training” the DLP solutions need to be able to create discrete rule sets about the data and normal usage within the environment so that the tools can serve their purpose; this might require coordination and assistance from the DLP vendor. DLP solutions also typically have a data/system discovery component, allowing the tools to locate data within the environment and make determinations about that data’s sensitivity and authorized use.
In addition to discovery, DLP solutions are typically responsible for monitoring and enforcement functions. For data monitoring, DLP systems commonly use three types of monitoring tools: database, network traffic, and agents installed on client machines. For enforcement, the organization that deploys a DLP solution is usually capable of customizing the level of response the tool will provide when it detects anomalous/suspect activity; this might take the form of a basic user security awareness reinforcement (the system detects a user trying to send an email with sensitive information and creates a pop-up window the user sees, explaining the situation and requiring the user to verify the action), alerts (sent to the user’s supervisor/security personnel/data owner when questionable activity takes place), or prevention (the tool prohibits the action, notifies security personnel, and locks the user’s account).
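The tiered response described above (educate, alert, prevent) combined with pattern matching and a trained behavior baseline, as an added example in Python that is not from the original text or any DLP vendor; the card/SSN patterns, the 5-sample minimum for training and the mean + 3 standard deviation threshold are assumptions chosen for illustration, and the sample values in the usage are constructed.

```python
import re
from statistics import mean, pstdev

# Response tiers named in the text, plus the no-finding outcome.
ALLOW, EDUCATE, ALERT, PREVENT = "allow", "educate", "alert", "prevent"

# Pattern-matching rules (assumed): card numbers are 13-16 digits, optionally
# separated by spaces or dashes; the Luhn check stops random digit runs matching.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(text: str) -> set:
    """Label inspected content by the sensitive patterns it contains."""
    labels = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            labels.add("payment_card")
    if SSN_RE.search(text):
        labels.add("ssn")
    return labels

def volume_anomalous(history: list, today: int, k: float = 3.0) -> bool:
    """Behavior baseline: flag today's outbound count when it exceeds mean + k*stdev
    of the trained history. Too little history means the tool is still 'training'."""
    if len(history) < 5:          # assumed minimum training period
        return False
    return today > mean(history) + k * pstdev(history)

def decide(text: str, channel: str, external: bool, history: list, today: int) -> str:
    """Map content labels and baseline deviation to an enforcement tier.
    channel is e.g. "email", "web_upload" or "portable_media"; external
    means the destination is outside the organization's control."""
    labels = classify(text)
    anomalous = volume_anomalous(history, today)
    if not labels and not anomalous:
        return ALLOW
    if labels and (channel == "portable_media" or (external and anomalous)):
        return PREVENT   # block the action, notify security, lock the account
    if (labels and external) or anomalous:
        return ALERT     # notify supervisor / security personnel / data owner
    return EDUCATE       # pop-up explaining the issue; user must confirm the action
```

With a constructed history of `[12, 15, 11, 14, 13]` outbound messages per day, a Luhn-valid card number mailed internally yields `educate`, the same message to an external address yields `alert`, and a 40-message burst to an external address yields `prevent`.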