May 8, 2018

Data leakage prevention at work

Fernando Jorge

Low and slow data leakage can be challenging to detect, and leaks that contain critical data can have a substantially negative impact on an organization. These leaks can come in many forms: users emailing small pieces of data over time to off-network accounts, or individuals printing out documents or copying them to removable media and taking them to other locations.

Forcepoint has an advanced approach for detecting these leaks through its extensive libraries of rules and policies that are configurable and tunable to an organization. Rules provide simple or graduated logic for a DLP Policy. They are the conditions that govern the behavior of the policy. When should something be blocked?  When should it be encrypted if moved? When should it be audited and managers be notified?

Rules can apply to a single breach or to the accumulation of breaches over a period of time. Standard rules create incidents every time a rule is matched. Cumulative rules gather matches over time and create incidents when a threshold is met, a.k.a. “Data Leakage Prevention.”

Data Leakage Prevention at work:

In this example, our PII Policy Rule will observe matches of the conditions of the rule over a five-minute period. Once the third condition is met (i.e. the third leak within five minutes), DLP will mark that as a Medium incident and apply the Audit and Notify action plan. Going forward, this action plan will audit incidents from all channels and send notifications out to the administrator. The policy will continue monitoring for five minutes after the last leak is sent out before the clock gets reset.

How do you get more granular in approach? Under Advanced, once a fifth incident is triggered, it is going to be marked as High and apply the Block All action plan. At that point in time, given the sensitivity of the PII data being accessed, you can establish a more preventive set of actions: in this example, Blocking and Auditing incidents from all channels (including email, print, removable media) and generating notifications back to the administrator.
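The cumulative-rule behaviour described above, as an added example that is not Forcepoint's code: each rule match for a user is counted, the third match inside the window raises a Medium incident with Audit and Notify, the fifth raises a High incident with Block All, and the count resets once a user has been quiet for longer than the window. The per-user state, the inactivity-based reset and the sample events are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

WINDOW_SECONDS = 300  # five-minute window, measured from the last match (assumed)

# Thresholds modelled on the post: 3rd match -> Medium, 5th match -> High
THRESHOLDS = {
    3: ("Medium", "Audit and Notify"),
    5: ("High", "Block All"),
}


@dataclass
class Incident:
    user: str
    timestamp: int
    match_count: int
    severity: str
    action_plan: str


@dataclass
class CumulativeRule:
    window: int = WINDOW_SECONDS
    thresholds: dict = field(default_factory=lambda: dict(THRESHOLDS))
    # per-user state: (matches in the current window, timestamp of last match)
    _state: dict = field(default_factory=dict)

    def observe(self, user: str, ts: int) -> Optional[Incident]:
        count, last = self._state.get(user, (0, None))
        if last is not None and ts - last > self.window:
            count = 0  # quiet for longer than the window: the clock resets
        count += 1
        self._state[user] = (count, ts)
        if count in self.thresholds:
            severity, plan = self.thresholds[count]
            return Incident(user, ts, count, severity, plan)
        return None


def run_rule(events):
    """Feed (user, seconds, channel) matches through one rule; return incidents raised."""
    rule = CumulativeRule()
    return [inc for user, ts, _channel in events if (inc := rule.observe(user, ts))]


# Constructed sample: each tuple is one PII rule match (user, seconds, channel)
SAMPLE_EVENTS = [
    ("alice", 0, "email"), ("alice", 60, "web"),
    ("alice", 120, "print"),          # 3rd match within window -> Medium
    ("bob", 130, "removable media"),  # separate user, separate count
    ("alice", 200, "email"),
    ("alice", 250, "cloud"),          # 5th match -> High, Block All
    ("alice", 700, "email"),          # 450 s of silence: reset, count back to 1
]
```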

The channels that are going to be monitored by this policy and rules are shown under the Destination tab above.

Forcepoint DLP Suite can monitor across all the following channels:

  • Email (Network email and Endpoint email)
  • Web
  • Cloud Services
  • Mobile Email
  • Endpoint Printing
  • Endpoint Applications
  • Endpoint Removable Media
  • Endpoint LAN

In the world of low and slow data leakage we can detect and prevent leaks, because we monitor and provide graduated logic across more channels than other solutions today. It’s one of the many reasons we lead the industry today in DLP solutions.


Fernando Jorge

Fernando is the Technical Marketing Engineer (TME) for the User and Data Security (UDS) Business Unit at Forcepoint, a position that helps sales enablement providing competitive intelligence, proof of concept labs and associated content.  Previously, Fernando worked as a TME for a...

