Yazen Rahmeh, Cybersecurity Expert at SearchInform, explains that DLP solutions have evolved beyond merely preventing data leaks. Today, they offer powerful investigative capabilities that uncover root causes, detect anomalies, and proactively prevent future incidents—ultimately protecting organizations from significant financial and reputational harm.
In the past, Data Loss Prevention (DLP) solutions were employed solely to detect and prevent data leaks. Today, however, such systems offer a broader range of functionalities and analytical capabilities. In a digital landscape where data security risks are increasingly common, investigative functionality has become a crucial element of DLP. This capability allows organizations to analyze incidents effectively. By providing detailed insights into the context and nature of potential breaches, investigative functionality (archives, online activity control tools, etc.) helps security teams understand how vulnerabilities arise and what actions can be taken to mitigate risks. Without investigative tools, we are destined to deal with the consequences of incidents rather than addressing their causes. And, as everyone understands, it is far better to prevent an illness than to treat someone who is already unwell. In our opinion, the most desirable incident is one that did not occur.
Let’s consider real cases to understand which functionality of a DLP system is really necessary to investigate and correctly analyse events.
Document Forgery
The SearchInform DLP system detected that a manager in the Sales Department was using Photoshop, which was not necessary for her job responsibilities. The time monitoring module indicated that the employee was spending several hours each day using the programme. Simultaneously, copies of scanned sales proposals were consistently appearing on her PC. The anomaly monitoring module alerted the Information Security Department, which conducted a retrospective investigation. It was discovered that the employee had been forging commercial offers in the graphic editor, altering the monetary amounts to be higher.
Outcome: Thanks to the analytical tool of our DLP system, the company was able to uncover the fraudulent scheme and save money.
Monitoring of Working Hours
Employees in a Project Department had volunteered to work overtime on weekends for several weeks. The Information Security Department honoured their request but also used SearchInform DLP to monitor their activities. The reports from the PC activity monitoring module indicated that the employees were engaged in their tasks; they were utilising the software required for their jobs and demonstrating high productivity. To complete the monitoring, the IS Department reviewed the screenshots of their work computers. It became evident that these employees were spending their working hours on third-party projects. Not only were they using the employer’s hardware and software, but they were also handling confidential company data in those projects.
Outcome: The investigation helped to prevent the leakage of confidential data and uncovered outsourced work.
Violation of Corporate Regulations
An architecture company decided to purchase SearchInform DLP. As soon as the system commenced monitoring, an IS specialist detected a suspicious connection between three employees. They did not communicate during the working day, did not have lunch together, and even worked in different departments. However, they were using the same email address.
The IS Department started to investigate the incident: the analysis showed that the email drafts contained financial documents of a third-party company. It turned out that the three employees had set up a rival firm and were planning to poach their employer’s clients by offering better terms.
Outcome: Having security policies in place that facilitate the thorough investigation of incidents helped to uncover internal fraud and prevent direct losses due to client attrition.
Phishing Email
An employee of an insurance company opened a phishing email containing an encryption virus (ransomware) that disrupted work processes. On one of the corporate computers, the antivirus detected the infected file. Using the DLP system, the IS Department decided to conduct a comprehensive audit of the incident and determine the scope of the attack: whether the same attachment had been sent via another method, such as the corporate messenger; whether employees had received this phishing email from an alternative email address; and whether other emails had come from this sender.
Outcome: The functionality of the DLP system helped to respond promptly to the incident and prevent infection in other departments and branches. Where infection had already occurred, it helped to minimise the damage.
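The scoping questions in the phishing case above amount to pivoting from the one message the antivirus flagged to every related message: the same attachment on any channel, other sender addresses that delivered it, internal users who forwarded it, and everything else from the original sender. The following is an added illustration, not SearchInform code; the message log format, the addresses, the hosts and the attachment hashes are all constructed placeholders.

```python
"""Scope a phishing incident across channels by pivoting on the attachment
hash and the sender. Added example; log format and values are constructed."""
from collections import defaultdict

INTERNAL_DOMAIN = "corp.test"  # assumed corporate domain (constructed)

# Constructed message log: one record per delivered message on any channel.
# 'attach' is an attachment hash; values are placeholders, not real IoCs.
MESSAGES = [
    {"id": 1, "channel": "email", "sender": "billing@supplier-example.test",
     "recipient": "anna@corp.test", "host": "PC-ANNA", "attach": "h-aaaa"},
    {"id": 2, "channel": "email", "sender": "billing@supplier-example.test",
     "recipient": "boris@branch.corp.test", "host": "PC-BORIS", "attach": "h-aaaa"},
    {"id": 3, "channel": "messenger", "sender": "anna@corp.test",
     "recipient": "carl@corp.test", "host": "PC-CARL", "attach": "h-aaaa"},
    {"id": 4, "channel": "email", "sender": "invoices@supplier-example.org",
     "recipient": "dina@corp.test", "host": "PC-DINA", "attach": "h-aaaa"},
    {"id": 5, "channel": "email", "sender": "billing@supplier-example.test",
     "recipient": "anna@corp.test", "host": "PC-ANNA", "attach": "h-bbbb"},
    {"id": 6, "channel": "email", "sender": "hr@corp.test",
     "recipient": "carl@corp.test", "host": "PC-CARL", "attach": "h-cccc"},
]


def scope_incident(messages, seed_id):
    """Pivot from the flagged message (seed_id) to everything related to it."""
    seed = next(m for m in messages if m["id"] == seed_id)
    bad_hash, sender = seed["attach"], seed["sender"]
    result = {"hosts": set(), "by_channel": defaultdict(set),
              "other_senders": set(), "internal_forwarders": set(),
              "from_sender": []}
    for m in messages:
        if m["attach"] == bad_hash:            # same attachment, any channel
            result["hosts"].add(m["host"])
            result["by_channel"][m["channel"]].add(m["id"])
            if m["sender"].endswith("@" + INTERNAL_DOMAIN):
                result["internal_forwarders"].add(m["sender"])
            elif m["sender"] != sender:        # alternative external address
                result["other_senders"].add(m["sender"])
        if m["sender"] == sender:              # anything else from this sender
            result["from_sender"].append(m["id"])
    result["by_channel"] = dict(result["by_channel"])
    return result


if __name__ == "__main__":
    for key, value in scope_incident(MESSAGES, 1).items():
        print(f"{key}: {value}")
```

Each set in the result maps to one of the scoping questions in the case, so the output is the list of hosts and addresses to isolate, block or notify.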
Retrospective Investigation
An employee of a systems integrator was found guilty of long-term absenteeism, which led to his dismissal. This process did not proceed smoothly, and as the employee was a system administrator, the IS Department decided to review all his activities in the two weeks prior to the dismissal. It was discovered that, on his departure, the employee had planted a file bomb (a programme with a delayed start) in the system. A month after his dismissal, this programme was due to activate and erase the configurations of the network equipment, preventing employees from receiving emails, printing documents, and accessing the Internet. It would have taken a long time to fully restore operations.
Outcome: A retrospective investigation helped to avoid a business interruption that would have inevitably caused financial losses.
In conclusion, as the landscape of data breaches and cyber threats continues to evolve, DLP solutions must prioritize robust investigative features to combat these challenges effectively. By integrating advanced analytics, real-time monitoring, and comprehensive reporting capabilities, organizations can not only detect and prevent data loss but also respond swiftly and effectively to incidents. The ability to conduct thorough investigations ensures that companies can mitigate risks, understand the root causes of breaches, and enhance their overall data security posture. Information security is not an abstract concept; rather, it is another business process that should be regarded through the lens of PDCA (Plan-Do-Check-Act).