How to Detect and Prevent Data Leaks with Teramind

Introduction

Data breach incidents are growing at an alarming rate. The site Information is Beautiful maintains a graph of the World's Biggest Data Breaches & Hacks since 2004. Here are some statistics to put things into perspective:

Total records exposed in 2020: 37B. The volume of records compromised by data breaches jumped by 141% compared to 2019. (Source: RBS)
Average cost of a data breach in the USA: $8.64M. The US is the most expensive country for data breaches, with an average cost of $8.64M; the global average is $3.86M. (Source: IBM)
Average time to identify and contain a breach: 280 days. Most companies still have a long way to go to improve their detection rates and contain breach incidents faster. (Source: IBM)
Human error is a major cause of breaches: 22%. While criminal hacking is the main cause, the second main cause is mistakes made by employees. (Source: Verizon)

No wonder companies all over the world are looking for ways to fight this growing threat. The causes, impacts, and frequency of data leaks show that businesses need a robust data loss prevention strategy, backed by technology that is also future proof.

What is Data Loss Prevention (DLP)?

Data Loss Prevention (DLP) is a strategy for reducing the risk of data breaches by proactively monitoring for, detecting, and blocking incidents before data leaves the organization. The ultimate goal is to ensure that employees and other stakeholders do not accidentally or intentionally share sensitive and confidential data outside your organization. A DLP solution uses content discovery, content inspection techniques, and contextual analysis to identify and categorize sensitive data and IP. A typical DLP strategy targets three states of data: in use (endpoint), in motion (network), and at rest (storage). Traditional DLPs combine standard measures such as intrusion detection, firewalls, signature databases, file tagging, and structured data fingerprinting to protect sensitive data.

Traditional DLP vs. Endpoint DLP

Storage-based DLPs protect data at rest, for example on file servers, databases, and web servers. Network-based DLPs protect data in motion: they are usually installed at network egress points, which gives them a clear line of sight to all incoming and outgoing traffic, where they analyze the traffic and enforce security policies on data movement.

 

Teramind is an endpoint-based DLP solution: the Agent is installed on the endpoint (the user's machine), where data is in use. Teramind DLP can monitor a user's day-to-day behavior in apps, websites, and emails, and even raw inputs such as keystrokes and on-screen activity. This helps detect 'human' risks such as malicious employees, collusion, sabotage, theft, and other insider threats. Endpoint DLPs also typically work in real time, detecting threats and, where appropriate, preventing them on the spot.

Data Loss Prevention with Teramind DLP

Teramind’s Data Loss Prevention solution is built on top of our employee monitoring and behavior analytics platform. It adds intelligent behavioral rules, automated data discovery and classification, and content-based rules to protect your sensitive data and IP from exfiltration. This makes the solution more effective than traditional DLP at detecting human factors such as malicious intent, errors, or accidents, and lets you implement an effective plan for protection against data breaches and other exfiltration attempts.

Teramind DLP uses a simple, 3-step process to protect your organization against data and IP leakage and other data exfiltration attempts:

DLP_steps.png

The dashboards are easy to configure using drag-and-drop widgets, and you can also create your own custom dashboards. To create a new dashboard, hover your mouse over the DASHBOARD menu, then click the green CREATE DASHBOARD button at the bottom of the sub-menu.

Note: Only the main Administrators, Department Managers, and Privileged Users (created using the CONFIGURE > ACCESS CONTROL menu) have access to the DASHBOARD menu. Each user’s dashboards are specific to their own login account and cannot be viewed or edited by another user.

Step 1: Data Discovery & Classification

Keep in mind that Teramind DLP does not perform traditional data discovery by scanning storage. Instead, it installs an endpoint Agent that inspects data in motion in real time: for example, when a user sends an email, accesses a file, or browses a website. That said, Teramind DLP has the data discovery and classification features needed for the most common use cases. The table below summarizes the data discovery and classification capabilities of Teramind DLP compared to what is found in other DLP technologies.

Unstructured data (e.g., emails): Yes. Unstructured data such as text on webpages, inside documents, emails, etc. is supported.
Structured data / database fingerprinting: No. Teramind does not use a fingerprinting database. However, you can look for specific text or binary content inside documents.
Document tagging: Yes. Teramind supports manual tagging of documents using meta-tags (custom file properties). String/text, integer, and date values can be used as tag values.
Partial data matching: Yes.
Keyword / phrase matching: Yes.
Regular expressions / rule-based matching: Yes.
Dictionary rules / data validation / category match: Yes. Built-in classified data definitions are available for PII, PHI, and PFI. Custom definitions can be created using keyword lists and regular expressions.
Metadata analysis: Yes.
Natural-language processing / semantic and contextual analysis: No. Teramind does not directly support contextual analysis such as NLP. However, you can use regular expressions to capture language nuances and variations. For example: .*(surprised|concerned|frustrated|angry) that you (didn.?t|did not) (contact|call|email) me.*
File type / extension matching: Yes.
Statistical data analysis: No. Teramind rules do not support sequential processing or detect threats based on statistical data. However, you can conduct manual analysis and trend detection with the built-in BI Reports.
OCR image analysis: Yes. Text within images is detected.
Machine learning (detecting similar documents): No.
Protocol / signature matching (network): Partial. Teramind DLP can detect network transfers over SMTP, HTTP/HTTPS, TCP, UDP, RDP, etc.
Directory group matching / identity matching: Yes. Teramind DLP can perform directory group matching (DGM) against data sources containing email addresses, IP addresses, Windows usernames, IM names, etc.
Storage-based scanning (e.g., file server, SAN/NAS, DBMS): No. Teramind does not conduct any storage DLP discovery. However, the Teramind Agent can be installed on a Windows Server, Terminal Server (RDS), Application / Session Server, Citrix, VMware Horizon, etc. to monitor activities on those servers.
Encrypted / compressed documents: No.
Quarantine and contain suspect data: Partial. Some quarantine options are available. For example, copies of user emails and attachments, printed documents, etc. can be captured.

Use Predefined Data Categories

Teramind has built-in templates for many predefined data categories to help you classify information automatically and in real-time. You can use them with Content-sharing rules.

DLP-1.png

  1. Financial Data allows you to detect credit card numbers, SWIFT codes, ABA routing numbers, etc. for PCI DSS compliance.
  2. Health Data allows you to identify common drug/disease names, DNA profiles, HICNs, ICD codes, etc. for HIPAA compliance.
  3. Personally Identifiable Data allows you to detect names, addresses, birth dates, zip codes, etc. for privacy regulations such as GDPR.
  4. Code Snippet allows you to prevent source code leaks for SQL and many other popular languages.

Create Your Own Custom Data Types

You can create custom data types specific to your organization, for example billing/invoice numbers, signup, enrollment and payment data, OGD, GSCP, special codes, etc.

DLP-2.png

Custom data types are defined using:

    1. Keywords: You can use the ‘Contains’ or ‘Equals’ condition to match partial or exact keywords.
    2. Regular Expressions: Any valid C++ RegEx can be used.
    3. Shared Lists: You can build lists of text, network addresses, and regular expressions or import them from a CSV file. These shared lists can be used when defining behavior rules, as well as in monitoring profiles.

Step 2: Behavior Policies & Rules

While data classifications define what you consider to be sensitive data for your organization, policies tell the Teramind Agent how your workforce is allowed to handle that data. Teramind can then automatically respond to a rule violation with actions such as Warn, Block, or Lock-Out. In addition, administrators can set thresholds to reduce false positives and/or take action only for repeated violations (e.g. a file copy action more than 10 times within 1 day).
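The following is an added example, not Teramind's own code, that models in plain Python the two mechanisms described in the Custom Data Types section and in this Behavior Policies section: data types built from 'Contains' / 'Equals' keywords, regular expressions, and a CSV-imported shared list, and rules that fire an action only once a user's matching activity reaches a threshold inside a time window. All rule names, data-type names, events, and list entries are constructed for the illustration; the card-number definition adds a Luhn checksum, which Teramind's built-in template may or may not do, to show how a validation step cuts false positives from a bare regex.

```python
"""Added example (not Teramind code): keyword / regex / shared-list data types,
plus threshold-based behavior rules, using only the Python standard library.
Every name, event and list row below is constructed for the illustration."""
import csv
import io
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Deque, Dict, List, Optional, Tuple

# --- Step 1: data types -------------------------------------------------------
Matcher = Callable[[str], bool]

def contains(keyword: str) -> Matcher:
    """'Contains' condition: partial, case-insensitive keyword match."""
    kw = keyword.lower()
    return lambda text: kw in text.lower()

def equals(keyword: str) -> Matcher:
    """'Equals' condition: the whole value must equal the keyword."""
    kw = keyword.lower()
    return lambda text: text.strip().lower() == kw

def regex(pattern: str) -> Matcher:
    """Regular-expression condition (Python's re engine, not the C++ one)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda text: rx.search(text) is not None

def shared_list(csv_text: str) -> Matcher:
    """Shared list imported from CSV text: first column of each row is a keyword."""
    words = [row[0].lower() for row in csv.reader(io.StringIO(csv_text)) if row]
    return lambda text: any(w in text.lower() for w in words)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def credit_card() -> Matcher:
    """13-19 digits with optional separators that also pass Luhn, so an order
    number that merely looks like a PAN does not trigger 'Financial Data'."""
    rx = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
    return lambda text: any(luhn_ok(re.sub(r"[ -]", "", m)) for m in rx.findall(text))

# Constructed definitions. 'Frustrated Customer' is the page's regex example with
# the space between "didn't" and the verb written as \s+.
DATA_TYPES: Dict[str, List[Matcher]] = {
    "Financial Data": [credit_card()],
    "Project Codename": [contains("project bluebird")],        # hypothetical IP
    "Customer List": [shared_list("ACME-4471\nGLOBEX-0093\n")],  # constructed CSV
    "Frustrated Customer": [regex(r"(surprised|concerned|frustrated|angry) that you "
                                  r"(didn.?t|did not)\s+(contact|call|email) me")],
}

def classify(text: str) -> List[str]:
    """Names of every data type with at least one matching condition."""
    return [name for name, ms in DATA_TYPES.items() if any(m(text) for m in ms)]

# --- Step 2: behavior rules with thresholds -----------------------------------
@dataclass
class Rule:
    name: str
    activity: str              # e.g. "email_send", "file_copy", "clipboard"
    data_type: Optional[str]   # content condition; None means any content
    threshold: int             # fire once this many matches ...
    window: timedelta          # ... occur within this window, per user
    action: str                # "Warn", "Block" or "Lock-Out"

@dataclass
class Event:
    ts: datetime
    user: str
    activity: str
    content: str

class RuleEngine:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        # (rule name, user) -> timestamps of matching events still inside the window
        self._hits: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)

    def evaluate(self, ev: Event) -> List[Tuple[str, str]]:
        """Return (rule name, action) for every rule that fires on this event."""
        fired: List[Tuple[str, str]] = []
        labels = classify(ev.content)
        for rule in self.rules:
            if rule.activity != ev.activity:
                continue
            if rule.data_type is not None and rule.data_type not in labels:
                continue
            hits = self._hits[(rule.name, ev.user)]
            hits.append(ev.ts)
            while ev.ts - hits[0] > rule.window:    # expire hits outside the window
                hits.popleft()
            if len(hits) >= rule.threshold:
                fired.append((rule.name, rule.action))
        return fired

RULES = [
    Rule("Card data in outbound email", "email_send", "Financial Data",
         1, timedelta(minutes=1), "Block"),
    Rule("Repeated file copy", "file_copy", None, 3, timedelta(days=1), "Warn"),
]

def run_demo() -> List[Tuple[str, str, List[Tuple[str, str]]]]:
    """Feed constructed events through the engine; returns (user, activity, fired)."""
    engine = RuleEngine(RULES)
    t0 = datetime(2024, 1, 15, 9, 0)
    events = [
        Event(t0, "alice", "email_send", "Order 1234 5678 9012 3456 shipped"),  # fails Luhn
        Event(t0, "alice", "email_send", "Card 4111 1111 1111 1111 exp 12/26"),  # valid PAN
        Event(t0 + timedelta(hours=1), "bob", "file_copy", "Q3_forecast.xlsx"),
        Event(t0 + timedelta(hours=2), "bob", "file_copy", "customers.csv"),
        Event(t0 + timedelta(hours=3), "bob", "file_copy", "roadmap.pptx"),     # 3rd in a day
        Event(t0 + timedelta(days=2), "bob", "file_copy", "notes.txt"),         # window rolled
    ]
    return [(ev.user, ev.activity, engine.evaluate(ev)) for ev in events]

if __name__ == "__main__":
    for user, activity, fired in run_demo():
        print(f"{user:6} {activity:11} -> {fired or 'no action'}")
```

Two design points matter in practice. First, the sample 'Order 1234 5678 9012 3456' passes the card regex but fails Luhn, so it is not classified as Financial Data; without the validation step it would have produced a Block on a harmless shipping email. Second, the threshold counter is kept per user and per rule and expires old hits as each new event arrives, so bob's three copies within a day fire the Warn, while a fourth copy two days later starts a fresh count.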

Rule Templates & Samples

DLP-3.png

  1. Teramind comes with a library of templated policies you can use right out of the box. When creating a new rule, select CHOOSE A TEMPLATE on the Rule Editor’s General tab.
  2. Many sample rules are also included with your deployment. Pick a sample, and the Rule Editor will be populated with core settings and sample data you can customize for your needs.

Rule Types By Use Case

You can create three types of rules in Teramind DLP (Teramind also has a special rule type, the Anomaly Rule, which is covered in a separate article):

DLP-4.png

  1. Agent-based rules are useful for productivity oversight but can also be used to prevent potential data theft and risky behavior; for example, preventing user login during off-hours or from unknown IP addresses.
  2. Activity-based rules are available in both Teramind UAM and Teramind DLP. They let you detect and, in most cases, prevent harmful or risky user activity: for example, block the user when they try to upload files to a cloud drive such as Google Drive, Dropbox, or OneDrive; detect emails with attachments sent to non-business addresses; restrict access to non-whitelisted/unauthorized applications or websites; and more.
  3. In addition to activity-based rules, you can create Content-sharing rules for Clipboard, File, Email, and IM to protect important information from malicious or accidental data leaks. These rules focus on the ‘content’ being shared rather than the activity.

Document Tagging / Fingerprinting Rules

In Teramind DLP, you can use two special conditions with Content-sharing rules. These conditions, File Properties and File Origin, identify files by their meta-tags and their source, allowing you to track documents even after they are modified or shared between users.

DLP-5.png

These two features can be useful to secure sensitive documents such as patents, legal files, government forms, etc.


OCR (Optical Character Recognition) Rules

Part of the Activity-based rule category, OCR rules detect on-screen text in real time, even inside images or videos, and notify an admin. In addition to OCR rules, you can quickly search for text detected on users’ screens. OCR works with multi-screen setups, virtual desktops, and Terminal Servers.

DLP-6.png

In the above example:

  1. OCR search can be conducted from Monitoring > OCR report. You can use Full Text, Wild Cards, Regular Expressions, etc.
  2. Screen location where OCR text was detected.
  3. An OCR rule using Regular Expressions to detect phone numbers.

Data Loss Prevention Rule Examples

Here are some use cases that demonstrate various data discovery, user activity detection, and rule violation actions available in Teramind DLP:

Step 3: Investigate Rule Violation Incidents

There are multiple ways you can investigate rule violation incidents on Teramind.

Behavior Alerts Report

This is your primary source to view all rule violation incidents. You can use the Alerts report to view a list of rule violation incidents with all the necessary details, such as the date/time the incident happened, the user or activity involved, and other pertinent information. The report also contains a Risk tab, where you can analyze the impact of rule violation incidents and the risks they pose to your organization. The report shows top risky rules, users, applications, and websites. You can drill down each risk category to further investigate what caused the risk level to change. You can also plot the risk trend by department, severity, the number of violations, etc. Unique risk scores help you identify high-risk rules or users so that plans can be developed for treating the risks.

You can access the Behavior Alerts report from the BI Reports > Behavior Alerts menu.

DLP-7.png

On the Behavior Alerts screen, you will see a table/grid widget. Right-click a row to open a pop-up menu:

  1. Click the Investigate option from the pop-up menu to view the Employee’s Activity Monitoring Report. From that report, you can see all the alerts for the employee under the Alerts tab.
  2. Click the View record option to view the session recording of the employee at the selected timestamp.

Session Recording & Playback

Session Player allows you to view a user’s desktop in live view or history playback mode. You can precisely locate when a rule violation incident occurred, check out all the alert notifications the user received, and investigate the trail of user activities leading up to the incident.

DLP-8.png

You can access the Session Player from the BI Reports, from the Employee’s Activity Monitoring Report, or from the Dashboards. Click the movie camera icon, wherever you see it, to open the Session Player.
