
Data loss prevention (DLP) is a strategy for making sure that end users do not send
sensitive or critical information outside the corporate network. The term is also used
to describe software products that help a network administrator control what data
end users can transfer.

DLP software products use business rules to classify and protect confidential and
critical information so that unauthorized end users cannot accidentally or maliciously
share data whose disclosure could put the organization at risk. For example, if an
employee tried to forward a business email outside the corporate domain or upload
a corporate file to a consumer cloud storage service like Dropbox, the employee
would be denied permission.

Adoption of DLP is being driven by insider threats and by more rigorous
state privacy laws, many of which have stringent data
protection or access components. In addition to being able to monitor and control
endpoint activities, some DLP tools can also be used to filter data streams on the
corporate network and protect data in motion.

DLP products may also be referred to as data leak prevention, information loss
prevention or extrusion prevention products.

What is a DLP agent?

McAfee DLP Endpoint safeguards intellectual property and ensures compliance by protecting
sensitive data such as PCI, PII, and PHI wherever it lives—on premises, in the cloud, or at the
endpoints.

How does DLP (data loss prevention) work?

DLP is a solution used to detect (and at times prevent) potential breaches/ex-filtration by
monitoring data while in the following states: Data at Rest – data while it is being stored.
... Data in Motion – data while it is transmitted over a network (in transit).
Dec 29, 2012

WHAT TYPE OF DATA LOSS PREVENTION IS RIGHT FOR YOUR ORGANIZATION? CHOOSING BETWEEN ENDPOINT DLP AND NETWORK DLP
Bill Bradley
Last Updated: Saturday October 1, 2016
Deciding between endpoint DLP and network DLP isn't always
a simple task. Watch our video for a breakdown of the key
differences between each approach and questions to help you
choose the best solution for your data protection needs.
While they both serve to meet the same goal – preventing sensitive data loss – endpoint DLP and network
DLP are very different in terms of how they’re deployed and what levels of control they offer. As a result,
both solutions also have different “sweet spots” in which they are more ideal than the other.
Understanding these differences is critical to planning your DLP deployment and being able to correctly
match DLP capabilities to your business’ data protection requirements.

To help in your DLP decision making process, we’ve developed a short video that covers the main
differences between both approaches as well as what kinds of questions security teams should answer in
order to choose the right solution:

Data loss prevention software

From Wikipedia, the free encyclopedia

Data loss prevention software detects potential data breaches/data ex-filtration transmissions and
prevents them by monitoring, detecting and blocking sensitive data while in-use (endpoint
actions), in-motion (network traffic), and at-rest (data storage). In data leakage incidents[1], sensitive
data is disclosed to unauthorized parties by either malicious intent or an inadvertent mistake.
Sensitive data includes private or company information, intellectual property (IP), financial or patient
information, credit-card data and other information.
The terms "data loss" and "data leak" are related and are often used interchangeably.[2] Data loss
incidents turn into data leak incidents in cases where media containing sensitive information is lost
and subsequently acquired by an unauthorized party. However, a data leak is possible without losing
the data on the originating side. Other terms associated with data leakage prevention are information
leak detection and prevention (ILDP), information leak prevention (ILP), content monitoring and
filtering (CMF), information protection and control (IPC) and extrusion prevention system (EPS), as
opposed to intrusion prevention system.


Categories
The technological means employed for dealing with data leakage incidents can be divided into
categories: standard security measures, advanced/intelligent security measures, access control and
encryption and designated DLP systems.[3]
Standard measures
Standard security measures, such as firewalls, intrusion detection systems (IDSs) and antivirus
software, are commonly available products that guard computers against outsider and insider
attacks. The use of a firewall, for example, prevents the access of outsiders to the internal network
and an intrusion detection system detects intrusion attempts by outsiders. Inside attacks can be
averted through antivirus scans that detect Trojan horses that send confidential information, and by
the use of thin clients that operate in a client-server architecture with no personal or sensitive data
stored on a client device.
Advanced measures
Advanced security measures employ machine learning and temporal reasoning algorithms for
detecting abnormal access to data (e.g., databases or information retrieval systems) or abnormal
email exchange, honeypots for detecting authorized personnel with malicious intentions and activity-
based verification (e.g., recognition of keystroke dynamics) and user activity monitoring for detecting
abnormal data access.
Designated systems
Designated systems detect and prevent unauthorized attempts to copy or send sensitive data,
intentionally or unintentionally, mainly by personnel who are authorized to access the sensitive
information. In order to classify certain information as sensitive, these use mechanisms, such as
exact data matching, structured data fingerprinting, statistical methods, rule and regular
expression matching, published lexicons, conceptual definitions and keywords.[4]

Types
Network
Network (data in motion) technology is typically installed at network egress points near the
perimeter. It analyzes network traffic to detect sensitive data that is being sent in violation
of information security policies. Multiple security control points may report activity to be analyzed by
a central management server.[2]
Endpoint
Endpoint (data in use) systems run on internal end-user workstations or servers. Like network-based
systems, endpoint-based technology can address internal as well as external communications. It can
therefore be used to control information flow between groups or types of users (e.g. 'Chinese walls').
They can also control email and Instant Messaging communications before they reach the corporate
archive, such that a blocked communication (i.e., one that was never sent, and therefore not subject
to retention rules) will not be identified in a subsequent legal discovery situation. Endpoint systems
have the advantage that they can monitor and control access to physical devices (such as mobile
devices with data storage capabilities) and in some cases can access information before it is
encrypted. Some endpoint-based systems provide application controls to block attempted
transmissions of confidential information and provide immediate user feedback. They must be
installed on every workstation in the network, and cannot be used on mobile devices (e.g., cell phones
and PDAs) or where they cannot be practically installed (for example on a workstation in an Internet
café).
Data identification
DLP includes techniques for identifying confidential or sensitive information. Sometimes confused
with discovery, data identification is a process by which organizations use a DLP technology to
determine what to look for.
Data is classified as structured or unstructured. Structured data resides in fixed fields within a file
such as a spreadsheet, while unstructured data refers to free-form text or media as in text
documents, PDF files and video.[5] An estimated 80% of all data is unstructured and 20%
structured.[6] Data classification is divided into content analysis, focused on structured data and
contextual analysis which looks at the place of origin or the application or system that generated the
data.[7]
Methods for describing sensitive content are abundant. They can be divided into precise and
imprecise methods. Precise methods involve content registration and trigger almost zero false
positive incidents. All other methods are imprecise and can include: keywords, lexicons, regular
expressions, extended regular expressions, metadata tags, Bayesian analysis and statistical
analysis techniques such as machine learning, etc.[8]

The strength of the analysis engine directly relates to its accuracy. The accuracy of DLP
identification is important to lowering/avoiding false positives and negatives. Accuracy can depend
on many variables, some of which may be situational or technological. Testing for accuracy is
recommended to ensure virtually zero false positives/negatives. High false positive rates cause the
system to be considered DLD (data leak detection) rather than DLP.
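As an added illustration of the precise versus imprecise methods described above (example code written for this page, not taken from the Wikipedia article or from any DLP product), the Python classifier below runs exact data matching against registered fingerprints alongside a lexicon and a digit-run regular expression, with a Luhn checksum assumed as a cheap filter for regex false positives. The registered value and the sample text are constructed test data.

```python
import hashlib
import re

# Precise method: content registration. The constructed "registered" value stands
# in for an organisation's real records; the engine keeps only SHA-256 fingerprints.
REGISTERED_VALUES = ["4111111111111111"]  # constructed test value, not a real card
EDM_INDEX = {hashlib.sha256(v.encode()).hexdigest() for v in REGISTERED_VALUES}

# Imprecise methods: a small lexicon and a regular expression for 13-16 digit runs
# (digits optionally separated by spaces or dashes).
LEXICON = ("confidential", "patient id")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum (assumed here as a filter to cut regex false positives)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> dict:
    """Return the findings of each method so their precision can be compared."""
    found = {"regex": [], "regex+luhn": [], "edm": [], "lexicon": []}
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        found["regex"].append(digits)                       # any 13-16 digit run
        if luhn_ok(digits):
            found["regex+luhn"].append(digits)              # well-formed numbers only
        if hashlib.sha256(digits.encode()).hexdigest() in EDM_INDEX:
            found["edm"].append(digits)                     # registered content only
    lowered = text.lower()
    found["lexicon"] = [w for w in LEXICON if w in lowered]
    return found


# Constructed sample: one registered number, one well-formed but unregistered
# number, one order number that merely looks like a card, and a lexicon hit.
SAMPLE = (
    "CONFIDENTIAL: refund card 4111 1111 1111 1111 and card 4012-8888-8888-1881; "
    "order 1234567890123 shipped."
)

if __name__ == "__main__":
    for method, hits in classify(SAMPLE).items():
        print(f"{method:11s} -> {hits}")
```

Only exact data matching reports just the registered record; the bare regex also flags the order number, and regex plus Luhn still flags the unregistered card, which is the false-positive gap the text attributes to imprecise methods.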
Data leak detection
Sometimes a data distributor gives sensitive data to one or more third parties. Some time later,
some of the data is found in an unauthorized place (e.g., on the web or on a user's laptop). The
distributor must then investigate the source of the leak.[9]
Data at-rest
"Data at rest" specifically refers to old archived information. This information is of great concern to
businesses and government institutions simply because the longer data is left unused in storage, the
more likely it might be retrieved by unauthorized individuals.[10] Protecting such data involves
methods such as access control, data encryption and data retention policies.[2]
Data in-use
"Data in use" refers to data that the user is currently interacting with. DLP systems that protect data
in-use may monitor and flag unauthorized activities.[2] These activities include screen-capture,
copy/paste, print and fax operations involving sensitive data. These can be intentional or unintentional
attempts to transmit sensitive data over communication channels.[11]
Data in-motion
"Data in motion" is data that is traversing a network to an endpoint destination. Networks
can be internal or external. DLP systems that protect data in-motion monitor sensitive data traveling
across a network through various communication channels.[2]
