
Sophos DLP

Hi,

I just want to ask about the Sophos DLP solution.

Can the DLP feature block a user attempting to leak data by injecting the data into an image file?

I have heard of this workaround but forgot the term.

appreciate any advice.

Thanks

:28505


  • Hi,

    I guess it's all steganography but no, Sophos DLP is really targeted at stopping accidental data leakage and putting off the odd not too technical rotter. For example, a user unwittingly sending a database of PII, credit card numbers, email addresses, etc. Maybe a salesperson emailing themselves a list of contacts the day before they leave. Even if they just get a block message it might be enough to put them off retrying as they might figure they are being watched, etc.

    TBH, it's almost impossible to stop data being taken if the person can see it; you can only really make it harder by reducing the channels it can be moved via. Plus, if they are an admin on a client they can always subvert any client-side solution; it just depends on how knowledgeable the user is.

    You could give them user rights, lock the computer up to prevent physical access, i.e. access to removable media, tie them down with the ability only to view the specific data (i.e. no access to move data from the machine, via the web) but they can always just write it down or even take a picture of the screen (must be screen filters that guard against this?). I guess it then depends on either the sensitivity of the data vs. the quantity and how badly they want it.

    You could put it into monitor-only mode so the "rogue" user doesn't realize they are being monitored, an alert is generated, fires off an email to security who prevents them leaving the building? It's sounding more like something from the movies now though.

    At least you get in the Enterprise Console database an audit of what files are being moved from client machines should you ever need to think about if person x should have access to data y.

    That being said, using Application Control, you can block applications of type "Encryption / Stenography Tool", so if you block online sites that can do this, using a web appliance, and remove the tools that can do it on the client. I don't imagine many need admin rights to use/install, however, so a user just being a user wouldn't help.

    Plus, if they are using online sites, they would have to upload the sensitive data in the original format so data control could pick it up at that point. Of course they could obfuscate it then send it, but there are enough tools within the Sophos policies/products to stop this for the most part.

    Regards,

    Jak 

    :28511