Sophos DLP

Question

hi,

i just want to ask about Sophos DLP solution.

can the dlp feature block user attemping to leak a data in which he will inject the data in a image file?

i somewhat heard this workaround but forgot to term.

appreciate any advice.

Thanks

This thread was automatically locked due to age.

jak · Accepted Answer

HI, I guess it's all s teganography but no, Sophos DLP is really targeted at stopping accidental data leakage and putting off the odd not too technical rotter. For example. A user unwittingly sending a database of PII, credit card numbers, email addresses, etc...  Maybe a sales person emailing themselves a list of contacts they day before they leave.  Even if they just get a block message it might be enough to put them off retrying as they might figure they are being watched, etc.. TBH, it's almost impossible to stop data being taken if the person can see it, you can only really make it harder by reducing the channels it can be moved via.   Plus if they are an admin on a client they can always subvert any client side solution, just depends on how knowledgeable the user is. You could give them user rights, lock the computer up to prevent physical access, i.e.. Access to removable media, tie them down with the ability only to view the specific data (i.e.. not access to move data from the machine, via the web) but they can always just write it down or even take a picture of the screen (must be screen filters that guard against this?).  I guess it then depends on either the sensitivity of the data vs.. the quantity and how badly they want it. You could put it into monitor only mode so the "rouge" user doesn't realize they are being monitored, alert is generated, fires off an email to security who prevents them leaving the building?  It's sounding more like something from the movies now though. At least you get in the Enterprise Console database an audit of what files are being moved from client machines should you ever need to think about if person x should have access to data y. That being said, using Application Control, you can block applications of type; "Encryption / Stenography Tool", so if you block online sites that can do this, using a web appliance.  And remove the tools that can do it on the client, I don't imagine many need admin rights to use/install however so a user just being a user wouldn't help.   Plus, if they are using online sites, they would have to upload the sensitive data in the original format so data control could pick it up at that point.  Of course they could obfuscate it then send it, but there are enough tools within the Sophos policies/products to stop this for the most part. Regards, Jak  :28511

QC · Answer

Hello Hopper,

is steganography what you're thinking of?

Now, DLP is not magic. Quoting from the console help (emphasis mine): Data control enables you to reduce accidental data los ..., i.e. it neither claims to prevent all data loss nor to completely impede deliberate (or criminal) attempts. A simple example is encryption which is designed to make the contents unreadable to a third party. While the contents can't be scanned, in some cases (but not generally) it is possible though that encryption is used. Similarly there are methods to detect the use steganography but they don't lend themselves to on the fly scanning. Thus the only way to counter leakage using this methods is to block steganography software tools - a few of them (but by far not all) can be blocked by Application Control.

Generally DLP (alone) on the client (alone) can protect against accidental loss - which has its merit. In order to guard against deliberate leakage you have to(at least)

have complete control over the software used on the computer (this includes "portable" software)

have complete control over what's written to removable media (or completely block them)

force all network connections through a gateway which enforces (additional) policies

prevent all communication over other channels (like Bluetooth, tethering and so on)

Christian