What is Endpoint Data Loss Prevention?
Endpoint DLP Defined, Explained, and Explored
Endpoint Data Loss Prevention Defined
Endpoint Data Loss Prevention is the practice of securing sensitive information stored on laptops, desktops, smartphones and other devices and preventing it from being accidentally or maliciously leaked, lost, misused or destroyed.
By monitoring the access and use of data on each device, endpoint DLP can identify movement or behavior that may represent potential leaks or unauthorized actions and take steps to remediate the potentially harmful activity.
Endpoint Data Loss Prevention has become a critical part of the IT security stack as companies have embraced bring-your-own-device (BYOD) policies that allow employees to use personal devices when connecting to the organization’s network.
The Role of Endpoints in Data Loss and Leaks
One outcome of digital transformation is that many organizations are contending with a rapid proliferation of devices connecting to the corporate network. From employees’ smartphones to the laptops of mobile workers and the thousands of sensors in an IoT network, the volume of connected devices represents a significant expansion of the attack surface and a greater risk of data being lost, leaked, destroyed or accessed by unauthorized individuals.
Data on endpoint devices can be lost or leaked in many ways.
- Physical theft or loss. When a smartphone or USB flash drive is lost or stolen, any sensitive information stored on the device may be at risk.
- Insider attacks. Malicious insiders are employees, vendors, contractors, partners or others with access to the organization’s network and intent on stealing sensitive data. Malicious insiders may send business plans to a competitor, download intellectual property to sell on the black market, steal customer credit card numbers to use in cyberattacks or copy lists of customers and prospects to take with them when changing jobs.
- Negligence. Human error is often the cause of a data leak, as when an employee attaches the wrong file to an email and accidentally exposes confidential information. Employees may fail to properly encrypt sensitive material when emailing or transferring it, or they may include personal data like Social Security numbers or credit card information within the body of an email without realizing it.
- Cyberattack. Many employees outside the office connect to the network via personal devices on unsecured connections, creating a very attractive attack vector for cybercriminals. When these connections are breached, attackers can use compromised credentials to hijack accounts and exfiltrate sensitive data, intellectual property, customer records and other confidential information.
How Endpoint Data Loss Prevention Works
Endpoint Data Loss Prevention includes both agent-based and agentless solutions. Agent-based endpoint DLP uses software installed on a device to monitor sensitive data stored on, accessed from, sent to or sent from the device. Agentless Data Loss Prevention services use cloud-based technology to protect unmanaged devices that IT teams cannot access.
Creating a Data Loss Prevention system for endpoint devices involves the following major steps.
- Classifying sensitive data. Endpoint Data Loss Prevention begins with classifying all the types of data that may be considered sensitive, confidential, private or protected. Classification may include intellectual property, personally identifiable information, trade secrets, financial records, customer credit card numbers and many other types of sensitive information. By classifying data, security teams can more easily establish granular security policies for how each data class should be stored, used, protected and retained and who within the company can access it.
- Monitoring all network endpoints. By constantly monitoring the activity on endpoints and user interactions with data, endpoint Data Loss Prevention solutions can identify potential leaks, misuse or exfiltration incidents on each device. For example, endpoint Data Loss Prevention software may detect when a user attempts to access confidential data without appropriate authorization, attach an unencrypted file to an email, copy intellectual property to a flash drive, or access customer data in violation of regulatory requirements.
- Applying security policy. As endpoint Data Loss Prevention technology monitors devices, it applies the security policies set by IT teams for each classification of sensitive material. When a user’s action violates a policy, endpoint DLP solutions may block the activity, enforce encryption requirements, flag the actions for review by security teams, or take other steps to remediate the concern.
- Reviewing incidents. Endpoint Data Loss Prevention solutions notify administrators when incidents occur, enabling security teams to analyze activity and behavior within context. This allows teams to refine security policies to ensure that data is protected while not impeding legitimate users from accessing the data they need.
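To make the four steps concrete, here is an added toy policy engine (illustration only, not Forcepoint's code) that classifies content by pattern, evaluates a monitored endpoint event against a per-class policy keyed by egress channel, and queues non-allowed outcomes as incidents for review. The data classes, channels, policy table and sample events are all constructed for the example; the Luhn check shows why classification needs more than a bare digit pattern.

```python
import re
# Added illustration, not Forcepoint's code: toy endpoint DLP engine for the four steps above.

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def luhn_ok(digits):
    """Luhn checksum, so random 16-digit strings are not mislabelled as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(content):
    """Step 1: return the set of sensitive data classes found in the content."""
    classes = set()
    if SSN_RE.search(content):
        classes.add("pii_ssn")
    for m in CARD_RE.finditer(content):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            classes.add("payment_card")
    return classes

# Step 3: policy table (constructed) keyed by (data class, egress channel).
POLICY = {
    ("payment_card", "usb"): "block", ("payment_card", "email"): "encrypt",
    ("pii_ssn", "usb"): "block", ("pii_ssn", "email"): "flag",
}
SEVERITY = ["block", "encrypt", "flag", "allow"]  # most restrictive first

def evaluate(user, channel, content):
    """Steps 2-3: take one monitored event, apply policy, return (action, incident)."""
    classes = classify(content)
    actions = [POLICY.get((c, channel), "allow") for c in classes] or ["allow"]
    action = min(actions, key=SEVERITY.index)  # strictest matching rule wins
    incident = None
    if action != "allow":
        incident = {"user": user, "channel": channel, "classes": sorted(classes), "action": action}
    return action, incident

# Constructed sample events: (user, channel, content)
EVENTS = [
    ("alice", "usb", "Customer card 4111 1111 1111 1111 exp 12/27"),
    ("bob", "email", "Applicant SSN 123-45-6789 in body, not encrypted"),
    ("dave", "usb", "Order ref 1234 5678 9012 3456"),  # 16 digits but fails Luhn
]

def review_queue(events=EVENTS):  # Step 4: incidents that need analyst review
    return [inc for _, inc in (evaluate(*e) for e in events) if inc]
```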
The Benefits of Endpoint Data Loss Prevention
In addition to overall Data Loss Prevention benefits, endpoint DLP solutions provide several significant advantages.
- Improved visibility. Implementing endpoint DLP solutions enables security teams to achieve much greater visibility into the types of data and sensitive information stored on various endpoints. Without such technology, IT teams may have difficulty understanding the important data assets that need protection.
- Heightened data security. Endpoint Data Loss Prevention solutions protect data no matter where it resides. This is increasingly important within highly distributed corporate networks where the notion of defending a traditional network perimeter no longer applies. With effective endpoint DLP, employees can take or access business-critical data wherever they go.
- Enhanced device control. Endpoint DLP gives IT teams greater control over a wide range of devices. DLP policies can control whether device users can access, view, download, upload or transmit sensitive data on each device.
Endpoint Data Loss Prevention with Forcepoint
As a leading user security and Data Loss Prevention company, Forcepoint provides DLP solutions for endpoints and Data Loss Prevention for email, web, cloud, and networks. With Forcepoint DLP, businesses can intuitively discover, classify, monitor, and protect data on endpoints with zero friction to the user experience.
Forcepoint DLP technology enables businesses to:
- Secure sensitive data on Windows and Mac OS X endpoint devices on or off the network.
- Stop inbound threats and secure outbound data hidden in SSL traffic from all endpoints.
- Block or encrypt sensitive data assets transferred to USB storage devices and other removable media.
- Demonstrate security controls and compliance with regulatory requirements to auditors and executives.
- Apply custom data patterns to millions of files by defining a policy once and leveraging AI/ML for highly precise data classification.
Forcepoint also offers solutions for Google Cloud Data Loss Prevention and DLP in Office 365 environments.