How dlp works. Overview of DLP systems in the global and Russian markets. Classified data protection platform

The term DLP often stands for Data Loss Prevention or Data Leakage Prevention - preventing data leaks. Accordingly, DLP systems are software and firmware tools for solving the problem of preventing data leaks.

Countering information leaks through technical channels can be roughly divided into two tasks: combating an external threat and combating an internal intruder.

The valuable corporate data your organization is trying to protect with firewalls and passwords literally slip through the fingers of insiders. This happens both by accident and as a result of deliberate actions - illegal copying of information from work computers to flash drives, smartphones, tablet computers and other data carriers. In addition, data may be transmitted uncontrollably by insiders via email, instant messaging services, web forms, forums and social networks. Wireless interfaces - Wi-Fi and Bluetooth - along with local data synchronization channels with mobile devices open up additional ways for information leaks from the user's computers of the organization.

In addition to insider threats, another dangerous leak scenario occurs when computers are infected. malwarethat can record text entered from the keyboard or certain types stored in random access memory computer data and subsequently transfer them to the Internet.

How does a DLP system prevent information leaks?

While none of the vulnerabilities described above can be eliminated by either traditional network security mechanisms or built-in OS controls, DeviceLock DLP software effectively prevents information leaks from corporate computers using a full set of contextual control mechanisms for data operations, as well as technologies their content filtering.

Support for virtual and terminal environments in DeviceLock DLP system significantly expands the capabilities of services information security in solving the problem of preventing information leaks when using different solutions virtualization of working environments created both in the form of local virtual machinesand terminal sessions of desktops or published applications on hypervisors.

To meet the definition of a “full-featured” (or full-fledged) DLP system, it must meet the following basic functional criteria:

1. Availability of the function of selective blocking of local data transmission channels and network communication channels.
2. Developed subsystem for monitoring all channels of information leakage in all scenarios of user work.
3. Inspection of the content of roaming data in real time with the ability to block such an attempt or send an alarm.
4. Detection of documents with critical content in various data storage locations.
5. Alarming notifications about significant events in real time.
6. Implementation of the set policies equally both inside the corporate perimeter (in the office) and outside it.
7. Availability of analytical tools for analyzing prevented attempts at unlawful actions and incidents.
8. Protection against intentional or accidental user actions aimed at interfering with the DLP system.

Contextual control and content filtering in a DLP system

An effective approach to protecting against leaks of information from computers begins with the use of context control mechanisms - control of data transmission for specific users depending on data formats, types of interfaces and devices, network protocols, direction of transmission, time of day, etc.

However, in many cases, a deeper level of control is required - for example, checking the content of the transmitted data for the presence of confidential information in an environment where data transmission channels should not be blocked so as not to disrupt production processes, but individual users are included in the "risk group" because they are suspected involvement in corporate policy violations. In such situations, in addition to contextual control, it is necessary to use content analysis technologies to identify and prevent the transfer of unauthorized data, without interfering with the information exchange within the scope of employee's duties.

DeviceLock DLP software uses both contextual and content-based control methods to provide reliable protection against information leaks from user computers and corporate IP servers. DeviceLock DLP contextual mechanisms provide granular control of user access to a wide range peripherals and input-output channels, including network communications.

A further increase in the level of protection is achieved through the use of methods of content analysis and data filtering, which makes it possible to prevent their unauthorized copying to external drives and Plug-and-Play devices, as well as transmission over network protocols outside the corporate network.

How to administer and manage a DLP system?

Along with active control methods, the effectiveness of DeviceLock DLP application is ensured through detailed logging of user and administrative staff actions, as well as selective shadow copying of transmitted data for their subsequent analysis, including using full-text search methods.

For information security administrators, DeviceLock DLP offers the most rational and convenient approach to managing a DLP system - using objects group policies Microsoft domain Active Directory and integrated into the Windows Group Policy Editor. At the same time, DeviceLock DLP policies are automatically distributed using the directory as an integral part of its group policies to all computers in the domain, as well as virtual environments... This solution allows the information security service to centrally and quickly manage DLP policies throughout the organization, and their execution by distributed DeviceLock agents ensures an exact correspondence between the business functions of users and their rights to transfer and store information on work computers.

To be fairly consistent in the definitions, we can say that information security began precisely with the advent of DLP systems. Prior to that, all products that dealt with "information security" actually protected not information, but the infrastructure - where data is stored, transmitted and processed. The computer, application or channel in which confidential information is located, processed or transmitted is protected by these products in the same way as the infrastructure in which completely harmless information circulates. That is, it was with the advent of DLP products that information systems finally learned to distinguish confidential information from non-confidential. Perhaps, with the integration of DLP technologies into the information infrastructure, companies will be able to save a lot on information protection - for example, use encryption only when confidential information is stored or transmitted, and not encrypt information in other cases.

However, this is a matter of the future, and in the present, these technologies are used mainly to protect information from leaks. Information categorization technologies form the core of DLP systems. Each manufacturer considers its methods for detecting confidential information to be unique, protects them with patents and comes up with special trademarks for them. After all, the rest of the architecture elements other than these technologies (protocol interceptors, format parsers, incident management and data warehouses) are identical for most manufacturers, and for large companies they are even integrated with other information infrastructure security products. Basically, to categorize data in products for protecting corporate information from leaks, two main groups of technologies are used - linguistic (morphological, semantic) analysis and statistical methods (Digital Fingerprints, Document DNA, anti-plagiarism). Each technology has its own strengths and weaknesses, which determine their area of \u200b\u200bapplication.

Linguistic analysis

Using stop words ("secret", "confidential", etc.) to block outgoing electronic messages at mail servers can be considered the progenitor of modern DLP systems. Of course, this does not protect against intruders - it is not difficult to remove the stop word, which is most often placed in a separate stamp of the document, and the meaning of the text will not change at all.

The development of linguistic technology was pushed forward at the beginning of this century by the creators of email filters. First of all, to protect email from spam. It is now that reputational methods prevail in anti-spam technologies, and at the beginning of the century there was a real linguistic war between the projectile and the armor - spammers and anti-spammers. Remember the simplest techniques for fooling stopword based filters? Replacing letters with similar letters from other encodings or numbers, transliteration, randomly spaced spaces, underscores or line breaks in the text. Antispammers quickly learned how to deal with such tricks, but then graphic spam and other cunning types of unwanted mail appeared.

However, it is impossible to use anti-spam technologies in DLP products without serious modifications. Indeed, to combat spam, it is enough to divide the information flow into two categories: spam and non-spam. The Bayesian method, which is used to detect spam, gives only a binary result: "yes" or "no". This is not enough to protect corporate data from leaks - you cannot simply divide information into confidential and non-confidential. You need to be able to classify information by functional belonging (financial, production, technological, commercial, marketing), and within classes - to categorize it by the level of access (for free distribution, for limited access, for official use, secret, top secret, and so on).

Most modern systems of linguistic analysis use not only context analysis (that is, in what context, in combination with what other words a particular term is used), but also semantic analysis of the text. The larger the analyzed fragment, the more efficiently these technologies work. On a large fragment of text, the analysis is carried out more accurately, the category and class of the document is more likely to be determined. When analyzing the same short messages (SMS, instant messengers) nothing better than stop words has yet been invented. The author faced such a task in the fall of 2008, when thousands of messages like "they are cutting us down", "they will take away our license", "outflow of depositors" from the workplaces of many banks through instant messengers, which had to be immediately blocked from their clients.

Technology advantages

The advantages of linguistic technologies are that they work directly with the content of documents, that is, they do not care where and how the document was created, what stamp is on it and what the file is called - the documents are protected immediately. This is important, for example, when processing drafts of confidential documents or to protect incoming documents. If the documents created and used within the company can somehow be named, stamped or marked in a specific way, then the incoming documents may have stamps and labels that are not accepted in the organization. Drafts (unless, of course, they are created in a secure document management system) may also already contain confidential information, but do not yet contain the necessary labels and marks.

Another advantage of linguistic technologies is their learning ability. If you have pressed the "Do not spam" button in your mail client at least once in your life, then you already represent the client part of the linguistic engine training system. Note that you absolutely do not need to be a certified linguist and know what exactly will change in the base of categories - it is enough to indicate to the system a false positive, and it will do the rest itself.

The third advantage of linguistic technologies is their scalability. The speed of information processing is proportional to its quantity and does not depend at all on the number of categories. Until recently, the construction of a hierarchical base of categories (historically it is called BKF - the base of content filtering, but this name no longer reflects the real meaning) looked like a kind of shamanism of professional linguists, so the BKF setting could be safely attributed to shortcomings. But with the release in 2010 of several "autolinguists" products at once, building a primary database of categories has become extremely simple - the system indicates the places where documents of a certain category are stored, and it itself determines the linguistic characteristics of this category, and in case of false positives it learns on its own. So now the ease of customization has been added to the advantages of linguistic technologies.

And one more advantage of linguistic technologies, which I would like to note in the article, is the ability to detect categories in information flows that are not related to documents within the company. A tool for controlling the content of information flows can identify categories such as illegal activities (piracy, distribution of prohibited goods), the use of company infrastructure for their own purposes, damage to the company's image (for example, spreading defamatory rumors), and so on.

Disadvantages of technology

The main disadvantage of linguistic technologies is their dependence on the language. It is not possible to use a linguistic engine designed for one language to analyze another. This was especially noticeable when American manufacturers entered the Russian market - they were not ready to face Russian word formation and the presence of six encodings. It was not enough to translate categories and keywords into Russian - in English, word formation is quite simple, and cases are put into prepositions, that is, when the case changes, the preposition changes, and not the word itself. Most nouns in English become verbs without word changes. Etc. In Russian, everything is different - one root can generate dozens of words in different parts of speech.

In Germany, American manufacturers of linguistic technologies were faced with another problem - the so-called "compounds", compound words. In German, it is customary to attach definitions to the main word, as a result of which words are obtained, sometimes consisting of ten roots. There is no such thing in the English language, there the word is a sequence of letters between two spaces, respectively, the English linguistic engine was unable to process unfamiliar long words.

For the sake of fairness, it should be said that now these problems have been largely solved by American manufacturers. The language engine had to be pretty much redesigned (and sometimes rewritten), but the large markets in Russia and Germany are certainly worth it. It is also difficult to process multilingual texts with linguistic technologies. However, most engines still cope with two languages, usually it is the national language + English - for most business tasks this is quite enough. Although the author has come across confidential texts containing, for example, Kazakh, Russian and English at the same time, this is more the exception than the rule.

Another disadvantage of linguistic technologies for monitoring the entire spectrum of corporate confidential information is that not all confidential information is in the form of coherent texts. Although the information in databases is stored in text form, and there are no problems to extract the text from the DBMS, the information received most often contains proper names - full names, addresses, company names, as well as digital information - account numbers, credit cards, their balances, etc. ... Linguistic processing of this kind of data won't do much good. The same can be said for CAD / CAM formats, i.e. drawings, which often contain intellectual property, program codes and media (video / audio) formats - some texts can be extracted from them, but their processing is also inefficient. Three years ago, this also applied to scanned texts, but the leading manufacturers of DLP systems quickly added optical recognition and coped with this problem.

But the biggest and most often criticized shortcoming of linguistic technologies is still the probabilistic approach to categorization. If you have ever read a letter with the category "Probably SPAM", then you will understand what I mean. If this happens with spam, where there are only two categories (spam / not spam), you can imagine what will happen when dozens of categories and privacy classes are loaded into the system. Although training the system can achieve 92-95% accuracy, for most users this means that every tenth or twentieth movement of information will be mistakenly assigned to the wrong class with all the consequences for the business (leakage or interruption of a legitimate process).

It is usually not customary to attribute the complexity of technology development to disadvantages, but it cannot be ignored. The development of a serious linguistic engine with the categorization of texts in more than two categories is a science-intensive and rather complicated technological process. Applied linguistics is a rapidly developing science that received a strong impetus in its development with the spread of Internet search, but today there are units of workable categorization engines on the market: there are only two of them for the Russian language, and for some languages \u200b\u200bthey simply have not been developed yet. Therefore, in the DLP market, there are only a couple of companies that are able to fully categorize information on the fly. It can be assumed that when the DLP market grows to multi-billion dollar sizes, Google will easily enter it. With its own linguistic engine tested in trillions search queries in thousands of categories, it will not be difficult for him to immediately grab a serious piece of this market.

Statistical Methods

The problem of computer search for significant citations (why exactly "significant" - a little later) interested linguists in the 70s of the last century, if not earlier. The text was broken into pieces of a certain size, from each of which a hash was taken. If a certain sequence of hashes occurred in two texts at the same time, then with a high probability the texts in these areas coincided.

A by-product of research in this area is, for example, the "alternative chronology" of Anatoly Fomenko, a respected scholar who worked on "text correlations" and once compared Russian chronicles of different historical periods. Surprised at how much the chronicles of different centuries coincide (more than 60%), in the late 70s he put forward the theory that our chronology is several centuries shorter. Therefore, when some DLP company entering the market proposes a "revolutionary citation search technology", it is highly likely that the company has not created anything other than a new brand name.

Statistical technologies treat texts not as a coherent sequence of words, but as an arbitrary sequence of characters, therefore they work equally well with texts in any languages. Since any digital object - even a picture, even a program - is also a sequence of characters, the same methods can be used for analysis not only text information, but also any digital objects. And if the hashes in two audio files match, one of them probably contains a quote from the other, so statistical methods are effective means of protecting against audio and video leaks, which are actively used in music studios and film companies.

It's time to get back to the concept of "meaningful quote". Key characteristic complex hash removed from the protected object (which in different products is called either Digital Fingerprint or Document DNA) is the step with which the hash is removed. As can be understood from the description, such a "fingerprint" is a unique characteristic of an object and at the same time has its own size. This is important because if you take prints from millions of documents (and this is the storage capacity of an average bank), then enough disk space will be required to store all the prints. The size of such a fingerprint depends on the hash step - the smaller the step, the larger the fingerprint. If you take a hash in steps of one character, then the size of the print will exceed the size of the sample itself. If you increase the step (for example, 10,000 characters) to reduce the "weight" of the print, then at the same time, the likelihood that a document containing a quotation from a sample of 9,900 characters long will be confidential, but slip through unnoticed, increases.

On the other hand, if you take a very small step, several characters, to increase the detection accuracy, you can increase the number of false positives to an unacceptable value. In terms of text, this means that you should not remove the hash from each letter - all words consist of letters, and the system will take the presence of letters in the text for the content of a quote from the sample text. Usually, manufacturers themselves recommend some optimal step for removing hashes so that the quote size is sufficient and the weight of the print itself is small - from 3% (text) to 15% (compressed video). In some products, manufacturers allow you to change the size of the significance of the quote, that is, increase or decrease the hash step.

Technology advantages

As you can see from the description, you need a sample object to detect a quote. And statistical methods can tell with good accuracy (up to 100%) whether there is a significant quote from the sample in the file being checked or not. That is, the system does not take responsibility for categorizing documents - this work is entirely on the conscience of the person who categorized the files before taking fingerprints. This greatly facilitates the protection of information in the event that infrequently changing and already categorized files are stored in some place (s) in the enterprise. Then it is enough to take a fingerprint from each of these files, and the system will, in accordance with the settings, block the transfer or copying of files containing significant quotes from samples.

The independence of statistical methods from the language of text and non-textual information is also an indisputable advantage. They are good for protecting static digital objects of any type - pictures, audio / video, databases. I will tell you about the protection of dynamic objects in the "disadvantages" section.

Disadvantages of technology

As with linguistics, the disadvantages of technology are the other side of the merits. The ease of training the system (indicated the file to the system, and it is already protected) shifts the responsibility for training the system to the user. If suddenly a confidential file is in the wrong place or has not been indexed due to negligence or malicious intent, the system will not protect it. Accordingly, companies concerned about protecting confidential information from leakage should provide a procedure for controlling how confidential files are indexed by the DLP system.

Another disadvantage is the physical size of the print. The author has repeatedly seen impressive pilot projects in prints where a DLP system is 100% likely to block the forwarding of documents containing meaningful citations from three hundred sample documents. However, after a year of operating the system in combat mode, the fingerprint of each outgoing letter is no longer compared with three hundred, but with millions of sample fingerprints, which significantly slows down the work of the mail system, causing delays of tens of minutes.

As I promised above, I will describe my experience in protecting dynamic objects using statistical methods. The time to take a print directly depends on the file size and its format. For a text document such as this article, it takes a split second, for an hour and a half MP4 movie - tens of seconds. For rarely modified files, this is not critical, but if an object changes every minute or even a second, then a problem arises: after each object change, a new fingerprint must be removed from it ... The code that the programmer is working on is not the biggest difficulty, much worse with databases used in billing, ABS or call-centers. If the fingerprint time is longer than the object invariance time, then the problem has no solution. This is not such an exotic case - for example, a fingerprint of a database storing phone numbers of federal customers cellular operator, is removed for several days, and changes every second. Therefore, when a DLP vendor claims that their product can protect your database, mentally add the word "quasi-static".

Unity and struggle of opposites

As you can see from the previous section of the article, the strength of one technology manifests itself where the other is weak. Linguistics doesn't need samples, it categorizes data on the fly and can protect information that hasn't been accidentally or intentionally fingerprinted. The imprint gives better accuracy and therefore preferred for use in automatic mode... Linguistics works great with texts, prints - with other formats of information storage.

Therefore, most leading companies use both technologies in their developments, with one of them being the main one, and the other additional. This is due to the fact that initially the company's products used only one technology, in which the company advanced further, and then, at the demand of the market, the second was connected. For example, previously InfoWatch used only the licensed Morph-OLogic linguistic technology, and Websense - PreciseID technology, which belongs to the Digital Fingerprint category, but now companies use both methods. Ideally, these two technologies should be used not in parallel, but in series. For example, prints will do a better job of defining the type of document - whether it is a contract or a balance sheet, for example. Then you can connect the already linguistic base, created specifically for this category. This greatly saves computing resources.

There are still several types of technologies used in DLP products outside the article. These include, for example, a structure analyzer that allows you to find formal structures (credit card numbers, passports, TIN, and so on) in objects that cannot be detected either by linguistics or by fingerprints. Also the topic is not disclosed different types labels - from records in the attribute fields of a file or just a special file name to special crypto-containers. The latter technology is out of date, as most manufacturers prefer not to reinvent the wheel on their own, but to integrate with DRM system manufacturers such as Oracle IRM or Microsoft RMS.

DLP products are a rapidly developing industry of information security; some manufacturers release new versions very often, more than once a year. We look forward to the emergence of new technologies for analyzing the corporate information field to increase the efficiency of protecting confidential information.

Leakage of commercially significant information can lead to significant losses for the company - both financial and reputation. Configuring DLP components allows you to track internal correspondence, mail messages, data exchange, work with cloud storage, launch applications on the desktop, connect external devices, reports, SMS messages, telephone conversations. All suspicious transactions are monitored and a reporting base for tracked precedents is created. To do this, DLP systems have built-in mechanisms for defining the system of confidential information, for which special document markers and their very content are analyzed (by keywords, phrases, sentences). A number of additional settings on personnel control (the legality of actions within the company, the use of work resources, up to printouts on printers).

If full control over data transmission is a priority, then initial setup DLP will consist in identifying and determining possible information leaks, controlling end devices and allowing users to access company resources. If statistics on the movement of important corporate information within the organization are a priority, then channels and methods of data transfer are calculated to track it. DLP systems are configured individually for each enterprise, based on the expected threat models, categories of violations, identification of possible channels of information leaks.

DLPs occupy a large market niche in the area of \u200b\u200beconomic security. Based on the research of the Anti-Malware.ru Analytical Center, there is a noticeable increase in companies' demand for DLP systems, an increase in sales and an expansion of the product line. The setting of preventing the transmission of unwanted information not only from the inside to the outside, but also from the outside to the inside is relevant. information network enterprises. Moreover, given the widespread virtualization in corporate information systemsah, and the widespread use of mobile devices through which business control of mobile employees is carried out is one of the highest priorities.

It is important to consider the integration of the selected DLP systems with the corporate IT network, the applications that the company uses. To successfully prevent data leakage and prompt action to suppress the abuse of corporate information, it is necessary to establish stable work DLP, configure the functionality in accordance with the tasks, establish work with internal corporate electronic boxes, USB drives, instant messengers, cloud storages, mobile devices, and in the case of working in a large corporation, integration with a SIEM system within the SOC.

Entrust the implementation of the DLP system to specialists. System integrator "Radius" will install and configure DLP in accordance with the standards and regulations of information security, as well as the characteristics of the client company.

We offer a range of markers to help you get the most out of any DLP system.

DLP-systems: what is it

Recall that DLP systems (Data Loss / Leak Prevention) allow you to control all channels of a company's network communication (mail, Internet, instant messaging systems, flash drives, printers, etc.). Protection against information leakage is achieved due to the fact that agents are installed on all computers of employees who collect information and transmit it to the server. Sometimes information is collected through a gateway using SPAN technologies. The information is analyzed, after which the system or the security officer makes decisions on the incident.

So, your company has implemented a DLP system. What steps need to be taken to make the system work effectively?

1. Correctly configure security rules

Imagine that in a system serving 100 computers, a rule has been created “Record all correspondence with the word“ contract. ”This rule will provoke a huge number of incidents, in which a real leak can get lost.

In addition, not every company can afford to maintain an entire staff of incident trackers.

The toolkit for creating effective rules and tracking the results of their work will help to increase the efficiency of rules. Each DLP system has functionality that allows you to do this.

In general, the methodology involves analyzing the accumulated base of incidents and creating various combinations of rules, which ideally lead to the emergence of 5-6 really urgent incidents per day.

2. Update safety rules at regular intervals

A sharp decrease or increase in the number of incidents is an indicator that a rule adjustment is required. The reasons may be that the rule has lost its relevance (users have stopped accessing certain files) or employees have learned the rule and no longer perform actions prohibited by the system (DLP - training system). However, practice shows that if one rule is learned, then in the next place the potential risks of leakage have increased.

You should also pay attention to the seasonality in the work of the enterprise. During the year, key parameters related to the specifics of the company's work may change. For example, for a wholesale supplier of small equipment, bicycles will be relevant in the spring, and snow-scooters in the fall.

3. Think over an incident response algorithm

There are several approaches to incident response. When testing and running DLP systems, most often people are not notified about changes. The participants in the incidents are only watched. When a critical mass is accumulated, a representative of the security department or personnel department communicates with them. In the future, work with users is often outsourced to representatives of the security department. Mini-conflicts arise, negative things accumulate in the team. He can splash out in the deliberate sabotage of employees in relation to the company. It is important to strike a balance between demanding discipline and maintaining a healthy team environment.

4. Check the operation of the blocking mode

There are two modes of incident response in the system - fixing and blocking. If every fact of sending a letter or attaching an attached file to a flash drive is blocked, this creates problems for the user. Often employees attack system administrator requests to unlock some of the functions, the management may also be dissatisfied with such settings. As a result, the DLP system and the company get negative, the system is discredited and unmasked.

5. Check if a trade secret regime has been introduced

It makes it possible to make certain information confidential, and also obliges anyone who knows about it to bear full legal responsibility for its disclosure. In the event of a serious leak of information under the commercial secret regime in force at the enterprise, the offender can be recovered the amount of actual and moral damage through the courts in accordance with Federal Law 98-FZ "On Commercial Secrets".

We hope that these tips will help reduce the number of unintentional leaks in companies, because they are designed to successfully fight DLP systems. However, one should not forget about the complex information security system and the fact that deliberate information leaks require special attention. There are modern solutions that allow you to add functionality dLP systems and significantly reduce the risk of intentional leaks. For example, one of the developers offers an interesting technology - with suspiciously frequent access to confidential files, the webcam is automatically turned on and starts recording. It was this system that made it possible to record how the hapless kidnapper actively took screenshots using a mobile camera.

Oleg Necheukhin, Information Systems Security Expert, "Kontur.Security"

The choice of a specific DLP system depends on the required level of data security and is always selected individually. To help you choose a DLP system and calculate the cost of its implementation in the company's IT infrastructure, leave a request and we will contact you as soon as possible.

What is a DLP system

DLP system (Data Leak Prevention in translation from English - means of preventing data leakage) are technologies and technical devicesthat prevent leakage of confidential information from information systems.

DLP systems analyze data flows and control their movement within a certain protected perimeter of the information system. These can be ftp connections, corporate and web mail, local connections, as well as sending instant messages and data to a printer. In the case of converting confidential information in the stream, a system component is activated, which blocks the transmission of the data stream.

In other words, DLP systems stand guard over confidential and strategically important documents, the leakage of which from information systems to the outside can bring irreparable damage to the company, as well as violate Federal laws No. 98-FZ "On commercial secrets" and No. 152-FZ "On personal data". Information protection against leakage is also mentioned in GOST. " Information technology... Practical rules for information security management "- GOST R ISO / IEC 17799-2005.

As a rule, leakage of confidential information can be carried out both after hacking and penetration, and as a result of carelessness, negligence of the company's employees, as well as the efforts of insiders - the deliberate transfer of confidential information by employees of the company. Therefore, DLP systems are the most reliable technologies for protecting against leakage of confidential information - they detect the protected information by content, regardless of the document language, signature, transmission channels and format.

Also, DLP system controls absolutely all channels that are used on a daily basis to transmit information to in electronic format... Information streams are automatically processed based on the established security policy. If, however, the actions of confidential information conflict with the security policy established by the company, then the transfer of data is blocked. At the same time, the company's authorized representative responsible for information security receives an instant message warning of an attempt to transfer confidential information.

DLP system implementation, first of all, ensures compliance with a number of PCI DSS requirements regarding the level of information security of an enterprise. Also, DLP systems carry out automatic audit of protected information, according to its location and provide automated control, in accordance with the rules for the movement of confidential information in a company, processing and preventing incidents of illegal disclosure of classified information. The data leakage prevention system, based on incident reports, monitors the overall level of risks, and also, in the modes of retrospective analysis and immediate response, controls information leakage.

DLP systems are installed in both small and large enterprises, preventing information leakage, thereby protecting the company from financial and legal risks that arise from the loss or transmission of important corporate or confidential information.