For data loss protection (DLP) that works with a largely remote workforce, companies should implement a DLP-specific toolset with companywide policies that account for the changed environment. Until then, teams can use the tools they already have on hand, such as Zscaler, Proofpoint, Microsoft Cloud App Security (MCAS) and Microsoft Defender ATP, to enforce DLP on remote workstations and prevent users from printing, using USBs and storing data inappropriately. After that, the security team will be in a good position to assess additional gaps and decide where their next technology investments should be made later in 2020.
The security team for an insurance company is struggling to prevent data loss now that the company has moved to remote work due to COVID-19. The team’s DLP processes are in their infancy. While it has tools such as Zscaler, Proofpoint and MCAS, and plans to roll out Microsoft Defender ATP later this year, the tools are not leveraged on a consistent basis. The team currently has one DLP policy and must investigate 150 emails per day marked “Confidential” and sent outside the network. Three scenarios must be addressed:
- Stop employees from printing at home.
- Stop employees from using USB drives to download company data off their workstation.
- Stop employees from uploading content to non-sanctioned clouds (anything other than Office 365 or OneDrive).
Specifically, the team asks:
- How can we collect data on which individuals are breaking the rules? Where do we get the data, and how do we use it in a meaningful way?
- What is the best way to set up the tools and put in place a process to rapidly provide exceptions?
- How can we block offending workstations dynamically to prevent repeat behavior (either by an individual or a wider group of people)?
Restrict Printing Sensitive Information at Home
Some employees have a legitimate need to print, while others have no need whatsoever. Even if employees don’t print directly to a local consumer-grade printer, they can print to PDF and then just save the PDF locally or try to move it elsewhere. Or, they can open files on their mobile device and print locally from their phone or tablet.
Security teams can work with their desktop team to capture and monitor print history by setting up logging in PrintService. This is done by going to:
  - Event Viewer
  - Applications and Services Logs
  - General, and checking off the Enable Logging box
Teams can then view a workstation’s printing history. Additionally, in the absence of local monitoring (natively through Microsoft or with third-party desktop management solutions), teams must have an open dialogue with those who are circumventing controls (and policy) to print. Security should work with the business units to learn whether anyone truly needs to print and what must be printed. All this comes back to the data and the users’ access.
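The following PowerShell script is an added example, not part of the original report: it reads the PrintService Operational log that the steps above enable and rolls the results up per user, flagging print-to-file targets (the PDF bypass mentioned earlier). The report path, the field order assumed for event 307, and the print-to-file name pattern are assumptions.

```powershell
# Added example, not from the original report: summarise who printed what, using the
# Microsoft-Windows-PrintService/Operational log that the steps above turn on.
# Assumes the log is enabled on the workstation and the script can read it.
param(
    [int]$Days = 7,
    [string]$ReportPath = "$env:ProgramData\PrintAudit\print-history.csv"  # assumed location
)

# Event ID 307 is logged once per completed print job ("Document ... was printed").
$events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PrintService/Operational'
    Id        = 307
    StartTime = (Get-Date).AddDays(-$Days)
}

$jobs = foreach ($e in $events) {
    # Field order in the event's UserData (assumed from the 307 event template):
    # Param2 = document name, Param3 = user, Param5 = printer, Param8 = page count
    $d = ([xml]$e.ToXml()).Event.UserData.DocumentPrinted
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Computer    = $e.MachineName
        User        = $d.Param3
        Document    = $d.Param2
        Printer     = $d.Param5
        Pages       = [int]$d.Param8
        # Print-to-file targets are the bypass noted above: the PDF still lands on disk.
        PrintToFile = ($d.Param5 -match 'PDF|XPS|OneNote')   # assumed name pattern
    }
}

if (-not $jobs) { Write-Output "No print jobs found in the last $Days day(s)."; return }

# Keep the raw job list for investigations, then print a per-user roll-up that
# supports the conversation with business units about who really needs to print.
New-Item -ItemType Directory -Path (Split-Path $ReportPath) -Force | Out-Null
$jobs | Export-Csv -Path $ReportPath -NoTypeInformation

$jobs | Group-Object User | ForEach-Object {
    [pscustomobject]@{
        User        = $_.Name
        Jobs        = $_.Count
        Pages       = ($_.Group | Measure-Object Pages -Sum).Sum
        PrintToFile = @($_.Group | Where-Object PrintToFile).Count
        LastPrinted = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
    }
} | Sort-Object Jobs -Descending | Format-Table -AutoSize
```

Run it on each workstation (or via a remote management tool) with an account that can read the Operational log; the CSV is the per-job record, the table is the per-user summary.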
If employees need to print, allow them to expense a crosscut shredder for their home. They cost only about $50 and will help ensure employees are not tossing sensitive information in the household trash.
DLP can also help address this issue, but in the absence of DLP products, organizations can apply technical policies locally to restrict employees from installing printers. Before getting into technical settings, organizations should step through the following:
- Ensure your work-from-home policy addresses safeguarding sensitive information. The policy should explicitly state that employees should not print or save files locally. Instead, all sensitive data should be saved to predefined locations.
- Determine who needs to print. Involve business units to help make decisions about who needs to versus wants to print. For workers who need to print, ensure their leadership signs off on the risk.
- Periodically reassess the situation. Consider recertifying those who need to print every quarter, for example.
- Impose technical restrictions such as the following:
  - Script a local group policy to remove the “add printer” button:
    - gpedit.msc > User Configuration\Administrative Templates\Control Panel\Printers\
    - Select “Prevent Addition of Printers” and select “Enabled”
  - Set restrictions to prevent the installation of print drivers, as referenced by Microsoft.
  - Use MCAS’ Conditional Access App Control to restrict data exfiltration (such as downloading and printing) via the configuration settings.
Restrict USB Usage
Generally, USB is difficult to manage when some employees must have access to USB while others are completely restricted. USB access can be granted based on specific devices (for example, if a device is company-issued). Also, policy must address what types of data are allowed to be copied onto a USB device.
If corporate policy is to ban USB devices, you can use Group Policy to set all hosts to deny USB devices from mounting or allowing read/write. Especially in a work-from-home environment, there is little need to copy files to a USB drive and hand them physically to a coworker. Meanwhile, the risk that sensitive data is copied from the computer to the USB device increases, as does the risk that employees expose sensitive information to loss or theft, or that malware gets written to the device and later written back to a company-issued computer.
However, exceptions can be tracked on a case-by-case basis. Employees requiring USB access exceptions should go through an approval process and have their access signed off by a senior leader who accepts and understands the risks. Requests should be sent to a ticketing system that allows management to approve temporary or permanent access. Additionally, employees who are allowed USB access for business purposes should also accept and sign an acceptable use policy stating they understand their privileges and will not abuse them.
Generally, enterprise-wide technology usage and confidential information-handling policies are distributed to employees annually to read and sign. However, in the case of a company-wide change such as banning USB, but allowing for some exceptions, it is advisable for employees to receive a short written policy (a few sentences that link back to the overarching company policy). This way it is fresh and there is a chance for employees to ask questions.
Here are a couple of options to consider (using native Microsoft capabilities) to disable USB:
- Group Policy Editor
  - gpedit.msc > Computer Configuration > Administrative Templates > System, and select Removable Storage Access. On the right-side pane, locate “Removable Disks: Deny execute access,” “Removable Disks: Deny read access” and “Removable Disks: Deny write access.” Double-click on each of them to configure it.
  - Choose Enabled to deny access to read and write settings from above.
- Registry Editor
  - regedit > Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR, and then locate the DWORD value named “Start” on the right-side pane. The default value data of Start is “3.” Double-click on Start, and set its value data to “4.”
  - Restart Windows for changes to take effect.
- Defender ATP
  - If Defender ATP is available in the enterprise, this is the better path forward. Defender ATP will provide a very granular set of controls to manage USB and peripherals. Microsoft outlines the options in its documentation.
USB Access Exceptions for Above Registry and GPO Options
You may also have ad hoc exceptions. When that occurs, an “Enable USB Access” script can be useful. This script would run against the registry and revert the value back from “4” to “3.” The script would also grab the computer and username, send an alert to the security team, and log the entry for tracking purposes. This is optional, but it may be worth considering.
If you decide to write and use such a script, consider deploying it to the hosts most likely to need USB exceptions, because a script that resides locally can still run when the host is off-network. Otherwise, take the most restrictive approach and, when tickets are opened, have the support team run the script to allow access as an exception.
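The following PowerShell script is an added example, not the report's own script, covering both the registry option above (Disable sets USBSTOR Start to 4) and the exception script just described (Enable reverts it to 3, records computer and user, and raises an alert). The CSV path, event source name, event ID and the commented-out mail settings are assumed placeholders; it must run elevated.

```powershell
# Added example, not from the original report: toggle USB mass-storage access through the
# USBSTOR 'Start' value (4 = service disabled, 3 = enabled) and leave an audit trail.
# Run from an elevated session. Log path, event source and alert target are assumptions.
[CmdletBinding()]
param(
    [Parameter(Mandatory)][ValidateSet('Enable','Disable')][string]$Action,
    [string]$Ticket  = 'UNSPECIFIED',   # exception ticket reference from the ticketing system
    [string]$LogPath = "$env:ProgramData\UsbExceptions\usb-exceptions.csv"   # assumed path
)

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$want = if ($Action -eq 'Enable') { 3 } else { 4 }

# Capture the value before and after so the record proves what actually changed.
$before = (Get-ItemProperty -Path $key -Name Start).Start
Set-ItemProperty -Path $key -Name Start -Value $want -Type DWord
$after  = (Get-ItemProperty -Path $key -Name Start).Start

$record = [pscustomobject]@{
    Time     = (Get-Date).ToString('o')
    Computer = $env:COMPUTERNAME
    User     = "$env:USERDOMAIN\$env:USERNAME"
    Action   = $Action
    Ticket   = $Ticket
    Before   = $before
    After    = $after
}

# 1. Local tracking log: survives while the host is off-network, as the text suggests.
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
$record | Export-Csv -Path $LogPath -Append -NoTypeInformation

# 2. Application event log entry so existing log forwarding / EDR picks it up.
$source = 'UsbExceptionScript'   # assumed event source name
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName Application -Source $source
}
Write-EventLog -LogName Application -Source $source -EventId 5001 -EntryType Warning `
    -Message ("USB access $Action requested.`n" + ($record | Out-String))

# 3. Alert the security team: replace the placeholder relay and addresses with yours.
# Send-MailMessage -SmtpServer 'smtp.example.internal' -From 'dlp@example.internal' `
#     -To 'secops@example.internal' -Subject "USB $Action on $env:COMPUTERNAME ($Ticket)" `
#     -Body ($record | Out-String)

$record
```

Note that the USBSTOR value only governs devices connected after the change, and a Removable Storage Access deny policy from Group Policy still wins even when Start is set back to 3, so an exception on a GPO-managed host also needs that policy scoped accordingly.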
Restrict Cloud Storage
Restricting data storage to approved cloud services is prudent. Often this is done in tandem with a robust DLP solution and policies. It requires network segmentation, fingerprinting of data and storing data in approved locations. It also requires determining who can access it and where it can be stored and used. Initial data classification and storage decisions, followed by ongoing identification and segmentation, help control accessibility and use.
In the absence of DLP solutions, but with Zscaler and MCAS on hand, the security team can gain back visibility and some control. To control data storage with sanctioned apps and remote access solutions, you should:
- Ensure there is an acceptable use policy in place for accessing and using data. It should define what is and is not acceptable when it comes to using sensitive data. Furthermore, security should work with the business units to determine who can have access to data and what they are allowed to do with it.
- Document cloud apps that are sanctioned and permitted. In your case, that would be Office 365 and OneDrive.
- Ensure all remote traffic is controlled through Zscaler. Given the number of applications that exist, set a global whitelist for the allowed applications and destinations.
- Use MCAS Conditional Access to control and redirect users through MCAS rather than directly to the app. Additionally, MCAS can help with context-aware policies for sensitive data or document labeling. These settings will help with content labeled “Confidential,” for example. When employees label files “Confidential,” MCAS components will monitor and take action (for example, block) based on the settings. Lastly, locations and device state can also be assessed.
- Set information protection policy settings. Use these settings in conjunction with classification labels to control data uploads, downloads and sharing.
- Set Zscaler to allow access to permitted apps and restrict all others. In conjunction with other policies, permit or deny sensitive information from being stored in applications. For example, an intellectual property document can be saved to OneDrive, but not shared in Teams. Similarly, use these parameters with Office 365. This can be used with documents in email to trigger alerts. It is recommended to set DLP content and action parameters around sensitivity flags so alerts are not excessive. Typically, a DLP solution can inspect the data and align with policies, which means there should be fewer alerts to manage.
- Restrict sanctioned apps from sharing with unauthorized domains. Additionally, enable encryption with sanctioned apps.
Effective DLP starts with small incremental changes that produce repeatable results across various data sets and rules. Starting with policies and procedures, it is imperative to segment the network, isolate data, and determine who can access it and what they can do with it. It also requires constant tuning and analysis through teams responsible for managing alerts and escalation as needed. Native Windows capabilities and available third-party tools can help to get started. Then, over time, teams can implement additional endpoint and cloud-based solutions to address any gaps.
Any views or opinions presented in this document are solely those of the Faculty and do not necessarily represent the views and opinions of IANS. Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our written reports, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by the client in connection with such information, opinions, or advice.