How to set up your network to prevent data loss

Critical data is at risk from both insider and external threats. Here's how to configure your Windows network for data loss prevention (DLP).


Data. Your business and computers are full of it. While much of that data is useless to anyone else, every firm has key assets that any attacker or competitor would love to access.

Data can leave your organization in many ways. Before the internet, files had to be copied to storage devices and carried off the premises. Now, data thieves can move massive numbers of files through any number of cloud services. Attackers often compress files first so that the transfer is less noticeable to network traffic monitoring.

What options do you have to protect yourself from data loss? Plenty. The key is to put in place data loss prevention (DLP) technology to block or track the movement of data, or to set alerts that trigger when files are moved. You need to protect against insider threats as well as external actors.

Insider data loss threat basics

Data loss is often a human resource problem. If your employees are not happy, they will justify stealing from the organization as an acceptable action against its culture. First, ensure that your employees understand what data should not be shared or exposed, and have them sign an employee manual that spells this out. Also, make sure that data is properly identified and stratified in the organization and protected accordingly.

Edward Snowden was able to move sensitive documents because he had access to them. That’s why you need to define basic file access on what is, to use a trite phrase, a need-to-know basis. Set up plain old NTFS file and folder permissions to allow access only to users who actually need it.

Enable file auditing and network monitoring

Always enable auditing on files and folders to track file access and use by employees. You won’t be able to confirm who had access to what unless auditing was already in place when it happened. Start with Group Policy and enable auditing on file-sharing locations.
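The two steps above (need-to-know NTFS permissions, then auditing on the same folder) carried out from PowerShell on the file server, as an added example that is not part of the original article. The folder `D:\Shares\Finance` and the group `CONTOSO\Finance-Staff` are assumed names; the script must run elevated, and the `auditpol` call is the local equivalent of the "Audit File System" setting that you would normally push through Group Policy (a domain policy will override it at the next refresh).

```powershell
# Added example (not from the article): lock a share folder down to one
# need-to-know group, then audit every access to it.
# Assumed names: D:\Shares\Finance and CONTOSO\Finance-Staff.

$Path  = 'D:\Shares\Finance'
$Group = 'CONTOSO\Finance-Staff'

# 1. Turn on the audit subcategory that produces object-access events
#    (4656/4663) for file system objects. Group Policy: Advanced Audit
#    Policy Configuration > Object Access > Audit File System.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Read the DACL and SACL (-Audit is needed to get the SACL back).
$acl = Get-Acl -Path $Path -Audit

# Stop inheriting from the parent and drop the inherited entries, then remove
# whatever explicit entries were left so only the rules below remain.
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# Administrators and SYSTEM keep full control so the server stays manageable;
# the business group gets Modify (read/write/delete) and nobody else is listed.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', 'FullControl', $inherit, $propagate, 'Allow')))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'NT AUTHORITY\SYSTEM', 'FullControl', $inherit, $propagate, 'Allow')))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group, 'Modify', $inherit, $propagate, 'Allow')))

# 3. SACL entry: log successful AND failed reads, writes and deletes by anyone.
#    Failures matter because they show who tried to reach data they cannot see.
$audit = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    'ReadData, WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles',
    $inherit, $propagate, 'Success, Failure')
$acl.AddAuditRule($audit)

Set-Acl -Path $Path -AclObject $acl

# 4. Verify the result: who can get in, and what is being audited.
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize
```

After this, file reads and writes under the folder show up in the Security log as event 4663 with the account name and the access mask, which is the record you need when you later have to confirm who touched what.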

Next, use tools to protect the data based on that stratification, and set up alerts when important or compressed files move across your network. For on-premises file servers you can use the File Server Resource Manager (FSRM) to identify and move files that contain sensitive information. You can even use FSRM to encrypt sensitive data based on its classification.
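A worked FSRM configuration for the classification-and-protect workflow just described, added here as an example and not taken from the article. It assumes the FSRM role service is installed (`Install-WindowsFeature FS-Resource-Manager`), an assumed share `D:\Shares\Finance`, constructed marker strings and patterns, and assumed mail-enabled identities in `contoso.example`; the per-file property check at the end uses the FSRM COM interface rather than a cmdlet, which is my choice rather than anything the article specifies.

```powershell
# Added example (not from the article): flag files that contain a constructed
# marker or pattern as "Sensitive", then apply RMS protection to them.
Import-Module FileServerResourceManager

$Namespace = 'D:\Shares\Finance'   # assumed share path

# 1. A Yes/No classification property that the rule below will set.
if (-not (Get-FsrmClassificationPropertyDefinition -Name 'Sensitive' -ErrorAction SilentlyContinue)) {
    New-FsrmClassificationPropertyDefinition -Name 'Sensitive' -Type YesNo `
        -Description 'File contains data that must not leave the organization'
}

# 2. Content classifier: a file is Sensitive if its text contains the
#    constructed marker string or matches the constructed NNN-NN-NNNN pattern.
#    Overwrite re-evaluates the property each pass rather than keeping a stale value.
New-FsrmClassificationRule -Name 'Flag sensitive content' `
    -Property 'Sensitive' -PropertyValue 'Yes' `
    -Namespace @($Namespace) `
    -ClassificationMechanism 'Content Classifier' `
    -ContentString @('CONTOSO-CONFIDENTIAL') `
    -ContentRegularExpression @('\b\d{3}-\d{2}-\d{4}\b') `
    -ReevaluateProperty Overwrite

# 3. Run the classification now instead of waiting for the scheduled pass.
Start-FsrmClassification -Confirm:$false

# 4. File management job: every file whose Sensitive property equals Yes is
#    RMS-protected so only the listed identities can open it, even if it is
#    copied off the server. This is the "encrypt based on classification" step.
$condition = New-FsrmFmjCondition -Property 'Sensitive' -Condition Equal -Value 'Yes'
$action    = New-FsrmFmjAction -Type Rms `
                -RmsFullControlUser @('Finance-Staff@contoso.example') `
                -RmsReadUser        @('Auditors@contoso.example')
$schedule  = New-FsrmScheduledTask -Time (Get-Date '02:00') -Weekly @('Sunday')

New-FsrmFileManagementJob -Name 'Protect sensitive finance files' `
    -Namespace @($Namespace) `
    -Condition @($condition) `
    -Action    $action `
    -Schedule  $schedule `
    -Continuous    # also act as soon as a newly classified file appears

# 5. Show which files were classified (COM interface, assumed here because
#    there is no per-file Get-* cmdlet for classification properties).
$cm = New-Object -ComObject Fsrm.FsrmClassificationManager
Get-ChildItem -Path $Namespace -File -Recurse | ForEach-Object {
    $props = $cm.EnumFileProperties($_.FullName, 0)
    $sens  = $props | Where-Object { $_.Name -eq 'Sensitive' }
    if ($sens -and $sens.Value -eq 'Yes') { $_.FullName }
}
```

Start with the rule alone and review the list from step 5 before enabling the RMS job; a regular expression that is too broad will protect files that staff need to share, and RMS protection is much harder to undo than a property flag.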

Then review what options you have in your firewall. You can easily set up web filters to block file-sharing websites or specific anonymizer locations so that users can’t move files out of the network using online means. You can set up SMTP/S Scanning Rules to block outgoing zip files or other compressed file formats.

On the workstation side, install monitoring software to track user actions and use of systems to flag when inappropriate actions are taken. If you use Exchange 2013 or later or Office 365, you can set DLP policies to prevent data from leaving the organization. Exchange 2013 allows you to set transport rules to limit data transfer based on information contained in emails. You can set classifications on data and files to be sensitive (or non-sensitive) based on keywords, dictionaries or regular expressions, thus determining if an email violates any DLP policies.
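The Exchange transport rules described above, written out as an added example that is not from the article. Rule names, the `contoso.example` addresses and the `PRJ-1234` project-code pattern are all assumed; the rules run in the Exchange Management Shell (Exchange 2013 or later) or after `Connect-ExchangeOnline`. The first rule also covers the outgoing-zip blocking mentioned earlier, but at the mail server rather than the firewall.

```powershell
# Added example (not from the article): outbound DLP with Exchange transport rules.
# All names and addresses are assumed.

# Rule 1: compressed attachments leaving the organization. Audit mode first, so
# incident reports show the real volume before anything is rejected.
New-TransportRule -Name 'DLP - Outbound archive attachments' `
    -SentToScope NotInOrganization `
    -AttachmentExtensionMatchesWords @('zip', '7z', 'rar', 'gz', 'tgz', 'tar') `
    -RejectMessageReasonText 'Compressed attachments cannot be sent outside the organization.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -GenerateIncidentReport 'dlp-alerts@contoso.example' `
    -IncidentReportContent @('Sender', 'Recipients', 'Subject', 'RuleDetail') `
    -Mode Audit

# Rule 2: keyword and regular-expression classification of subject or body.
# Constructed pattern: internal project codes of the form PRJ-1234.
New-TransportRule -Name 'DLP - Internal project codes' `
    -SentToScope NotInOrganization `
    -SubjectOrBodyMatchesPatterns @('\bPRJ-\d{4}\b', 'CONTOSO-CONFIDENTIAL') `
    -RejectMessageReasonText 'Message appears to contain internal project data.' `
    -GenerateIncidentReport 'dlp-alerts@contoso.example' `
    -SetAuditSeverity High `
    -Mode AuditAndNotify

# Rule 3: a built-in sensitive information type (requires the DLP licence).
# The sender may override with a justification, which is logged in the report.
New-TransportRule -Name 'DLP - Financial data' `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @(@{ Name = 'Credit Card Number'; minCount = '1' }) `
    -NotifySender RejectUnlessExplicitOverride `
    -RejectMessageReasonText 'Financial data detected; provide a business justification to send.' `
    -GenerateIncidentReport 'dlp-alerts@contoso.example' `
    -Mode Enforce

# Review the rule set, then promote audit rules to Enforce once the false
# positives from the incident reports are understood.
Get-TransportRule | Where-Object Name -like 'DLP - *' |
    Format-Table Name, Mode, State, Priority -AutoSize
Set-TransportRule -Identity 'DLP - Outbound archive attachments' -Mode Enforce
```

Rule priority matters: a broad reject rule placed above a narrower allow-with-override rule will fire first, so check the Priority column after creating them.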

Setting up data access rights in Office 365

Compliance is part of Office 365 Advanced Data Governance. This is part of Office 365 E5/A5/G5 licenses, Microsoft 365 E5/A5/G5 licenses, Microsoft 365 E5/A5/G5 Compliance licenses, and Office 365 Advanced Compliance, a standalone license.

Information Rights Management (IRM) is available for Office 365 plans that include an Azure Information Protection Premium plan or an Office 365 plan that includes Rights Management. For example, if your organization has a plan for Office 365 E3 or Office 365 E5, IRM is included.

Enable IRM with these steps:

  • Go to “Admin Center”.
  • Go to “Settings”.
  • Go to “Services”.
  • Go to “Microsoft Azure Information Protection”.
  • Go to “Manage Microsoft Azure Information Protection Settings”.
  • On the rights management page, click “Activate”.
  • When you see the message “Do you want to activate Rights Management?”, click “Activate”.

You should now see Rights Management is activated and the option to deactivate it.
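The same activation and check done from PowerShell, as an added example rather than part of the article's click-through. It assumes the AIPService and ExchangeOnlineManagement modules are installed and that the account used is a global or Azure Information Protection administrator; `admin@contoso.example` is an assumed address.

```powershell
# Added example (not from the article): activate Azure Rights Management and
# confirm it, then let Exchange Online use it for protection rules.

Install-Module AIPService -Scope CurrentUser   # one-time
Connect-AipService

# Activate only if it is not already on; the state string is what the
# admin center shows as "activated".
if ("$(Get-AipService)" -ne 'Enabled') {
    Enable-AipService
}
Get-AipService        # expected: Enabled

# Templates currently published to users (the advanced-features page edits these).
Get-AipServiceTemplate | Format-Table TemplateId, Names, Status -AutoSize

# Exchange Online needs to be told it may use Azure RMS before transport
# rules or Outlook can apply do-not-forward / encrypt.
Connect-ExchangeOnline
Set-IRMConfiguration -AzureRMSLicensingEnabled $true
Test-IRMConfiguration -Sender 'admin@contoso.example'   # assumed mailbox
```

`Test-IRMConfiguration` reports each step (template download, encryption, decryption) as PASS or FAIL, which is a faster check than sending test mail by hand.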

[Figure: Enable rights management (screenshot: Susan Bradley)]

You can click on advanced features and configure do-not-forward rules.

[Figure: Advanced rights management (screenshot: Susan Bradley)]

You can set up Azure Information Protection, which is available for $2 per user (U.S.), to automatically detect when sensitive data is used in a document or email, and to automatically apply restrictions based on the policy settings. A client is installed on the workstation to enforce the settings.

Finally, don’t forget to block physical ways that files can leave the office. Configure system BIOS settings to block the use of USB ports so that users can’t use flash drives to remove sensitive information from the office. You can set policies either using the manufacturer’s BIOS software or using Group Policy settings.
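The Group Policy route for blocking removable storage, as an added example that is not from the article. The GPO name and the `OU=Workstations,DC=contoso,DC=example` target are assumed; it requires the GroupPolicy RSAT module on a domain-joined admin machine, and the verification function at the end is meant to be run on a workstation after `gpupdate /force`.

```powershell
# Added example (not from the article): deny removable-disk access by GPO,
# then verify the resulting registry policy on a client.
Import-Module GroupPolicy

$GpoName  = 'Block removable storage'                  # assumed
$TargetOu = 'OU=Workstations,DC=contoso,DC=example'    # assumed

# Registry path behind "Removable Disks: Deny read/write access" under
# Computer Configuration > Policies > Administrative Templates > System >
# Removable Storage Access. The GUID is the removable-disk device class.
$PolicyRoot     = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$RemovableDisks = "$PolicyRoot\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# Deny write stops copying data out; deny read stops tools being run from a stick.
Set-GPRegistryValue -Name $GpoName -Key $RemovableDisks -ValueName 'Deny_Write' -Type DWord -Value 1
Set-GPRegistryValue -Name $GpoName -Key $RemovableDisks -ValueName 'Deny_Read'  -Type DWord -Value 1

# "All Removable Storage classes: Deny all access" catches phones, cameras and
# other classes that are not plain disks.
Set-GPRegistryValue -Name $GpoName -Key $PolicyRoot -ValueName 'Deny_All' -Type DWord -Value 1

New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes -ErrorAction SilentlyContinue

# --- Run on a workstation after gpupdate /force to confirm it applied. ---
function Test-RemovableStorageBlocked {
    $root = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $all  = (Get-ItemProperty -Path $root -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
    $disk = Get-ItemProperty -Path "$root\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DenyAll   = ($all -eq 1)
        DenyWrite = ($disk.Deny_Write -eq 1)
        DenyRead  = ($disk.Deny_Read -eq 1)
    }
}
Test-RemovableStorageBlocked
```

Unlike a BIOS setting, a GPO can be scoped (for example, exempt an IT OU) and is reported centrally through `gpresult`, so the two approaches complement each other: BIOS for machines that leave the domain, Group Policy for the fleet.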

Data can leave firms in any number of ways. Ensure that you’ve evaluated the best ways to protect your data from both outside attackers and insider risks.


Copyright © 2020 IDG Communications, Inc.
