Data Leakage Prevention
Description
Data leakage prevention measures shall be applied to systems, networks, and any other devices that process, store, or transmit sensitive information.
⚠️ Risk Impact
Data exfiltration is the goal of most external breaches. DLP is the layer that catches data on the way out — even when access controls failed and detection missed the entry.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.
🔧 Remediation
Deploy DLP on egress paths: email, cloud storage uploads, USB, and screenshots. Define sensitive-data patterns (PII, payment, IP). Alert on high-risk activity. Block, rather than alert only, when policy requires it.
💀 Real-World Attack Scenario
A departing engineer downloaded the customer database to a personal Dropbox account. The company had DLP deployed in 'monitor' mode. The alert fired, but nobody reviewed alerts for 4 days; by then the data had been exfiltrated and was accessible to a competitor. Average cost of insider data theft: $15.4M (Ponemon).
💰 Cost of Non-Compliance
Insider-threat data theft costs an average of $15.4M (Ponemon 2024). DLP that is deployed but unmonitored increases incident scope 4-5×.
📋 Audit Questions
1. What DLP is deployed? Which channels?
2. Are sensitive-data patterns defined?
3. How are alerts triaged?
4. Block-mode vs alert-only?
⚡ Common Pitfalls
- ⛔ DLP in alert-only mode for everything (alerts ignored)
- ⛔ Patterns too coarse — false positives produce alert fatigue
- ⛔ DLP on email but not cloud storage uploads
📈 Business Value
Effective DLP catches data on the way out — the last line of defense.
⏱️ Effort Estimate
60-120 hours initial DLP deployment + tuning
EchelonGraph integrates with DLP tools for finding context
Automate ISO 27001 A.8.12 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.