Endpoint & Device DLP

The user's endpoint is where data most frequently leaves the organization. Effective endpoint DLP protects data at the point where it is processed and keeps enforcing policy even when the device is offline.

Your Strategy

Implement restrictive policies for unencrypted removable media and unmanaged cloud storage. Use deep kernel integrations to monitor data movements at the file system level in real time and block those that violate policy.

Best Practices

  • Browser Security: Enforce the use of managed browsers that support DLP rules for uploads and copy/paste.
  • Device Health: Link DLP permissions to the compliance state of the device, so that a non-compliant device loses access rather than keeping it.
  • Selective Wipe: Ensure that company data on lost devices can be deleted immediately and selectively (company data only).
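The strategy and best practices above describe a policy engine that sits at the file-system level: classify what is being moved, look at where it is going and at the device's compliance state, then allow, block, or allow-with-audit. The following is an added example written for this page, not code from AYSOLI or from any DLP product. It models that decision in a single function and shows two of the classification techniques the page's mitigation list names, regex-plus-Luhn detection for card numbers and Exact Data Matching (EDM) against keyed hashes so the endpoint never holds the protected values in plaintext. All paths, labels, destination names, the EDM key and the sample records are constructed for the example.

```python
"""Toy endpoint DLP policy evaluator (added example, not a product's own code).

A FileEvent is what a file-system-level sensor would report for a write or copy.
evaluate() applies a policy that (1) blocks sensitive data going to unencrypted
removable media or unmanaged cloud storage, (2) ties permissions to device
compliance, and (3) returns reasons so every decision can be logged for a SIEM.
"""
from __future__ import annotations

import hashlib
import hmac
import re
from dataclasses import dataclass, field

# --- Classification ----------------------------------------------------------

# 14-19 digit runs with optional single spaces or hyphens between digits.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on long digit runs."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Exact Data Matching: the endpoint only stores keyed hashes of the protected
# values. Key and customer IDs are constructed for this example.
EDM_KEY = b"constructed-edm-key-not-for-real-use"
EDM_INDEX = {
    hmac.new(EDM_KEY, v.encode(), hashlib.sha256).hexdigest()
    for v in ("CUST-000123", "CUST-000777")
}


def classify(text: str) -> set[str]:
    """Return the set of sensitivity findings for a piece of file content."""
    findings: set[str] = set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings.add("credit_card")
    for token in re.findall(r"\bCUST-\d{6}\b", text):
        if hmac.new(EDM_KEY, token.encode(), hashlib.sha256).hexdigest() in EDM_INDEX:
            findings.add("edm_customer_id")
    return findings


# --- Policy ------------------------------------------------------------------

@dataclass
class FileEvent:
    path: str
    content: str
    label: str                  # sensitivity label from metadata: public/internal/confidential
    destination: str            # local, removable, managed_cloud, unmanaged_cloud
    removable_encrypted: bool = False
    device_compliant: bool = True


@dataclass
class Decision:
    action: str                 # allow / block / audit
    reasons: list[str] = field(default_factory=list)


def evaluate(ev: FileEvent) -> Decision:
    """Apply the restrictive policy described on the page to one file movement."""
    findings = classify(ev.content)
    labelled = ev.label == "confidential"
    sensitive = labelled or bool(findings)
    reasons = sorted(findings) + (["label:" + ev.label] if labelled else [])
    # Device health gate: a non-compliant device may not move sensitive data off the local disk.
    if sensitive and not ev.device_compliant and ev.destination != "local":
        return Decision("block", reasons + ["device_noncompliant"])
    if sensitive and ev.destination == "unmanaged_cloud":
        return Decision("block", reasons + ["unmanaged_cloud"])
    if sensitive and ev.destination == "removable" and not ev.removable_encrypted:
        return Decision("block", reasons + ["unencrypted_removable"])
    if sensitive:
        return Decision("audit", reasons)   # allowed, but recorded for the SIEM
    return Decision("allow", reasons)


def audit_record(ev: FileEvent, d: Decision) -> dict:
    """Event shape for SIEM forwarding; the content itself is never included, only a hash prefix."""
    return {
        "path": ev.path,
        "destination": ev.destination,
        "action": d.action,
        "reasons": d.reasons,
        "content_sha256": hashlib.sha256(ev.content.encode()).hexdigest()[:16],
    }


if __name__ == "__main__":
    # Constructed sample: an export containing a protected customer ID and a test card number,
    # being copied to an unencrypted USB stick from a compliant device.
    sample = FileEvent("C:/Users/alice/export.csv",
                       "id,card\nCUST-000123,4111 1111 1111 1111",
                       "internal", "removable", removable_encrypted=False)
    print(audit_record(sample, evaluate(sample)))
```

The same event is blocked on an unencrypted stick but only audited on an encrypted one, which is the distinction the "unencrypted removable media" wording above makes; a confidential label alone is enough to block an unmanaged-cloud destination even when no content detector fires, and the device-compliance gate overrides everything but local writes.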

STRIDE-LM Design Risks

  • S-01 (Spoofing) Identity Spoofing: Attacker impersonates a legitimate user or partner.
  • T-01 (Tampering) Data Tampering: Unauthorized modification of shared data or configurations.
  • R-01 (Repudiation) Audit Log Manipulation: Deleting or altering traces of an action.
  • I-DLP-01 (Information Disclosure) Insider Data Theft: Intentional or unintentional outflow of data by insiders.
  • I-DLP-02 (Information Disclosure) USB & Peripheral Exfiltration: Data outflow via physical interfaces.
  • I-DLP-03 (Information Disclosure) Encrypted Channel Exfiltration: Data outflow via encrypted, non-inspectable channels.
  • D-01 (Denial of Service) Resource Exhaustion: Overloading systems through massive requests or resource hogging.
  • M-01 (Monitoring Gaps) Insufficient Logging: Missing or inadequate recording of security-relevant events.

MITRE ATT&CK® Techniques

Each technique is listed with the mitigations that address it. A mitigation is shown with its protection tier (Baseline or Extended), its priority (Medium or High) and its control mappings (CIS Controls, NIST CSF, OWASP).

Initial Access

T1566 Phishing: Delivering malicious content via electronic communication.
Mitigated by:
  • Endpoint Compliance (Intune) [Baseline Protection, Medium] CIS 4.1, NIST PR.AC-7
  • Conditional Access Policies [Baseline Protection, Medium] CIS 6.1, NIST PR.AC-7, OWASP API2

Privilege Escalation

T1548 Abuse Elevation Control Mechanism: Bypassing elevation control mechanisms (e.g., UAC) to escalate privileges.
Mitigated by:
  • Endpoint Compliance (Intune) [Baseline Protection, Medium] CIS 4.1, NIST PR.AC-7
  • Least Privilege Principle [Baseline Protection, Medium] CIS 6.2, NIST PR.AC-6, OWASP A01:2021

Credential Access

T1003 OS Credential Dumping: Extracting credentials from the operating system.
Mitigated by:
  • Endpoint Compliance (Intune) [Baseline Protection, Medium] CIS 4.1, NIST PR.AC-7

T1539 Steal Web Session Cookie: Capturing active session tokens to bypass authentication.
Mitigated by:
  • Conditional Access Policies [Baseline Protection, Medium] CIS 6.1, NIST PR.AC-7, OWASP API2

T1552 Credentials from Password Stores: Extracting passwords from web browsers or password managers.
Mitigated by:
  • Endpoint DLP Policies [Extended Protection, Medium] CIS 13.3, NIST PR.DS-1

Collection

T1530 Data from Cloud Storage Object: Accessing data from cloud storage (S3, Blobs).
Mitigated by:
  • Automatic Data Classification [Extended Protection, High] CIS 13.1, NIST PR.DS-1
  • Sensitivity Labels (Purview) [Extended Protection, High] CIS 13.2, NIST PR.DS-1
  • Least Privilege Principle [Baseline Protection, Medium] CIS 6.2, NIST PR.AC-6, OWASP A01:2021
  • Data Loss Prevention (DLP) [Baseline Protection, Medium] CIS 13.3, NIST PR.DS-1
  • Data Anonymization (Differential Privacy) [Extended Protection, High] NIST PR.PT-3

T1213 Data from Information Repositories: Accessing data from knowledge bases (SharePoint, Confluence).
Mitigated by:
  • Automatic Data Classification [Extended Protection, High] CIS 13.1, NIST PR.DS-1
  • Exact Data Matching (EDM) [Extended Protection, High] CIS 13.1, NIST PR.DS-1
  • Sensitivity Labels (Purview) [Extended Protection, High] CIS 13.2, NIST PR.DS-1
  • Least Privilege Principle [Baseline Protection, Medium] CIS 6.2, NIST PR.AC-6, OWASP A01:2021
  • Data Loss Prevention (DLP) [Baseline Protection, Medium] CIS 13.3, NIST PR.DS-1

Exfiltration

T1020 Automated Exfiltration: Automated exfiltration of data via interfaces.
Mitigated by:
  • Endpoint DLP Policies [Extended Protection, Medium] CIS 13.3, NIST PR.DS-1
  • Automatic Data Classification [Extended Protection, High] CIS 13.1, NIST PR.DS-1
  • Exact Data Matching (EDM) [Extended Protection, High] CIS 13.1, NIST PR.DS-1
  • OCR for DLP [Extended Protection, Medium] CIS 13.3, NIST PR.DS-5
  • Sensitivity Labels (Purview) [Extended Protection, High] CIS 13.2, NIST PR.DS-1
  • Data Anonymization (Differential Privacy) [Extended Protection, High] NIST PR.PT-3

T1567 Exfiltration Over Web Service: Data leakage via legitimate web interfaces.
Mitigated by:
  • Endpoint DLP Policies [Extended Protection, Medium] CIS 13.3, NIST PR.DS-1
  • Automatic Data Classification [Extended Protection, High] CIS 13.1, NIST PR.DS-1
  • Exact Data Matching (EDM) [Extended Protection, High] CIS 13.1, NIST PR.DS-1
  • OCR for DLP [Extended Protection, Medium] CIS 13.3, NIST PR.DS-5
  • SIEM Integration [Extended Protection, High] CIS 8.5, NIST DE.AE-3, NIST DE.CM-1, OWASP A09:2021
  • Sensitivity Labels (Purview) [Extended Protection, High] CIS 13.2, NIST PR.DS-1
  • Data Loss Prevention (DLP) [Baseline Protection, Medium] CIS 13.3, NIST PR.DS-1

Impact

T1565 In-place Modification: Manipulation of existing code or data at the storage location.
Mitigated by:
  • Data Anonymization (Differential Privacy) [Extended Protection, High] NIST PR.PT-3

Endpoint & Device DLP | IT Security Checklist for SMEs · AYSOLI Security Hub