How we implemented the DLP system in one international oil and gas holding

At the dawn of my work in the field of information security, I had the opportunity to participate in one very interesting project. It began with the fact that the security service of one of the largest private producers and suppliers of natural gas and oil in the CIS in the framework of implementing an integrated approach to information security, decided to implement a DLP system. Now, this holding company is subject to the general trends of the Russian market and has disappeared in the depths of several state corporations, and I can tell you this story.

The purpose and objectives of the project

The main goal of the project was to increase the security level of the company's business processes by introducing a system of control over information flows.

Project tasks solved by the introduction of DLP-system:

  1. Monitoring and preventing leaks beyond the organization of confidential information: trade secrets, personal data, objects of intellectual property, etc.
  2. Providing tools for investigating incidents: creating an archive of transmitted information with the possibility of subsequent retrospective search.
  3. Timely detection of insiders: monitoring of suspicious user actions.
  4. Optimization of the use of corporate information resources: the suppression of the use of resources for personal purposes.

Project Approach

The implementation of the DLP system in the geographically distributed corporate network of the holding was a rather difficult task from the technical and organizational point of view. It was necessary to take into account that the DLP system must be absolutely “transparent” for already existing corporate information systems and not even allow temporary blocking or slowing down of established business processes. In addition, its implementation should pass unnoticed by ordinary users.

Thus, the decision was made on the phased implementation of the DLP-system in the offices of the company and the gradual increase of its functionality.

Project implementation

Stage 1: Monitoring and archiving of corporate e-mail at the head office


At the head office of the holding, a DLP system was installed consisting of:

  • information retrieval module at a speed of 1 Gbit / s;
  • interaction module;
  • analysis module;
  • information storage module;
  • AWP analyst.

In addition, a special plugin was installed on the corporate mail server.

In conjunction with the security service of the holding, taking into account the specifics of the business, the Rubricator was set up - a hierarchical tree of the topics sought for morphological
text analysis . In accordance with the corporate security policy, as well as with the local regulatory act on trade secrets and confidential information, the Rubricator has set up appropriate rules for searching and analyzing information.

During the first months of operation, the Rubricator iteratively changed and supplemented to obtain the required level of accuracy of the detected critical information. In parallel, work was carried out to achieve error levels of the 1st and 2nd genus, satisfying the customer.


It was possible to identify the availability of some confidential documents to employees who formally do not have access to them (detection and analysis of documents in attachments to e-mails). According to the results of the investigation, some parameters of the corporate information security policy were adjusted in terms of storing confidential documents and delineating access to them.

Stage 2: FTP traffic monitoring


A decoding information module has been added to the DLP system.


  • The facts of placing confidential information on corporate FTP-resources not intended for this purpose were revealed.
  • Found duplication of large volumes of information (photos, videos, archives) simultaneously on several resources.

Adjusted authority to place information on network resources. The network infrastructure was reconfigured to eliminate duplication of large amounts of information, as a result of which the free space in the data storage system was optimized.

Stage 3: Monitoring HTTP traffic


Plugin is installed on a corporate proxy server that allows you to control get and post requests, as well as “open” https traffic. In accordance with the tasks of the security service and the top management of the company, the Rubricator is set up to monitor certain information.


  • The amount of non-work related information viewed by company staff (blogs, forums, entertainment and news sites) was estimated. It is concluded that the percentage of such traffic is extremely small and is within the permissible limits.
  • Identified a number of individuals who regularly browse the Internet a large amount of information, formally outside the scope of their competencies and interests. Employees taken over the control of the security service.
  • Employees are found who are interested in information about competitors and compromising on their own company. The necessary measures have been taken in relation to them.

Stage 4: Retrospective analysis of the archive


A module has been added to the product that allows for repeated analysis of the entire accumulated traffic archive.


As part of the restructuring of the group of companies, in a certain period mass reductions, transfers to new positions and changes in the functionality of employees were carried out.
A new Rubricator was set up, which allowed conducting searches for information on specific employees.

Conducting a full retrospective analysis of the accumulated information according to the new search rules made it possible to reveal out-of-office interests, illegitimate working contacts and other suspicious facts in the work of the employees planned to be reduced or moved to another position.

Proper use of the information received allowed us to revise some personnel decisions in one direction or another and significantly reduce the risks of negative consequences of the organizational and staff reform.

Stage 5: Implementation of the system in remote offices


The solutions tested at the head office according to the schedule were gradually introduced in all territorial offices of the group of companies.


Thanks to the flexible scaling capabilities of the DLP system, it was possible to fully implement it across the customer’s entire information and telecommunications network, including 10 remote offices, 160 legal entities, 4,500 people.

Information collection modules were installed on all external communication channels in the offices. System management is implemented from a single monitoring and control center at the head office of the company. In this case, when communication between offices disappears, the system installed in the remote unit continues to operate autonomously in accordance with the specified policies.


The introduction of the DLP-system in the holding increased the level of business security and allowed to significantly reduce the economic, reputational and other risks, including during the large-scale restructuring of the company.

Also popular now: