Resources · Primer
What is DLP? A plain-English primer
Reading time: ~9 minutes
Data loss prevention is one of those terms that sounds self-explanatory until you try to buy it. Three vendors will give you three definitions, all of them tilted toward whatever their product does. This is a vendor-neutral version, written for the COO, HR director, and IT security lead who tend to sign Centyon's contracts together.
1. What DLP actually is
Data loss prevention is the practice of detecting (and sometimes blocking) movement of sensitive information out of an organisation. "Sensitive" is whatever you say it is: customer records, source code, financial models, employee data, the unsigned-merger spreadsheet sitting on your CFO's desktop.
The category covers a wide spectrum. At one end, simple controls like blocking USB ports at the OS level. At the other, large enterprise suites with kernel drivers, content classification, OCR on screenshots, and active blocking of policy-violating actions. In between — where most mid-market companies actually live — sits a class of tools that monitor endpoint behaviour, generate alerts when something looks like exfiltration, and give a security analyst enough context to investigate.
Centyon belongs to that middle band. We are detective, not preventive (more on that below). We watch the endpoints, we generate alerts, we keep the evidence. We don't sit in the kernel and block a copy mid-flight.
2. Who needs it (and who doesn't)
DLP makes economic sense when the cost of a leak — in revenue, regulatory fines, reputational damage, or stolen IP — is higher than the cost of the tool and the analyst time to triage its alerts. For most companies, the calculus tips somewhere between 50 and 200 employees, especially in these settings:
- BPO, contact centres, shared-service centres. High headcount, high turnover, USB and screen-grab risk, customer PII on every screen.
- IT services and professional services. Client code, design files, valuations, contracts — easy to walk out with on a USB stick or via personal cloud storage.
- Financial services back-office. Compliance evidence is a primary use case. Auditors specifically ask whether you can show who accessed what and when.
- Healthcare administration. Note: admin and HR-facing roles, not clinical workflows — Centyon doesn't touch clinical systems.
- Distributed retail and e-commerce HQs. Many staff working with customer data on laptops in multiple offices and home.
Companies that don't need full-spectrum DLP: small teams (under ~30), companies where everyone works in fully-sandboxed cloud SaaS with no local file storage, and companies whose risk profile is dominated by external threats (phishing, ransomware) rather than insider/accidental loss. For those, a good EDR plus mature email security earns the budget first.
3. How data actually leaves
Everyone imagines the malicious insider with a USB stick. They exist — but they're the minority. Most data loss is either accidental (a sales rep emails the wrong attachment) or quietly purposeful but not dramatic (an analyst syncs their work folder to a personal cloud account "just in case"). The exfil paths worth knowing:
| Path | Why it matters | What you'd watch for |
|---|---|---|
| USB / external drives | The classic. Still happens. | Plug/unplug events; files written to the drive letter. |
| Personal cloud sync | Dropbox / OneDrive / Google Drive / iCloud / Box folders configured against personal accounts. | Files appearing in ~/Dropbox etc.; URL access to consumer cloud login. |
| Personal email | Gmail / Outlook / Yahoo webmail — the quietest, most common path. | URL access to webmail; large outbound transfers. |
| AI assistants | Pasting customer data into ChatGPT / Claude / Gemini for "help drafting a reply". | URL access to AI services; clipboard transfers preceding navigation. |
| Print-to-PDF | Underrated. Generates a portable document that bypasses many file-based controls. | Print spooler activity, including the Microsoft PDF printer. |
| Screen capture | Snipping tool, Greenshot, ShareX. Hard to scale, but used surprisingly often. | Processes from the screen-capture category running outside expected sessions. |
| PowerShell / robocopy | Bulk extraction at the script level. Rare but a high-severity signal when seen. | Process events for powershell.exe, robocopy.exe. |
| Remote-access tools | AnyDesk, TeamViewer, ngrok used to pull data through a tunnel. | Process start of known remote-access binaries. |
A good DLP product doesn't have to catch every path — it has to catch the paths your population actually uses. For a contact centre, that's USB and personal email. For a finance team, it's print-to-PDF and personal cloud. For an IT shop, it's PowerShell and ngrok.
4. Detective vs preventive — pick a side honestly
DLP vendors split into two camps. Preventive DLP sits in the kernel (or via a deep filter driver) and physically blocks the action — the file copy fails, the upload doesn't complete, the print job is cancelled. Detective DLP watches the action happen, logs it, alerts on it, and gives an analyst the context to follow up.
Preventive sounds better. In practice it has costs:
- Kernel drivers fail in ways that take user machines offline. A bad signed-driver update can be a corporate-scale outage.
- False positives become user-blocking. The auditor can't open her own working file. The COO loses an hour. Trust in the tool erodes.
- Anti-malware vendors flag aggressive prevention agents, leading to ongoing whitelisting overhead.
Detective is honest about what it does. You see the event. You decide what to do about it. The user isn't surprised by their machine fighting them. The trade-off is that an intentional, technically-skilled bad actor with seconds to act can complete an exfil before anyone reads the alert. That's a real gap — but for the majority of insider risk (which is sloppy, not professional), detective is enough.
Centyon is detective by design. If you need real-time blocking on top, layer Microsoft Purview Endpoint DLP or Forcepoint with us — we're the visibility, they're the brake.
5. What "good" looks like
- A rule library that ships full, not empty. The common exfil paths are the same across customers. You shouldn't be paying a vendor to discover them on your behalf.
- Content hashing. Every captured file has a SHA-256. Same hash across machines means same file. That's how you suppress known-benign content (your templated NDA) without silencing the rule it triggered.
- A suppression workflow that doesn't require editing rules. When the inevitable noisy match arrives, your analyst should mark "this hash is fine, stop alerting" in one click. Rule changes are bigger, scarier, and version-controlled.
- Per-severity routing. Not every event is an email-someone-at-3am event. High-severity stays sticky in the dashboard; medium digests hourly; low rolls up daily.
- Audit trail of who reviewed what. Auditors don't care that you saw the event — they care that someone looked at it and made a call. The review state matters.
- A model that respects role boundaries. HR shouldn't see the DLP rule config. The security analyst shouldn't have admin over shifts. The line manager only sees their team. Granular permissions, not "admin or nothing".
6. Common pitfalls
- Surveillance creep. The temptation, once you've installed a DLP agent, is to use it for everything. Productivity scoring. Screen recording. Tone-of-voice analytics. This is how programmes die — staff find out, trust collapses, and the works council files a complaint. Limit scope to what you'd be comfortable defending in a labour-board hearing.
- Alert fatigue. Forty-five rules on day one, generating thousands of low-severity events, is a recipe for nobody reading any of them. Triage discipline matters more than rule count: review the daily digest, suppress the obvious benign matches, and your signal-to-noise climbs within a fortnight.
- Treating it as compliance theatre. A DLP tool that nobody reads the output of doesn't reduce risk; it just creates a record showing you ignored warning signs. Either commit a named person's time to triage, or don't deploy it.
- No employee notification. In most jurisdictions you're legally required to tell people they're being monitored, and explain in plain language what's captured. Pretending it's a secret is both ineffective and unlawful.
- Buying preventive when detective would do. If your population is mostly ordinary staff handling ordinary risk, you don't need a kernel driver. You need visibility, alerting, and a process for handling what you find.
7. How Centyon does DLP
Briefly, since this is a primer and not a sales pitch:
- Windows agent in user session — no kernel driver, no admin install for most features.
- 45 detection rules seeded with every workspace (URL, file-path, event-type).
- SHA-256 content hashing on copied / saved / USB-written files, capped at a configurable size.
- Per-tenant SMTP so alert content stays on your email infrastructure.
- Per-feature toggles so customers can disable monitors that don't fit their policy (clipboard, print, USB, file watching — each independently controllable).
- No keystroke logging. No screen video recording. By design.
If you'd like to see it against your own environment, request a 14-day free trial or email manish@ddsplm.com.