
Lab 7 — Endpoint DLP

Lab 7 · ⏱ 15 min · ⚗ Lab Tenant (Read/Write) · 👤 Alex + Kevin
Endpoint DLP — USB Device Control
Not all data movement happens over the network. Kevin attempts to copy the payroll file to a USB drive to work from home. Without endpoint protection, this activity bypasses network controls entirely — the proxy never sees it.
🛡
Alex — Security Administrator
Lab Tenant (Read/Write)
Inline DLP covers network-based exfiltration. But what happens when Kevin takes a USB drive and copies files while completely off-network? That vector requires endpoint protection.

🎯Create an endpoint DLP policy that prevents sensitive data from being copied to USB storage devices.

1. Create an Endpoint DLP Policy [Alex]

Policy → Endpoint DLP → + New Rule

Create a new rule named:

Block Sensitive Data to USB

  • Detection Engine: Financial Data Detection
  • Device Type: Removable storage (USB drive)
  • Action: Block
  • User notification: Enabled

Save the policy and confirm it is active.

👤
Kevin — End User
Hand off to Kevin
You are now Kevin — about to copy a file to a USB drive, thinking no network controls can see you.

2. Trigger a Policy Violation [Kevin]

Attempt to copy the following file to a USB drive:

Payroll_2025.xlsx

(Fourth appearance of this file in the lab series; this time it is an off-network exfiltration attempt.)

Observe:

  • File transfer is blocked by the endpoint agent
  • User receives notification explaining why
  • Incident is generated — even though no network traffic occurred
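What the agent is doing across steps 1 and 2, as an added example that is not the lab tenant's code: a small Python model of an endpoint DLP rule evaluated against a file copy. The regex detector standing in for Financial Data Detection, the ABA routing check digit used as a validity filter, the rule and incident fields, the CSV rows standing in for Payroll_2025.xlsx and the audit-only rule are all assumptions made for illustration. It runs fully offline and reproduces the three observations above (copy blocked, user notified, incident recorded without any network traffic), and also the audit-only variant raised in the discussion questions.

```python
# Added example: a simplified model of how an endpoint agent decides a file copy
# to removable media. Detector, checksum, rule/incident fields and sample rows are
# all assumptions made for illustration, not the lab tenant's implementation.
import re
from dataclasses import dataclass
from enum import Enum
from typing import Callable, NamedTuple, Optional

class DeviceType(Enum):
    REMOVABLE_STORAGE = "removable_storage"  # USB drive
    FIXED_DISK = "fixed_disk"

class Action(Enum):
    BLOCK = "block"  # stop the copy, notify the user, record an incident
    AUDIT = "audit"  # allow the copy, still record an incident (audit-only mode)

# Constructed stand-in for "Financial Data Detection": US SSNs plus nine-digit
# numbers that pass the ABA routing-number check digit.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
NINE_DIGITS_RE = re.compile(r"(?<!\d)\d{9}(?!\d)")

def is_valid_aba_routing(digits: str) -> bool:
    # 3(d1+d4+d7) + 7(d2+d5+d8) + (d3+d6+d9) must be 0 mod 10
    d = [int(c) for c in digits]
    return (3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])) % 10 == 0

def financial_data_detector(text: str) -> list[str]:
    """Identifier types found; the checksum keeps ticket numbers and the like out."""
    found = []
    if SSN_RE.search(text):
        found.append("ssn")
    if any(is_valid_aba_routing(m) for m in NINE_DIGITS_RE.findall(text)):
        found.append("aba_routing")
    return found

@dataclass(frozen=True)
class EndpointRule:
    name: str
    detector: Callable[[str], list]
    device_types: frozenset
    action: Action
    notify_user: bool

@dataclass
class Incident:
    rule: str
    filename: str
    device: str
    action_taken: str
    match_types: list
    observed_on_network: bool  # always False: the agent saw a local copy, not traffic

Verdict = NamedTuple("Verdict", [("allowed", bool), ("notification", Optional[str]),
                                 ("incident", Optional[Incident])])

def evaluate_copy(rules, filename: str, content: str, device: DeviceType) -> Verdict:
    """Agent-side decision for one copy; first matching rule wins. Rules and the
    file are both local, so nothing here needs the proxy or a network path."""
    for rule in rules:
        if device not in rule.device_types:
            continue
        matches = rule.detector(content)
        if not matches:
            continue
        allowed = rule.action is Action.AUDIT
        notification = None
        if rule.notify_user and not allowed:
            notification = (f"Copy of '{filename}' to {device.value} was blocked by "
                            f"'{rule.name}' (detected: {', '.join(matches)}).")
        incident = Incident(rule.name, filename, device.value, rule.action.value, matches, False)
        return Verdict(allowed, notification, incident)
    return Verdict(True, None, None)

# Constructed sample data: a CSV stand-in for Payroll_2025.xlsx and a benign note
# whose nine-digit ticket number fails the routing checksum.
PAYROLL_2025_SAMPLE = """employee_id,name,ssn,routing_number,account_number,net_pay
1001,Kevin Chen,123-45-6789,021000021,4411223344,4120.55
1002,Alex Rivera,456-78-9012,011000015,9900112233,5310.00
"""
BENIGN_SAMPLE = "Q3 offsite agenda. Budget line 1200000 approved, see ticket 123456789.\n"

USB_ONLY = frozenset({DeviceType.REMOVABLE_STORAGE})
BLOCK_RULE = EndpointRule("Block Sensitive Data to USB", financial_data_detector, USB_ONLY, Action.BLOCK, True)
AUDIT_RULE = EndpointRule("Audit Sensitive Data to USB", financial_data_detector, USB_ONLY, Action.AUDIT, False)

if __name__ == "__main__":
    offline_spool = []  # incidents queue locally and upload when connectivity returns
    scenarios = [
        ("payroll to USB, block rule", [BLOCK_RULE], "Payroll_2025.xlsx", PAYROLL_2025_SAMPLE, DeviceType.REMOVABLE_STORAGE),
        ("payroll to USB, audit-only rule", [AUDIT_RULE], "Payroll_2025.xlsx", PAYROLL_2025_SAMPLE, DeviceType.REMOVABLE_STORAGE),
        ("payroll to local disk", [BLOCK_RULE], "Payroll_2025.xlsx", PAYROLL_2025_SAMPLE, DeviceType.FIXED_DISK),
        ("meeting notes to USB", [BLOCK_RULE], "notes.txt", BENIGN_SAMPLE, DeviceType.REMOVABLE_STORAGE),
    ]
    for label, rules, filename, content, device in scenarios:
        v = evaluate_copy(rules, filename, content, device)
        if v.incident:
            offline_spool.append(v.incident)
        print(f"{label}: allowed={v.allowed} notification={v.notification!r}")
    print(f"{len(offline_spool)} incident(s) generated with no network traffic")
```

Running the script prints one line per scenario and then the count of incidents spooled while "offline". The point of keeping the allow/block decision separate from the incident record is that the two are independent: the audit-only rule lets the copy through but still produces the incident, which is exactly what gives audit mode its value before a block rule is rolled out to a population that may have legitimate removable-media use.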
🛡
Alex — Back to Security Administrator
This incident was generated entirely off-network. Proxy-based DLP would never have seen it.
💬 Discussion
  • Why is endpoint protection necessary even when network controls exist?
  • Which employees or roles legitimately require exceptions for removable media?
  • Should all USB activity be monitored even when it is not blocked? What value does audit-only mode provide?
💡 Key Insight

Inline DLP protects data in transit over the network. Endpoint DLP protects data on the device.

These two controls are complementary: network DLP catches cloud uploads and other transfers the proxy can see, endpoint DLP catches local and offline exfiltration such as copies to removable media. Neither covers the other's vector, so both are needed. Endpoint DLP only applies where the agent is installed, running and tamper-protected; a device with no agent is outside both controls when it is off-network.

💡 Facilitator Notes

The "off-network" point is especially resonant for organizations with large remote workforces.

Labs 6 and 7 together make a clean argument: network and endpoint DLP are not redundant — they cover fundamentally different exfiltration vectors.

Zenith Live 2026 · Dataparity