Which security control is designed to prevent unauthorized data exfiltration from endpoints?

Preventing unauthorized data exfiltration from endpoints is accomplished by Data Loss Prevention (DLP) Endpoint Software. This type of solution enforces policies at the device itself, inspecting data as it tries to leave the endpoint across channels like email, USB devices, cloud sync, and printers. It classifies sensitive information (PII, financial data, intellectual property) and can block the transfer, quarantine the data, encrypt it, or alert security teams when a policy is violated. By controlling data in use and in motion right at the source, it stops exfiltration before it happens, rather than just recording that it occurred.

Audit logs, while valuable for detecting and investigating incidents after the fact, do not prevent data from leaving a device. They provide a record of what happened, not a barrier to prevent the action. The other two option names don’t describe a real prevention mechanism for data leakage; they don’t implement controls to stop data from leaving endpoints.