Login  |  Register  |  Contact

What Do DLP and Condoms Have in Common?

They both work a heck of a lot better if you use them ahead of time.

I just finished reading the Trustwave Global Security Report, which summarizes their findings from incident response and penetration tests during 2009.

In over 200 breach investigations, they only encountered one case where the bad guy encrypted the data during exfiltration. That's right, only once. 1. The big uno.

This makes it highly likely that a network DLP solution would have detected, if not prevented, the other 199+ breaches.

Since I started covering DLP, one of the biggest criticisms has been that it can't detect sensitive data if the bad guys encrypt it. That's like telling a cop to skip the body armor since the bad guy can just shoot them someplace else.

Yes, we've seen cases where data was encrypted. I've been told that in the recent China hacks the outbound channel was encrypted. But based on the public numbers available, more often than not (in a big way) encryption isn't used. This will probably change over time, but we also have other techniques to try to detect such other exfiltration methods.

Those of you currently using DLP also need to remember that if you are only using it to scan employee emails, it won't really help much either. You need to use promiscuous mode, and scan all outbound TCP/IP to get full value. Also make sure you have it configured in true promiscuous mode, and aren't locking it to specific ports and protocols. This might mean adding boxes, depending on which product you are using. Yes, I know I just used the words 'promiscuous' and 'condom' in a blog post, which will probably get us banned (hopefully our friends at the URL filtering companies will at least give me a warning).

I realize some of you will be thinking, "Oh, great, but now the bad guys know and they'll start encrypting." Probably, but that's not a change they'll make until their exfiltration attempts fail -- no reason to change until then.

—Rich

Posted at Wednesday 3rd February 2010 4:57 pm Filed under: breacdlpencryptiontrustwave

Previous entry: Project Quant: DatabaseSecurity - WAF | | Next entry: Analysis of Trustwave's 2010 Breach Report

Comments:

If you like to leave comments, and aren't a spammer, register for the site and email us at info@securosis.com and we'll turn off moderation for your account.

By smithwill  on  02/03  at  05:50 PM

DLP and condoms? Neither is a 100% solution. Best results when used in conjunction with axillary monitoring.

By TLG  on  02/04  at  02:24 AM

The report states “a single case contained the use of an encrypted channel for data extraction”, indeed encryption at the network level is seldom used for data exfiltration. However, what the report does not mention explicitly is that attackers do use encryption at the *data* level.

Splitting the data in a series of archives protected by a password allows to exfiltrate large sets of data. Plus you can drop files to third parties servers without having to disclose the information. Unless your DLP solution rings a bell when such files get transported on your network, you will be blind.

By Rich  on  02/04  at  10:32 AM

TLG-

The context in the paper makes it clear the files weren’t encrypted either, but I agree that wasn’t explicitly stated.

Yes- the technique you describe would probably work, but again, that’s not yet how the bad guys are doing it. Also, some DLP solutions can detect and alert on encrypted archives if a standard encryption method is used. A bunch of the tools support that.

By DMc  on  02/05  at  06:37 AM

I prefer an analogy of DLP protection to a six foot fence.  You aren’t going to protect against a very determined bad guy but you will prevent the majority of violations.  Your intentions to protect are made very clear.  Further, it is getting to the point where it is difficult to report a violation while admitting you didn’t at least put up some kind of fence.

By Yuval Eldar  on  02/08  at  06:42 AM

At the risk of offending someone with graphic descriptions, a better analogy when explaining DLP solutions is “coitus interupptus”.

Let me explain.

The extreme approach to “content blindness” in DLP is indeed encryption. However, there are other methods that are equally as effective in making DLP “content blind” that do not necessarily involve malicious users, for example, modifying content at its origin by users and systems. The modus operandi of DLP agents (network gateways, crawlers, or endpoint agents) is to identify the similarities in content at the exit/channel/medium from the sources that they were generated. In this case, we are now playing in the field of statistics and probability, even if we assume that they are 99% exact. For the record, I don’t believe DLP technologies are that accurate. What this means is that one or two items per user per day will mistakenly be enforced (AKA false-positives or false-negatives).

Can organizations afford it?  Probably not. That is why most DLP solutions end up in “Monitoring Mode”. So I ask, what type of “birth control” does this resemble?

I believe that in order to make data loss prevention solutions effective, it must identify the content as close to the origin and/or point of creation as possible, where information is produced from enterprise applications, databases, repositories, or even users. At this stage, before the end-user manipulates the content (to the extreme, before the end-user tries to encrypt or send it in encrypted channels), content is still in its original form, in a structured format, that can be identified with no false-positives. At this stage, the solution should embed the protection into the data at creation, by using E-DRM rights or encryption. This technique will, also, overcome the challenges that you have mentioned – adding agents in order to support additional ports/exits to be scanned. Now, you can kill three birds with one stone. In a single action, you have an integrated solution that handles the three aspects of information protection and control; data at rest, data in use, and data in motion. This solution is agnostic to channels, ports, devices, and mediums. This should be the way IPC/DLP solutions should work. Let’s not be confused of the current and future integration of DLP & E-DRM solutions- Embedding ERM rights in the late stages of the information cycle (acting upon exits or acting when directories are scanned). These solutions will have the same flaws that DLP solutions encounter today…

We, at Secure Islands Technologies, are focused on solving these issues by supplying an automated data-centric security from the origin.

By Roee Oz  on  02/09  at  12:14 AM

Anyway, sending mail from outlook using gmail for example uses sll, so it’s encrypted, so sometimes user encrypts without even knowing

By Chris  on  02/09  at  11:51 AM

All Enterprise DLP solutions have the ability to peak into and actively remediate SSL connections containing sensitive data.

Also, using a DLP solution you can easily sniff out many other types of encrypted traffic on the wire.  You do this by leveraging the DLP solutions ability to identify files of different types.  Encrypted Zip files, Protected PDFs, and Protected MS Word documents can all be easily identified and blocked even if you can’t see what is inside them.

**Editors note- this comment was left by a member of a DLP company; they identified themselves with their email, but since we don’t display that I’m adding it as a note.

By Allen Baranov  on  02/10  at  05:34 AM

I think that the analogy is “interesting” but the issue is not really the effectiveness but the cost.

In South Africa we have a huge AIDS problem so government issued condoms are free and very easy to get hold of. Fancier condoms are slightly more expensive but not much.

A DLP solution can cost in the multi-millions which is quite a bit of money for something that is “sorta” effective.

By Yuval Eldar  on  02/10  at  11:43 AM

A feature like identifying the encryption of a file will not help much…Indeed you can block encrypted files but it will block also a legitimate business activity that I am sure security officers will not do it. So we again end up with monitoring mode…which is ineffective in this case (” audit spamming”).

Regarding SSL connections, DLP solutions dont have ability to decrypt SSL without integrating through ICAP to solutions like BlueCoat…Aha and what about laptops/endpoints outside the perimeter? It wont work!

**Moderators note- The commenter is with a vendor that offers an alternative to DLP. He indicated this in his registration, but since we don’t display email addresses I’ve added this note.

By smithwill  on  02/10  at  03:50 PM

I bet the topic of condoms has never seen so much scrutiny from a security/performance perspective.

By Roee Oz  on  02/10  at  11:47 PM

DLP and SSL…
It kind of sometimes works, but you have some problems:

- Show a trusted! certificate on behalf of the ssl server (gmail). This usually requires root authority certificate distribution to all endpoint.

- Know what certificate to show by IP and port only.

- Know what IPs and ports to monitor.

And it’s compromise the security of the ssl.

Condom anyone?

Roee

Page 1 of 1 pages

Name:

Email:

Remember my personal information

Notify me of follow-up comments?

Submit the word you see below: