Update: Lancope posted some new information positioning this as a complement, not a substitute, to DLP. Looks like the marketing folks might have gotten a little out of control.
I’ve been at this game for a while now, but sometimes I see a piece of idiocy that makes me wish I was drinking some chocolate milk so I could spew it out my nose in response to the sheer audacity of it all.
Today’s winner is Lancope, who astounds us with their new “data loss prevention” solution that detects breaches using a Harry Potter-inspired technique that completely eliminates the need to understand the data. Actually, according to their extremely educational marketing paper, analyzing the content is bad, because it’s really hard! Kind of like math. Or common sense.
Lancope’s far superior alternative monitors your network for any unusual activity, such as a large file transfer, and generates an alert. You don’t even need to look at packets! That’s so cool! I thought the iPad was magical, but Lancope is totally kicking Apple’s ass on the enchantment front. Rumor is your box is even delivered by a unicorn. With wings!
I’m all for netflow and anomaly detection. It’s one of the more important tools for dealing with advanced attacks. But this Lancope release is ridiculous – I can’t even imagine the number of false positives. Without content analysis, or even metadata analysis, I’m not sure how this could possibly be useful. Maybe paired with real DLP, but they are marketing it as a stand-alone option, which is nuts. Especially when DLP vendors like Fidelis, McAfee, and Palisade are starting to add data traffic flow analysis (with content awareness) to their products.
Maybe Lancope should partner with a DLP vendor. One of the weaknesses of many DLP products is that they do a crappy job of looking across all ports and protocols. Pretty much every product is capable of it, but most of them require a large number of boxes with severe traffic or analysis limitations, because they aren’t overly speedy as network devices (with some exceptions). Combining one with something like Lancope, where you could point the DLP at target traffic, could be interesting… but damn, netflow alone clearly isn’t a good option.
Lancope, thanks for a great DLP WTF with a side of BS. I’m glad I read it today – that release is almost as good as the ThinkGeek April Fool’s edition!
4 Replies to “Hit the Snooze on Lancope’s Data Loss Alarms”
Hi Adam,
Thanks for responding and sorry for the slow reply… had a bit of a back end server issue today, and was distracted by the iPad and childcare all weekend.
I’m definitely up for a briefing; just have someone email me at rmogull@securosis.com.
Your comments here are very different than how your marketing materials read (I even had some other people run past them before I put the post up to make sure I wasn’t too out of line).
In terms of the other companies, they aren’t using the same kind of flow data you are. They are tracking data flows by watching where the content moves within the organization… data flow, not netflow.
But let’s talk; your marketing materials are either uninformed or deceptive when read from the outside.
Hi Rich, sorry the marketing materials for this feature irked you so. I don’t think we’ve ever actually briefed you on StealthWatch but would love to if you have some free time. You really need to see the system demonstrated to get a feel for how this relatively small feature fits in with the rest of the flow analysis capabilities provided. This “Suspect Data Loss” feature is only one of dozens of ways we’ve found to use NetFlow technology to monitor the goings-on of the network environment.
“Maybe paired with real DLP, but they are marketing it as a stand-alone option, which is nuts.”
To be clear, I/we *do not* suggest that this one algorithm is the end-all-be-all replacement for traditional content-based extrusion detection technology. I’m sorry if that message is implied in the materials you read. Our point is that you can use IP connection metadata (NetFlow) to extract and alert on interesting “uploads” occurring from internal clients to external servers. Paired with content-based tech, the two radically different approaches complement one another quite nicely. We do allow for import of most any syslog event from such a content-based system, so connecting the two in our product is available today. As you say though, we do lack formal integrations. We should work on that, agreed.
As I’m sure you and your readers know, any product oriented around NetFlow must use stats, behavior, flow counting, etc to work its brand of magic as payload analysis simply isn’t applicable. We think that so far as NetFlow analysis goes, we’ve found a very clever way to detect and report on interesting Internet uploads. It’s interesting enough that we did a quick dot release, press release, and associated .pdf to tell the world about it.
“Especially when DLP vendors like Fidelis, McAfee, and Palisade are starting to add data traffic flow analysis (with content awareness) to their products.”
So if these guys are adding flow analysis functionality it must have some utility, yes? I’m excited the industry is finally beginning to understand the value of flow-based telemetry. Greater understanding of the need results in more activity for us. We’ve been touting its value for 5 years+ and would like to think we’re a bit ahead of these other guys, and until they catch up, sure we’re going to talk up our advances, wouldn’t you?
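The metadata-only “large internal-to-external upload” rule the post criticises, and the NetFlow-plus-DLP-syslog pairing the comment above describes, as an added illustration (this is not Lancope’s or any DLP vendor’s code; the flow records, thresholds, address ranges and DLP alert format are all constructed for the example):

```python
"""Toy NetFlow-style 'suspect upload' detector, added for illustration (not Lancope's code).

Each record is a constructed flow summary: (src_ip, dst_ip, dst_port, bytes_out).
Pass 1 flags any internal -> external flow whose outbound byte count exceeds a
threshold: the metadata-only heuristic, which cannot tell a nightly cloud backup
from an exfiltrated archive. Pass 2 shows the complementary approach: keep only
hits that a content-aware DLP also reported (modelled as imported syslog alerts
keyed by source/destination address).
"""
import ipaddress

# constructed internal address space; real deployments would load their own ranges
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

# constructed sample flows: (src, dst, dport, bytes_out)
FLOWS = [
    ("10.1.2.3", "203.0.113.10", 443, 900_000_000),    # nightly cloud backup (legitimate)
    ("10.1.2.7", "198.51.100.5", 443, 450_000_000),    # user syncing photos (legitimate)
    ("10.1.2.9", "203.0.113.99", 22,  120_000_000),    # archive of customer data leaving
    ("10.1.2.9", "10.5.5.5",     445, 2_000_000_000),  # internal file-server copy, not an upload
    ("10.1.2.4", "198.51.100.8", 443, 2_000_000),      # small transfer, below threshold
]

def suspect_uploads(flows, threshold_bytes=100_000_000):
    """Metadata-only rule: internal source, external destination, bytes_out >= threshold."""
    return [f for f in flows
            if is_internal(f[0]) and not is_internal(f[1]) and f[3] >= threshold_bytes]

# constructed DLP content alerts, as a syslog import from a content-aware DLP might supply
DLP_ALERTS = {("10.1.2.9", "203.0.113.99"): "policy:customer-PII-archive"}

def corroborated(flagged, dlp_alerts):
    """Keep only netflow hits that a content-aware system also flagged on the same src/dst."""
    return [(f, dlp_alerts[(f[0], f[1])]) for f in flagged if (f[0], f[1]) in dlp_alerts]

if __name__ == "__main__":
    hits = suspect_uploads(FLOWS)
    print(f"netflow-only rule flagged {len(hits)} of {len(FLOWS)} flows:")
    for f in hits:
        print("  ", f)
    print("corroborated by DLP content alert:", corroborated(hits, DLP_ALERTS))
```

Of the three flows the byte-count rule flags, two are legitimate bulk transfers; only the one the content-aware side also reported survives the second pass.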
Love the post, Rich. It is clear that Rothman is rubbing off on you!
This is absolutely hilarious!! I particularly enjoy the note on tracking large file transfers. Clearly, a definitive method of identifying anomalies. I sure hope that product is cheap 🙂