They both work a heck of a lot better if you use them ahead of time.
I just finished reading the Trustwave Global Security Report, which summarizes their findings from incident response and penetration tests during 2009.
In over 200 breach investigations, they only encountered one case where the bad guy encrypted the data during exfiltration. That’s right, only once. 1. The big uno.
This makes it highly likely that a network DLP solution would have detected, if not prevented, the other 199+ breaches.
Since I started covering DLP, one of the biggest criticisms has been that it can’t detect sensitive data if the bad guys encrypt it. That’s like telling a cop to skip the body armor since the bad guy can just shoot them someplace else.
Yes, we’ve seen cases where data was encrypted. I’ve been told that in the recent China hacks the outbound channel was encrypted. But based on the public numbers available, more often than not (in a big way) encryption isn’t used. This will probably change over time, but we also have other techniques for detecting those other exfiltration methods.
Those of you currently using DLP also need to remember that if you are only using it to scan employee emails, it won’t really help much either. You need to use promiscuous mode, and scan all outbound TCP/IP to get full value. Also make sure you have it configured in true promiscuous mode, and aren’t locking it to specific ports and protocols. This might mean adding boxes, depending on which product you are using. Yes, I know I just used the words ‘promiscuous’ and ‘condom’ in a blog post, which will probably get us banned (hopefully our friends at the URL filtering companies will at least give me a warning).
I realize some of you will be thinking, “Oh, great, but now the bad guys know and they’ll start encrypting.” Probably, but that’s not a change they’ll make until their exfiltration attempts fail – no reason to change until then.
11 Replies to “What Do DLP and Condoms Have in Common?”
I bet the topic of condoms has never seen so much scrutiny from a security/performance perspective.
A feature like identifying the encryption of a file will not help much… Indeed, you can block encrypted files, but it will also block legitimate business activity, which I am sure security officers will not do. So we again end up with monitoring mode… which is ineffective in this case (“audit spamming”).
Regarding SSL connections, DLP solutions don’t have the ability to decrypt SSL without integrating through ICAP with solutions like BlueCoat… Aha, and what about laptops/endpoints outside the perimeter? It won’t work!
**Moderator’s note- The commenter is with a vendor that offers an alternative to DLP. He indicated this in his registration, but since we don’t display email addresses I’ve added this note.
I think that the analogy is “interesting” but the issue is not really the effectiveness but the cost.
In South Africa we have a huge AIDS problem so government issued condoms are free and very easy to get hold of. Fancier condoms are slightly more expensive but not much.
A DLP solution can cost in the multi-millions which is quite a bit of money for something that is “sorta” effective.
All Enterprise DLP solutions have the ability to peek into and actively remediate SSL connections containing sensitive data.
Also, using a DLP solution you can easily sniff out many other types of encrypted traffic on the wire. You do this by leveraging the DLP solution’s ability to identify files of different types. Encrypted Zip files, Protected PDFs, and Protected MS Word documents can all be easily identified and blocked even if you can’t see what is inside them.
**Editor’s note- this comment was left by a member of a DLP company; they identified themselves with their email, but since we don’t display that I’m adding it as a note.
Anyway, sending mail from Outlook using Gmail, for example, uses SSL, so it’s encrypted, so sometimes a user encrypts without even knowing.
At the risk of offending someone with graphic descriptions, a better analogy when explaining DLP solutions is
I prefer an analogy of DLP protection to a six foot fence. You aren’t going to protect against a very determined bad guy but you will prevent the majority of violations. Your intentions to protect are made very clear. Further, it is getting to the point where it is difficult to report a violation while admitting you didn’t at least put up some kind of fence.
TLG-
The context in the paper makes it clear the files weren’t encrypted either, but I agree that wasn’t explicitly stated.
Yes- the technique you describe would probably work, but again, that’s not yet how the bad guys are doing it. Also, some DLP solutions can detect and alert on encrypted archives if a standard encryption method is used. A bunch of the tools support that.
The report states “a single case contained the use of an encrypted channel for data extraction”, indeed encryption at the network level is seldom used for data exfiltration. However, what the report does not mention explicitly is that attackers do use encryption at the *data* level.
Splitting the data into a series of password-protected archives allows exfiltration of large sets of data. Plus you can drop files on third parties’ servers without having to disclose the information. Unless your DLP solution rings a bell when such files get transported on your network, you will be blind.
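Both the DLP vendor's comment earlier in the thread (identifying encrypted Zip files, protected PDFs and protected Office documents by file type) and the comment above (password-protected archive series) come down to the same check: recognising an encrypted container on the wire without being able to read its contents. The following Python is an added illustration written for this thread, not code from the post's author or from any DLP product. It inspects raw bytes the way a content inspector would: for ZIP it walks the local file headers and reads the general-purpose flag bit 0 (traditional PKZIP encryption) and compression method 99 (the WinZip AES extension); for PDF it looks for an `/Encrypt` entry; for Office it looks for the `EncryptedPackage` stream name inside an OLE2 container. The sample files are constructed inline; the encrypted-ZIP sample is a hand-built header with a dummy payload, since `zipfile` cannot write encrypted entries.

```python
import io
import struct
import zipfile

# ZIP local file header: signature, version, flags, method, mtime, mdate,
# crc32, compressed size, uncompressed size, name length, extra length.
ZIP_LOCAL_SIG = 0x04034B50                     # "PK\x03\x04"
ZIP_LOCAL_FMT = "<IHHHHHIIIHH"
ZIP_LOCAL_LEN = struct.calcsize(ZIP_LOCAL_FMT)  # 30 bytes
ZIP_FLAG_ENCRYPTED = 0x0001                    # general-purpose bit 0
ZIP_FLAG_DATA_DESCRIPTOR = 0x0008              # sizes follow the data
ZIP_METHOD_AES = 99                            # WinZip AES encryption

PDF_MAGIC = b"%PDF"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OOXML_ENCRYPTED_STREAM = "EncryptedPackage".encode("utf-16-le")


def zip_encrypted_entries(data: bytes) -> list:
    """Return the names of entries whose local header marks them encrypted.

    Only the local headers are parsed, so no password and no central
    directory are needed; this works on bytes seen in transit.
    """
    names = []
    pos = 0
    while pos + ZIP_LOCAL_LEN <= len(data):
        (sig, _ver, flags, method, _mt, _md, _crc, csize, _usize,
         name_len, extra_len) = struct.unpack_from(ZIP_LOCAL_FMT, data, pos)
        if sig != ZIP_LOCAL_SIG:
            break  # reached the central directory (or non-ZIP bytes)
        name = data[pos + ZIP_LOCAL_LEN:pos + ZIP_LOCAL_LEN + name_len]
        if flags & ZIP_FLAG_ENCRYPTED or method == ZIP_METHOD_AES:
            names.append(name.decode("utf-8", "replace"))
        if flags & ZIP_FLAG_DATA_DESCRIPTOR and csize == 0:
            break  # size unknown until after the data; stop the walk here
        pos += ZIP_LOCAL_LEN + name_len + extra_len + csize
    return names


def pdf_is_encrypted(data: bytes) -> bool:
    # Heuristic: an encrypted PDF carries an /Encrypt entry in its trailer.
    return data.startswith(PDF_MAGIC) and b"/Encrypt" in data


def office_is_encrypted(data: bytes) -> bool:
    # Heuristic: a password-protected OOXML file is wrapped in an OLE2
    # compound file that contains an "EncryptedPackage" stream.
    return data.startswith(OLE2_MAGIC) and OOXML_ENCRYPTED_STREAM in data


def classify(data: bytes) -> str:
    """Verdict a content inspector could act on for one observed file."""
    if data.startswith(b"PK\x03\x04"):
        return "encrypted-zip" if zip_encrypted_entries(data) else "clear-zip"
    if pdf_is_encrypted(data):
        return "encrypted-pdf"
    if office_is_encrypted(data):
        return "encrypted-office"
    return "other"


# --- constructed sample files (not real captures) ---------------------------
def _zip_local(name: bytes, payload: bytes, flags: int) -> bytes:
    # Stored (method 0) entry with a hand-built local header.
    hdr = struct.pack(ZIP_LOCAL_FMT, ZIP_LOCAL_SIG, 20, flags, 0, 0, 0,
                      0, len(payload), len(payload), len(name), 0)
    return hdr + name + payload


_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("report.csv", "id,amount\n1,42\n")
CLEAR_ZIP = _buf.getvalue()

# One clear entry followed by one traditionally encrypted entry (flag bit 0).
ENCRYPTED_ZIP = (_zip_local(b"readme.txt", b"see part 01", 0)
                 + _zip_local(b"customers-part01.txt", b"\xaa" * 20,
                              ZIP_FLAG_ENCRYPTED))

ENCRYPTED_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
                 b"trailer\n<< /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF\n")

ENCRYPTED_DOCX = OLE2_MAGIC + b"\x00" * 64 + OOXML_ENCRYPTED_STREAM

if __name__ == "__main__":
    for label, blob in [("clear zip", CLEAR_ZIP), ("encrypted zip", ENCRYPTED_ZIP),
                        ("encrypted pdf", ENCRYPTED_PDF), ("encrypted docx", ENCRYPTED_DOCX)]:
        print(f"{label:14s} -> {classify(blob)}")
```

The walk deliberately stops at the first entry that defers its sizes to a data descriptor, and it only ever sees the first segment of a split archive (later segments carry no header at all), which is exactly the blind spot the comment above points at: header-based recognition catches the common cases cheaply, but an inspector that wants to be thorough has to pair it with the stream-level checks rather than rely on it alone.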
DLP and condoms? Neither is a 100% solution. Best results when used in conjunction with auxiliary monitoring.