They both work a heck of a lot better if you use them ahead of time.
I just finished reading the Trustwave Global Security Report, which summarizes their findings from incident response and penetration tests during 2009.
In over 200 breach investigations, they only encountered one case where the bad guy encrypted the data during exfiltration. That’s right, only once. 1. The big uno.
This makes it highly likely that a network DLP solution would have detected, if not prevented, the other 199+ breaches.
Since I started covering DLP, one of the biggest criticisms has been that it can’t detect sensitive data if the bad guys encrypt it. That’s like telling a cop to skip the body armor since the bad guy can just shoot them someplace else.
Yes, we’ve seen cases where data was encrypted. I’ve been told that in the recent China hacks the outbound channel was encrypted. But based on the public numbers available, more often than not (in a big way) encryption isn’t used. This will probably change over time, but we also have other techniques to try to detect such other exfiltration methods.
Those of you currently using DLP also need to remember that if you are only using it to scan employee emails, it won’t really help much either. You need to use promiscuous mode, and scan all outbound TCP/IP to get full value. Also make sure you have it configured in true promiscuous mode, and aren’t locking it to specific ports and protocols. This might mean adding boxes, depending on which product you are using. Yes, I know I just used the words ‘promiscuous’ and ‘condom’ in a blog post, which will probably get us banned (hopefully our friends at the URL filtering companies will at least give me a warning).
I realize some of you will be thinking, “Oh, great, but now the bad guys know and they’ll start encrypting.” Probably, but that’s not a change they’ll make until their exfiltration attempts fail – no reason to change until then.
Reader interactions
11 Replies to “What Do DLP and Condoms Have in Common?”
DLP and SSL…
It kind of sometimes works, but you have some problems:
– Show a trusted! certificate on behalf of the ssl server (gmail). This usually requires root authority certificate distribution to all endpoint.
– Know what certificate to show by IP and port only.
– Know what IPs and ports to monitor.
And it’s compromise the security of the ssl.
Condom anyone?
Roee