It’s 2012 (didn’t I already say that on Wednesday?) and the reality of 2011’s shifting security landscape should have set in by now. As much as many of you may want to go back to the days of worrying about Anti-Virus definition files, basic patching, and a single border firewall as the makeup of your entire security posture, its time to take a serious look at how you will plan your defenses for 2012.
One defensive technologies that is getting another look is Data-Loss Prevention (DLP) ((John Kindervag from Forrester just released some research on Rethinking DLP that is pretty interesting as well, especially his DLP Maturity Grid.)). By itself, an implementation of DLP can go a long way to prevent serious issues in simple to moderately complex IT environments—but the bad guys are better than that. They know ways to hide the ex-filtration of information in ways that will look like legitimate traffic to your porous border controls.
Civilian Technician Inspects Circuit Board at Army Aviation Centre Middle Wallop, by UK Ministry of Defence
Corporate IT users today have an unjustified sense of entitlement. They feel they are entitled to use corporate assets for whatever they wish, regardless if it contributes to their job or not. How many corporate citizens with company-issued phones have called or texted loved ones? How about the week after thanksgiving—shop much? Every corporate user is guilty of doing this because we’ve let them do it for years. And why not? The environment ten years ago was nothing like today! Browsing most websites wasn’t a big deal—except for productivity levels of course—and the worst IT offenders were typically handled by HR after we investigated their usage.
In the last several years, we’ve seen more companies deploy filtering products to help protect their IT assets against known threats. DLP is one of those, but as with many walls, it needs help to be effective. Many companies block popular personal email and social media sites because they fear accidental (or intentional) information disclosure. I’m sure that every new site added to a “block list” creates a flurry of hate directed back toward IT and IS.
The use of corporate IT systems is a privilege, not a right.
Let’s say that you deployed DLP on your network to watch for certain types of information entering and leaving your infrastructure. What happens when a legitimate user goes to an SSL-enabled site to purchase something? Do you proxy your SSL and inspect it? Do you match the URL against an “OK to use” list? What about a site that presents an SSL certificate, but isn’t known to be a legitimate website and the certificate is self-signed? And if you get an agent to the user’s corporate desktop, is it actually functioning as an enforcement point or just used for policy violation tracking?
DLP by itself is useful, but it can be so much more effective when paired with a few other controls. Before you can start building and enabling other controls, however, you must know what NORMAL looks like in your infrastructure. Server-to-server traffic is easier to find because it typically has firewall rules associated with it whereas desktop-to-server will just look like SSL or HTTP traffic over ports 443 and 80. Do you proxy your SSL traffic so you can inspect it? If not, consider it. That might be a good way to see if data is being moved while masquerading as legitimate traffic.
filter flower, by tonx
What about other outbound access, do you filter and/or inspect it? Can someone FTP files from your infrastructure to a site somewhere on the net? How about SSH, do you get detailed enough to know the difference between a legitimate HTTP session and someone using SSH over port 80? Do you tie that information back to other anomalies in your environment to provide context to your decision makers? Do you 0nly allow access to sites relevant for business or can someone research products, buy personal airline tickets, and set their fantasy football lineup from their corporate device?
DLP as a technology has been beat up over the years as a luxury product that doesn’t deliver upon expectations. Sure, every DLP solution out there has positives and negatives, but that’s because it’s not a silver bullet technology. It is one of the many tools you need in order to really do this stuff the right way. Deploying it well is preventative work—a type of work we should prioritize as it leads to less unplanned work down the road ((I’m implementing a Personal Kanban system right now, and reminiscing of my days of The Goal.)).
Possibly Related Posts:
- Selective Domain Filtering with Postfix and a SPAM Filtering Service
- Preventing Account Takeover, Enable MFA!
- Proofpoint Patches URL Sandbox Bypass Bug
- Improve Outbound Email with SPF, DKIM, and DMARC
- Life after G-Suite/Postini