Comments on TaoSecurity Blog: Data Leakage Protection Thoughts
Blog author: Richard Bejtlich (comment feed last updated 2023-10-16)

----------------------------------------------------------------------

Venious, 2009-02-10 00:23 -05:00

Yep, Data Leakage (Loss) Prevention is really just another method of enforcing policy. And you are correct, it's just a nice marketing term for extrusion detection; however, I think DLP is best managed by the owner of an edge service and/or by the data owners themselves. For example, if the policy is that no SSNs will leave the company via SMTP or HTTP unencrypted, the email gateway is then configured to force encryption on the message before handing it to the remote domain, and an HTTP POST of the SSN is rejected by the proxy. There are lots of other options, but I really think this level of data detail would be too much for an NSM team to support.

----------------------------------------------------------------------

Anonymous, 2009-02-05 03:59 -05:00

My response ended up too long, so I moved it to my blog; you can find it at http://singe.za.net/blog/archives/972-A-Response-to-Bejtlich-on-DLP.html

----------------------------------------------------------------------

Anonymous, 2009-02-03 22:43 -05:00

I agree with several commenters and disagree with others, so here it goes:

I am very much a supporter of DLP products as a level of protection for general users. I also agree that DLP isn't the answer to all your problems.

I see DLP tools as a technology solution to help drive awareness and behavior patterns. More a "front end" tool. Policies used in these tools can help reduce significant gap areas that network and log monitoring aren't going to cover all the way. Examples: CD burning, USB writing, emailing files, and uploading classified data to websites. To me this can also be leveraged as a Security Awareness tool that helps when you can't do presentations 24 hours a day.

This being said, I have reservations on network-based DLP products and lean more toward the client side. I do not see this as a replacement for personal firewalls, antivirus, or anti-malware tools. I would have serious doubts over any "single-client" product that would profess to cover all those areas.

My experience with client-side DLP tools is that it is very intrusive (+ and - on that), but once you get past the configuration hurdles (standard in a number of products) it has proven on several occasions to be very enlightening to those using it in terms of what was "thought" to be happening versus what was "really" happening. Very helpful when explaining to a non-technical crowd as they see data flying out the door.

I think NSM has the potential to be a good complement to DLP, but will reserve commentary on it as a replacement until I see the end results of an ongoing implementation.

Fortunately I will have the opportunity to see both sides.

PS - I second Kevin Rowney's comment: "The threat surface is actually quite complex and not so simple as 'stupid-employee' vs. 'evil genius hacker'."

----------------------------------------------------------------------

Unknown, 2009-02-03 17:12 -05:00

I think you and other commenters above hit this one properly.

To me, "DLP" is nothing more than the continued marketing spew of antivirus -> antispyware -> antimalware -> HIPS -> endpoint security -> DLP... Basically the same product, bloated.

It does fine on the surface, but anything below that is weak or hard to analyze. Anyone with a proper security environment won't need DLP anyway. It's just the same old HIPS product with some endpoint security pieces tacked on, most of which should be done anyway by system management tools or LDAP-pushed policies.

----------------------------------------------------------------------

Unknown, 2009-02-03 14:54 -05:00

http://en.wikipedia.org/wiki/Security_theater

----------------------------------------------------------------------

Anonymous, 2009-02-03 02:57 -05:00

DLP is part of the problem, not part of the solution.

It is an impossible exercise: if you have the capability to read data, you have the capability to copy it, some way or another. It is folly to pretend otherwise.

The best one can hope for with DLP is that it will help you tell a more convincing lie to an auditor, regulator or judge about "due diligence".

As a product category it's guaranteed to be an expensive, distracting failure. That money and productivity are flushed away on products that can fundamentally deliver nothing but a CYA story (the MORE it costs, the more it shows you care!) -- that the entire category of DLP has even the tiniest shred of credibility and legitimacy -- is a perfect example of the problems of fossilized corporate infosec.

Let us just pray that these jokers don't manage to ensconce themselves as a required best practice in government, PCI or audit requirements.

----------------------------------------------------------------------

Anonymous, 2009-02-02 18:44 -05:00

When I began analyzing network traffic via NSM, management was extremely worried about the data leakage being detected, especially data leaked from inside to outside the corporate network via IM, FTP, etc.

When management directed me to investigate data leakage protection/prevention (B/F/D), it quickly became apparent that whatever risk mitigation these systems provided would be trumped by the business impact of administering the system. The anticipated increase in first-level help desk calls alone was nightmarish.

On the other hand, I did not find the "inspect and log" modes to be terribly verbose or challenging to handle. I agree that there was a fair amount of asset understanding involved in making data leakage detection systems useful, to the extent that they are a poor candidate for outsourcing/MSSP, but I cannot imagine that an organization which can manage an NSM infrastructure would not be able to manage a DLP infrastructure.

In the end, I didn't find much that the DLP systems had to offer in "inspect and log" mode compared to SGUIL. Vigilance, some clever Snort rule writing, and user training on data leakage will go a long way toward managing the "stupid" leakage.

----------------------------------------------------------------------

Anonymous, 2009-02-02 18:44 -05:00

Yes, DLP does plenty of "stopping stupid" and in many large-scale deployments does so in what you call b/f/d mode.

DLP has also busted numerous id-theft rings, corrupt employees, and hackers.

The threat surface is actually quite complex and not so simple as "stupid-employee" vs. "evil genius hacker".

@Gunnar: AAA is baseline protection, but field results from DLP deployments clearly indicate this is a low hurdle to clear. More detail on that here: https://forums.symantec.com/t5/Data-Loss-Prevention/Six-Myths-of-Information-Security-cont-d/ba-p/369261#A14

----------------------------------------------------------------------

Anonymous, 2009-02-02 16:13 -05:00

Was about to comment, then I had a brief spell of ROFL when I read the "Let's stop them at our firewall." comment.

To answer questions on hearing demand for "DLP": sure, but I just chalk it up to InfoSec's endless Silver Bullet quest, where they reach for the stars and deliver next to nothing.

Here is a crazy idea: what if we put authentication, authorization, and auditing into our systems?

----------------------------------------------------------------------

Anton Chuvakin, 2009-02-02 13:50 -05:00

"DLP is not going to stop anyone who is not stupid"

Maybe. So, let's define 'stupid' a bit.

1. Negligent employee?
2. Script kiddie?
3. A not-so-skilled attacker who is still beyond a SK?

Or?