Archive for May, 2011

Data loss protection - what it does not cover

Thursday, May 26th, 2011

It is very interesting to know and talk about data loss protection. But there are some things that, as of now, are not possible unless you can bear a huge cost. How and why? Please read below.

Data loss protection can protect data deemed confidential and also trigger an incident. This is nice for a huge corporation that is busy dealing with IP, knowing its business well, and busy selling and making its revenue target. When corporations are busy with this, it is quite possible that employees, knowingly or unknowingly, send out data that is considered confidential. Ideally the data should be protected in the sense that it should not be sent out, and if it is sent (by email, copied to a USB drive, sent as a file, copy-pasted into chat, etc.) it should be filtered, and management or the information security team needs to know.

(At one of our client companies, 5 people were walked out as they forwarded the CEO's email about the business direction and how this Qtr they would make money, etc. The CEO himself acknowledged it - thanks to data loss protection.)

How did this all happen? Data loss protection taps (inserted inline with the ingress and egress traffic) filter out emails, and based on the keywords in the email, DLP triggers an action and perhaps an incident. (The other option for companies that have Symantec is Endpoint, a DLP agent on each and every endpoint such as desktops, laptops, etc.)

So, what does it not accomplish? Can an end user open a secure shell? Can a user open HTTPS over 443 and send some confidential data? Yes and no. It mainly depends on your infrastructure.

Let's take Symantec's DLP solution. Symantec has an 'Endpoint' product that is an agent installed on every desktop/laptop and also on network devices. When an end-user opens an SSH session, the endpoint takes over and opens the connection to the destination website. Since Endpoint can read every byte of the packet, if the end-user sends confidential data, Endpoint will let the user know or silently discard it, based on the policy. This makes the end-user think that he sent the email with the confidential data. This costs a lot, and also, not every site's certificate is noted, so Endpoint falls short and the end-user is still able to send confidential data via HTTPS.
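To make the keyword filtering and the HTTPS blind spot above concrete, here is an added Python example (not the post's own code and not Symantec's) of a small DLP inspector run over constructed outbound events. The policy keywords, the PROJ-nnnn project-code format and the per-channel actions are assumptions, and the https payload is a constructed stand-in for a TLS record that a tap without decryption cannot read.

```python
import re
from dataclasses import dataclass

# Hypothetical policy (assumption): keywords the tap looks for in an email
# body, plus a constructed internal project-code format.
KEYWORDS = ("confidential", "business direction", "revenue target")
PATTERNS = [re.compile(r"\bPROJ-\d{4}\b")]

# Per-channel action, as the post describes for Endpoint: tell the user,
# or silently discard. The mapping is an assumption.
ACTIONS = {"email": "notify", "chat": "notify", "usb": "discard", "https": "notify"}

@dataclass
class Event:
    channel: str    # email, chat, usb, https
    payload: bytes  # the bytes the tap or agent actually sees

def find_matches(text: str) -> list[str]:
    """Return the policy keywords and pattern hits found in plaintext."""
    lower = text.lower()
    hits = [k for k in KEYWORDS if k in lower]
    hits += [m.group(0) for p in PATTERNS for m in p.finditer(text)]
    return hits

def inspect(event: Event):
    """Inspect one outbound event; return an incident dict or None."""
    try:
        text = event.payload.decode("utf-8")
    except UnicodeDecodeError:
        # Ciphertext (a TLS record seen by a tap that cannot decrypt) is
        # not text, so keyword filtering has nothing to match against.
        return None
    hits = find_matches(text)
    if not hits:
        return None
    return {"channel": event.channel, "hits": hits, "action": ACTIONS[event.channel]}

def run_policy(events: list[Event]) -> list[dict]:
    """Run the inspector over a batch and collect the incidents raised."""
    return [i for i in (inspect(e) for e in events) if i is not None]

# Constructed sample traffic. The https payload is an opaque stand-in for a
# TLS application-data record; its 0xff bytes can never decode as UTF-8.
SAMPLE_EVENTS = [
    Event("email", b"FW: CEO update - CONFIDENTIAL: this Qtr revenue target is ..."),
    Event("chat", b"pasting the PROJ-1234 plan here, don't share"),
    Event("usb", b"quarterly photos from the offsite"),
    Event("https", bytes.fromhex("1703030010ff8e21a0c4d97b03e5f21c8d4a6bff")),
]
```

Calling run_policy(SAMPLE_EVENTS) raises incidents for the email and the chat paste only; the USB copy has no hits, and the https record is never matched, which is exactly the gap the post describes.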

The other way to do this is to install a tap that can decrypt and re-encrypt the traffic, i.e. perform a 'man-in-the-middle' attack on it.

The firewall should be loaded with the certificate when the end-user opens a new HTTPS site. Hence the firewall will be able to decrypt the packets. It is an expensive option, but you can make it happen.

So, if you have the money, you can accomplish this, since DLP by itself does not provide clear filtering of packets that are sent via HTTPS.

Let me know if I am wrong and something has appeared that can filter the packets and accomplish DLP.