Thursday, December 9, 2010

Being honest about DLP in light of evolving malware and insider risk

We were recently posed the following question on a DLP message board: 


Zeus and other trojans today encrypt data before they get sent over regular channels (HTTP) to the drop sites. It's also easy for users to install open source encryption software (e.g. TrueCrypt) and encrypt files before they get copied to USB drives. 
The issue here is that DLP relies on content analysis and packet inspection, but if it can't be understood, DLP doesn't seem to be helpful. Short of draconian measures like blocking all USB ports or blocking all data that cannot be identified, are there practical ways that DLP or other means can help?
For the sake of discussion, let's leave aside techniques like better access control, application whitelisting, or tighter file permissions for now. I'd also like to leave aside data-at-rest scanning to preemptively encrypt and/or move to secure locations. The assumption is that users keep copies of sensitive files on their local PCs, unencrypted. Let's assume we're talking about a typical large enterprise that can't force their employees to only use certain applications and can't prevent them from using social networking sites.

Mark Mahovlich, Director of Business Development at Attevo, provides his insight:

Outside of the obvious choice of disabling the administrative capabilities of a managed endpoint, the reality is you would have to deploy one, I say all, of the following content security practices:
  1. Endpoint Controls - If you have the right endpoint technology deployed, you can stop the user action before it moves to the encrypt or transmit phase. Policy would define enforcement action based upon the content and the end user activity. For example, "Deny the ability to copy and paste confidential data (even a subset of the data) into any unapproved application (email, IM, HTTP post, etc.)." In your case, "deny any encryption activities that are not my company-approved encryption technology." This would stop any third-party encryption, and allow you to automatically decrypt and scan data content (for compliance to Policy) for anything the end user did encrypt manually.
  2. Content Gateway - Deploy Content Gateway technology that is capable of decrypting SSL-encrypted traffic. Why is this important? Google Mail. In this use case, we will assume the endpoint is not being managed, and hence does not have any ability to block end user activities with confidential data (as in #1). The end user accesses Google Mail and attaches a confidential document or pastes confidential data into the email. Because Google Mail is SSL-encrypted traffic, most DLP solutions would not be able to monitor, identify and take action on the confidential data per Policy. Therefore, you need a Content Gateway to decrypt the Google Mail traffic, allowing your DLP solution to analyze the confidential data and provide enforcement actions per Policy.
  3. DLP Network Monitor - Deploy a DLP solution that allows you to monitor, analyze and enforce action on network protocols (HTTP, HTTPS, FTP, IM, SMTP, CIFS, NFS, and other P2P channels). The solution would detect traffic that was encrypted using a third-party product, and would be set by Policy to deny that transmission.
Why all three layers?  It provides as much Risk Mitigation as possible, given that end users will find many paths to send data and perform their job function.  Most data leakage is simply misuse (see the Secret Service Findings for hard data).  However real life experience tells us that the truly malicious end user will try more than one channel to reach his goal.  People are very creative. 


In addition, technology moves at a rapid pace. As seen in the Google example above, organizations will go to great lengths to secure their application-driven revenue. Consider the security concerns and breaches being seen today simply with Web 2.0 technologies. What will Web 3.0 bring? Single-point solutions simply will not provide the coverage necessary for an organization to adequately protect itself.
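Mark's third layer relies on the monitor being able to tell that a payload is encrypted with something other than the approved product. The usual first-pass test is byte entropy: ciphertext is statistically indistinguishable from random bytes, while text and most documents are not. The script below is an added illustration of that triage and is not code from the original post or from Attevo; the threshold, the list of magic bytes and the sample payloads (with `os.urandom` standing in for ciphertext) are assumptions chosen for the example. It also shows the failure mode the questioner is worried about: headerless compressed data scores just as high as ciphertext, so "block everything unidentifiable" has a real false-positive cost.

```python
"""Entropy triage for DLP: flag payloads that cannot be content-inspected."""
import math
import os
import random
import zlib
from collections import Counter

# Threshold in bits per byte. Assumption for this example: English text sits
# around 4-5, base64 around 6, ciphertext and compressed data above 7.5.
HIGH_ENTROPY = 7.2

# Leading bytes of common compressed or container formats (assumed list).
# These are high-entropy too; route them to a format-aware scanner rather
# than treating every zip or PDF as "encrypted".
KNOWN_MAGIC = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"\x78\x9c": "zlib",
    b"\x78\xda": "zlib",
    b"%PDF": "pdf",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG": "png",
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes) -> str:
    """Triage a payload before content inspection.

    Returns one of:
      'empty'              nothing to inspect
      'known-format:<fmt>' recognised container; unpack it, then inspect
      'text'               low entropy; send straight to the content analyser
      'opaque'             high entropy and unrecognised: encrypted or unknown
                           binary, so content analysis cannot help
    """
    if not data:
        return "empty"
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return "known-format:" + name
    if shannon_entropy(data) >= HIGH_ENTROPY:
        return "opaque"
    return "text"


def build_samples() -> dict:
    """Constructed payloads standing in for files caught on a USB copy."""
    rng = random.Random(1)
    words = ["customer", "account", "balance", "ssn", "report", "quarter",
             "the", "of", "confidential", "invoice", "total", "approved"]
    memo = " ".join(rng.choice(words) for _ in range(20000)).encode()
    # Raw deflate (negative wbits) emits no zlib header, so nothing marks it
    # as compressed; to the entropy test it looks exactly like ciphertext.
    raw = zlib.compressobj(9, zlib.DEFLATED, -15)
    return {
        "memo.txt": memo,
        "memo.zlib": zlib.compress(memo),
        "memo.deflate": raw.compress(memo) + raw.flush(),
        # os.urandom stands in for ciphertext: well-encrypted data is
        # indistinguishable from random bytes, which is the whole problem.
        "vault.bin": os.urandom(4096),
        # Constructed: a zip header in front of random bytes, to show that
        # the magic-byte check fires before the entropy test does.
        "archive.zip": b"PK\x03\x04" + os.urandom(4096),
    }


def triage(samples: dict) -> dict:
    """Map each sample name to its classify() verdict."""
    return {name: classify(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage(build_samples()).items():
        print(f"{name:14s} {verdict}")
```

Running it, the memo is "text", the zlib-wrapped copy is recognised by its header, and both the random bytes and the headerless deflate stream come back "opaque". A monitor that denies "opaque" transmissions therefore blocks TrueCrypt containers and Zeus-style encrypted posts, but also blocks any unknown binary format and any compressor that strips its header; the bytes alone cannot separate those cases. That is why Mark's endpoint layer matters: on a managed host the reliable signal is which process produced the bytes and whether it is the approved encryption tool, not the entropy of what it wrote.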
