5

How do you prevent confidential information from leaving the network?

Nowadays online storage facilities are in abundance. e.g. Google Drive, One Drive, etc. Any employee can just upload sensitive information to these sites for storage. This is just one example. Other examples maybe to store such information to USB and bring out of office.

I am thinking of implementing DLP for such purposes. How easy is it to do this and what are some considerations? Is it an expensive solution? Are there any other cheaper alternatives if DLP solutions are expensive?

Anders
  • 65,582
  • 24
  • 185
  • 221
JinPangPang
  • 1,951
  • 2
  • 17
  • 27

2 Answers2

11

The key point here is that any security is only as strong as its weakest link.

Be clear from the start whether you are protecting against:

  • inadverent leaks by clueless or forgetful users or
  • against intentional leaks by motivated adversaries

The former are easier to protect against. But to design an effective & practical solution against the latter is a very challenging job. Don't let the colorful whitepapers from the Vendor's Sales guys fool you.

I'll illustrate using examples: I've seen organizations spend a lot on network based filtering and flagging solutions only to find after an incident that the guilty party used encryption (making even deep packet inspection moot). In another case encryption was stymied using end point protection running on the client PC's only to discover how this hampers encryption of data that ought to have been legitimately encrypted by the users.

One Firm decided to incorporate a complex hierarchy of role based security where access to many sensitive documents had to be authorized by a second person who was higher up in the hierarchy. In practice, this caused so many operational difficulties that a lot of sensitive documents ended up giving blanket clearances to dozens of guys thereby obviating any usefulness of the system.

In one case all the network and end point solutions seemed in place but mobile devices were not very closely controlled so any motivated adversary could just use those to leak out sensitive data. Even if you are mandating only company issued mobile devices have you disabled USB ports and Bluetooth and even cameras on them?

In some third world leaks I've seen reports where the modus operendi was quite low tech and involved printing lists of clients and other sensitive data and sneaking out actual printouts over an extended duration. Ironically the site actually had security frisking but sadly they were watching for USB keys, cellphones, hard disks and such. Paper printouts were never checked by the security guys.

The point is that a lot of these loopholes can indeed be blocked with some effort but one has to realize that most effective protection strategies will involve the downside of making legitimate use more inconvenient.

There's this convenience versus security trade-off and every organization must decide at what point of this trade-off curve does it want to live at. Even better, your chosen solution should have the granularity to set the right trade-off at site or even department or person level and not some blanket organization wide policy. The latter rarely work out well in practice.

PS. Every vendor will show case the wizardry of its own product but it is important to have a holistic view and the right question often is: Can the very medium this expensive security software is dedicated to protecting be entirely bypassed by an adversary? e.g. Network based protection is of very little use if USB sticks are being allowed

curious_cat
  • 1,023
  • 1
  • 11
  • 18
2

As curious_cat said you need to take a holistic veiw of this, you have many separate but connected issues at play here. Below is general rundown of how I would take on this task.

First and formost you should be looking at data architecture, the how, where and whys your data is stored where it is, ideally sensitive data should be segmented and have tightly controlled ACL's placed upon it.

Web filtering, IDS/IPS and firewalls will allow you to granularly control user (and machine) generated traffic coming in and out of the network.

Snort can be configured with rules specific to your needs, including preventing and spotting data exfiltrarion from a specific location, although this may prove limited.

Likewise a DLP solution can act as a dedicated service for this. MyDLP is open source, you can get a free tier or a paid tier.

Additionally you could use a SIEM solution with specially crafted rules to spot any anomalous or not-permitted activity. For example a use case can be developed to catch users or machines inserting removable media and copying to it.

The best way to do this is to look at what you want to do and what (if anything) you need to be compliant with. Then break it down in to discreet objectives and tackle them one at a time.

TheJulyPlot
  • 7,829
  • 6
  • 32
  • 44