A small leak will sink a great ship: An Empirical Study of DLP solutions

Similar documents

Understanding and Selecting a DLP Solution. Rich Mogull Securosis

Defending Against Cyber Attacks with SessionLevel Network Security

Application Intrusion Detection

ITAR Compliance Best Practices Guide

External Supplier Control Requirements

AB 1149 Compliance: Data Security Best Practices

Five Tips to Ensure Data Loss Prevention Success

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

A Buyer's Guide to Data Loss Protection Solutions

How To Protect Your Data From Theft

ensuring security the way how we do it

White paper. Why Encrypt? Securing without compromising communications

Chapter 4 Application, Data and Host Security

Websense Data Security Suite and Cyber-Ark Inter-Business Vault. The Power of Integration

McAfee Data Protection Solutions

Where every interaction matters.

DATA LEAKAGE PREVENTION IMPLEMENTATION AND CHALLENGES

Lecture 15 - Web Security

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Master of Science in Information Systems & Security Management. Courses Descriptions

Turning your managed Anti-Virus

8070.S000 Application Security

Firewall Testing Methodology W H I T E P A P E R

RIA SECURITY TECHNOLOGY

SAST, DAST and Vulnerability Assessments, = 4

Intrusion detection for web applications

A Websense Research Brief Prevent Data Loss and Comply with Payment Card Industry Data Security Standards

Data Loss Prevention

locuz.com Professional Services Security Audit Services

Data Loss Prevention Best Practices for Healthcare

Identifying Broken Business Processes

Live-Hacking von Oracle- Datenbanken

Unified Threat Management, Managed Security, and the Cloud Services Model

2012 Data Breach Investigations Report

NETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9

Presentation for : The New England Board of Higher Education. Hot Topics in IT Security and Data Privacy

Office 365 Cloud App Security MARKO DJORDJEVIC CLOUD BUSINESS LEAD EE TREND MICRO EMEA LTD.

Active Network Defense: Real time Network Situational Awareness and a Single Source of Integrated, Comprehensive Network Knowledge

External Supplier Control Requirements

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

DISA's Application Security and Development STIG: How OWASP Can Help You. AppSec DC November 12, The OWASP Foundation

Data Loss Prevention. Keeping sensitive data out of the wrong hands*

Efficient Prevention of Credit Card Leakage from Enterprise Networks

FROM PRODUCT TO PLATFORM

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

RSA Data Loss Prevention (DLP) Understand business risk and mitigate it effectively

Implementation of Web Application Firewall

Protecting Your Organisation from Targeted Cyber Intrusion

Protecting personally identifiable information: What data is at risk and what you can do about it

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

Data Loss Prevention: A Holistic Approach. Sam D Amore, Principal Information Technology Security Office The Vanguard Group (

CPSC 467b: Cryptography and Computer Security

Is Your SSL Website and Mobile App Really Secure?

Next-Generation Firewalls: Critical to SMB Network Security

Defending Behind The Device Mobile Application Risks

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Presentation on Black Hat Europe 2003 Conference. Security Analysis of Microsoft Encrypting File System (EFS)

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

EXTENDING NETWORK SECURITY: TAKING A THREAT CENTRIC APPROACH TO SECURITY

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Data-Centric Security vs. Database-Level Security

Protecting Sensitive Data Reducing Risk with Oracle Database Security

How To Manage Security On A Networked Computer System

WEBSENSE TRITON SOLUTIONS

Citrix Solutions for Complying with PCI-DSS ENSURING PROTECTION OF WEB APPLICATIONS AND PRIVACY OF CARDHOLDER INFORMATION

How To Perform An External Security Vulnerability Assessment Of An External Computer System

Security vulnerabilities in the Internet and possible solutions

Computer Security. Draft Exam with Answers

Aiming at Higher Network Security Levels Through Extensive PENETRATION TESTING. Anestis Bechtsoudis. abechtsoudis (at) ieee.

Securing enterprise collaboration through and file sharing on a unified platform

MySQL Security: Best Practices

Websense Web Security Gateway: Integrating the Content Gateway component with Third Party Data Loss Prevention Applications

Web App Security Audit Services

REVOLUTIONIZING ADVANCED THREAT PROTECTION

Security, Privacy, and the Effects of Ubiquitous Encryption. Kathleen Moriarty Security Area Director (1 of 2) (Speaking for myself, not the IETF)

Security Advisory. Some IPS systems can be easily fingerprinted using simple techniques.

Security Goals Services

Advanced ANDROID & ios Hands-on Exploitation

Application Code Development Standards

OWASP Mobile Top Ten 2014 Meet the New Addition

Executable Integrity Verification

ENABLING FAST RESPONSES THREAT MONITORING

Security Services. 30 years of experience in IT business

WHITEPAPER. Nessus Exploit Integration

Transcription:

A small leak will sink a great ship: An Empirical Study of DLP solutions Matthias Luft, Thorsten Holz {mluft thorsten.holz}@informatik.uni-mannheim.de

Agenda Problem Statement Motivation Key Concepts Evaluation Criteria & Test Cases Evaluation Results

Problem Statement To lose controls over one s own data is the primal fear of the digital age. Organizations and individuals want to prevent leakage of Trade secrets ( the Coca Cola formula ) Marketing plans / financial data Data that is regulated by laws (e.g. HR data) Data to be protected for some flavor of compliance (credit card nos.) Embarrassing stuff (your private poems from adolescence ;-)

Case Studies

Case Studies

Case Studies

Case Studies

Case Studies

Johnson & Dynes: Inadvertent Leakage They examined data that was published by accident to a P2P Network. This data is still available ;-)

Definition of Key Concepts

DLP term Data Loss Prevention Data Leakage Prevention Extrusion Prevention Content Monitoring and Filtering Data Loss Protection

Referring to Rich Mogull, DLP suites are products that, based on central policies, identify, monitor, DLP definitions and protect data at rest, in motion, and in use, through deep content analysis.

Leakage Using the case studies, the following definition explains the term leakage in more detail Data Leakage is from the owner's point of view unintentional loss of confidentiality for any kind of data

Evaluating DLP Suites

How to evaluate a DLP suite? Find weaknesses in DLP [suites] But: What are weaknesses in terms of DLP? Buffer overflows in endpoint agents? SQL Injections in the Webinterface? Format string attacks on parsers?

Three main questions Is accidental leakage still possible? Is it possible to subvert the solution? Are there any design flaws?

DLP Test Cases

Test cases Identify Are all methods to match data properly working? RegEx (Cyclic) Hashing Are all file extensions handled properly? Are unknown data structures handled properly? Is encrypted data handled properly?

Test cases Monitoring Are all removable devices (USB, floppy disc, CD) monitored properly? Are all file systems monitored properly, including all special functionalities? Are all network protocols (Layer 2/3/4) handled properly? Are all intercepting network devices monitored properly? Is there a possibility to decrypt files using an enterprise encryption system?

Test cases Reacting Is sensitive data blocked? Are all incidents reported properly? Are there reaction or blocking rules? Allow reaction rules race conditions? Is there a firewall/proxy integration to block network connections?

Test cases Design Is all sensitive traffic encrypted? Can vulnerabilities be easily found using simple vulnerability assessment methods? Are all access rights set properly?

Evaluation

Evaluated Solutions Focus on removable storage media McAfee Host Data Loss Prevention Formerly Reconnex Quite new product Integrates perfectly in AV/ePO landscape Websense Data Security Suite One of the market leading products Stand alone product

Result overview Test McAfee Websense Textfile/Basic recognition Filename PDF Word/Excel embedment Compression Unknown MIME Type Metadata NTFS Alternate Data Stream Third Party Filesystems Multiple partitions Secure reaction Encryption Fuzzing Huge files

Test of basic functionality

Results: MIME type

Results: Metadata

McAfee: Filename

McAfee: Multiple partitions

McAfee: Secure reaction

McAfee: Secure reaction

Websense: Reporting

Evaluation summary Test McAfee Websense Textfile/Basic recognition Filename PDF Word/Excel embedment Compression Unknown MIME Type Metadata NTFS Alternate Data Stream Third Party Filesystems Multiple partitions Secure reaction Encryption Fuzzing Huge files

Further work Evaluation of more DLP solutions Evaluation in depth: Network & discovery functionality Vulnerability assessment It s very likely that there are some ;-) Creation of a DLP checklist Questions to ask your DLP vendor

Summary Both evaluated solutions contained vulnerabilities It s all about risk Vendors did not react for a very long time Deployment will very likely cause lots of problems in most environments Missing information classification Missing awareness of employees Missing infrastructure to apply such a huge solution in a safe way

Questions!

Thank you for your attention!