Data Leak Prevention as protection from intentional theft or disclosure?

Data Leak Prevention is yet another hyped technology. These are solutions that aim to protect sensitive corporate data from being disclosed or stolen, or more formally to

“protect data at rest, in motion, and in use through deep content analysis”.

The technology is similar to Intrusion Prevention both in name and in its means (content analysis). The main difference is that it looks for indications of leaking data instead of attacks. Here is a great six-part overview of these products by ex-Gartner analyst Rich Mogull.

Somehow I’m pessimistic about these solutions. The simple reason is that it is reasonable to assume that a person intent on leaking data would at least take some action to do it stealthily. Some simple actions that cause problems for these solutions would be to:

  • Transfer the information over protocols other than the standard messaging protocols such as HTTP, SMTP or IM. Why not use Cryptcat, DNS, ICMP or another covert channel? Or chop it up and send it over many different protocols?
  • Use another physical means of transport. Why not save it on a floppy, CD-ROM or USB drive, or beam it to a PDA? Take a photo of it, or just try to remember it?
  • Modify the information. Why not rename or resave the file, translate the information into another language, or encode or encrypt it?

The failure to combat these is why some argue that DLP solutions are limited to preventing mistakes rather than intentional leaks. I suppose problems with credit-card and identity theft are driving companies to invest in these solutions, along with the belief that these systems will act as another layer when their intrusion prevention systems fail them.
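To make the "modify the information" bullet concrete, here is a Python example added to this post as an editorial illustration; it is not code from the original post or from any DLP product. It builds a toy content-inspection rule set (a keyword rule and a Luhn-checked card-number rule, the kind of "deep content analysis" the quoted definition refers to) and runs it against the transformations listed above: base64 encoding of the whole message, a letter-only substitution (ROT-13), chopping the message into fragments that each travel separately, and encryption. The sample message, the 4111 1111 1111 1111 number (the well-known test card number, not a real card), the fragment size and the SHA-256 keystream that stands in for a real cipher are all constructed for the example.

```python
"""Toy content-inspection DLP engine versus the evasions listed in the post.

Everything here is constructed for illustration: the sample message, the
4111 1111 1111 1111 number (the well-known test card number, not a real card),
the fragment size and the SHA-256 keystream that stands in for a real cipher.
"""
import base64
import codecs
import hashlib
import re

# Constructed sample of "sensitive" content: a keyword and a Luhn-valid card number.
SAMPLE = "CONFIDENTIAL card 4111 1111 1111 1111"

KEYWORD_RE = re.compile(r"\b(confidential|internal only)\b", re.IGNORECASE)
# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
BASE64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum over the digits in candidate; separators are ignored."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def inspect(payload: str) -> set[str]:
    """Naive DLP rule set: pattern matching over one message as seen on the wire."""
    hits = set()
    if KEYWORD_RE.search(payload):
        hits.add("keyword")
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(payload)):
        hits.add("card")
    return hits


def inspect_deep(payload: str, max_layers: int = 4) -> set[str]:
    """Hardened rule set: peel base64 wrappers before matching, and flag content
    that cannot be reduced to readable text as 'opaque' instead of passing it."""
    hits = inspect(payload)
    current = payload.strip()
    for _ in range(max_layers):
        if len(current) % 4 != 0 or not BASE64_RE.fullmatch(current):
            break                           # not base64: nothing more to peel
        try:
            decoded = base64.b64decode(current, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            hits.add("opaque")              # decodes to non-text: cannot inspect
            break
        if sum(c.isprintable() for c in decoded) < 0.9 * len(decoded):
            hits.add("opaque")
            break
        hits |= inspect(decoded)
        current = decoded.strip()
    return hits


# --- What a leaker who wants to be stealthy can do (the post's third bullet) ---

def base64_wrap(text: str) -> str:
    """Encode the whole message, e.g. as an HTTP POST body."""
    return base64.b64encode(text.encode()).decode()


def rot13(text: str) -> str:
    """Letter-only substitution: hides keywords, leaves digit patterns intact."""
    return codecs.encode(text, "rot_13")


def chop(text: str, size: int) -> list[str]:
    """Chop the message into fragments that each ride a separate request or
    DNS query; no single fragment contains a full keyword or card number."""
    return [text[i:i + size] for i in range(0, len(text), size)]


def encrypt(text: str, key: bytes) -> str:
    """Stand-in for real encryption: XOR with a SHA-256 counter keystream,
    base64-encoded for transport. Only the key holder can recover the text."""
    data = text.encode()
    stream = b"".join(
        hashlib.sha256(key + n.to_bytes(8, "big")).digest()
        for n in range(len(data) // 32 + 1)
    )
    return base64.b64encode(bytes(a ^ b for a, b in zip(data, stream))).decode()


if __name__ == "__main__":
    fragments = chop(SAMPLE, 8)
    cases = {
        "plaintext": SAMPLE,
        "base64": base64_wrap(SAMPLE),
        "rot13": rot13(SAMPLE),
        "reassembled": "".join(fragments),   # what session-level reassembly sees
        "encrypted": encrypt(SAMPLE, b"constructed demo key"),
    }
    for name, payload in cases.items():
        print(f"{name:12} naive={sorted(inspect(payload))} deep={sorted(inspect_deep(payload))}")
    print("fragments    naive=", [sorted(inspect(f)) for f in fragments])
```

Running it shows the split the post is getting at: the naive per-message inspector catches the plaintext, misses the base64-wrapped message and every individual fragment, and still catches the card number after ROT-13 because a letter substitution does not touch digits. Peeling encoding layers and reassembling a session's fragments before matching recovers the encoded and chopped cases, but against encryption the engine can do no better than report that it was handed something it cannot read, which is where endpoint agents and egress controls (the point raised in the comments) have to take over.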

2 Responses to “Data Leak Prevention as protection from intentional theft or disclosure?”

  1. Michael Schmidt
    25. January 2008 at 13:02

    I agree with most of your points.

    Reg. export on floppy, CD-ROM, USB drive etc.:
    Endpoint-based DLP systems (e.g. systems that install an agent on the endpoint) typically do address this threat.

    I think it is important to understand and accept that DLP will not efficiently address intentional, malicious data export, performed by IT experts. It’s simply too easy to camouflage the data to be exported using a coding scheme (e.g. ROT-13) that the DLP system does not understand, or to export the data via a channel that the DLP system does not (yet) cover. Hence, the DLP system will only stop inexperienced malicious users.

    However, a DLP system will add substantial value in the following areas:

    1. Training of innocent users who would inadvertently leak confidential data, by pointing them to a potential problem. For instance, certain DLP systems pop up a dialog that explains the problem, possibly prompts the user to enter an explanation for the intended export, which is logged centrally.

    2. Performing an assessment of the existence and actual handling of confidential documents within the corporate IT infrastructure. This is achieved by logging any export of confidential data over a certain period of time without further sanctions. Alternatively, many DLP products offer the opportunity to scan the corporate IT infrastructure for the existence of confidential documents. This is performed without any interception of actual document exports. Evaluation of the results will help IT to introduce and enforce proper secure workflows for confidential documents (e.g. encryption on export).

    3. Meeting compliance regulations (esp. in the US): using a DLP system will help to meet regulations like Sarbanes-Oxley, HIPAA etc.

    Michael

  2. goran
    8. March 2008 at 13:09

    Hi Michael,

    Surely a leak prevention system will provide value, just not the kind of value and the amount of value it says it does. Your examples of using the DLP system as a part of a user awareness initiative and as an actual assessment of how data and information is actually being used are all good points.

    Still, I’m not convinced that this merits procuring these kinds of solutions. Companies put too much money into solutions that in reality are only effective against very few threats and attack vectors. Whenever a malicious party with a little talent actually wants something, they are often home free.
