“There’s a war out there, old friend. A world war. And it’s not about who’s got the most bullets. It’s about who controls the information. What we see and hear, how we work, what we think… it’s all about the information” — Cosmo, Sneakers (1992)
The headline news of Wikileaks has drawn considerable attention to the huge, intractable problems of digitized data and how much a single individual can damage an organization, business or nation-state. But these issues are not just with Wikileaks, as the recent breach of gaming leader Blizzard resulted in disclosure of business plans and product roadmaps.
Blizzard Product Roadmap
With this focus on DLP, some insightful commentary is out there. In particular, Gary Warner in his Wikileaks: Lessons Learned blog post discusses the subtleties of data classification versus data categorization, and outlines a pragmatic approach to detection, such as frequency of access monitoring across these defined planes. This article is well worth the read. Another good, and short blog post is from Neil MacDonald at Gartner, who advocates redefining “Data Loss prevention” as a subset of “Data Lifecycle Protection” — a really good point.
These are going to be heady times for DLP (Data Loss Prevention) vendors, and we can expect to see DLP solutions become as popular as the late 90′s and early 2000′s security mantra of “we have to install antivirus and firewalls.” Many organizations are seeking and will continue to seek technical solutions to gain control over data exfiltration. As expected, many DLP vendors are offering “the perfect solution” that promises to fix your problems.
In my view, however, I’m seeing vendors either unaware or willfully ignorant of the many technical means to exfiltrate data over the network in a surreptitious manner. And put simply, their products and solutions can’t begin to address these threats.
To provide folks with some ammo to use for Q&A with DLP vendors, I’ve come up with the following 10 questions. The first few are easy, and the DLP vendor probably has some type of coverage. However, as the questions progress, you can expect to start seeing blank stares, and hearing the hemming-hawing and mentioning of “it’s on the product roadmap — just wait one more quarter” and “we’ll check with our engineers and get back to you” — always my favorite vendor answers
1. How does it inspect SSL traffic?
This is a softball question, with the likely answer being some kind of man-in-the-middle decryption scheme, possibly having to use another vendor’s hardware. The follow-up to this is: What about Stunnel?
2. How does it inspect services like Dropbox, EverNote, etc.?
Another softy, but starting to get a little more difficult because we’re dealing with multiple consumer services.
3. Inspection of various consumer communications over IM like AIM, Google Chat, etc.?
Lulling them into complacency, this should be a gimme question with no problem answering.
4. Does it do any metadata analysis is conducted on documents (.doc,.xls, .pdf, etc.) or images (.png, .gif, .jpg, etc.)? What about video files (.avi, .mp4, etc.)?
You should expect some raised eyebrows on this one.
5. Does it do any steganography analysis of images?
Some will say yes, others no. If yes, the follow-up question is: How do you do this? There are literally hundreds of steganography tools — do you have strings or signatures that you’re looking for from all of these tools?
6. You product probably blocks well-known P2P like Limewire, Bearshare, etc. What about private P2P networks like WASTE?
7. What about VoIP, including encrypted ones like zphone, Skype, Cisco Skinny? Specifically, does it inspect for DMTF tones?
“It’s on the roadmap” will be most likely answer.
8. Does it block/ inspect advanced data exfiltration tools and tactics?
- LOKI-types (tunneling through ICMP)
DNS-tunneling (Iodine and services like dnstunnel.de)
pwnat tunnels – They will likely not even know this tool!
Old school SSH reverse tunnels and forwarding
This will be perhaps the most exciting Q&A. Be sure to do your homework on these tools and techniques!
Expect audible groans.
10. How does it address IPv6 tunneled inside IPv4?
Expect quizzical looks.
Hopefully this will enlighten you about some of the methods attackers will use to perform data exfiltration. And will also provide you some good questions to beat up vendors after they take you out for lunch or golf. At the very least, you can expect your DLP vendor to mention that nobody has asked some of these questions of them before