Ten Technical Questions to Make Your DLP Vendor Squirm

Thursday, December 09, 2010

shawn merdinger


"There's a war out there, old friend. A world war. And it's not about who's got the most bullets. It's about who controls the information. What we see and hear, how we work, what we think... it's all about the information" -- Cosmo, Sneakers (1992)                                

The headline news of Wikileaks has drawn considerable attention to the huge, intractable problems of digitized data and how much a single individual can damage an organization, business or nation-state.

But these issues are not just with Wikileaks, as the recent breach of gaming leader Blizzard resulted in disclosure of business plans and product road maps.

Blizzard Product Roadmap blizzard pwnage

With this focus on DLP, some insightful commentary is out there. In particular, Gary Warner in his Wikileaks: Lessons Learned blog post discusses the subtleties of data classification versus data categorization, and outlines a pragmatic approach to detection, such as frequency of access monitoring across these defined planes. This article is well worth the read.

Another good, and short blog post is from Neil MacDonald at Gartner, who advocates redefining "Data Loss Prevention" as a subset of "Data Lifecycle Protection" -- a really good point.

These are going to be heady times for DLP (Data Loss Prevention) vendors, and we can expect to see DLP solutions become as popular as the late 90's and early 2000's security mantra of "we have to install antivirus and firewalls."

Many organizations are seeking and will continue to seek technical solutions to gain control over data exfiltration. As expected, many DLP vendors are offering "the perfect solution" that promises to fix your problems.

In my view, however, I'm seeing vendors either unaware or willfully ignorant of the many technical means to exfiltrate data over the network in a surreptitious manner. And put simply, their products and solutions can't begin to address these threats.

To provide folks with some ammo to use for Q&A with DLP vendors, I've come up with the following 10 questions. The first few are easy, and the DLP vendor probably has some type of coverage.

However, as the questions progress, you can expect to start seeing blank stares, and hearing the hemming-hawing and mentioning of "it's on the product roadmap -- just wait one more quarter" and "we'll check with our engineers and get back to you" -- always my favorite vendor answers ;-)

1. How does it inspect SSL traffic?

This is a softball question, with the likely answer being some kind of man-in-the-middle decryption scheme, possibly having to use another vendor's hardware. The follow-up to this is: What about Stunnel?

2. How does it inspect services like Dropbox, EverNote, etc.?

Another softy, but starting to get a little more difficult because we're dealing with multiple consumer services.

3. Inspection of various consumer communications over IM like AIM, Google Chat, etc.?

Lulling them into complacency, this should be a gimme question with no problem answering.

4. Does it do any metadata analysis conducted on documents (.doc,.xls, .pdf, etc.) or images (.png, .gif, .jpg, etc.)? What about video files (.avi, .mp4, etc.)?

You should expect some raised eyebrows on this one.

5. Does it do any steganography analysis of images?

Some will say yes, others no. If yes, the follow-up question is: How do you do this? There are literally hundreds of steganography tools -- do you have strings or signatures that you're looking for from all of these tools?

6. Your product probably blocks well-known P2P like Limewire, Bearshare, etc. What about private P2P networks like WASTE?

7. What about VoIP, including encrypted ones like zphone, Skype, Cisco Skinny? Specifically, does it inspect for DMTF tones?

"It's on the roadmap" will be most likely answer.

8. Does it block/ inspect advanced data exfiltration tools and tactics?

This will be perhaps the most exciting Q&A. Be sure to do your homework on these tools and techniques!

9. How does it inspect TOR traffic? TOR hidden services?

Expect audible groans.

10. How does it address IPv6 tunneled inside IPv4?

Expect quizzical looks.

Hopefully this will enlighten you about some of the methods attackers will use to perform data exfiltration. And will also provide you some good questions to beat up vendors after they take you out for lunch or golf.

At the very least, you can expect your DLP vendor to mention that nobody has asked some of these questions of them before :)

Possibly Related Articles:
SSL Security Strategies Data Loss Prevention Vendor Management DLP
Post Rating I Like this!
courtney benson After reading this vendors will have time to come up with responses even if they don't do what they say they do.
shawn merdinger Hi Courtney,

Yes, you're right.

However, I believe the article does help to place everyone on equal footing. Further, just because a vendor may have a canned answer doesn't mean their DLP solution will provide an active defense against the data ex-filtration methods I described.

Robb Reck I hope the vendors read this and figure out a good response... I'm tired of blank stares! They don't do anyone any good.
Steven Fenton For me I think this article is good information, but I'm not sure I'd be looking to DLP to cover some of these technical threat vectors. Agree DLP could have some insight, but I don't want it to substitute an IDS or an application aware firewall. You build up defence in depth from hardening desktops to ensuring least priv to prevent such installs of tools etc. Network profiling \ zones and understanding traffic entering and leaving etc. I've never seen DLP as an anti-hacker tool. It's more about discovering broken business processes, education of unaware users and of course catching defectors with the 2nd control of deterrence. I wouldn't blame DLP because a rogue application such as a private P2P was punching its way out having been undiscovered and been installed without approval. Few other areas need to be addressed if this is the case.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.