How to use data loss prevention tools to stop data exfiltration

We normally think of data loss prevention (DLP) as something to limit employee errors, insider risks and poor data-management business processes, not external attacks. But in some of the recent, massive, financial data breaches (such as Heartland Payment Systems) it appears that DLP would have detected, if not stopped, the attacks.

While definitive information hasn't been released, sources are reporting that the perpetrators penetrated the networks (possibly using malicious software), installed sniffer software somewhere in the transaction pipeline, and exfiltrated the data over the network without encryption or any other obfuscation.

Exfiltrating stolen data over the network isn't anything new; if you think about it, the only alternative is to drive to the victim's location and physically retrieve it. In the 2005 CardSystems breach, the attackers used nothing more complex than FTP to retrieve their stolen data. Although malicious attackers have a myriad of options to export their ill-gotten gains, as recent events seem to indicate, they are just as likely to rely on the most basic of network channels.

This is exactly the kind of risk DLP is designed to mitigate, but it is only effective when configured properly and combined with additional security controls.

The first step is to ensure that your DLP has access to any outbound connections that might originate from your transaction processing network. If all your Internet traffic goes through established gateways this isn't a problem, but some organizations connect their transaction network through dedicated Internet pipes that won't be monitored by anything on the standard enterprise gateway. Since the transaction network also probably connects to your regular business network, it...

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security Architecture Insider Multifactor authentication options to secure online banking Security benefits of virtual desktop infrastructures How to secure data backup Too many encryption methods make secure communications difficult How to streamline role-based access control Five considerations for choosing network access control products Fighting fraud: Understanding technology and threats How to shift to centralized authentication and ease compliance Winning the war: Personal information protection Why financials must implement Web application security best practices Network security devices for financial institutions Five considerations for choosing network access control products Organization aims to develop encryption standard for card data How to perform a network device audit Event data analysis Security on the street with SearchFinancialSecurity.com: Mobile banking Don't let fads dictate your network security strategy How to easily integrate managed email security services Integrating firewalls into your financial enterprise systems How to integrate network behavior anomaly detection into enterprise systems How to get the most out of a SIM Data breaches and prevention strategies Bank computer technician indicted in identity theft scheme Survey: Consumers don't trust banks to keep their data secure ChoicePoint settles with FTC over second data security breach Data breach lawsuit puts spotlight on bank's security measures Google ordered to deactivate Gmail account after bank email error Threat of insider fraud growing with bad economy Data breach protection: Implementing vendor breach safeguards Zeus Trojan hitting banking customers hard TJX settles with banks for $525,000 RBS WorldPay agrees to market VeriFone end-to-end encryption

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Governance, Risk and Compliance  (SearchFinancialSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

's important to put network monitors on both gateways.

Although all major network DLP solutions can sniff all possible network traffic, some users restrict their tools to only certain kinds of traffic, or only protocols running on standard ports. Attackers are very likely to use unusual combinations, so you shouldn't restrict your DLP tool and may need to add extra resources to keep adequate performance.

DLP tools only block traffic when combined with a network proxy (some use TCP resets, but that has limited usefulness). Thus it's crucial to properly manage your egress filtering so the DLP solution can block as much as possible, and the rest of your network security makes it extremely difficult for attackers to use unmonitored channels. To monitor SSL communications, you'll also need a gateway that proxies SSL connections.

Finally, some DLP tools also alert when they detect encrypted files. This won't catch all the malicious transmissions, but it will force the attackers to use non-standard encryption tools.

DLP clearly can't detect and prevent all data exfiltration by an intelligent attacker, but it does reduce the risk and there's no excuse for letting them get away with plain text and standard network channels.

About the author:

Rich Mogull has more than 17 years experience in information security, physical security, and risk management. Prior to founding independent information security consulting firm Securosis, Rich spent seven years at research firm Gartner Inc., most recently as a vice president, where he advised thousands of clients, authored dozens of reports and was consistently rated as one of Gartner's top international speakers. He is one of the world's premier authorities on data security technologies.