How to use data loss prevention tools to stop data exfiltration

We normally think of data loss prevention (DLP) as something to limit employee errors, insider risks and poor data-management business processes, not external attacks. But in some of the recent, massive, financial data breaches (such as Heartland Payment Systems) it appears that DLP would have detected, if not stopped, the attacks.

While definitive information hasn't been released, sources are reporting that the perpetrators penetrated the networks (possibly using malicious software), installed sniffer software somewhere in the transaction pipeline, and exfiltrated the data over the network without encryption or any other obfuscation.

Exfiltrating stolen data over the network isn't anything new; if you think about it, the only alternative is to drive to the victim's location and physically retrieve it. In the 2005 CardSystems breach, the attackers used nothing more complex than FTP to retrieve their stolen data. Although malicious attackers have a myriad of options to export their ill-gotten gains, as recent events seem to indicate, they are just as likely to rely on the most basic of network channels.

This is exactly the kind of risk DLP is designed to mitigate, but it is only effective when configured properly and combined with additional security controls.

The first step is to ensure that your DLP has access to any outbound connections that might originate from your transaction processing network. If all your Internet traffic goes through established gateways this isn't a problem, but some organizations connect their transaction network through dedicated Internet pipes that won't be monitored by anything on the standard enterprise gateway. Since the transaction network also probably connects to your regular business network, it's important to put network monitors on both gateways.

Although all major network DLP solutions can sniff all possible network traffic, some users restrict their tools to only certain kinds of traffic, or only protocols running on standard ports. Attackers are very likely to use unusual combinations, so you shouldn't restrict your DLP tool and may need to add extra resources to keep adequate performance.

DLP tools only block traffic when combined with a network proxy (some use TCP resets, but that has limited usefulness). Thus it's crucial to properly manage your egress filtering so that the DLP solution can block as much as possible, and the rest of your network security makes unmonitored channels extremely difficult for attackers to use. To monitor SSL communications, you'll also need a gateway that proxies SSL connections.

Finally, some DLP tools also alert when they detect encrypted files. This won't catch all the malicious transmissions, but it will force the attackers to use non-standard encryption tools.
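As an added example (not from the article or any DLP product), the following Python models the two content checks the preceding paragraphs call for: inspecting every outbound flow regardless of destination port for plaintext card numbers, and flagging high-entropy payloads that are probably encrypted. The flow records are constructed sample data; the Luhn validation and the 7.5 bits-per-byte entropy threshold are illustrative assumptions, not any vendor's logic.

```python
import math
import re
from collections import Counter

# Constructed sample of outbound flow records (not real captures): each is
# (destination port, payload bytes). Ports are deliberately non-standard.
SAMPLE_FLOWS = [
    (8443, b"name=ACME;pan=4111111111111111;exp=12/11"),   # plaintext card number
    (2121, b"report: quarterly revenue up 4%"),             # benign text
    (31337, bytes(range(256)) * 4),                         # high-entropy blob
    (80, b"pan=4111111111111112 (fails Luhn)"),             # PAN-shaped but invalid
]

PAN_RE = re.compile(rb"\b\d{13,19}\b")

def luhn_valid(digits: bytes) -> bool:
    """Luhn checksum: rejects most random 13-19 digit runs that aren't card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 48  # ASCII digit to int
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data approaches 8.0, text sits far lower."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def inspect_flow(port: int, payload: bytes, entropy_threshold: float = 7.5) -> list:
    """Return DLP findings for one outbound flow. The port is deliberately ignored:
    the article's point is that attackers use unusual port/protocol combinations."""
    findings = []
    if any(luhn_valid(m) for m in PAN_RE.findall(payload)):
        findings.append("plaintext-pan")
    if len(payload) >= 64 and shannon_entropy(payload) >= entropy_threshold:
        findings.append("encrypted-or-packed")
    return findings

def scan(flows) -> dict:
    """Map each port to its findings so an analyst sees which non-standard channels fired."""
    return {port: inspect_flow(port, payload) for port, payload in flows}
```

Running `scan(SAMPLE_FLOWS)` flags the card number on port 8443 and the encrypted-looking blob on port 31337, while the benign text and the Luhn-invalid digit run produce no findings.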

DLP clearly can't detect and prevent all data exfiltration by an intelligent attacker, but it does reduce the risk and there's no excuse for letting them get away with plain text and standard network channels.

About the author:

Rich Mogull has more than 17 years' experience in information security, physical security, and risk management. Prior to founding independent information security consulting firm Securosis, Rich spent seven years at research firm Gartner Inc., most recently as a vice president, where he advised thousands of clients, authored dozens of reports and was consistently rated as one of Gartner's top international speakers. He is one of the world's premier authorities on data security technologies.

This was first published in April 2009
