By Kim Khor.
While organisations might be hard pressed to avoid the internet and other connections to their IT network and data, it is possible for individuals within an organisation to choose to observe secure behaviour, such as not posting private details on websites.
That said, organisations mostly need to be connected and nowadays, the problem of data loss is a constant threat.
The concept of Data Loss Prevention (DLP) must address the changing threat landscape. In the past, employing effective DLP has been expensive and hard to measure. Greater maturity in IT security products means that DLP technologies are more cost-effective to use and offer greater visibility of results and further possible improvements.
However, the marketing jargon makes it difficult to marry up real security leverage with the large range of product types.
A sound DLP implementation addresses the risks of both inadvertent data loss and malicious exfiltration.
If all laptops and thumb drives within an organisation were effectively encrypted, we would not have seen many of the high profile news items about data loss. Similarly, if all intrusion prevention and detection systems were keeping up with business, many of the big hacker stories would never have occurred.
Finally, good DLP efforts also empower incident responders, investigators and law enforcement by providing good quality diagnostic information and viable evidence that would not otherwise be available. Many investigations have failed due to a lack of useable evidence from the computer network.
Tools And Techniques
The basic elements of DLP build on the rudiments of IT security. An organisation needs a certain level of maturity in place to take advantage of these concepts. Here, the rudiments include standardisation, good access control, asset management, application design, policy, user awareness and data classification.
The main concept of DLP is the sensible arrangement of elements in your system to reduce the risk of loss. For example, if you store the company secrets in the cloud, encrypt them. This configuration philosophy generally follows the same principles as physical security. So here we will just concentrate on the tools available to you.
Three main technical elements of DLP are encryption, Deep Packet Inspection (DPI) and Deep Packet Capture (DPC).
Encryption should be used to obscure data, such as on a laptop or thumb drive, as well as important internal repositories, such as the engineering blueprints server. You will need a centralised management system of some kind. Ad hoc encryption is quite a time-waster.
You can think of DPI and DPC as listening in on a computer network conversation (inspection), and recording your eavesdropping (capture).
Commercial products can use any of the terms in the glossary to describe themselves. While they sound different, each of them may actually do all the necessary things to form a competent DLP resource in your environment.
The great opportunity for security is in combining DPI and DPC to create repositories of potential evidence and new ways to analyse and respond. The older concepts of Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are technologies that do much of what we want. It is just that they have traditionally been expensive to run competently, requiring constant specialised maintenance.
These systems are maturing and coalescing into a new breed of cheaper and smarter technologies. While some approaches retain the old names, new terminology is also emerging. One such example is Application Performance Management (APM).
APM systems capture network traffic (DPC) for review and diagnosis. They use DPI to interpret the content of the network ‘conversations’. They automatically look for opportunities to optimise the performance of the network. One such method is by identifying undesirable traffic that consumes resources.
The undesirable traffic might be causing a slow-down. That symptom might be caused by a single network conversation hogging resources. The APM will flag this fact, possibly suggest a course of remediation, and possibly react by itself to block the offending conversation.
This situation could be a brute force attack – a break-in attempt. The APM system has shown its ability to perform a ‘smart’ security function. Probably, only a human analyst would otherwise have detected this condition.
If it does turn out to be an attack, the APM recordings are a wonderful resource for the investigation and planning new protective measures. It may even automate the collation and production of evidence.
APM is just one example of more mature technologies that may serve more than one purpose. This terminology example was chosen for its obvious cross-purpose, but many products called DPC or IPS and so on can perform the same functions. It is just that they are marketed towards different people so they emphasise various strengths and use different language.
For both proactive and reactive security, DLP technology often combines well with other repositories. For example, looking at system logs and swipe-card logs, along with DLP-captured network traffic from the same time period, can provide another dimension to your analysis.
Consider where else you have good analysis fodder, particularly time-based information. Having such combinations prepared before an incident occurs can create an enormous advantage in the time it takes to diagnose, plan a response and execute. Producing concise reports and parcels of evidence is also much easier.
Products that provide for collection, repositories and analysis capabilities in this way have become known as Security Information and Event Management (SIEM) systems. Again, the same functionality can be found in other forms, such as some data mining software, debugging software, or statistical analysis systems.
Security of the DLP itself is a new issue, as a DLP repository probably contains interesting data. So you cannot leave it vulnerable any more than the assets you set out to protect initially.
Also, this storage may violate your PCI/DSS or other compliance obligations where you are not allowed to store controlled information outside controlled storage.
Where private information is captured and stored you may need to segregate the private information and put it through normal privacy controls. Sometimes contract or policy wording can have a large impact on your authority over various data. Consider your data classification schema and your IT disaster recovery program for more ideas to predict such hiccups.
Investigations are often hampered by a lack of diagnostic information; particularly information in transit. By laying DLP foundations you can furnish your incident response, security intelligence, and evidence production activities with great resources.
In the proactive direction, your improved knowledge of the network, users and bad guys enables you to better predict the future. You can:
- Better optimise performance and cost for security as well as business operations generally
- More easily identify old resources that should be retired – save costs and reduce attack surface
- Better understand the bad guys and predict their behaviour
- Better understand your users’ motivation and behaviour in order to design awareness training and guide policy development.
DLP technology offers great potential to both IT security (optimise defence and investigations) and other parts of the business (for service optimisation, cost control) and hence, is potentially a shared resource. If you already have an APM system in place, it could be in IT operations, or software development. Do not buy two things to do the same job. Try to collaborate. For some, this kind of collaboration is one of the biggest opportunities in this discussion.
Try to develop an understanding of what things in your environment contain or transmit data worth protecting. Talk to others internally. Use references such as technical standards and guidelines. Talk to your external advisors. Develop a simple list of your needs, and prepare solution evaluation criteria. Then you can match up your needs to the marketing jargon.
You can have greater maturity in your systems. Systemise monitoring and diagnosis. The current Data Loss Prevention technologies provide greater coverage and automation with reduced entry and maintenance costs. This is simply good housekeeping in the information age.
Kim Khor is a computer forensics expert. He consults on network security, incident response, risk and compliance, investigations, and electronic evidence management in the Asia Pacific region. He can be contacted at firstname.lastname@example.org
Data Loss Prevention – a configuration or philosopy that addresses the risk of data loss by combining multiple security technologies.
Deep Packet Inspection – the act of analysing computer network traffic in order to understand and interpret the contained information.
Deep Packet Capture – the act of recording and storing computer network traffic for later review.
Application Performance Management – a process of analysing computer network traffic for troubleshooting and performance optimisation. APM makes use of DPI and DPC techniques. This might be applied to a web server for example, to guard against slow performance for users.
Intrusion Detection System – inspecting network traffic and other artifacts for indications of intrusion.
Intrusion Prevention System – when inspection shows a positive indication of intrusion, an automatic adjustment of the system occurs to block the detected intrusion technique. Also known as Intrusion Detection and Prevention System.
Security Information and Event Management – a system that collates various event logs, and other time-based information from around the IT network, and provides a boiled down view of only relevant information for review or investigation timelines.