Data loss prevention technologies
Abstract
Data loss prevention is a rapidly emerging network security technology area that has matured from simple regex-based Web / email content filtering products into products such as Fidelis Security Systems XPS that perform deep inspection of documents such as Microsoft Word and Adobe PDF with high levels of precision and recall.
Motivation
Network content monitoring is generally used to monitor employees' or students' Web surfing and to filter out violence, pornography and drug-related content. This sort of Web content filtering became “mainstream” by 2005, with wide-scale deployments in schools and larger businesses by commercial closed-source companies such as McAfee and Bluecoat and by Open Source products such as Censor Net and Spam Assassin. Similar signature-based technologies are also used to perform intrusion detection and prevention.
However, a new class of content monitoring products has emerged that is aimed squarely at protecting firms from unauthorized “information leakage”, “data theft” or “extrusion”. The motivation for using these products is economic, not behavioral: transfer of digital assets by trusted insiders or trusted systems can cause much more economic damage to a business than viruses. Unlike viruses, once a competitor steals data you cannot reformat the hard disk and restore from backup. Companies often hesitate to publicly report extrusion events because doing so damages their corporate brand, gives competitors an advantage and undermines customer trust.
There are two potential “internal customers” for content monitoring in a company – business management (risk management and/or internal audit) and IT infrastructure management.
Senior business management wants to protect their brand by protecting their information assets from criminals, competitors and trusted insiders. There seem to be three schools of thought on this among CxOs: one common approach is to ignore the problem and brush it under the carpet of compliance monitoring. Another approach is to monitor asset flows without telling employees or the whole world. The smart CEO seems to like an extrusion prevention system as a deterrent and as a way of enhancing the brand (“your assets are safer with us”). Passive content monitoring of asset flows in the network that operates independently of existing IT systems can be an effective auditing tool for threats to digital assets in any case. Employees and hackers cannot detect a Layer 2 Sniffer device, and a Sniffer is immune to configuration and operational problems in the network. If it can’t be detected on the network, then school of thought number 2 has plausible deniability.
Firewalls are not enough
Many firms now realize that a firewall is not enough to protect digital assets inside the network and look towards incoming/outgoing content monitoring. This is because:
- The firewall might not be properly configured to stop all the suspicious traffic.
- The firewall doesn’t have the capability to detect all types of content, especially embedded content in tunneled protocols.
- The majority of attacks and extrusions are not on the IT infrastructure but on the data itself.
- Most hackers do not expect creative defenses so they assume that once they are in, nobody is watching their nasty activities.
- The firewall itself can be compromised. As Day-0 attacks and trusted insider threats become more common, it is good practice to add additional, independent controls.
Detection, Prevention and Security Management
Detection
Sophisticated incoming and outgoing content monitoring technologies basically use three paradigms for detection:
- AD – Anomaly Detection – describes normal network behavior and flags everything else
- MD – Misuse Detection – describes attacks and flags them directly
- BA – Burglar Alarm – describes abnormal network behavior (“detection by exception”)
In anomaly detection, new traffic that doesn’t match the model is labeled as suspicious or bad and an alert is generated. The main limitation of anomaly detection is that if the model is too conservative, it will generate too many false positives (false alarms) and over time the analyst will ignore it. On the other hand, if a tool rapidly adapts the model to evolving traffic, then too few alerts will be generated and the analyst will again ignore it.
Misuse detection describes attacks and flags them directly: it uses a database of known attack signatures and constantly tries to match the actual traffic against that database. If there is a match, an alert is generated. The database typically contains rules for:
- Protocol Stack Verification – RFC compliance, ping of death, stealth scanning, etc.
- Application Protocol Verification – WinNuke, invalid packets that cause DNS cache corruption, etc.
- Application Misuse – misuse that causes applications to crash or enables a user to gain super-user privileges, typically due to buffer overflows or implementation bugs.
- Intruder detection – known attacks can be recognized by the effects caused by the attack itself. For example, Back Orifice 2000 sends traffic on its default port, 31337.
- Extrusion detection – detect unauthorized network transfer of data according to the content itself, for example by file type, compound regular expressions, and linguistic and/or statistical content profiling. Extrusion detection functions at a much higher level than an IDS/IPS, since it needs to understand file formats and analyze the actual content, such as a Microsoft Office attachment in a Web mail session, as opposed to doing simple pattern matching on an HTTP request string.
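The extrusion detection bullet above can be made concrete with a small content inspector. The Python below is an added example written for this article, not code from any product it names; it decodes a captured MIME message, recognizes an OOXML .docx attachment by its zip magic and internal layout, extracts the document text, and applies a compound rule (a card-number-like pattern AND a context keyword). The rule patterns, host names and the sample message it builds are all constructed for the example.

```python
import io
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Compound rule: a data pattern AND a context keyword must both occur in the document
# text. Both patterns are constructed for this example, not a production ruleset.
CARD_PATTERN = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")
CONTEXT_PATTERN = re.compile(r"\b(card|cvv|cardholder)\b", re.IGNORECASE)

def extract_docx_text(blob):
    """Return the visible text of an OOXML .docx, or None if blob is not one."""
    if not blob.startswith(b"PK\x03\x04"):          # zip container magic
        return None
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        if "word/document.xml" not in zf.namelist():  # a zip, but not a Word document
            return None
        xml = zf.read("word/document.xml").decode("utf-8", errors="replace")
    # Word splits text into <w:t> runs; join them so a number split across runs still matches.
    return "".join(re.findall(r"<w:t[^>]*>([^<]*)</w:t>", xml))

def inspect_message(raw):
    """Walk every attachment of a captured MIME message; name those violating the rule."""
    msg = message_from_bytes(raw, policy=default)
    findings = []
    for part in msg.iter_attachments():
        text = extract_docx_text(part.get_payload(decode=True) or b"")
        if text is not None and CARD_PATTERN.search(text) and CONTEXT_PATTERN.search(text):
            findings.append(part.get_filename())
    return findings

def build_docx(runs):
    """Construct a minimal .docx in memory (sample input; runs must not contain XML markup)."""
    body = "".join(f"<w:r><w:t>{r}</w:t></w:r>" for r in runs)
    xml = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
           f"<w:body><w:p>{body}</w:p></w:body></w:document>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", xml)
    return buf.getvalue()

def build_sample_message(attachment, filename):
    """Construct a captured outbound web-mail message (sample data) with one attachment."""
    msg = EmailMessage()
    msg.set_content("See attached.")
    msg.add_attachment(attachment, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```

Note that a plain pattern match on the wire bytes would see only base64 and deflate-compressed data; the rule only fires after the container is unpacked and the text runs are joined.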
Using a burglar alarm model, the analyst must have a deep understanding of her network and of what should not happen on it. She builds rules that model how the monitored network should work, in order to generate alerts when suspicious traffic is detected. The richer the rules database, the more effective the model. The advantage of the burglar alarm model is that a good network administrator can leverage knowledge of servers, segments and clients (for example a Siebel CRM server which is a client of an Oracle database server) in order to focus in and manage by exception.
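The "detection by exception" idea, as an added example that is not part of the original article: the administrator encodes which roles are expected to talk to which servers on which ports, and any flow to a modelled server outside that model raises an alert. Host names, roles and the flow records are constructed for the example; the only rule knowledge it assumes is the article's own CRM-to-Oracle relationship.

```python
from collections import namedtuple

# A sensor's summary of one connection (not raw traffic).
Flow = namedtuple("Flow", "src dst dport")

# Asset knowledge the administrator supplies: which host plays which role.
# Host names are constructed for this example.
ROLES = {
    "siebel-app-01": "crm-app",
    "oracle-db-01": "oracle-db",
    "ws-finance-17": "workstation",
}
ORACLE_LISTENER = 1521

# The model of what SHOULD happen: (client role, server role, port) triples.
# Any flow to a modelled server that is not on this list is an exception.
EXPECTED = {
    ("crm-app", "oracle-db", ORACLE_LISTENER),   # Siebel CRM is a client of the Oracle DB
    ("workstation", "crm-app", 443),             # users reach the CRM over HTTPS
}

def exceptions(flows):
    """Burglar-alarm pass: return flows to modelled servers that the model does not expect."""
    alerts = []
    for f in flows:
        server_role = ROLES.get(f.dst)
        if server_role is None:
            continue  # the model says nothing about this destination; not this model's job
        client_role = ROLES.get(f.src, "unknown")
        if (client_role, server_role, f.dport) not in EXPECTED:
            alerts.append(f)
    return alerts

# Constructed flow records, as a sensor would feed them to the console.
SAMPLE_FLOWS = [
    Flow("siebel-app-01", "oracle-db-01", 1521),   # expected CRM -> DB
    Flow("ws-finance-17", "siebel-app-01", 443),   # expected user -> CRM
    Flow("ws-finance-17", "oracle-db-01", 1521),   # workstation talking straight to the DB
    Flow("siebel-app-01", "oracle-db-01", 22),     # CRM host opening SSH to the DB host
]
```

No attack signature is involved: the two alerts come purely from flows that contradict how the administrator said the segment should behave.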
Prevention
Anomaly detection is an excellent way of identifying network vulnerabilities, but a user cannot prevent data breach events based on general network anomalies such as usage of anonymous FTP. When it comes to prevention there is also a fundamental problem with misuse detection: if misuse is detected, then unless the event can be prevented (either internally with a TCP reset, by blocking inline, or by notifying the router or firewall) the usefulness of the device is limited to forensics collection. An additional hurdle to overcome in the area of prevention of data breach events is performance. The widespread practice of spreading load across multiple IDS servers behind a load balancer will not work for prevention, since the packets that compose a client-server application session may be spread over multiple servers, and no single server then has a complete picture of the entire session from which to prevent the leak.
Management – event analysis and reporting
A SIM (or security information management) system consolidates reporting, analysis, event management and log analysis. There are a number of dedicated tools in this category, Net Forensics being one, but the direction appears to be that the content monitoring system will include its own analytical database of events, due to the specialized nature of content monitoring and filtering. Note that the management sub-system itself does not perform detection or prevention functions; it manages and receives reports from the other system components. A typical architecture has a central SIM (management console) and multiple, distributed sensors that feed events (not raw traffic) into the SIM.