What a simple idea. It doesn’t matter how they break into your network or servers – if attackers can’t take out your data, then you’ve mitigated the threat.

Data loss prevention is a category of information security products that has matured from Web / email content filtering products into technologies that can detect unauthorized network transfer of valuable digital assets such as credit cards. This paper reviews the motivation for and the taxonomies of advanced content flow monitoring technologies that are being used to audit network activity and protect data inside the network.

Motivation – why prevent data loss?

The majority of hacker attacks and data loss events are not on the IT infrastructure but on the data itself.  If you have valuable data (credit cards, customer lists, ePHI) then you have to protect it.

Content monitoring has traditionally meant monitoring of employee or student surfing and filtering out objective content such as violence, pornography and drugs. This sort of Web content filtering became “mainstream” with wide-scale deployments in schools and larger businesses by commercial closed source companies such as McAfee and Bluecoat and Open Source products such as Censor Net and Spam Assassin. Similar signature-based technologies are also used to perform intrusion detection and prevention.

However, starting in 2003, a new class of content monitoring products started emerging that is aimed squarely at protecting firms from unauthorized “information leakage”, “data theft” or “data loss” no matter what kind of attack was mounted. Whether the data was stolen by hackers, leaked by malicious insiders or disclosed via a Web application vulnerability, the data is flowing out of the organization. The attack vector in a data loss event is immaterial if we focus on preventing the data loss itself.

The motivation for using data loss prevention products is economic not behavioral; transfer of digital assets  such as credit cards and PHI by trusted insiders or trusted systems can cause much more economic damage than viruses to a business.

Unlike viruses, once a competitor steals data you cannot reformat the hard disk and restore from backup.

Companies often hesitate from publicly reporting data loss events because it damages their corporate brand, gives competitors an advantage and undermines customer trust no matter how much economic damage was actually done.

Who buys DLP (data loss prevention)?

This is an interesting question. On one hand, we understand that protecting intellectual property, commercial assets and compliance-regulated data like ePHI and credit cards is  essentially an issue of  business risk management. On the other hand, companies like Symantec and McAfee and IBM sell security products to IT and information security managers.

IT managers focus on maintaining predictable execution of business processes not dealing with unpredictable, rare, high-impact events like data loss.  Information security managers find DLP technology interesting (and even titillating – since it detects details of employee behavior, good and bad) but an  information security manager who buys Data loss prevention (DLP) technology is essentially admitting that his perimeter security (firewall, IPS) and policies and procedures are inadequate.

While data loss prevention may be a problematic sale for IT and information security staffers, it plays well into the overall risk analysis,  risk management and compliance processes of the business unit.

Data loss prevention for senior executives

There seem to be three schools of thought on this with senior executives:

1. One common approach is to ignore the problem and brush it under the compliance carpet using a line of reasoning that says “If I’m PCI DSS/HIPAA compliant, then I’ve done what needs to be done, and there is no point spending more money on fancy security technologies that will expose even more vulnerabilities”.
2. A second approach is to perform passive data loss detection and monitor flow of data(like email and file transfers) without notifying employees or the whole world. Anomalous detection events can then be used to improve business processes and mitigate system vulnerabilities. The advantage of passive monitoring is that neither employees nor hackers can detect a Layer 2 sniffer device and a sniffer is immune to configuration and operational problems in the network. If it can’t be detected on the network. then this school of thought has plausible deniability.
3. A third approach takes data loss prevention a step beyond security and turns it into a competitive advantage. A smart CEO can use data loss prevention system as a deterrent and as a way of enhancing the brand (“your credit cards are safer with us because even if the Saudi hacker gets past our firewall and into the network, he won’t be able to take the data out”).

A firewall is not enough

Many firms now realize that a firewall is not enough to protect digital assets inside the network and look towards incoming/outgoing content monitoring. This is because: 

1. The firewall might not be properly configured to stop all the suspicious traffic.

2. The firewall doesn’t have the capability to detect all types of content, especially embedded content in tunneled protocols.

3. The major of hacker attacks and data loss events are not on the IT infrastructure but on the data itself.

4. Most hackers do not expect creative defenses so they assume that once they are in, nobody is watching their nasty activities.

5. The firewall itself can be compromised. As we have more and more Day-0 attacks and trusted insider threats, so it is good practice to add additional independent controls.

Detection

Sophisticated incoming and outgoing (data loss prevention or DLP) content monitoring technologies basically use three paradigms for detecting security events

1. AD- Anomaly Detection – describes normal network behavior and flags everything else
2. MD- Misuse Detection – describes attacks and flags them directly
3. BA – Burglar alarm – describes abnormal network behavior (“detection by exception”)

In anomaly detection, new traffic that doesn’t match the model is labeled as suspicious or bad and an alert is generated. The main limitation of anomaly detection is that if it is too conservative, then it will generate too many false positives (a false alarm) and over time the analyst will ignore it. On the other hand, if a tool rapidly adapts the model to evolving traffic change, then too little alerts will be generated and the analyst will again ignore it.

Misuse detection describes attacks and flags them directly, using a database of known attack signatures and constantly tries to match the actual traffic against the database. If there is a match, an alert is generated. The database typically contains rules for:

1. Protocol Stack Verification – RFC’s, ping of death, stealth scanning etc.
2. Application Protocol Verification – WinNuke , invalid packets that cause DNS cache corruption etc.
3. Application Misuse – misuse that causes applications to crash or enables a user to gain super user privileges; typically due to buffer overflows or due to implementation bugs.
4. Intruder detection. Known attacks can be recognized by the effects caused by the attack itself. For example, Back Orifice 2000 sends traffic on default port is 31337
5. Data loss detection – for example by file types, compound regular expressions, linguistic and/or statistical content profiling. Data loss prevention or detection needs to work at a much higher level than intrusion detection – since it needs to understand file formats and analyze the actual content such as Microsoft Office attachments in a Web mail session as opposed to doing simple pattern matching of an http request string.

Using a burglar alarm model, the analyst needs deep understanding of the network and what should not happen with it. He builds rules that model how the monitored network should conceptually work, in order to generate alerts when suspicious traffic is detected. The richer the rules database, the more effective the tool. The advantage of the burglar alarm model is that a good network administrator can leverage his knowledge of servers, segments and clients (for example a Siebel CRM server which is a client to a Oracle database server) in order to focus-in and manage-by-exception.

What about prevention?

Anomaly detection is an excellent way of identifying network vulnerabilities but a customer cannot prevent extrusion events based on general network anomalies such as usage of anonymous ftp. In comparison there is a conceptual problem with misuse detection. If misuse is detected then unless the event can be prevented (either internally with a TCP reset, by notifying the router or firewall) – then the usefulness of the devices is limited to forensics collection.

What about security management?

SIM – or security information management consolidates reporting, analysis, event management and log analysis. There are a number of tools in this category – Netforensics is one. SIM systems do not perform detection or prevention functions – they manage and receive reports from other systems. Checkpoint for example is a vendor that provides this functionality with partnerships.

Summary

There are many novel DLP/data loss prevention products, most provide capabilities far ahead of both business and IT infrastructure management that are only now beginning to look towards content monitoring behind the firewall.

DLP (Data loss prevention) solutions join an array of content and application-security products around the traditional firewall. Customers are already implementing a multitude of network security products for Inbound Web filtering, Anti-virus, Inbound mail filtering and Instant Messaging enforcement along with products for SIM and integrated log analysis.

The industry has reached the point where the need to simplify and reduce IT security implementation and operational costs becomes a major purchasing driver, perhaps more dominant than any single best-of-breed product.

Perhaps data loss prevention needs to become a network security function that is part of the network switching fabric; providing unified network channel and content security.

Software Associates helps healthcare customers design and implement such a unified network channel and enterprise content security solution today enabling customers to easily define policies such as “No Instant Messaging on our network” or “Prevent patient data leaving the company over any channel that is not an authorized SSH client/server”.

For more information contact us.

There are 6 key business requirements for medical device security:

1. Prevent data leakage of ePHI (electronic protected health information) via the device itself, the management system and or the hospital information system interface.
2. Ensure availability of the medical device
3. Ensure integrity of the operation and data of the medical device
4. Ensure that a networked or mobile medical device cannot by exploited by malicious attackers to cause damage to the patient
5. Ensure that a networked or mobile medical device cannot by exploited by malicious attackers to cause damage to the hospital enterprise network

Just like theft, data is leaked or stolen because it has value, otherwise the employee or contractor would not bother.  There is no impact from leakage of trivial or universally available information.  Sending a  weather report by mistake to a competitor obviously will not make a difference.

The financial impact of a data breach is directly proportional to the value of the asset. Imagine an insurance company obtaining PHI under false pretenses, discovering that the patient had been mistreated, and suppressing the information.  The legal exposure could be in the millions.  Now consider a data leakage event of patient names without any clinical data – the impact is low, simply because names of people are public domain and without the clinical data, there is no added value to the information.

But why, does data leak?

The main reason is people. People handle electronic data and make mistakes or do not follow policies. People are increasing conscious that information has value – All information has some value to someone and that someone may be willing to pay or return a favor. This is an ethical issue which is best addressed by direct managers leading from the front and by example with examples of ethical behavior.

People are tempted or actively encouraged to expose leaked/lost data – consider Wikileaks and data leakage for political reasons as we recently witnessed in Israel in the Anat Kamm affair.

People maintain information systems and make mistakes, leave privileged user names on a system or temporary files with ePHI on a publicly available Windows share.

People design business processes and make mistakes – creating a business process for customer service where any customer service representative can see any customer record creates a vulnerability that can be exploited by malicious insiders or attackers using APT (Advanced Persistent Threat Attacks) that target a particular individual in a particular business unit – as seen in the recent successful APT attack on RSA, that targeted an HR employee with an Excel worksheet containing malware that enabled the attackers to steal SecurID token data,  and then use the stolen tokens to hack Lockheed Martin.

According to Wikipedia, APT attacks utilize traditional attack vectors such as malware and social engineering, but also extend to advanced attacks such as satellite imaging. It’s a low-and-slow attack, designed to go undetected.  There is always a specific objective behind it, rather than the chaotic and organized attacks of script kiddies.

As a preface, begin with the understanding that you already have all the resources you need.

Discussions with colleagues in a large forensics accounting firm that specialize in anti-fraud investigations, money laundering and anti-terror funding (ATF), confirm what I’ve suspected for a long time. Armies of junior analysts working for the large accounting firms who have never seen or experienced a fraudulent event and are unfamiliar with the your business operation are not a reasonable replacement for careful risk analysis by the business done by people who are familiar with the business.

Step # 1- Do not do an expensive business process mapping project.

Many consultants tell organizations that they must perform a detailed business process analysis and build data flow diagrams of data and users who process data. This is an expensive task to execute and extremely difficult to maintain that can require large quantity of billable hours. That’s why they tell you to map data flows. The added value of knowing data flows inside your organization between people doing their job is arguable. There are much better ways to protect your data without writing out a 7 digit check. Here is the first one you should try out. Select the 10 most valuable data assets that your company owns. For example – proprietary mechanical designs of machines, detailed financials of a private company being acquired, and details of competitive contracts with large accounts. In a few interviews with finance, operations, IT, sales and engineering, you can nail down those key assets. After you’ve done that, schedule a 1 hour meeting with the CFO and ask her how much each asset is worth in dollars. In general, the value of a digital, reputational, physical or operational asset to a business can be established fairly quickly by the CFO in dollar terms – in terms of replacement cost, impact on sales and operational costs.

Step #2 – Do not develop a regulatory compliance grid.

There is no point in taking a non-value-added process and spend money making it more effective.

My maternal grandmother, who spoke fluent Yiddish would yell at us – ” grosse augen” when we would pile too much food on our plates. ” Grosse augen” ( or as my folks put it); is having eyes that are bigger than your capacity. Yes, US publicly traded companies are subject to multiple regulations – if the company sells to customers and stores and processes PII (personally identifiable data) they will have to deal with PCI DSS 1.1, California State Privacy Law, Sarbanes-Oxley PCI DSS 1.1 protects one asset – payment card numer and magnetic stripe, while Sarbanes-Oxley is about accounting records. Yes, there are a few commercial software products that map business processes, databases and data elements to multiple regulations; their goal is to help streamline the work involved in multiple regulatory compliance projects – eliminating redundancy where possibility using commonality.
Looking at all the corporate governance and compliance violations; cases such as Hannaford supermarkets and AOL – it’s clear government regulation has not made America more competitive nor better managed.

Step #3 – Identify the top 5 data assets in your business and valuate them

I saw an article recently that linked regulatory compliance mandate and asset cost. Definitely not true – the value of an asset for a company is whatever operational management/CFO say it is. Asset value has nothing to do with compliance but it has everything to do with a cost effective risk control plan. For example – a company might think that whole disk encryption on all company notebook computers is a good idea – but if only 20 people have sensitive data – why spend 1 million dollars on mobile device data encryption when you can solve the problem for less than 5k?

Step #4 – Do not store PII

The absolutely worst thing you can do is a project to analyse data retention and protection regulations that govern each of the sensitive data elements that need protecting, and working with legal and compliance consultants who know the relevant regulations. VISA has it right. Don’t store credit cards and magnetic strip data. It will not help the marketing guys sell more anyway – and you can give the money you save on some fancy database encryption software to the earthquake victims in Myanmar and China.

Step #5 – Monitor your outsourcing vendors

Despite the hype on trusted insiders, most data loss is from business partners. You can write a non-disclosure agreement with an outsourcing vendor and trust them, but you must verify their compliance and prevent unauthorized data leaks.

The best story I had in years was in a meeting with the VP internal audit at a medium sized bank in Israel. He took a sales call with me and I pitched our extrusion prevention technology from Fidelis Security Systems as a way to protect their customer data. He said – look Danny, we don’t need technology – we’ve outsourced everything to a very large bank and their data center security is world-class. Two weeks later, the big bank had a serious data breach event (a high school student hacked into the internal network of the bank from a public Windows-based kiosk and helped himself to some customer lists. Two months later, the small bank was reported to be looking to get out of their outsourcing contract. Don’t rely on contracts alone – use people and DLP technology to detect data leakage.

Step #6 – Do annual security awareness training but keep it short and sweet

Awareness is great but like Andy Grove said – “A little fear in the workplace is not necassarily a bad thing”. Have everyone read, understand and sign a 1 page procedure for information security. Forget interview projects and expensive self-assessment systems – what salesman in his right mind will take time to fill out one of those forms – if he doesn’t update his accounts on salesforce.com? Install an extrusion detection system at the network perimeter. Prosecute violators in real time. Do random spot checks on the read-and-understand procedure. Give demerits to the supervisors and managers if their employees don’t pass the spot check.

Step #7 – Calculate valuate at risk of your top 5 data assets

ISO 27001 and PCI DSS 1.1 checklists are great starting points but they focus on whether a particular technology, policy or control has been implemented, and not whether these controls are cost-effective security countermeasures against internal and external attackers. Use Practical Threat Analysis with a PTA risk library for ISO 27001 or PCI DSS 1.1 and you will be able to build a cost-effective risk mitigation plan based on asset values, threat probabilities and estimated damage levels.

Step #8 – Ask your vendors and colleagues difficult questions

After you’ve done a practical threat analysis of your risk exposure to attacks on sensitive customer data and IP you will be in better position than ever to know what policies, procedures and technologies are the most effective security controlss. You’ll be in an excellent position to ask difficult questions and negotiate terms with your favorite vendor. While the attitude of many companies is to hold data protection protections close to their chests, it is valuable to talk to your colleagues at other companies in the same market and get a sense of what they have done and how well the controls perform.

Step #9 – Resist the temptation to do a customer data integration (CDI) project.

Customer data is often stored in many applications and locations in a large organization. The knee-jerk reaction of IT is to do a big data integration project and get all the digital assets under one roof. There are three reasons why this is a terrible idea. (a) Most of these projects fail, overrun and never deliver promised value (b) If you do suceed in getting all the data in one place, it’s like waving a huge red flag to attackers – heah , come over here – we have a lot of sensitive data that is nicely documented and easily accessible. Companies with enterprise software systems such as SAP and Oracle Applications are three times more likely to be attacked. (c) Ask yourself – would Google have succeeded if with global data integration strategy?

Step #10 – Prepare a business care for data loss prevention before evaluating products

Despite claims that protecting data assets is strategic to an enterprise, and IT governance talk about busines alignment and adding value – my experience is that most organizations will not do anything until they’ve had a fraud or data security event. The first step to protecting customer data and IP in any sized business from a individual proprietership to a 10,000 person global enterprise is laying the case at the door of the company’s management. This is where executives need to take a leadership position – starting with a clear position on which data assets are important and how much they’re worth to the company.

Practical threat analysis is a great way to identify and assess threats to your business and evaluate the potential business impact in dollars and cents to your operation using best-practice risk models provided by the PTA Professional threat modeling tool.

This article presents a systematic method for selecting and cost-justifying data security technology to protect  intellectual property theft and abuse.

The original presentation was given at the October 2, 2009 DLP-Expert Russia meeting in Istra (just outside of Moscow)

Click here to download the presentation

We performed a Sarbanes-Oxley IT top down security assessment for a NASDAQ-traded advanced technology company. The objectives for the study were to evaluate the internal and external threats that impact the company’s information assets. Using the Business threat modeling ^(BTM) methodology, a practical threat analysis PTA threat model was constructed and a number of threat scenarios were analyzed. Data was collected using structured interviews and network surveillance (with a Fidelis XPS appliance). Assets were valuated by the CFO and the IT security operations and technologies were valuated by the CIO. The output of the study was a cost-effective, prioritized program of security controls.This program was presented and approved by the management board of the company- leading to an immediate cost savings of over $120,000/year in the information security budget.

The detailed threat model was provided to the client and is currently used to perform what-if analysis and track the data security implementation. 

Download the data security case study and download the data security report to the management.

Conclusions

1. The bulk of the security budget is currently spent on sustaining network perimeter security and system availability. Not surprisingly, these countermeasures are not particularly effective in mitigating insider threats such as lost or stolen hardware and information leakage, which now dominate the company’s risk profile.

2. In corporate IT Security operations: The two major data security systems that were purchased in 2007, Imperva and Fidelis XPS Extrusion Prevention System have not yet been fully implemented and do not provide the expected benefit. To be specific, Imperva needs to be able to produce real-time alerts on violations based on logical combinations of OS user, DB application and DB user. Fidelis needs to be deployed in the subsidiaries. Monitoring from both systems needs to become a daily operational tool for the security officer.

3. In the Asia Pacific region: Loss of notebooks to the tune of 2-3 / quarter is a major vulnerability although content abuse of the corporate network is assessed as negligible due to cultural factors.

4. In general: Publicly facing FTP servers must be monitored carefully for violations of the company acceptable usage policy. In the course of the risk assessment, we discovered strategic plans and proprietary source codes that were stored on publicly accessible FTP servers.

We designed and implemented a large scale IT infrastructure modernization project that was tasked with improving availability, scalability and security of the online diamond trading networks at diamonds.com and diamonds.net. Network DLP appliances were deployed in the US and in EMEA at the company’s hosted server farms in order to help protect sensitive customer and commercial data.

Read the Customer solution case study

Certainly, all the DLP vendors think so.  Only problem is, the PCI DSS Council doesn’t even have DLP in their standard which pretty much guarantees zero regulatory tail wind for DLP sales to payment card industry players.

I’m actually impressed that Symantec didn’t manage to influence the PCI DSS council to include DLP in the standard. An impressive display of professional integrity and technology blindness.

A while back, we did a software security assessment for a player in the online transaction space.

When I asked the client and auditor what kind of real time data loss monitoring they have in place, just in case, they have a bug in their application and/or one of their business partners or trusted insiders steals data, the answers where like “umm, sounds like a good idea but it is not required by PCI DSS 2.0″

And indeed the client is correct.

PCI DSS 2.0 does not require outbound, real time or any other kind of data loss monitoring.

The phrases “real time” and “data loss” don’t appear in the standard. The authors of the standard like file-integrity monitoring but in an informal conversation with a PCI DSS official in the region, he confessed to not being familiar with DLP.

Here are a few PCI  monitoring requirements.

None of these controls directly protect the the payment card from being breached. They are all indirect controls and very focused on external attackers – not on trusted insiders nor business partners.

1. Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
2. If automated monitoring of wireless networks is utilized (for example, wireless IDS/IPS, NAC, etc.), verify the configuration will generate alerts to personnel.
3. Deploy file-integrity monitoring tools to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.
4. Monitor and analyze security alerts and information, and distribute to appropriate personnel.
5. Verify through observation and review of policies, that designated personnel are available for 24/7 incident response and monitoring coverage for any evidence of unauthorized activity, detection of unauthorized wireless access points, critical IDS alerts, and/or reports of unauthorized critical system or content file changes.

Oh man.

I was standing in line at Ben Gurion airport, waiting for my bag to be x-rayed. A conversation started with a woman standing next to me in line. The usual sort – “Where are you traveling and what kind of work do you do?”. I replied that I was traveling to Warsaw and that I specialize in data security and compliance – helping companies prevent trusted insider theft and abuse of sensitive data.

She said, “well sure, I understand exactly what you mean – you help enforce ethical behavior of people in the organization”.

I stopped for a moment and asked her, hold on – “what kind of business are you in”? She said – “well, I worked in the GSS for years training teams tasked with protecting high echelon politicians and diplomats. I understand totally the notion of enforcing ethical behavior”. And now? I asked. Now, she said, ” I do the same thing, but on my own”.

Let’s call my new friend “Sarah”.

Sarah’s ethical approach was for me, a breath of fresh air. Until that point, I had defined our data security practice as an exercise in data collection, risk analysis and implementation of the appropriate technical security countermeasures to reduce the risk of data breach and abuse. Employees, competitors and malicious attackers are all potential attackers.  The objective is to implement a cost-effective portfolio of data security countermeasures – policies and procedures, software security assessments, network surveillance, data loss prevention (DLP) and encryption at various levels in the network and applications.

I define security as protecting information assets.

Sarah defines security as protecting ethical behavior.

In my approach to data security, employee behavior is an independent variable, something that might be observed but certainly, not something that can be controlled. Since employees, contractors and business partners tend to have their own weaknesses and problems that are not reported on the balanced score card of the company, my strategy for data security posits that it is more effective to monitor data than to monitor employees and prevent unauthorized transfer or modification of data instead of trying to prevent irrational or criminal behavior of people who work in the extended enterprise.

In Sarah’s approach to data security, if you make a set of rules and train and enforce ethical behavior with good management, sensing and a dosage of fear in the workplace; you have cracked the data security problem.

So – who is right here?

Well – we’re both right, I suppose.

The answer is that without asset valuation and analysis of asset vulnerabilities, protecting a single asset class (human resources, data, systems or network) while ignoring others, may be a mistake.

Let’s examine two specific examples in order to test the truth of this statement.

Consider a call center with 500 customer service representatives. They use a centralized CRM application, they have telephones and email connectivity. Each customer service representative has a set of accounts that she handles. A key threat scenario is leaking customer account information to unauthorized people – private investigators, reporters, paparazzi etc… The key asset is customer data but the key vulnerability is the people that breach ethical behavior on the way to breaching customer data.

In the case of customer service representatives breaching customer privacy, Sarah’s strategy of protecting ethical behavior is the best security countermeasure.

Now, consider a medical device company with technology that performs imaging analysis and visualization. The company deploys MRI machines in rural areas and uses the Internet to provided remote expert diagnosis for doctors and patients who do not have access to big city hospitals. The key asset transmitted from the systems for remote diagnosis is PHI (protected health information), and the key vulnerabilities are in the network interfaces, the applications software and operating systems that the medical device company uses.

In  the case of remote data transfer and distributed/integrated systems, a combined strategy of software security, judicious network design and operating system selection (don’t use Microsoft Windows…) is the correct way to protect the data.

My conversation with Sarah at the airport gave me a lot of food for thought.

Data loss prevention (DLP technology) is great  and  ethical employee behavior is crucial but they need to work hand in glove.

Where there are people, there is a need to mandate, monitor and reinforce ethical behavior using  a clearly communicated corporate strategy with employees and contractors. In an environment where users require freedom and flexibility in using applications such as email and search, the ethical behavior for protecting company assets starts with company executives who show from personal example that IT infrastructure is to be used to further the company’s business and improving customer service and not for personal entertainment, gain or gratification.

It’s the simple things in life that count.