Latest techniques and solutions for data loss prevention
Nick Copeland, Senior Systems Engineer

Agenda
– About Fidelis Security Systems
– DLP: risks and requirements
– DLP and social engineering
– Products and technology

Mission
Fidelis Security Systems provides the next generation of network security, enabling organizations to leverage their sensitive information while protecting it from data leakage and cyber attacks.

DLP Issues: Top Concern for CSOs
(Chart: Merrill Lynch CISO Survey, June 27, 2007)
(Chart: The 2008 Global Information Security Workforce Study, Frost & Sullivan, April 22, 2008)

The Reality of Today's Networks
• File transfers
• Information sharing
• SaaS
• PaaS
• Cloud computing
• Web apps
• Web mail
• IM
• Social networking
• Skype
• Bots
• Viruses
• Hackers
• Port hopping
• Tunneling

Threats are Targeting Information
• Leakage (the uneducated user): business partners, webmail, social networking, cloud
• Theft (the malicious insider)
• Exfiltration (external threat actors): nation states, organized non-state actors (e.g., terrorist groups), organized crime, advanced persistent threats

Social Networking: The Risks
Corporations use social networking:
– Facebook 69%
– Twitter 44%
– YouTube 32%
– LinkedIn 23%
Social networking as a source of attacks:
– One third of companies report attacks
– Facebook: malware infection 71.6%, data leakage 73.2%
– YouTube: malware infection 41.2%
– Twitter: privacy violations (leakage) 51%
Social networking as a source of financial loss:
– One third of attacks
– Facebook 62%
– Twitter 38%
– YouTube 24%
– LinkedIn 11%
Source: Security Week

DLP and Social Engineering
As attacks become more custom and targeted, "what's getting out?" becomes a key element of defense in depth.
– Example #1: Phone call requesting sensitive information
– Example #2: E-mail impersonating a trusted individual
– Example #3: Rogue CD or USB flash drive

Example #1: Phone call requesting sensitive information
Social engineering preparation:
– Visits the agency web site, www.organization.gov, to gather information
– Searches social networking sites (e.g., Facebook, LinkedIn) to find a victim, and researches the victim's contacts and network too
The attack:
– Calls the victim with a spoofed Caller ID
– Represents himself as a government contractor subcontracting to a big prime at the agency
– Requests that sensitive information be e-mailed to him
– Provides a professional-sounding e-mail address, don.smith@newtongovsol.com; www.newtongovsol.com has a basic but professional-looking web site
The response:
– Network DLP configured to prevent leakage of agency sensitive information
– E-mail prevented
– Forensic details captured and CERT notified

Example #2: E-mail impersonating a trusted individual
Social engineering preparation:
– Researches the target from Congressional testimonies
– Researches IT outsourcing contract awards
– Purchases a custom targeted malware program from another hacker online
The attack:
– E-mails the victim, spoofed from an outsourced help desk employee
– Contains an attachment to "update computer system inventory"
– When executed, searches the machine for certain file types
– FTPs the files out of the network to the attacker's server
The response:
– Network DLP configured to prevent leakage of agency sensitive information
– FTP session terminated
– Forensic details captured and CERT notified

Example #3: Rogue CD or USB flash drive
Social engineering preparation:
– Finds a list of employees from a trade show attendee list
– Purchases malware from a hacker online
– Creates a very attractive presentation
– Combines the presentation and the malware on a CD-ROM
The attack:
– Mails a professionally labeled CD-ROM: "Secrets to Career Advancement in the US Federal Government"
– When run, a PowerPoint-like presentation plays showing "How to become an SES", "Impressing both Political Appointees and Long-time Government Employees", and so on; lots of builds and graphics make the hard drive activity seem normal
– Installs a keylogger while the presentation plays
– Relays all typing over an SSH connection on non-standard ports to a server in a non-ally nation
The response:
– Network DLP configured to detect port hopping / tunneling
– Configured to detect transfers to rogue nations
– Configured to detect rogue encryption
– SSH session terminated
– Forensic details captured and CERT notified

Example #4: Personal financial gain
Social engineering preparation:
– A Facebook account is targeted for attack
– The hacker gains the account's credentials, often via a dictionary attack or spear-phishing
The attack:
– Logs in and sends requests as if he were the user
– Informs friends that he is traveling in a foreign country and has been robbed
– Needs money sent quickly via Western Union
– Desperately needs cash to be able to get back home
The response:
– Don't be fooled

Example #5: Partner relationship requesting sensitive information
Social engineering preparation:
– Sets up an account as a corporate contractor, picking one of the large system integrators
– Creates some other fake accounts in that area
– Mounts a simple but professional-looking web site as a reference
– Builds a wiki page on the company
The attack:
– Messages the individual under target
– Learns things from the employee (or from another system integrator)
– Contacts other persons involved in the project individually; each person's data might not be useful on its own, but aggregated, the sensitive information comes together
– Puts together a picture from information he should not have had access to
The response:
– Vocabulary (keyword) violation for discussing business on a networking site
– List of recognized partners for communications

Example #6: Ghosting (impersonating) a corporate executive
Social engineering preparation:
– Creates an account in the name of an executive of your company
– Creates links to existing employees and executives
The attack:
– Messages the subordinate under target
– Refers them to an employee quiz site, "How Great of an Employee are you?": "how long have you been a corporate employee", "what office do you work in", "what contractors do you do business with – rate them", "which people do you do business with – rate them", "how much spending do you oversee", "where do you get the best results"
– When the user submits the quiz, they get a score of "Fabulous Employee"
– The attacker walks away with leads on where to go next to extract data
The response:
– Vocabulary (keyword) violation for discussing business
– List of recognized partners for communications

Fidelis' Solution for DLP
The solution: session-level network security
Fidelis XPS: patented Deep Session Inspection™ platform, port-independent session-level visibility and control

Fidelis Extrusion Prevention System® (Fidelis XPS™)
Comprehensive information protection
• Content protection
• Application activity control
• Encryption policy enforcement
• Threat mitigation
Deep Session Inspection™ platform
• Comprehensive visibility into content and applications
• Prevention on all 65,535 ports
• Wire-speed performance
Network appliance
• Fast to deploy = quick time-to-value
• Easy to manage
• Enables zones of control

The Power to Prevent: It's the Next Generation
Policy Engine: Power of Context
In addition to pre-built policies, customer-specific policies can easily be built using the Fidelis XPS policy engine.
– Policy = group of one or more rules
– Rule = logical combination of one or more triggers; the combination is what delivers context
– Content trigger: sensitive information defined in content analyzers
– Location trigger: sender and recipient information
– Channel trigger: details about the information flow

Content analyzers:
1. Smart Identity Profiling
2. Keyword
3. Keyword Sequence
4. Regular Expressions
5. Binary Signatures
6. Encrypted Files
7. File Names
8. Exact File Matching
9. Partial Document Matching
10. Embedded Images

Location attributes:
1. Source IP address
2. Destination IP address
3. Geographical data: the country in which the IP address is registered
4. Username
5. LDAP directory attributes

Channel attributes:
1. Application / protocol (port-independent)
2. Application-specific attributes (e.g., user, e-mail address, subject, filename, URL, encrypted, cipher, and many more)
3. Port (source / destination)
4. Session length / size
5. Day of week / time of day
6. Session duration
7. Decoding path

Social Networking whilst Mitigating Risk
Technical and business controls:
– Ensure employee code-of-conduct policies cover social networking: who can speak on behalf of the company, and what employees may use social networks for
– Train employees on the roles and risks of social networking
– Create official profiles for corporate executives, even if they will not actually be used, and request that the sites block unofficial executive accounts
– Implement technical controls that address how social networks are used
Social networking is here to stay; security policy needs to address how it is used.

"As network usage and users continue to grow, we want to make sure information is accessible but also in compliance with the Federal Education Rights and Privacy Act (FERPA). Fidelis Security Systems' Fidelis XPS is an essential component of this strategy to ensure transmission of appropriate information." ---- Charles Thompson, CIO, Orange County Public Schools

"We had a growing concern over the potential of PII and information proprietary to the district being disclosed without permission. At the same time, although we have a strict AUP in place, we had limited technical visibility to track, trace and stop violations of these policies." -- Joseph Renard, Information Security Officer, District of Columbia Public Schools

"Fidelis can be recognized as a force to be reckoned with … providing innovative DLP security technologies and solutions that are agile and cost effective to protect today's corporate networks. The end result is a company that has outpaced their competitors in terms of technology and corporate growth." -- Frost & Sullivan, 2007 Product of the Year

"We like that Fidelis, unlike most other vendors, has a strong focus on high-performance anti-data leakage detection, analysis and prevention of traffic, built its own protocol and document decoders (most others license those components)…" -- Burton Group

"The product … its federal customers, including those in sensitive military environments, back up its claims of technical differentiation." -- The 451 Group

Thank You For Your Time! Let Us Know If You Have Any Questions.
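The three trigger lists on the policy engine slides give the vocabulary of a rule but not how a rule combines them. The Python below is an added example written for this page (not Fidelis code, and not how XPS is implemented): it models Policy = ordered group of rules and Rule = logical AND of Content, Location and Channel triggers, then runs that policy over constructed sessions shaped like examples #1, #2 and #3. The `Session` fields, the Shannon-entropy stand-in for rogue-encryption detection, the standard-port table, and the allowed-country and recognized-partner sets are all assumptions chosen for the example.

```python
import math
import re
from dataclasses import dataclass, field

@dataclass
class Session:  # one decoded session; protocol is decoded from the payload, not the port
    src_ip: str
    dst_ip: str
    dst_country: str        # assumed to come from a GeoIP lookup
    protocol: str
    dst_port: int
    payload: bytes
    attrs: dict = field(default_factory=dict)   # application-specific attributes

# Content triggers: what is in the session.
def content_regex(pattern):
    rx = re.compile(pattern)
    return lambda s: rx.search(s.payload) is not None

def content_keyword_sequence(words, window=40):  # keywords in order, each within `window` bytes
    def check(s):
        text, end = s.payload.lower(), None
        for w in words:
            i = text.find(w.lower(), 0 if end is None else end)
            if i < 0 or (end is not None and i - end > window):
                return False
            end = i + len(w)
        return True
    return check

def content_encrypted(min_bits=7.5, min_len=64):  # rogue encryption: entropy near 8 bits/byte
    def check(s):          # assumption: entropy stands in for the product's file-type decoders
        n = len(s.payload)
        if n < min_len:
            return False
        counts = [0] * 256
        for b in s.payload:
            counts[b] += 1
        return -sum(c / n * math.log2(c / n) for c in counts if c) >= min_bits
    return check

# Location trigger: who is talking to whom.
def location_dst_country_not_in(allowed):
    return lambda s: s.dst_country not in allowed

# Channel triggers: how the information flows.
STANDARD_PORTS = {"ssh": {22}, "ftp": {21}, "smtp": {25, 587}, "http": {80}}

def channel_protocol(name):
    return lambda s: s.protocol == name
def channel_port_hopping():  # decoded protocol not on its standard port: port hopping / tunneling
    return lambda s: s.dst_port not in STANDARD_PORTS.get(s.protocol, {s.dst_port})
def channel_attr_not_in(key, allowed):
    return lambda s: key in s.attrs and s.attrs[key] not in allowed

@dataclass
class Rule:  # logical AND of triggers: that combination is the "context"
    name: str
    triggers: list
    action: str = "prevent"
    def matches(self, s):
        return all(t(s) for t in self.triggers)

@dataclass
class Policy:  # ordered group of rules; first match wins
    name: str
    rules: list
    def evaluate(self, s):
        for r in self.rules:
            if r.matches(s):
                return r.action, r.name
        return None   # no rule matched: allow

# Hypothetical deployment facts: allowed destination countries, recognized partner domains.
ALLOWED_COUNTRIES = {"US", "CA", "GB"}
RECOGNIZED_PARTNERS = {"agency.example", "prime.example"}

POLICY = Policy("agency-sensitive-info", [
    Rule("ssn-over-ftp", [channel_protocol("ftp"),
                          content_regex(rb"\b\d{3}-\d{2}-\d{4}\b")]),
    Rule("tunnel-to-rogue-country", [channel_port_hopping(), content_encrypted(),
                                     location_dst_country_not_in(ALLOWED_COUNTRIES)]),
    Rule("contract-data-to-unknown-partner", [channel_protocol("smtp"),
         channel_attr_not_in("recipient_domain", RECOGNIZED_PARTNERS),
         content_keyword_sequence([b"contract", b"award", b"amount"])], action="alert"),
])

# Constructed sessions modelled on examples #2, #3 and #1 above, plus a benign one.
SESSIONS = {
    "ex2_ftp_exfil": Session("10.1.2.3", "203.0.113.9", "US", "ftp", 21,
                             b"roster: Jane Doe 123-45-6789\n"),
    "ex3_ssh_keylogger": Session("10.1.2.4", "198.51.100.7", "XX", "ssh", 4443,
                                 bytes(range(256)) * 2),  # uniform bytes: 8.0 bits/byte
    "ex1_mail_to_contractor": Session("10.1.2.5", "203.0.113.25", "US", "smtp", 25,
        b"Per our call, the contract award amount is attached.",
        {"recipient_domain": "newtongovsol.com"}),
    "benign_web": Session("10.1.2.6", "203.0.113.80", "US", "http", 80, b"GET / HTTP/1.1\r\n"),
}

def evaluate_all(policy=POLICY, sessions=SESSIONS):
    """Map each session name to its verdict: (action, rule name) or None."""
    return {name: policy.evaluate(s) for name, s in sessions.items()}
```

Because `protocol` is taken from the decoded payload rather than the port, the example #3 session is still recognized as SSH on port 4443, which is what makes the port-hopping trigger fire; combined with the high-entropy payload and the non-allowed destination country it reproduces the three checks in that slide's response. The `recipient_domain` trigger is the "list of recognized partners for communications" response from examples #5 and #6 expressed as a Channel trigger on an application attribute.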
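Exact File Matching and Partial Document Matching sit side by side in the content analyzer list, but they behave very differently once a document is edited or only an excerpt is pasted into a message. The following Python is an added example, mine rather than the product's, that contrasts the two on a constructed document: exact matching is a whole-file hash, and partial matching is modelled here as a set of hashed five-word shingles, one common construction that the slides do not describe and that is an assumption of this example.

```python
import hashlib
import re

def tokens(text):
    """Normalise to lowercase words so punctuation and line breaks do not matter."""
    return re.findall(r"[a-z0-9]+", text.lower())

def shingle_hashes(text, k=5):
    """Hashed k-word shingles. Registering only the hashes means the appliance
    holds a fingerprint of the secret document, not the document itself."""
    t = tokens(text)
    return {hashlib.sha256(" ".join(t[i:i + k]).encode()).hexdigest()[:16]
            for i in range(len(t) - k + 1)}

def exact_match(data: bytes, registered_digest: str) -> bool:
    """Exact File Matching: whole-file hash. Any edit at all defeats it."""
    return hashlib.sha256(data).hexdigest() == registered_digest

def partial_match_score(candidate: str, fingerprint: set, k=5) -> float:
    """Partial Document Matching: fraction of the candidate's shingles that are
    in the registered fingerprint (0.0 when the candidate is shorter than k words)."""
    sh = shingle_hashes(candidate, k)
    return len(sh & fingerprint) / len(sh) if sh else 0.0

def classify(candidate, fingerprint, threshold=0.3):
    return "prevent" if partial_match_score(candidate, fingerprint) >= threshold else "allow"

# Constructed sample documents (not real data).
SENSITIVE_DOC = """Project Redwood acquisition plan. The board intends to acquire Acme
Widgets for 420 million dollars in the third quarter. Financing will come from a
private placement arranged by Northwind Capital. Due diligence is being led by the
corporate development team and must finish before the September board meeting.
Disclosure outside the deal team is prohibited until the announcement."""

# Two sentences pasted into a webmail message, with a word added at the front.
LEAKED_EXCERPT = ("FYI the board intends to acquire Acme Widgets for 420 million dollars "
                  "in the third quarter, financing will come from a private placement "
                  "arranged by Northwind Capital.")

BENIGN_TEXT = ("The quarterly all-hands meeting has moved to Thursday; lunch will be "
               "provided in the main cafeteria for everyone attending.")

FINGERPRINT = shingle_hashes(SENSITIVE_DOC)
REGISTERED_DIGEST = hashlib.sha256(SENSITIVE_DOC.encode()).hexdigest()

def demo():
    """Run both analyzers over the unchanged file, a one-character edit, an
    excerpt and unrelated text; returns the scores and verdicts."""
    edited = SENSITIVE_DOC.replace("420", "425").encode()   # single-character edit
    return {
        "exact_unchanged": exact_match(SENSITIVE_DOC.encode(), REGISTERED_DIGEST),
        "exact_after_edit": exact_match(edited, REGISTERED_DIGEST),
        "partial_after_edit": partial_match_score(edited.decode(), FINGERPRINT),
        "partial_excerpt": partial_match_score(LEAKED_EXCERPT, FINGERPRINT),
        "partial_benign": partial_match_score(BENIGN_TEXT, FINGERPRINT),
        "excerpt_verdict": classify(LEAKED_EXCERPT, FINGERPRINT),
        "benign_verdict": classify(BENIGN_TEXT, FINGERPRINT),
    }
```

Changing one digit in the document breaks the exact match while leaving about 90% of the shingles intact, and the two-sentence excerpt still scores above 0.9 because every shingle except the one containing the added word "FYI" is in the fingerprint; the threshold is the knob that trades false positives (short common phrases) against evasion by heavier rewording.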