“DLP-ing” In The Dark

Category: Firewall

There is this story about an old man who saw a boy looking down at the ground while circling under a lone street light on a dark street. The old man asked the child “what happened?” and the child replied “I lost a coin and I am looking for it”. The old man joined the child in looking for the coin and after quite a while of not finding a coin asked the child “where have you lost the coin?” to which the child answered “over there” pointing into the dark. “So why are you looking for the coin here?” asked the old man, and the child answered “because it’s dark over there.”

Why am I telling you this story? Because it pops into my head every time I hear about network-based DLP (data loss prevention). Where does this odd association come from, you ask? I think it is because today’s DLP solutions look for the problem where the light is rather than where the problem is. Virtually all existing network DLP solutions look for data leakage in email traffic (SMTP), instant messaging (IM) and unencrypted Web browsing. That’s where the light is… The real data leakage problem isn’t there, but that does not bother DLP vendors such as Symantec and Websense. They assume that their customers are like the child in my story. However, given the small size of the DLP market, which indicates that almost no one is buying their solutions, that assumption is probably wrong.

Okay… I know. I still need to explain why data leakage is not where the light is. Before that, let me tell you another story. This time, a real one. Two years ago my company started signing up resellers in the U.S., so instead of paying lawyers to draft an agreement, we called a sales guy we knew at another company and asked for his reseller agreement. It just so happened that he was working for a DLP company, so he said “I cannot email you the document because our product will stop it, but if you add me as your MSN Messenger buddy I will get you the document right away”, which he did.

My point in this story? Looking for data leaks in email, IM and web traffic is easy, but it does not even begin to solve the problem. These are just a few of the hundreds of applications capable of transferring files: peer-to-peer applications, Skype, online backup services and Gmail, to name a few. There are many examples of organizations losing data through peer-to-peer networks, such as Walter Reed and the Tokyo Police department.

Symantec claims they can scan all TCP traffic. I’m not buying it. They do not decrypt all SSL traffic, cannot look into encrypted peer-to-peer traffic, cannot look inside tunneling applications such as Ultrasurf, cannot see into online backup solutions that encrypt the data, cannot control Skype, and so on. I expect a good DLP solution to detect data leakage in all traffic, encrypted or not, whatever application is used to transfer the data. And if the DLP solution cannot look into the data because of, for example, custom encryption, it needs to block that traffic. Anything less makes it too easy to bypass the security controls, whether intentionally or unintentionally.
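The inspect-or-block rule described above, as an added example that is not from the original post: a small Python triage function for a network choke point that hands cleartext SMTP/HTTP to content scanning, routes TLS to SSL inspection when that is deployed, and blocks flows whose payload it cannot read (TLS with no decryption in place, or an unknown application whose bytes look like ciphertext). The protocol markers, entropy threshold and sample flows are constructed assumptions, not any vendor's logic.

```python
"""Inspect-or-block triage for a network DLP choke point (added illustration)."""
import math
from collections import Counter

ENTROPY_BLOCK_THRESHOLD = 7.0   # bits/byte; assumed cut-off between text and ciphertext
MIN_SAMPLE = 64                 # bytes needed before trusting the entropy estimate

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the empirical byte distribution (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def classify_flow(dst_port: int, payload: bytes, tls_decryptable: bool = False) -> tuple:
    """Decide what the DLP choke point does with a flow's first payload bytes.

    Returns (action, reason): 'inspect' = scan the content, 'decrypt' = hand to
    SSL inspection and then scan, 'block' = content cannot be read, so drop it.
    """
    # TLS record header: ContentType=handshake (0x16), major version 3.
    if payload[:2] == b"\x16\x03":
        if tls_decryptable:
            return ("decrypt", "TLS handshake, SSL inspection available")
        return ("block", "TLS without SSL inspection")
    # Cleartext protocols the content scanner understands: SMTP and HTTP.
    head = payload[:8].upper()
    if dst_port == 25 and head.startswith((b"EHLO", b"HELO")):
        return ("inspect", "cleartext SMTP")
    if head.split(b" ")[0] in (b"GET", b"POST", b"PUT", b"HEAD"):
        return ("inspect", "cleartext HTTP")
    # Unknown application: decide by how random the bytes look.
    if len(payload) < MIN_SAMPLE:
        return ("inspect", "sample too short, keep scanning")
    ent = shannon_entropy(payload)
    if ent >= ENTROPY_BLOCK_THRESHOLD:
        return ("block", "opaque payload, entropy %.2f bits/byte" % ent)
    return ("inspect", "cleartext-looking payload, entropy %.2f bits/byte" % ent)

# Constructed sample flows, not real captures. The last one is a maximum-entropy
# stand-in for an encrypted peer-to-peer or custom-crypto backup stream.
SAMPLE_FLOWS = {
    "smtp": (25, b"EHLO mail.example.com\r\nMAIL FROM:<alice@example.com>\r\n"),
    "https": (443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + bytes(32)),
    "custom_crypto": (6881, bytes(range(256)) * 4),
}

if __name__ == "__main__":
    for name, (port, data) in SAMPLE_FLOWS.items():
        print(name, classify_flow(port, data, tls_decryptable=False))
```

Run as-is it prints the decision for each sample flow; the same function is meant to be fed the first packet of each new flow at the choke point.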


1 Reader Comment

  1. The challenge in protecting confidential data or IP is ensuring only authorised people have access to this data in the first place. However, what should be done and what is are realities of the business world. DLP is not just about being able to see into all the applications, as this is even limited in its scope, but to educate users on their responsibility to handle data. Technology is only a component of DLP to police data movement.
