Having your cake and eating it too!
Deploying DLP services in a Next Generation Firewall Environment
About me …
I have been doing Information Security for a really, really long time …
I have had the ‘opportunity’ to do many different facets of Information Security
Firewall Design, Implementation, Configuration
Network Design, Implementation, Configuration
PKI ..
DLP ..
Pentesting and lots of different crazy things ..
What is DLP (Data Loss Prevention)?
Data Loss Prevention is a system that is designed to detect potential data breach / data exfiltration transmissions and prevent them by monitoring, detecting and blocking sensitive data while in-use (endpoint actions), in-motion (network traffic), and at-rest (data storage). - Wikipedia
Our focus will be specific to Data In-Motion
Data at Rest is comparatively easy to work with: it is either there or it is not
DLP at its core is a simple yes/no decision
What type of Data would we look for?
PII (Personally Identifiable Information)
PCI (Payment Card Information)
PHI (Patient Health Information - HIPAA)
Sexy Talk (unofficial for P0RN0GRAPHY)
Terrorists
Money Launderers
Investigations
Where can your imagination lead you?
So what should we inspect with DLP?
SMTP (TCP Port 25)
The easiest protocol to inspect with DLP while in transit.
Users expect some delay/latency
Presents a great deal of options for automation
Inspect and Allow; Inspect and Block; Inspect and Encrypt
HTTP (TCP Port 80)
The next easiest protocol to inspect
Users have a higher expectation of speed
Presents two options for automation
Inspect and Allow; Inspect and Block
So what should we inspect with DLP?
HTTPS (TCP Port 443)
The most difficult protocol to inspect
Users have a higher expectation of speed
Presents two options for automation
Inspect and Allow; Inspect and Block
Everything Else (FTP, DNS, IRC, Custom Apps)
These can be tricky
User experience expectations will vary
Presents two options for automation
Inspect and Allow; Inspect and Block; Inspect and Encrypt
So what causes headaches with DLP?
ENCRYPTION!
The overhead associated with encryption is a nightmare
How can you read anything if it is encrypted?
How can we decrypt traffic, inspect it, re-package the traffic, then forward it along - while doing it in a timely fashion?
Encryption changes everything!
Traffic Analysis
2011: Less than 20% of the traffic was SSL
2013: Edward Snowden releases classified data
2014: Almost 70% of the traffic was SSL
Over the same period, internet bandwidth became less expensive and more robust.
Encryption is Expensive!
ENCRYPTION is a pain
The overhead associated with encryption is cumbersome.
Whatever your normal throughput is for HTTP, quadruple it! Hardware can kill your budget quickly.
Users have high expectations of their web surfing experience.
Performing a Man-in-the-Middle interception is costly in hardware resources and in time.
The trick to managing DLP and encryption is ….
HORSEPOWER!!!
Encryption Options
ENCRYPTION can also be stripped out and viewed within your Palo Alto Firewall
This is (or was) a free license change to get free SSL decryption and a cleartext stream from Palo Alto to your DLP system.
It functions almost like a SPAN port (it is not ICAP!)
Contact your Sales Rep for more details
Key things to remember:
The stream is read-only; the SSL session cannot be blocked or dropped
Additionally, malware and virus activity will not be stopped just because a copy of the contents was dumped to DLP
©2015, Palo Alto Networks. Confidential and Proprietary.
URL Filtering
If you are using a proxy server …
This may make it easier to work with your PAC file and your URL Filtering in one place
If you are using a Next Gen Firewall …
Just manage it within the firewall
If you have access to both, (my preference)
I will perform standard URL filtering, along with PAC file management, on the proxy server
I will use the next gen firewall to perform URL whitelisting to places like Microsoft, my vendors, specific industry resources .. ask yourself why this may be advantageous to you.
URL Filtering continued …
Remember DLP filtering is similar to URL filtering
I am only interested in specific, targeted events ..
There is not enough time to look at all traffic
Work with business units to target the ‘good stuff’
Key Things to Remember about URL Filtering
HTTP: Filter by Domains
HTTPS: Filter by IP addresses
Avoid liabilities
Using URL filtering, exclude at a minimum the following groups:
Financial URLs
Retail URLs
Exclude things that will make your DLP a hacking target!
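As an added example (not code from this deck or from any vendor product), the Python sketch below puts together the per-protocol action options from the "So what should we inspect with DLP?" slides and the URL-filter exclusions above: it classifies a message body for PII (an SSN pattern) and PCI (card numbers validated with the Luhn checksum to keep false positives down), skips destinations in the excluded financial/retail groups, and returns Allow, Block or Encrypt. The exclusion domains and sample messages are constructed, not real traffic.

```python
import re

# Constructed stand-ins for the "Financial URLs" / "Retail URLs" groups the
# slides say to exclude; a real deployment would feed these from the URL filter.
EXCLUDED_DOMAINS = {"bank.example", "shop.example"}

# SSN shape (invalid area/group/serial ruled out) and 13-19 digit card numbers.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits):
    """Luhn checksum: rejects about nine of ten random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(body):
    """Return the data classes (PII, PCI) found in one message body."""
    hits = set()
    if SSN_RE.search(body):
        hits.add("PII")
    for m in PAN_RE.finditer(body):
        # A bare regex hit is a false-positive factory; require a valid checksum.
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            hits.add("PCI")
            break
    return hits

def decide(protocol, destination, body):
    """Map findings to the per-protocol actions the slides list."""
    if destination.lower() in EXCLUDED_DOMAINS:
        return ("ALLOW", [], "destination excluded from inspection")
    hits = sorted(classify(body))
    if not hits:
        return ("ALLOW", hits, "no sensitive data found")
    if protocol == "SMTP":
        return ("ENCRYPT", hits, "SMTP: inspect and encrypt")
    return ("BLOCK", hits, "HTTP/HTTPS: inspect and block")

if __name__ == "__main__":
    # Constructed sample messages, not captured traffic.
    for sample in [("SMTP", "partner.example", "Claimant SSN 123-45-6789"),
                   ("HTTP", "paste.example", "card 4111 1111 1111 1111"),
                   ("HTTPS", "shop.example", "card 4111-1111-1111-1111"),
                   ("HTTP", "forum.example", "ref 1234567890123456")]:
        print(sample[0], sample[1], decide(*sample))
```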
Making the DLP implementation successful …
Factors for Success:
Evaluate the culture of the company
Is the URL filtering policy liberal or strict?
Are employees used to fast internet access?
Employee age group: millennials, gen-x, baby boomers
Get Buy-In
Senior Management, Legal, HR
Educate employees, if publicly known
Identify Bad Processes
Go after the largest offenders (5+, 20+, 100+)
Go after habitual offenders (10/20/50/100/week)
Show Metrics
Detail your progress and reduction of violations
Making the DLP implementation successful cont.
Factors for Success:
Workflow
Evaluate your workflow: how do you plan to handle Data Loss Incidents?
The easy part is setting up the infrastructure (believe it or not)
The hard part is working with staff to manage a DLP workflow to evaluate data loss incidents, work with the business to correct broken processes, and investigate possible breach/data loss issues within an organization.
Practice a methodology that is constantly improving
PEMC: Plan, Execute, Measure, Correct
Pitfalls are everywhere …
Pitfalls happen when and where you least expect them
Legal and Social Troubles
It is critical to understand basic evidence handling
Know how you will handle types of incidents in advance
Once your process is vetted, stick to it
Small network changes can lead to big problems
Lost Taps/Diminished Feeds
Architecture changes can drop feeds
False Positives
Tweak and re-tweak your FPs (false positives); expose faulty assumptions
Politics
Sometimes you will snare a lion
Make sure that your CISO/Director has teeth to fight for you
Budgeting for DLP
Most Common Items
Hardware
Firewalls
Mail Gateways
Proxies
Server Hardware
Network Taps
Software
Software License
Support Software
Staff
Estimate at least one person starting day one (mid-size organization)
Over time, the workload will stabilize, but expect a surge of findings in the beginning
Contact Info
Yes, you can contact me, but …
Remember, I have a life too (at least I try)
Do not make the mistake of thinking that I have the time to do free consulting, I don’t
You have a quick question, send it over, but if you are in a time crunch, call your SE, Support Line, Clergy Member.
Twitter @fatherofmaddog
If you are offended easily, please don’t follow me
www.linkedin.com/in/therealfatherofmaddog