I’ve had a few queries regarding the SANS Data Leak Prevention & Encryption Summit I’ll be keynoting next month. The questions have revolved around DLP in general, so I thought I would give a run down on the technology.

What is DLP?

DLP stands for “Data Leak Prevention” or “Data Loss Prevention”, depending on which vendor you are talking to. There are a few other names currently being bounced around (gotta love marketing people trying to make their stuff look newer and cooler ), but they are effectively the same technology. DLP attempts to log, or possibly prohibit, the transfer of sensitive information from a secure location to an insecure location.

Sensitive information usually includes data like credit card numbers or social security numbers. Most will also give you the ability to define phrases or specific files as sensitive as well. Of course how much customization you get depends on the product, but these features are pretty standard. The big difference tends to be with the ease of policy creation. Some let you use a simple, natural language while others may require you to learn a Regex type of expression language to create policies and write filters.

Think of DLP devices as intrusion detection systems for specific keywords and you’ll get the idea. In fact some established NIDS and NIPS vendors are now touting their DLP capabilities as well. You also have a number of startups that are focused specifically on the DLP market.

How does DLP work?

Currently there are three different methods of DLP deployment:

• On the wire
• On the server
• On the desktop

Some vendors support a single method of deployment while others support all three. There are strengths and weaknesses to each, which I will cover later in this FAQ.

How much does DLP cost?

Since it’s a new technology, prices are all over the board. A medium size company (50-500 nodes) can expect to pay anywhere from $30,000 to $200,000 US. These devices are by no means plug and play, so a portion of the cost includes configuring the device and customizing it for the specific environment. You should also expect a bit of lead-time in getting the device(s) deployed properly.

What are the problems with DLP?

Probably the biggest problem with DLP technology is that it can easily be defeated. It is really designed to prevent accidental data leakage, rather than a true attack. You should consider DLP an enhancement to your existing security posture, not a replacement for any previously deployed technology.

For example, deploying DLP on the wire is probably the fastest and most effective deployment. The problem is it can easily be defeated by encryption. So if I encrypt a sensitive file prior to transmission, or leverage a VPN technology (see items 5 and 4 on my Top 5 Firewall Threats) post, the network based DLP will be unable to see the passing information.

Some DLP devices can give you limited ability to work around the encryption problem. For example Fedelis will integrate with a number of proxy products to check passing HTTPS. You have to purchase a supported product however and configure it specifically to prevent end-to-end encryption of HTTPS (the proxy breaks the encrypted stream so payload can be analyzed). Even then you’ve only solved the problem over HTTPS. Encrypted data through other ports will still be an issue. Or an attacker could encrypt the file locally and then transmit via HTTPS because all the proxy can strip away is the SSL encryption.

Deploying DLP on the desktop solves some of these problems, but not all of them. For example the desktop agents I’ve looked at do a pretty good job of preventing me from transferring a sensitive file via the Internet or to a local USB drive. If you run an agent based DLP, try this:

1. Open a sensitive file
2. Create a screen capture of sensitive info (CTRL-ALT-Print screen)
3. Open Windows Paint and press CTRL-V
4. Save the file as a GIF or JPG
5. Copy to a USB drive or transfer via the Internet

If your results are similar to mine, you’ll find this very simple trick fools the agent into letting the data pass by. If you wanted to get really slick, you could add a bit of Steganography.

Exec Summary

DLP is a powerful technology that can help prevent the release of sensitive information. Currently it is better suited for preventing against accidental data leakage rather than a determined attacker. If the release of sensitive data is a serious concern, you may need to rework your current architecture in order to close the holes DLP cannot defend.