Wednesday, March 9, 2011

DLP is the next Silver Bullet

I think I really do not need to explain what DLP is, unless you have been disconnected for many years.

I was astonished when I first read this post from the Internet Storm Center. The post describes a setup of Snort running in  a bridge and inspecting the traffic between the Corporate Network and the border router (fair enough).


Then, the following rule is used as an example to catch a possible data ex-filtration.

alert ip 192.168.1.0/24 any -> any any (msg:”Data Loss from inside the network”; content:"Company X - Confidential"; rev:1)

I am not an expert in security and you do not have to trust my words, but I think that deploying a device in front of the border router and with this kind of signatures, is only going to catch the more Naive users.

A skilled attacker will encode/encrypt/partition the data and 'act' like a normal user in order to bypass this kind of rules. Therefore,  we are just having a false sense of security.

I think, the only way to detect a skilled attacker is by knowing your network and applying the ideas explained in  this book  from Richard BejtlichExtrusion Detection: Security Monitoring for Internal Intrusions

No comments:

Post a Comment