I have to agree with Allen on this. You need to have a good test plan but I also think you have to remember that DLP is no security silver bullet. It will not cure cancer but it can stop a lot of things. You just need to test to find out what it does stop and what it doesn't and find another product/solution to protect against that threat.
As other people have mentioned, Vontu will not stop your user booting into a liveCD and grabbing the files, but that's why you would want Whole Disk Encryption.

Cheers
Duncan

2009/10/23 <[email protected]>

> I’m usually pretty “good” at picking up sarcasm but I’m fairly sure that was the actual suggestion.
>
> I can see the logic behind just testing for accidental DLP, most infosec pros know better than to trust some DLP black box solution to stop a really determined attacker/corporate spy. If you’re looking to do checkbox security, deploy and forget is a completely valid approach to DLP. For the sake of staying on topic I won’t delve into that philosophical minefield.
>
> I will however indulge in some product testing philosophy. As a professional your test plan needs to demonstrate both the product’s strength and its weaknesses. A test plan should be fair and methodical, use an objective scoring system, sidebar opinions and follow a written test plan. Don’t include assumptions or opinions about a product or technology, you’re just there to test what works and what doesn’t.
>
> For DLP you don’t just want to test if it can see a random SSN in a plain text email. Don’t forget about the “clever” user who will password protect a zip or excel sheet to make it “secure”, change file extensions or screen shot customer data in your billing system. If someone uses PGP in a year to push the client list out of your company, you won’t regret documenting that a product cannot protect against that. When testing a product, what’s not included in the test plan is much more likely to haunt you later.
>
> If you’re a security decision maker, then the game changes. You need to really assess how this product fits into your overall security strategy, how much of what this product offers can be done with another product in house? Most anti-spam solutions should have quite a few useful features to leverage. Once you have that list of missing features, now find that TCO and THEN assess the decision from a business health perspective.
>
> When you’re looking for long term health and real security, "only test the product in the vendor’s provided scope" ends up costing both you and your employer in the long run.
>
> -- Allen
>
> On Thu, 22 Oct 2009 17:34:19 -0400 [email protected] wrote:
> > I am notoriously bad at picking up on sarcasm over email, especially lacking the appropriate <sarcasm> tag, but are you seriously suggesting tailoring the testing to only highlight the features that you know work? I can understand wanting to demonstrate what would get caught, but the real value of testing this system is to find out where the weaknesses exist so that appropriate controls can be added to reduce those risks. The testing methodology should be expansive enough to use as education for the idiots.
> >
> > On Oct 22, 2009 2:14pm, Chris Merkel <[email protected]> wrote:
> >> I agree with Ron - DLP is an "idiot screen" and is useful for little more. Therefore, your testing methodology should be to emulate idiots and nothing more. (and educate any idiot who thinks it will solve your leakage issues.)
> >>
> >> On 10/22/09, xgermx <[email protected]> wrote:
> >> > Create a small TrueCrypt container, copy sensitive files to container, copy container to usb or email container.
> >> >
> >> > On Thu, Oct 22, 2009 at 10:38 AM, Brian Schultz <[email protected]> wrote:
> >> >
> >> >> Our security department is testing out Symantec's Vontu and I am playing the guinea pig and have to try and get documents out of our company's environment. I have a really basic understanding of how it works. It has a span port sitting and listening to all outgoing web traffic and there is also an agent that sits on desktops and watches to see if any sensitive information leaves via USB drive or e-mail.
> >> >>
> >> >> Does anyone have any whitepapers or info regarding how it actually works or any tactics I should try?
> >> >>
> >> >> _______________________________________________
> >> >> Pauldotcom mailing list
> >> >> [email protected]
> >> >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> >> >> Main Web Site: http://pauldotcom.com
> >>
> >> --
> >> Sent from my mobile device
> >>
> >> - Chris Merkel
