As others have stated, the only way a DLP tool can be reasonably effective is when it is one part of the overall solution. Whole disk encryption and not allowing users to install unauthorized applications would thwart better than half of the suggestions. I am not too familiar with Vontu, but from the little work I have done with the Websense product, on the client end you can prohibit copy/paste/print operations of 'protected' data, which knocks out a couple of others. You will never stop readers of security lists from bypassing DLP and other security, but with comprehensive policies and a thoughtful deployment you will be able to accomplish the main goal, which is making it much harder for good people to make honest mistakes.
From: [email protected] [mailto:[email protected]] On Behalf Of Duncan Alderson
Sent: Friday, October 23, 2009 5:38 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Bypassing Vontu

I have to agree with Allen on this. You need to have a good test plan, but I also think you have to remember that DLP is no security silver bullet. It will not cure cancer, but it can stop a lot of things. You just need to test to find out what it does stop and what it doesn't, and find another product/solution to protect against that threat. As other people have mentioned, Vontu will not stop your user booting into a liveCD and grabbing the files, but that's why you would want Whole Disk Encryption.

Cheers
Duncan

2009/10/23 <[email protected]>

I'm usually pretty "good" at picking up sarcasm, but I'm fairly sure that was the actual suggestion. I can see the logic behind just testing for accidental DLP; most infosec pros know better than to trust some DLP black box solution to stop a really determined attacker/corporate spy. If you're looking to do checkbox security, deploy and forget is a completely valid approach to DLP. For the sake of staying on topic I won't delve into that philosophical minefield.

I will however indulge in some product testing philosophy. As a professional, your test plan needs to demonstrate both a product's strengths and its weaknesses. A test plan should be fair and methodical, use an objective scoring system, sidebar opinions and follow a written test plan. Don't include assumptions or opinions about a product or technology; you're just there to test what works and what doesn't. For DLP you don't just want to test if it can see a random SSN in a plain text email. Don't forget about the "clever" user who will password protect a zip or Excel sheet to make it "secure", change file extensions or screenshot customer data in your billing system.

If someone uses PGP in a year to push the client list out of your company, you won't regret documenting that a product cannot protect against that. When testing a product, what's not included in the test plan is much more likely to haunt you later.

If you're a security decision maker, then the game changes. You need to really assess how this product fits into your overall security strategy: how much of what this product offers can be done with another product in house? Most anti-spam solutions should have quite a few useful features to leverage. Once you have that list of missing features, now find the TCO and THEN assess the decision from a business health perspective. When you're looking for long term health and real security, "only test the product in the vendor's provided scope" ends up costing both you and your employer in the long run.

--
Allen

On Thu, 22 Oct 2009 17:34:19 -0400 [email protected] wrote:
> I am notoriously bad at picking up on sarcasm over email, especially lacking the appropriate <sarcasm> tag, but are you seriously suggesting tailoring the testing to only highlight the features that you know work? I can understand wanting to demonstrate what would get caught, but the real value of testing this system is to find out where the weaknesses exist so that appropriate controls can be added to reduce those risks. The testing methodology should be expansive enough to use as education for the idiots.
>
> On Oct 22, 2009 2:14pm, Chris Merkel <[email protected]> wrote:
>> I agree with Ron - DLP is an "idiot screen" and is useful for little more. Therefore, your testing methodology should be to emulate idiots and nothing more. (and educate any idiot who thinks it will solve your leakage issues.)
>>
>> On 10/22/09, xgermx <[email protected]> wrote:
>>> Create a small TrueCrypt container, copy sensitive files to container, copy container to usb or email container.
>>>
>>> On Thu, Oct 22, 2009 at 10:38 AM, Brian Schultz <[email protected]> wrote:
>>>> Our security department is testing out Symantec's Vontu and I am playing the guinea pig and have to try and get documents out of our company's environment. I have a really basic understanding of how it works. It has a span port sitting and listening to all outgoing web traffic and there is also an agent that sits on desktops and watches to see if any sensitive information leaves via USB drive or e-mail.
>>>>
>>>> Does anyone have any whitepapers or info regarding how it actually works or any tactics I should try?
>>>>
>>>> _______________________________________________
>>>> Pauldotcom mailing list
>>>> [email protected]
>>>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>>> Main Web Site: http://pauldotcom.com
>>
>> --
>> Sent from my mobile device
>>
>> - Chris Merkel
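The test-plan items Allen lists (a plain-text SSN, a password-protected zip, a renamed file, an opaque encrypted container, a screenshot) map onto a handful of content checks that a tester can run over sample files and record against the product's policies. The script below is an added illustration for this thread; it is not code from the list, from Vontu or from Websense. Everything in it is an assumption made for the example: the sample files, the SSN regular expression, the magic-byte table, the 7.5 bits/byte entropy cutoff, and the "password-protected" zip, which is simulated by setting the encryption flag bit on a stored entry because the standard library cannot write encrypted archives.

```python
import io
import math
import random
import re
import struct
import zipfile
from collections import Counter

# Dashed US SSN; lookaheads drop area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# (magic bytes, detected kind, extensions that legitimately carry that kind)
MAGIC = [
    (b"PK\x03\x04", "zip", {"zip", "docx", "xlsx", "pptx"}),
    (b"%PDF", "pdf", {"pdf"}),
    (b"\x89PNG\r\n\x1a\n", "png", {"png"}),
    (b"\xff\xd8\xff", "jpeg", {"jpg", "jpeg"}),
]
ENTROPY_THRESHOLD = 7.5  # bits/byte; assumed cutoff for "looks encrypted or compressed"


def sniff_type(data: bytes):
    # Identify content by its leading bytes; the file name is not trusted.
    for magic, kind, exts in MAGIC:
        if data.startswith(magic):
            return kind, exts
    return None, set()


def shannon_entropy(data: bytes) -> float:
    # Byte entropy in bits per byte; uniform random data approaches 8.0.
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def encrypted_zip_entries(data: bytes):
    # Entries with general-purpose flag bit 0 set are password protected.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & 0x1]


def inspect(name: str, data: bytes):
    """Return the DLP findings for one file; readable archives are inspected recursively."""
    findings = []
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind, exts = sniff_type(data)
    if kind and ext not in exts:
        findings.append(f"extension_mismatch:{ext or '(none)'}->{kind}")
    if kind == "zip":
        locked = encrypted_zip_entries(data)
        if locked:  # cannot look inside without the password: report it, do not guess
            findings.append("encrypted_zip_entries:" + ",".join(locked))
        else:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    findings += [f"{info.filename}:{f}" for f in inspect(info.filename, zf.read(info))]
    elif kind in ("png", "jpeg"):
        findings.append("image_not_text_inspectable")  # a screenshot needs OCR or manual review
    elif kind is None:
        hits = SSN_RE.findall(data.decode("utf-8", errors="ignore"))
        if hits:
            findings.append(f"ssn_count:{len(hits)}")
        ent = shannon_entropy(data)
        if len(data) >= 512 and ent > ENTROPY_THRESHOLD:
            findings.append(f"opaque_high_entropy:{ent:.2f}")
    return findings


def make_sample_zip(encrypted: bool) -> bytes:
    # Constructed archive holding one CSV; optionally marked as password protected.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("customers.csv", "name,ssn\nAlice,123-45-6789\n")
    data = bytearray(buf.getvalue())
    if encrypted:
        # zipfile cannot write encrypted entries, so set flag bit 0 by hand in the
        # local file header (offset 6) and the central directory record (offset 8).
        lh, cd = data.find(b"PK\x03\x04"), data.find(b"PK\x01\x02")
        data[lh + 6:lh + 8] = data[cd + 8:cd + 10] = struct.pack("<H", 1)
    return bytes(data)


def sample_files():
    # Constructed inputs mirroring the cases named in the thread.
    rng = random.Random(2009)  # seeded so the opaque blob is reproducible
    return {
        "mail.txt": b"Hi, the customer's SSN is 123-45-6789, please process.\n",
        "customers.zip": make_sample_zip(encrypted=False),
        "locked.zip": make_sample_zip(encrypted=True),
        "notes.txt": make_sample_zip(encrypted=False),  # archive renamed to .txt
        "vacation.dat": bytes(rng.getrandbits(8) for _ in range(4096)),  # stands in for an encrypted container
    }


def run():
    # Inspect every sample and return {file name: findings}.
    return {name: inspect(name, data) for name, data in sample_files().items()}


if __name__ == "__main__":
    for name, findings in run().items():
        print(f"{name}: {findings or ['clean']}")
```

Each finding names the check that fired, so a written test plan can record, per sample, which product policy should have triggered and whether it did. The checks that report "encrypted", "opaque" or "not text-inspectable" are the important ones for Allen's point: they mark the cases the tool cannot see into, which belong in the plan as documented limitations rather than being left out of scope.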
