Data Loss Prevention


Time: 4 hours 25 minutes
Difficulty: Intermediate
CEU/CPE: 4
Video Transcription
>> Hi, and welcome to Module 2, Lesson 6.2. In this lesson, we're going to talk about data loss prevention, otherwise known as DLP. DLP simply uses the data classifications and the markings that we talked about in the previous lesson to create a data protection policy, to put a policy in place that can block user and system access to certain types of data depending on its classification.
As I said, data can be configured to block or monitor. We can actually block a user or system's access to data, or we could simply allow that access to data but monitor it in the background, and this is useful if we create policy, for example, that says you should only interact with data a certain way and it's just a soft policy that we get people to sign in and sign off on. We can create a monitoring component in the background to make sure that people are actually following policy instead of creating a hard block policy.
DLP systems can be inline or agent-based, and we'll talk about a little bit of each of those in a minute.
This is a big one: DLP systems require lots and lots of tuning, as you can imagine. Imagine the amount of data in the environment, the amount of, say, word processing documents, Word documents in an entire organization, and how many times people and systems interact with those Word documents every day. If not done properly, that's going to create a lot of noise. You're going to have a lot of alarms if you don't create those monitoring and blocking mechanisms thoughtfully.
My advice is to start with the most sensitive data. Take your highest-level restricted data and put some policy in place. I would put a monitoring policy in place first to monitor the interaction, to understand what normal looks like, what a normal baseline looks like, identify any anomalies, and ask questions about it if people maybe are interacting with that data in a way they shouldn't at first. Then once you understand what normal looks like, put a blocking mechanism in place against that very restricted data first, and once you get that, move down the chain, go down the hierarchy piece by piece.
DLP functionality. A DLP system can send its policy to local agents on the workstations, and then that policy can be executed as the workstation tries to perform certain tasks, or policy can interact with email systems, with proxies. The DLP system can actually go out there and actively scan file servers and database servers. Maybe you don't know where your restricted data is. You have no idea where it lives because people save data all over the place. Your DLP system, once that classification is in place, can go out and look for certain keywords within documents, or if you have the classification in place already, it can go look for those markings. If not, you can just tell it to go scan the environment for anything that looks like a Social Security number, or a credit card number, or some keyword that you might have as sensitive information within your environment. But your DLP system can go find that data for you so you can create policy around it.
A DLP agent that gets pushed down to the local endpoint. A couple of examples of what an agent on the endpoint can do: let's say we've got a user who tries to copy a Social Security number to a USB drive. That's something that the DLP policy can block. It can identify that as a Social Security number based on the pattern and block it when it tries to get written to a USB drive, or monitor and just let you know that it happened. That same Social Security number sent in an email: as the user is typing and creating the email, it won't get blocked, but when the user tries to send that email, it won't be allowed to leave the local system. That local agent can be in charge of stuff that happens locally on that system as it pertains to data classification.
An example of an inline usage of DLP is with a web proxy. This is probably the most common one. Let's say we've got a user here who's trying to make a request out to the Internet. They've got some data, maybe it's the Social Security number. They have that data and they're trying to submit it to some website out there. They're trying to let sensitive data leave the environment by doing an HTTP PUT, by submitting and entering that data into a form on some website and hitting the Send button or hitting the Submit button; that would be an HTTP PUT request. That PUT request gets to the proxy. The proxy can send it to the DLP system, and DLP can check its policy and say, no, that user is not allowed to send Social Security numbers out of the organization, send that decision back to the proxy, and the proxy can actually block that flow.
But what happens if the user sends an encrypted PUT session? What if that user is trying to exfiltrate data and send data outside the organization, but the session is encrypted? Well, in that case, the proxy is going to still do the same thing. It's going to send the data down to the DLP system. DLP is going to say, I don't know, I can't read it, it's encrypted. It's going to let the proxy know, I have no idea. The proxy is going to say, well, I don't have anything blocking it, I'm going to let it go through. It's critical that if you put a DLP system inline in your web proxy environment, you do some SSL decryption with it.
The way this works is that same session hits the proxy; this time it's going to be decrypted. There's an SSL decryption mechanism on the proxy. It decrypts the session, looks at the data inside, and sends that to the DLP system. The DLP can read that in the clear, and it can make a decision. Let's say this time the decision is to allow it. Maybe it's not a Social Security number this time, but maybe it's sensitive personal information and this is an HR person who needs to put this into the medical system out on the web. Just an example. But let's say this time the policy allows it. DLP is then going to send it back to the proxy, and there's going to be a re-encryption process because if the data gets sent encrypted, it needs to go out the proxy encrypted, and it'll go out in its normal encrypted fashion.
Now, one thing to note about this is that it does cause problems with some websites. The certificates that you have to install to do the SSL encryption and decryption mechanism sometimes cause issues with destination websites because it looks like a man-in-the-middle attack. It looks like someone tampered with the data in flight, which technically we did. There are some things you're going to find if you put DLP inline in a proxy and you do SSL decryption: you'll find that for some websites, some destinations, you're going to have to put a bypass rule in place because that destination just will not accept that traffic because it thinks it's been tampered with.
That wraps up our session on DLP. Next up we're going to talk about IAM.
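Added example, not part of the lesson or the course: a small Python sketch of the pattern-based detection and the monitor-versus-block policy decision the instructor describes, with a Luhn checksum on card-like digit runs so random numbers do not become the noise he warns about. The regexes, the policy table and the sample strings are constructed for illustration.

```python
import re

# Constructed detectors: SSN (9 digits, optional dashes, excludes impossible
# area/group/serial values) and card-like runs of 13-16 digits with separators.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-?(?!00)\d{2}-?(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; a card-shaped run that fails it is treated as not a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> dict:
    """Return {detector: [matches]} for one outbound message or file body."""
    hits = {"ssn": SSN_RE.findall(text), "card": []}
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits["card"].append(m.group())
    return {k: v for k, v in hits.items() if v}


# Constructed policy: start the lower tier in monitor mode and tighten it to
# "block" once the baseline of normal activity is understood.
POLICY = {"ssn": "block", "card": "monitor"}


def evaluate(text: str, policy: dict = POLICY) -> tuple:
    """Decide the action for a flow: block outranks monitor, monitor outranks allow."""
    hits = find_sensitive(text)
    actions = {policy.get(k, "allow") for k in hits}
    if "block" in actions:
        return "block", hits
    if "monitor" in actions:
        return "monitor", hits
    return "allow", hits


if __name__ == "__main__":
    # Constructed sample flows standing in for a proxy's decrypted request bodies.
    for body in ("SSN 123-45-6789 attached", "card 4111 1111 1111 1111 on file",
                 "ref 1234 5678 9012 3456 and order 42"):
        print(evaluate(body))
```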