Can we use DLP against outside attack that is responsible for data leakage?
Is anybody using DLP for that? or anybody have experience of incident?
DLP main function and focus is on Intranet security.
Symantec has other solutions for requests for this. (SEP for example)
What kind of outside attack is being referred by you?
As you might know the different modules of DLP, i.e.
- DLP for endpoints- which is for endpoint desktop/laptop.
- DLP for network ie. email, web... (data in motion)
- DLP for storage (data at rest)...used for file server, NAS etc.
So, this is more about data loss or leak from inside to outside- knowingly or unknowingly.
Outside attack and theft of data should be dealt with the help of perimeter security like IPS, firewall, access control etc.
Hope this clarifies.
Let me know if you have further queries.
Hi MacBrinky and A R
You both are right but..........
If case like zero day attack, and it bypass the firewall, IPS and even SEP and if main task of that thread is to DATA leakage through FTP,SMTP,HTTP……..in that case DLP should protect that data from leakage.
Anybody have experience of same incidents or anybody has configured DLP for such incidents.
Hi Pravin ,
This is regarding ur doubt for outside attack like Zero day attack.As u might knows that ther is always possibility of attck from intenal to external and vice versa since no can provide 100% security its just matter of reduction and proactively resist.
As ur query on Zero day attack, Nowdays most of Endpoint & IDPS are not just signature based, they are also monitoring each applications and thread activity which is working on host & network w.r.t. use of resources(memory & CPU) and self learning the normal behaviour of host & network to generate alert if any abnormal or sucpecious activity found(See). still i say ther is always space for 1% security risk.
Hope u will convince with my views.
thanks & regards
You are also right........
I am speaking on that 1%.
Have you observed this kind of incidents in your organization?
Referring to your post above, I am assuming that DLP itself is not comprosied.
Attacker has managed to break all perimeter security and now wishes to leak the data through FTP, SMTP, HTTP etc. Now, since DLP is not compromised, it will stop FTP, SMTP, HTTPS with DLP for web module. SMTP will be stopped through Network prevent for email.
Therefore, DLP will definately stop data loss.
Hope this clarifies!
Yes and No, if the attacker has managed to break into your network and is on one of your servers or workstations;
Yes - if they send it out unencrypted via FTP, HTTP or SMTP your DLP system(s) can detect it. You can detect in HTTPS "if" you have SSL intercept deployed on your network for HTTPS and you are using ICAP to send it to the DLP Prevent. The DLP Web Prevent does NOT do the required SSL intercept by itself.
No - if the attacker encrypts the data and sends it out via SMTP, FTP, HTTP you will not detect it
You can enhance your protecttion using proper ACL's / FW Policies / VLAN's / etc to restrict ports and protocols available for an intruder to utilize. For high value systems you should utilize jumpboxes for inbound user access to the secured enclave in which they reside.