Deep Content Inspection On All Ports All Protocols Why Is This Critical For Dlp Solutions
Deep Content Inspection on All Ports, All Protocols..?
Why is this critical for Data Leakage Prevention Solutions?
This document is protected under the copyright laws of the United States of America and other countries as an unpublished work. This document contains information that is proprietary and confidential to GTB Technologies Inc., which shall not be disclosed outside the recipient’s organization or duplicated, used or disclosed in whole or in part by the recipient for any purpose other than to evaluate this technology and/or document. Any other use or disclosure in whole or in part of this information without the express written permission of GTB Technologies Inc. is prohibited.
GTB Positioned as a Visionary in the 2011 Magic Quadrant for Content-Aware Data Loss Prevention
Data Security Challenge: Controlling All Outbound Traffic
Is your present firewall, IDS or IPS doing enough? Although some incorporate certain DLP features, these are only effective over a few channels and for limited data types. That is definitely not an ALL Ports, ALL Protocols DLP solution. Analysts estimate that 90% of organizations do not adequately control outbound traffic with their firewall, IPS or IDS.
[Slide diagram: Instant Messaging, Non-Sensitive Data, PII, Port 25, Port 7190, 65,535 ports, Authorized, Unauthorized]
Reality: If your last OUTBOUND firewall rule is not “deny all” or if you open ports without protocol analysis, your firewall is not controlling outbound traffic.
How do we achieve this? Only a Reverse Content-Aware Firewall™ can detect and prevent unauthorized outbound as well as inbound traffic in real time.
[Slide diagram: Firewall, All Protocols]
Data Security Challenge: Controlling All Outbound Traffic
[Slide diagram: Non-Sensitive Data, Any Protected Data, Port 25, ALL Ports]
A true next-generation DLP is one that is capable of accurately detecting or blocking content on ALL 65,535 ports.
[Slide diagram: Authorized, Unauthorized, Content-Aware DLP]
Once a threshold amount of sensitive data is detected, it stops the violating transmission and/or alerts the designated security officer or administrator, whether the transmission is malicious or accidental.
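As an added illustration of the threshold decision described above (example code written for this page, not GTB's product logic), the following Python inspector counts the distinct protected identifiers found in an outbound payload and returns a block verdict once a configurable threshold is reached. The identifier patterns, the Luhn filter used to discard card-like digit runs, the threshold of 3 and the sample payloads are all assumptions made for the example.

```python
import re

# Constructed policy value for the example: block a transmission once it
# carries at least this many distinct protected identifiers.
DEFAULT_THRESHOLD = 3

# Candidate patterns (assumed for the example).
# Card candidates: 13-16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
# US SSN: 3-2-4 digits with dashes, excluding the never-issued prefixes.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; cuts false positives on order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> dict:
    """Return the distinct protected identifiers present in a decoded payload."""
    cards = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            cards.add(digits)
    ssns = set(SSN_RE.findall(text))
    return {"card": cards, "ssn": ssns}


def inspect_transmission(payload: bytes, threshold: int = DEFAULT_THRESHOLD) -> dict:
    """Decide allow/block for one outbound transmission, regardless of port or protocol."""
    text = payload.decode("utf-8", errors="replace")
    hits = find_pii(text)
    count = sum(len(v) for v in hits.values())
    verdict = "block" if count >= threshold else "allow"
    return {"verdict": verdict, "count": count, "hits": hits}


if __name__ == "__main__":
    # Constructed sample payloads; the card numbers are the usual Luhn-valid test numbers.
    samples = [
        b"Order: card 4111 1111 1111 1111, backup 5500000000000004, SSN 123-45-6789",
        b"Meeting at 10:30, call 555-123-4567, ref 1234567890123",
    ]
    for s in samples:
        r = inspect_transmission(s)
        print(f"{r['verdict']:5s} ({r['count']} identifiers): {s.decode()}")
```

The second sample carries a 13-digit reference number that the card pattern matches but the Luhn check rejects, so it is allowed; in a deployment the threshold and patterns would come from the content policy rather than module constants.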
Why Firewalls Are Not a Reality for Controlling Outbound Traffic
1. Port / protocol paradigm is broken
2. Consumerization apps using standard ports in non-standard ways
3. Management challenge: All outbound ports and protocols must be pre-approved and must be maintained
4. New channels will not operate until a new firewall rule is created
5. Protocol-aware firewall or application proxy must be available for all approved ports and protocols
6. Overwhelming exception management process
7. New programs requiring the use of unconventional protocols are becoming increasingly more prevalent.
Reality: While hard firewall rule sets are standard for inbound traffic, they are extremely difficult to set and maintain for outbound traffic…
Evolution of Perimeter & Network Security
Industry Trend: Granularity of Control
Today's challenge: Threat has evolved to Applications and Content
[Slide diagram, vertical axis "Granularity of Control on Outbound Traffic" rising from Ports through Protocols and Content to Application. Network security solutions such as Firewall, IPS and IDS have evolved to here; Threat has evolved to here; Next Generation Data Leakage Prevention has evolved to here. Sample policies: Block on ALL Ports; Block on ALL Protocols; Control content flowing over all applications; Block application regardless of port or transport used.]
Ports: Open?
Protocols: Allow?
Applications: Manage
Content: Inspect, Detect and Block?
Protocols and applications shown: AIM, BitTorrent, Facebook, FTP, Gnutella, HTTP, IMAP, IRC, Jabber/XMPP, KaZaA, MSN IM, POP3, RDP, Samba/SMB/CIFS, SMTP, SSH, Telnet, Yahoo! Messenger
Application categories: Instant Messaging, Webmail, Peer-to-Peer, Social Media
[Slide diagram: port number line 0, 1, 80, 194, 1023 | 1024, 1214, 1863, 5000, 5190, 5222, 6346, 6881, 49151 | 49152, 65535, labelled Well Known Ports (0-1023), Registered Ports (1024-49151) and Private Ports (49152-65535)]
Instant Messengers Often Support Thousands of Ports
AOL Instant Messenger runs on thousands of ports (not just 5190).
ICQ uses a range of port numbers, defaulting to UDP destination ports 2000-4000, but has so many options that it is almost futile to try to figure them out.
IRC servers run on a wide variety of high ports.
IRC servers are popular for botnet administration [1].
Of 6,148 samples of malware, 324 binaries tried to contact an IRC server [2].
A Jabber server can be configured to listen on ANY port.
Consumer Mail Services Readily Available on Non-Standard Ports
Rogue-port mail services no longer require the ability to administer a UNIX/Linux server.
SMTP is easily available on ports 21, 465, 587, 2525, 5521, 5525, 7721, 7725, 8025, etc.
POP and IMAP services are also available on non-standard ports.
Many web hosting providers make webmail available on non-standard ports (e.g., 8080, 2096).
With a Linux installer and dynamic DNS, ANYONE can create mail on ANY port.
Keyloggers
Keyloggers, often installed as part of malware, capture all keystrokes, which could include credit card information, national identifiers (e.g., SSN), usernames and passwords.
Even "commercial" keyloggers can use SMTP and FTP on non-standard ports!
Many can also capture screenshots.
Many also support passive-mode FTP.
Malware does NOT use standard ports!
• Researchers studied over 448,000 responder sessions to observe the post-infection network behavior of web-based malware [1].
• A total of 416 different destination ports were contacted, an indication of the diverse and obscure nature of malware's post-infection network behavior [1].
• …in addition to port 80, we witnessed HTTP connections to 63 other port numbers. Similarly, we found malware communicating with IRC servers on 44 different ports [1].
Malware Has Evolved to Steal Information!
• Moreover, almost all of the observed FTP sessions corresponded to uploads of harvested data. The malware connected to our FTP responder, supplying a login and password, and started uploading data [1].
• SMTP is one method of achieving this goal [1], and 78 of 6,148 malware binaries tried to use the Simple Mail Transfer Protocol (SMTP) [2].
• Many responder sessions contained signs of data exfiltration, including browser history files and stored passwords, usually captured by keyboard loggers or browser hooks [1].
• The large number of POST requests…suggests that HTTP is also employed for sending sensitive information back to data collection servers [1].
Evolution of a Rogue Channel: AIM Case Study
Each stage lists the application communication, the standard countermeasure, and the OSI layer at which that countermeasure operates.
1. Desktop creates connection via proprietary protocol over non-standard port (AIM:OSCAR:5190). Countermeasure: Firewall blocks non-approved ports (OSI 4).
2. Desktop creates connection over popular port, e.g., SMTP, HTTP, telnet (AIM:OSCAR:23, AIM:OSCAR:25, AIM:OSCAR:80). Countermeasure: Firewall inspects port for protocol compliance (OSI 7).
3. Desktop tunnels AIM connection over the HTTP "Superhighway" (HTTP:80 carrying AIM:OSCAR). Countermeasure: Proxy filter on Port 80 (OSI 7++).
4. Desktop re-configured to circumvent proxy and run HTTP over a non-standard port (HTTP:XXXX carrying AIM:OSCAR). Countermeasure: Port-agnostic inspection (OSI 7++).
Next Generation DLP: Time to Value vs. Gen 1
[Slide chart, Value against Time, with two series.]
GTB DLP Suite: Network-Based Application Control (Prevent Rogue Channels, Fast Reduction Of Risk, Reduce Problem Space, Recover Bandwidth); Content Monitoring; Prevention; Enforce Network Security Policies; Implement Content Policies; Content Compliance; Visibility; Automated Compliance on all channels.
Gen 1 DLP: Implement Content Policies; Content Compliance; Visibility; Automated Compliance NOT available, or only for a small number of channels.
What Kinds of Data DLP must cover
All structured data, all unstructured data, all binary data, all audio and video data, all engineering data, bitmap files, all native XML, all metadata, multidimensional arrays, all kinds of languages.
References
1. Michalis Polychronakis, Panayiotis Mavrommatis, Niels Provos, "Ghost turns zombie: exploring the life cycle of web-based malware", Proceedings of the 1st USENIX Workshop on Large-Scale Exploits and Emergent Threats, April 15, 2008, San Francisco, California.
2. "Toward Automated Dynamic Malware Analysis Using CWSandbox", IEEE Security & Privacy, 2007-03-01.
3. 2008 Data Breach Investigations Report, a study conducted by the Verizon Business RISK Team. © 2008 Verizon.
Data Breach Portals
• http://datalossdb.org/
• http://www.databreaches.net/
• http://www.privacyrights.org/data-breach
GTB Technologies, Inc. - Confidential Information 2012.
THE GTB DLP SUITE
One Accurate Product, One Console = Increased Efficiency, Lowest TCO
We put the “P” back into “DLP”
For more information, please contact: GTB Technologies, Inc.
5000 Birch St., Suite 3000 Newport Beach, CA 92660
Sales: (800) 507-9926. Main: (949) 783-3359
Email: [email protected] or your local representative. Web: www.gtbtechnologies.com