1 | 2015,Palo Alto Networks. Confidential and Proprietary.

Having your cake and eating it too!Deploying DLP services in a Next Generation Firewall Environment

About me I have been doing Information Security for a really, really long time I have had the opportunity to do many different facets of Information SecurityFirewall Design, Implementation, ConfigurationNetwork Design, Implementation, ConfigurationPKI ..DLP ..Pentesting and lots of different crazy things ..2 | 2015,Palo Alto Networks. Confidential and Proprietary.

2 | 2015,Palo Alto Networks. Confidential and Proprietary. What is DLP (Data Loss Prevention)?Data Loss Prevention is a system that is designed to detect potential data breach / data ex-filtration transmissions and prevent them by monitoring, detecting and blocking sensitive data while in-use (endpoint actions), in-motion (network traffic), and at-rest (data storage). - Wikipedia

Our focus will be specific to Data In-MotionData at Rest is pretty easy to work with; Its either there or its not there.DLP at its core is a simple yes/no

What type of Data would we look for?PII (Personally Identifiable Information)PCI (Payment Card Information)PHI (Patient Health Information - HIPAA)Sexy Talk (unofficial for P0RN0GRAPHY)TerroristsMoney LaunderersInvestigationsWhere can your imagination lead you?2 | 2015,Palo Alto Networks. Confidential and Proprietary.

So what should we inspect with DLP?SMTP (TCP Port 25)The easiest protocol to inspect with DLP while in transit.Users expect some delay/latencyPresents a great deal of options for automationInspect and Allow; Inspect and Block; Inspect and EncryptHTTP (TCP Port 80)The next easiest protocol to inspectUsers have a higher expectation of speedPresents two options for automationInspect and Allow; Inspect and Block2 | 2015,Palo Alto Networks. Confidential and Proprietary.

So what should we inspect with DLP?HTTPS (TCP Port 443)The most difficult protocol to inspectUsers have a higher expectation of speedPresents two options for automationInspect and Allow; Inspect and BlockEverything Else (FTP, DNS, IRC, Custom Apps)These can be trickyUsers experience expectations will varyPresents two options for automationInspect and Allow; Inspect and Block; Inspect and Encrypt2 | 2015,Palo Alto Networks. Confidential and Proprietary.

So what causes headaches with DLP?ENCRYPTION!The overhead associated with encryption is a nightmareHow can you read anything if it is encrypted?How can we decrypt traffic, inspect it, re-package the traffic, then forward it along - while doing it in a timely fashion?Encryption changes everything!

Traffic Analysis2011: Less than 20% of the traffic was SSL2013: Eric Snowden releases classified data2014: Almost 70% of the traffic was SSLWhile internet bandwidth got less expensive and more robust.2 | 2015,Palo Alto Networks. Confidential and Proprietary.

Encryption is Expensive!ENCRYPTION is a painThe overhead associated with encryption is cumbersome.Whatever your normal throughput is for HTTP, quadruple it! Hardware can kill your budget quick.Users have high expectations of web surfing experience.Hardware resources with performing a Man-in-The-Middle Interception is costly; hardware and time.The trick to managing DLP and encryption is .

HORSEPOWER!!!2 | 2015,Palo Alto Networks. Confidential and Proprietary.

Encryption OptionsENCRYPTION can also be stripped out and viewed within your Palo Alto FirewallThis is a free license change to get free SSL decryption and a cleartext stream from Palo Alto to your DLP system.Functions almost like a span port (it is not ICAP!)Contact your Sales Rep for more detailsKey things to remember:The stream is read only, the ssl cannot be blocked/droppedAdditionally, malware and virus activity will not be stopped just because a copy of the contents were dumped to DLP2 | 2015,Palo Alto Networks. Confidential and Proprietary.

URL FilteringIf you are using a proxy server This may make it easier to work with your PAC file and your URL Filtering in one placeIf you are using a Next Gen Firewall Just manage it within the firewallIf you have access to both, (my preference)I will perform standard URL filtering, along with PAC file management on the proxy serverI will use the next gen firewall to perform URL white listing to places like microsoft, my vendors, specific industry resources .. ask yourself why this may be advantageous to you.2 | 2015,Palo Alto Networks. Confidential and Proprietary.

URL Filtering continued Remember DLP filtering is similar to URL filteringI am only interested in specific, targeted events ..There is not enough time to look at all trafficWork with business units to target the good stuffKey Things to Remember about URL FilteringHTTP: Filter by DomainsHTTPS: Filter by IP addressesAvoid liabilitiesUsing URL filtering exclude, at a minimum, the following groupsFinancial URLsRetail URLsexclude things that will make your DLP a hacking target!2 | 2015,Palo Alto Networks. Confidential and Proprietary.

Making the DLP implementation successful Factors for Success:Evaluate the culture of the companyIs the URL filtering policy liberal or strict?Are employees used to fast internet access?Employee age group; millennials, gen-x, baby boomersGet Buy-InSenior MGMT, Legal, HREducate employees, if publicly knownIdentify Bad ProcessesGo after the largest offenders (5+, 20+, 100+)Go after habitual offenders (10/20/50/100/week)Show MetricsDetail your progress and reduction of violations2 | 2015,Palo Alto Networks. Confidential and Proprietary.

Making the DLP implementation successful cont.Factors for Success:WorkflowEvaluate your workflow, how do you plan to handle Data Loss Incidents?The easy part is setting up the infrastructure (believe it or not)The hard part is working with staff to manage a DLP workflow to evaluate data loss incidents, work with the business to correct broken processes, and to investigate possible breach/data loss issues within an organization.Practice a methodology that is constantly improvingPEMC: Plan, Execute, Measure, Correct2 | 2015,Palo Alto Networks. Confidential and Proprietary.

Pitfalls are everywhere Pitfalls happen when/where you least expect itLegal and Social TroublesIt is critical to understand basic evidence handlingKnow how you will handle types of incidents in advanceOnce your process is vetted, stick to itSmall Network Changes can lead to big problemsLost Taps/Diminished FeedsArchitecture changes can drop feedsFalse PositivesTweak and Re-Tweak your FPs; expose faulty assumptionsPoliticsSometimes you will snare a lionMake sure that your CISO/Director has teeth to fight for you2 | 2015,Palo Alto Networks. Confidential and Proprietary.

Budgeting for DLPMost Common ItemsHardwareFirewallsMail GatewaysProxiesServer HardwareNetwork TapsSoftwareSoftware LicenseSupport SoftwareStaffEstimate at least one person starting day one (MidSize)Over time, the work load will stabilize, but expect a surge of findings in the beginning2 | 2015,Palo Alto Networks. Confidential and Proprietary.

Contact InfoYes, you can contact me, but Remember, I have a life too (at least I try)Do not make the mistake of thinking that I have the time to do free consulting, I dontYou have a quick question, send it over, but if you are in a time crunch, call your SE, Support Line, Clergy Member.

Twitter @fatherofmaddogIf you are offended easily, please dont follow me

LinkedInwww.linkedin.com/in/therealfatherofmaddog2 | 2015,Palo Alto Networks. Confidential and Proprietary.

3 | 2015,Palo Alto Networks. Confidential and Proprietary.

Thank you for your time.

Extreme WaysMobyMoby182002kathrynspaulding@yahoo.com2011-07-06 02:39:51