
CG - DLP Sucks and Why You Should Use It - John Orleans

BSides Las Vegas | 45:28 | 72 views | Published 2019-10
About this talk
CG - DLP Sucks and Why You Should Use It - John Orleans Common Ground BSidesLV 2019 - Tuscany Hotel - Aug 06, 2019
Transcript [en]

Hi, how's everyone doing at this point? Really glad you could make it out this early; I know some of us slept, some did not, last night. So today we're talking about DLP, why it sucks and why you should be using it. So who am I? My name is John Orleans and I work in financial [inaudible]; I've worked about 20 years in IT, ten years in InfoSec. Yes, I do have a CISSP, as well as a bunch of lapsed certifications, like a lot of us do. And maybe one interesting thing: I raced bicycles for a beer company in Chicago. If you ever follow me on Twitter you'll find out that it's mostly just junk and bicycles.

Anyway, what is DLP? If you go to Wikipedia and you type in DLP, you get a lot of stuff that really doesn't mean a lot, but what you will get is, right there, data loss prevention. And if you click on that you go to this, which is this really long, boring thing that's really confusing about what DLP really is. What you really get is: DLP is a really invasive, somewhat complicated piece of software that prevents employees from sending data out. That's pretty much it. And users; I mean, if you work in education you might use DLP in schools. So, everybody hear me? No? Hello? No? All right, is that better? Great, so I just have to hold this. So now we kind of know what DLP is. Why does it suck? Oh wait, I think somebody had an answer. Why does it suck?

Okay, so somebody said invasive, hard to configure, which is all true; false positives; all great reasons. So I'm going to get to the basics of why DLP sucks. First, the name game.

And apparently I just have to hold it, so it needs attention; it's not a problem, it'll probably break. Okay, so, name game. We're going to start with data. Data is pretty much a gimme; we all know what the D means: data is information. Second, loss. The L in DLP stands for loss, but loss isn't really that bad a word. Not every loss is bad: you work out, you lose five pounds, that's a good loss, right? So marketing had to change the name to something else that's bad, so they went with leak, because nobody has good leaks. If you own a house you know there are no good leaks; all leaks are bad. So we're on the right track there. Okay, data leak, fine. Prevention, right? Data leak prevention sounds pretty fair, but the problem is that DLP doesn't always prevent data from leaking, so they had to do something else, so they just said protection, because protection is good, right? You just have to make sure you're doing it right, and if you're not doing protection right, well, we have other problems. So that's one reason why DLP sucks: nobody can figure out what it means.

Other reason: promises vs. reality. I'm sure we've all gone to the vendors' websites and seen, oh, it'll do this, it'll do that. So let's go over that. Control all your data, right? Every website has that. Ensure regulatory compliance, which is the reason why your C-suite said, hey, we really need DLP, like the conversation where they said, hey, we have all these new privacy regulations. DLP identifies your riskiest users, right? They use UBA, user behavior analysis; there's another tool you can use to figure out what's going on with your environment. And then, when they can't just figure it out, they just kind of throw it out there: machine learning. We have machine learning, or AI, right? So the robot will figure out what's wrong with you. But really the problem is: controlling all your data, you've got to spend a lot of money for that, and you may not want to. And regarding compliance, the great thing is when you install DLP the first thing it says is nothing is compliant, you have to figure it out, so it's a lot of work. Identify your riskiest users, which turns out to be all of them, right, because everyone makes a mistake here and there, and DLP systems, until you teach them, are really bad about it. And machine learning, come on, yeah, it's just not there yet.

So here's what people talk about when they say why they hate DLP: potential for disaster. DLP is in a few places. The first place where a lot of companies sell it is endpoint agents, meaning your laptops, computers, tablets, whatever. And that's great, except for the fact that that's a terrible place to put software, because we've got another agent on our machine, so you let it loose on your machines and it messes up your browsers. Like anybody else who uses an endpoint agent, we're constantly playing the catch-up game, where they bring out a new version of the browser and then suddenly nothing works, so then we're calling the manufacturer and they're like, oh well, nobody's reported it yet, it must not be a problem. Like, no, it's the problem. So endpoint agents can cause a lot of problems, and employees, users, hate seeing that little icon in the taskbar, so if you ever deploy an endpoint agent make sure you take off those little taskbar icons. I didn't. So, discovery systems. Discovery systems are commonly used by DLP systems; they'll find all of your structured and unstructured data on your systems, network shares, cloud services, whatever. That's fantastic, until it doesn't work. I've seen a few systems completely scramble data while they're scanning, because, let's say, the system is trying to scan a database and your users are trying to use this production database, and they're trying to hit the same file, maybe they're using a no-lock for speed, and next thing you know you have corrupted data or missing data. And the other thing is that these scan databases constantly, so if you have it running while your users are using it you're going to slow down.

Proxies. The proxies are interesting, because a lot of companies are saying, get rid of your endpoint agents, they're bad; what we're going to do is put a proxy in, we're going to send all of your web traffic to this proxy, and they're going to forward that on and see whether it's DLP related or not, and we're going to go forward with that. But thank you; you ask, we provide. Cheers. So there's the first person I've unfriended today; everybody else who wants to be unfriended, by all means go ahead. [Laughter] So proxies are great, but you really have to keep an eye on what's going on with your vendor, because (a) they might not be covering everything, so you have to do your own homework, you have to back them up; (b) they can really increase latency. We worked with some vendors that we just threw away within days because suddenly, yeah, we are protected, but nobody can get to any websites, which apparently is a problem with your users. So after all this, why bother using DLP, right? I mean, is it doing anything good for you?

Let's go over the corporate reasons, the use cases. If you set up DLP properly, it can meet your legal and regulatory compliance, and it does a pretty good job of it. This is a huge one that a lot of companies have; we all have this: everybody wants to use Gmail at work. I know, I'm sorry, but everybody wants to use Gmail at work, but we don't really want them to be attaching things like customer data to that Gmail, so this kind of allows them to do it. And then here's another one: you have a disgruntled employee; well, it helps prevent them taking data, helps you keep your information private. Or a Dropbox that you don't want people using; it's a way to stop them doing that. And then a lot of employees want to use things like Facebook, Instagram, whatever, and this is kind of along that path of not screwing up and taking photos of, let's say, a photo of their computer with the password on a sticky note on the monitor, right? And then I think we've all had cases where employees are leaving, especially maybe in the sales department, and they want to take their client data with them; this is a good way to help keep that from happening.

But really, the problem is not the tech, all right, because an app won't accidentally email all your client lists to a customer, or your margin statements or whatnot, unless you don't have an AppSec program; then your app may very well do this, but not my problem, that's the AppSec guys. Actually, it is my job. So a desktop computer won't upload all of your corporate prospects up to Box, generally speaking. But if you do go with AI, make sure you ask your vendors; I mean, when they rise, I will send you the Boston Robotics videos of how they treat their robots. So really, is information security even a problem? I heard this somewhere and it really kind of struck a chord, because the robots aren't really going to do anything unless we tell them to, but humans, we do terrible, stupid things all the time. So these are some of the things they do. Phishing, right? Everyone has phishing problems. Everyone just doesn't think sometimes and sends an attachment or text out to somebody, and suddenly, two hours later, you're like, that had PII data, that had corporate information in it, that had Social Security numbers, that was probably not good. Malicious intent, people: I hear that there are people out there that kind of like looking through secure systems and seeing what they can find.

So that's the problem, and DLP is a human problem. This is something I just picked up from Gizmodo the other day, and this is a little company called Tesla, and they had an engineer who stole data, and he's like, no, no, I totally did it, what's the big deal, because I didn't use it. And he went to a direct competitor and he's just promising, I didn't. So a good DLP system may have prevented this, may have not, but at least they would have had a record of it. So apparently we can't fix the problem this way; all right, I looked into it, and if I do it I lose my CISSP. So we have to find another way, and it's very messy when you kill all the humans in the building; not that I would know from personal experience. And this is another one: do not make a copy. So here's the dirty secret: DLP will never work as intended, as advertised. Never trust the salesperson, and really don't trust any DLP people, period. Do your homework. So, why bother? Here is the part where I had these really cool demos written, and my own security system deleted them off my secure drive at work, so what we're going to do is go live and see if this works. [Laughter]

So really, here's what it boils down to: your most common vector for theft, that we still can't figure out no matter how good your DLP is, no matter how fantastic it is, there's this thing right here. All right, you tell your employees they can't bring their phones to work when there's a camera on it, which is very good, and some of these cameras now have data-filtering capability, so they can actually take a photo and turn that into a spreadsheet for you. If you do that to your employees, good luck hiring any employee under 50. Okay, under 60; all right, all right, being fair. But yeah, I've got a 15-year-old son, and keeping him away from his phone is grounds for full-on rebellion at the house. So you just can't do that. The other thing is, if you do DLP, there is an expensive option, OCR, optical character recognition, and what it does is it takes a photo, it reads the photo and turns that image into data. It's not cheap, and it uses, this is a technical term, a metric crap ton of RAM and processor. So if you're using OCR, make sure that you deploy it in a way that either is using somebody else's resources, which is fantastic (a lot of your vendors now will offer a cloud version; if you can, just give it to them, and make sure that the data line is secure between you and them, because again, now you're sending them all the photos you have, which could have PII), or you keep it in-house, as we do; then just make sure you have a very, very, very big box that's dedicated to this, because it will slow things down, and that makes users unhappy. So I'm going to show you the first, easiest way to get around this, and actually I think I do have the demo available. I can find my mouse. Oh, there we go.

Okay, thank you. There we go. And it would be really good if, actually, this... there we go.

So this is basically the easiest way to do it if you don't have OCR. We have a bunch of data here, and this is PII, and this is all anonymized, just randomly generated PII, it's not actual real information. This ships on every Windows 10 machine: Snipping Tool. Fantastic, great for getting screenshots. So I just went to it, just like anybody else in the company could, took the whole window, messed around a little bit, saved it as a JPEG, and boom: if you don't have OCR, that person just exfiltrated all the data off of it. Something I have seen in the wild, and it's puppies, because who doesn't like pictures of puppies; long story.

So, not fun when somebody finds that they can just take any image you've got, any document they have, just save it as a JPEG, and then you lose that whole thing.

There we go. Okay, so, rules of the internet, right: never read the comments. The best thing is that DLP, if you use Windows, often doesn't either. Something I learned from I don't know where, but apparently with JPEGs in most systems, Windows by default can't read the comments in graphics files. So, sitting in a meeting with somebody, I said, well, what if I took this picture?

Right, so anybody who's a fan of Firefly understands the subliminal messaging. So here we go: Fruity Oaty Bar, everyone loves to eat it. Take a look at it: this is the standard Windows view, take some information on it, and nothing, right? It just looks like a picture. That looks fantastic; this would pass DLP. Now, the big problem with DLP is that when the OCR happens, OCR is such a heavy, data-intensive process that DLP vendors have to pick one of two things, security or speed, and they always choose speed. So the DLP system is not going to look at the whole data stream; it's only going to look at the metadata attached to it, if you're lucky. What it will look at is the picture; it's going to say, hey, we've got a Fruity Oaty Bar, none of this is sensitive information, so it lets it go out. But we go through here and I reopen that in something that makes more sense.

If you guys haven't heard of IrfanView, you should; it's awesome. What it does is, if I just hit "give me the information", that looks great, but IrfanView can read the comments. And that's not what I'm looking for; again, demo gremlins. So let's open this a different way, because it's much more interesting if I open it up with something else. I'm going to open it up with a hex editor. By the way, unless your employees really, really, really need one, they should never have access to a hex editor, and this is why. So we're going to open, right... no, that one's actually clean. All right, we're hoping the next... give me a second here, I can't read it because I'm old.

Well, here it is; sorry, I've just been trawling. All right, so if you take a look at this, if you can read the right-hand side, all I did was change the header from it to the comment code, and that's it. This has all that PII written into it. I could copy and paste that into a text file, CSV, boom, it's out; DLP never saw it. So if you do have this, what you want to do is set up another tool that reads comments, and it's kind of a pain, but it's totally worth your while, because most DLP systems don't. Newer ones are doing this; ones that are online, cloud-based, CASBs, they do this, because they have the time to look into it.

I actually did that in front of a vendor; they weren't too thrilled, because they were super happily, proudly showing off their whole thing and I said, well, what happens if we do this? Actually, what it really did was even worse, but we can talk about that. Yeah, so the comments aren't really read by Windows. Other things can read the comments, the system can read the comments, it's just that by default Windows does not, and because Windows does not, for some reason all the DLP vendors said, so DLP won't read it either. Don't know why. Two of the products that we looked at when we were testing DLP vendors actually could read the comments; they turned it off because they wanted it to be fast. So what we did was, we actually said, let it go through and then we'll retain it and read it afterwards as structured data, and if we find out that you were doing exfil, then you just go to jail, right? The data's gone, but at least we have the satisfaction of knowing that we have a case against the person. And you can also tell the system to disable comments; it's not easy to do, but if you're in a Windows AD environment you can actually disable comments through Group Policy.

So here's what I actually did in the meeting, and because I used a hex editor, obviously witchcraft. I already talked about OCR, and data equals slow, therefore it's either OCR or data. Why not change the extension? Now, this is actually something that the companies are very good at: if you take an .xlsx and just rename it as a JPEG, it doesn't work; the system figures it out, and how it figures it out is that it's in the header. So what we did was, we went through and we actually changed the header from an Excel spreadsheet to a JPEG and then put in all the data, and we did this huge amount of work to make it look really fancy, and it worked great. And then we looked for the lowest common denominator, which was just taking a picture of it. So, yeah, if you want to play with the headers, Google it; I can show you, but it takes a lot of time, it's tedious and painful, but headers are pretty easy to manage. Don't allow your users to have hex editors unless they absolutely need them; that way you don't have to mess around with this very much. So know that DLP is not... hey, we want it because the C-suite said it was great, they heard it was great, and if you ever go through a regulator, or have fun with three-letter agencies, you discover that having DLP, and working DLP, is one of the things that really gets you a lot of points on a lot of these security surveys. So if you decide to use DLP, you need to structure your project with this. What's going on with this, is it the deal? How are we doing? Does it work, or could I just... first, all right, is it good? Okay, go, go.

So we're going to scope the whole thing. DLP is not going to stop a professional, but it will stop accidental data loss and amateurs, which is 99.9% of what you're going to see DLP stopping all the time. So if you have an outside intruder, what tools? If you have threat actors, there are a bunch of other tools. DLP is not for people who really, really, really want to get your data; DLP is best for this accidental loss. You have to decide whether you're going to do something about it or just watch it. So this is like the mall cop versus the tac cop, right? The police officer on the street is supposed to act before a crime is committed; the mall cop is there just to watch what happens and then tell somebody else later on. So a lot of DLP deployments end up in this second phase rather than the first, because people don't like getting blocked messages, and they call in to support all the time saying, why can't I send this picture of puppies to my friend? So that's the whole prevention versus action. If you prevent it, it's safer, but you have to create a plan after you get this, because obviously everything goes out the window. So we need to check with information security policies, and that might not seem like a big deal, but it really is: if you don't tell your employees this is what you're going to do, you might have a lot of problems when you do it, and it might not just be social; you might actually get lawsuits and such, especially if you're not in the US, if you're EU based, there are a lot of privacy laws in place and you really have to be very careful about how you deploy DLP in those situations.

But you really have to decide what's really important, what's kind of important, what's not important, what is totally okay to go, and you have to make your decisions accordingly: confidential versus do not distribute versus top secret versus photos of puppies. And then after you take your policies and you check all this, you really need to look at defined policies for these different areas, and we really focused on this: trusted vs. untrusted, and on-network versus off-network. And then, recently, because of cloud, because everybody's going to the cloud, right, we have two different kinds of cloud: what we own, we know, and it's not all cloud; but anything off-network is untrusted, which we cover with a CASB, and a lot of it is untrusted things like Dropbox, Snapchat, TikTok, all that. So we have to take a look at where our trust is. And the last one is an exception system, so people can lodge a complaint, lodge an exception. For us it goes through legal and IT and the business unit before it goes back to the employee, but it's effective, and most people will just say, well, it's not important enough for legal, but some people do, and that way there are a lot of people making decisions on what's going on; you shouldn't be the only one making decisions.

Manage your project; this is super important. Make sure the C-suite wants it; in some cases you might have them use it first, which we try to do as much as possible; that way, when a mid-level manager complains about it, they go, I've been using this for six months. Just like software development, you need to write your tests, make your criteria, milestones; for us we use Kanban like crazy, but whatever works for you. Building affinity: this is kind of a weird one. When we rolled out DLP, we actually ended up rolling out DLP right at the end of October... I'm sorry, it was the middle of November, and I don't know if you guys are aware, but apparently people do a lot of shopping around the middle of November, and right at the end of November is when everyone does a lot of shopping. So what we did is, the first thing we built was a block: on a non-HTTPS field on any website, if you put in your Social Security number or a credit card, it tells you, hey, this field's not secure, are you sure you want to do this? And we let them do it, though. And we immediately got calls from people saying, thank you for this cool thing; like, what does that mean? It's like, well, you were about to send your credit card number to somebody on an unsecured connection. Before we started putting any controls in place, people started seeing that as something they wanted in their house.

Recruiting pirates: take your most painful, worst pain-in-the-ass users, I'm sorry, most challenging, most vocal, in tune with what the business needs, and the people in the ivory tower; recruit them, have them test your product, get feedback from them. But it's not always good; this is where the fun is, the product fails. We had a product we loved, we'd been testing it for months, fantastic, and then suddenly it started crashing browsers, and it's really a lot of fun when you get calls from senior managing directors, the CEO, the CFO, saying, why can't I open my browser? So, a lot of fun. POC vs. bake-off vs. RFC: obviously proof of concept is the most involved, it's going to take a lot of your time, you have to have a product you really like. Bake-offs are okay, but you really can't focus on it. And then RFCs are garbage if you buy something without testing it; I mean, how many of us buy a car without test-driving it first? Same thing. And then culture fail: you're always going to have a situation where people just hate it, and if they hate it and don't want it and management agrees, then you just have to give it up; you can't love it so much that you can't give it up. And then really this one I probably should have put first: communication. All of our projects, every project, is available at all times, so anybody involved can see the milestones, what's going on, the trouble tickets associated with the project, and their own trouble tickets, so they can see if their trouble ticket is important or not, and they can see the pool of trouble tickets, so they go, oh, I lodged this thing two months ago, but they've got other bigger issues, so I'm not even going to bother. And then mobs versus bosses: the whole buy-in from the top; if the bosses are using it, then the mobs don't really get much, per se.

But no matter what, DLP still sucks; it's going to suck to deploy, but if you focus on the basics and you really think about your users and how much they're going to have to deal with it, it's a lot easier to use. And I do sit down on a regular basis and say, I'm sorry guys, we have to use this; then you have to do all this other documentation. You show them what documentation they have to do if they don't want to use DLP, that it's required by the EU or UK, California or New York, Illinois; they take a look at everything they owe on the deal, and they go, well then, here's your solution. And the other thing is, I always tell everybody, if you can find a better solution I want to hear it, because I hate this too.

So I want to thank... sure, they hide it for me. They did want me to say at the very beginning, which I totally forgot, that I am giving this presentation solely as an individual; the views and commentary in no way reflect the views, beliefs or commentary of [inaudible] Financial Holdings, [inaudible] UK, [inaudible] Europe or any other subsidiary thereof. So if I missed anybody, sorry. I would like to thank the DLP products of several vendors, whose products I have now broken perfectly. GDPR, NYCRR, CCPA: if you don't know what these mean, you should; they're very boring, painful, but they are the privacy regulations that are really pushing DLP forward, and they really help you as individuals, and in some cases your companies, hopefully. And of course I'd like to thank all of you, because I was expecting like three people to come in, drink all my booze and leave, so this is pretty good. If you want to get a hold of me, beer bikes bacon is my Twitter handle, and I'll be around all day; feel free to hang out. I will not make you drink the beer unless you really don't want to be my friend. And the Tesla DLP fail, it's on Gizmodo; it's a really interesting read, because there's a lot of future content in there. So if anybody has any questions, I'd be happy.

[Audience question] Sure. My experience is that the process behind the management of the incident, so basically the false positives, is where the most effort lies, because you can't just give it to a helpdesk team; you have to have legal or compliance people, you have to have business-savvy people to analyze what the case is about, and you have to have the security people on board, so that makes it a very expensive team that you could bother with lots of false positives. This is the experience I have. I'm from Switzerland, so Europe, so maybe we have tighter requirements for privacy laws.

And I'm really glad you brought that up. Is it a false positive? That is the huge, huge, huge pain in the ass for IT staff and security staff: the false positives. If you don't know what false positives are: DLP is usually pretty terrible, because the DLP vendors don't want to get involved in accidentally letting information out, so they make these rules so loose that they stop everything, everything, everything. So what you get is metadata that it thinks is a Swiss passport number that has nothing to do with anything. So you really have to go through and nail down your profiles and your rules. If you know how to use regex, you're going to be in a really, really, really good place to work on DLP. There are so many terrible things about the false positives that you get, and you don't want alert fatigue, because that's what we all get right now: suddenly your mailbox just blew up overnight because somebody sent out just a protocol. So what we need to do is scale this back. We log all of these false positives; we don't do anything about them. What we do is, when we have a behavior that shows more and more data, that raises the level of severity of the incident from low to medium, high or critical, so we only take action on the mediums and highs and criticals. Lows, which are just a few things here and there, we just log, and we use that as a discovery mechanism: if we do find out somebody stole data later on, we can go back, and we do periodically go through and take a look at some of these logs and make sure that we're not letting things slip through. But really you need to figure out what your thresholds are for medium and high and only work on those.

[Audience question] Are you blocking USB or just monitoring?

So we do block USB for most employees. The traffic leaving the system: because, I told you not to use endpoint agents, and we're using endpoint agents, the endpoint agent actually monitors all the traffic through the system; if it's through a USB port, there's a full log of that, and that full log every week goes to our compliance department, who will then go through it. But if we see something obvious, a lot of data, there's a flare-up and we do get alerts. But for 99% of the company, they're not allowed to use USB at all, and for those few that are, and I think it's like 10 people, everything they do is monitored. So I think we have time for one more.

[Audience question, partly inaudible] So how do you respond to a DLP alert? Who is looking at that, is it signals across a SIEM, or is it the person who manages the DLP?

Do you really have a whole lot of human resources to throw at the problem? If you do, if you have a lot of bodies, that's great, but if you don't, then you have to be smart about it. So what I have is a daily report that I get that shows everything that happened yesterday, and I go through that and clear that queue every day; I've gotten it down to the point that it's only been 20, so it's not bad. If there's something huge that happens, though, I get an email immediately and have to take care of that immediately. We do have an automated system; we do forward problems to the SIEM, but the SIEM is just there. I mean, I have the false positives as well, so somebody else has them as well every day, but that's less than five minutes a day of his time. Okay, so I think we're done. If anybody has any more questions or wants to chat afterwards, again, I'll be hanging around; I'm the only person in this building who does not work here wearing a suit, so I should be pretty easy to find.

[Applause]

[ feedback ]
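The three demo tricks in the talk (renaming an .xlsx to .jpg, gluing a JPEG header onto spreadsheet data, and hiding the data in a JPEG comment) all rely on a scanner that trusts the file name or stops reading after the first few header bytes. The following Python script is an added example, not the speaker's code and not any vendor's product: it shows the checks a content scanner needs in order to catch all three. It sniffs the leading bytes instead of the extension, walks the JPEG marker segments so a bogus structure fails loudly, and runs PII patterns over COM segments. The file names, the SSN and card regexes, and the sample files are constructed for the example and are assumptions; the regexes are illustrative, not production tuned.

```python
"""Added example, not from the talk: inspect an image the way a DLP scanner
should, instead of trusting the extension or only the first few header bytes.
Covers three evasions the talk describes:
  1. an .xlsx renamed to .jpg          -> magic bytes disagree with the extension
  2. a JPEG header glued onto CSV data -> the JPEG marker structure does not parse
  3. data hidden in a JPEG COM segment -> comment text is run through PII patterns
All file names, patterns and sample files here are constructed; no real PII.
"""
import re

# Illustrative PII patterns (assumption: a real deployment tunes these):
# a US SSN and a 16-digit card number, Luhn not checked.
PII_PATTERNS = {
    "ssn": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(rb"\b(?:\d{4}[- ]?){3}\d{4}\b"),
}
# Content sniffing by leading bytes; .xlsx/.docx are zip containers.
MAGIC = {b"\xff\xd8\xff": "jpeg", b"PK\x03\x04": "zip"}
COM, SOI, EOI, SOS = 0xFE, 0xD8, 0xD9, 0xDA


def sniff(data):
    """Return the content type implied by the leading bytes, not the name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def jpeg_segments(data):
    """Yield (marker, payload) for each JPEG marker segment. Raises ValueError
    as soon as the bytes stop looking like a JPEG, which is what catches a
    JPEG header pasted on top of non-image data. (Baseline JPEG only: after
    the first SOS the entropy-coded data is skipped up to EOI.)"""
    if not data.startswith(b"\xff\xd8"):
        raise ValueError("missing SOI")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        pos += 2
        if marker == EOI:
            if pos != len(data):
                raise ValueError(f"{len(data) - pos} trailing bytes after EOI")
            return
        if marker == SOI or 0xD0 <= marker <= 0xD7 or marker == 0x01:
            continue  # standalone markers carry no length field
        if pos + 2 > len(data):
            raise ValueError("truncated segment length")
        length = int.from_bytes(data[pos:pos + 2], "big")
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad segment length {length} at offset {pos}")
        yield marker, data[pos + 2:pos + length]
        pos += length
        if marker == SOS:
            # Byte stuffing guarantees 0xFFD9 cannot occur inside scan data.
            end = data.find(b"\xff\xd9", pos)
            if end == -1:
                raise ValueError("missing EOI after scan data")
            pos = end
    raise ValueError("missing EOI")


def scan_image(filename, data):
    """Return a list of findings; an empty list means a clean-looking image."""
    ext = filename.rsplit(".", 1)[-1].lower()
    kind = sniff(data)
    if ext in ("jpg", "jpeg") and kind != "jpeg":
        return [f"extension .{ext} but content sniffed as {kind}"]
    if kind != "jpeg":
        return []  # only JPEG is parsed in this example
    findings = []
    try:
        for marker, payload in jpeg_segments(data):
            if marker == COM:
                for name, pattern in PII_PATTERNS.items():
                    if pattern.search(payload):
                        findings.append(f"{name} pattern in JPEG comment")
    except ValueError as err:
        findings.append(f"JPEG structure invalid: {err}")
    return findings


def minimal_jpeg(comment=b""):
    """Build a tiny, structurally valid JPEG (not a viewable image) with an
    optional COM segment. Constructed test data only."""
    def seg(marker, payload):
        return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload
    out = b"\xff\xd8" + seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    if comment:
        out += seg(COM, comment)
    return out + seg(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34" + b"\xff\xd9"


# Constructed samples mirroring the talk's demos; the PII is made up.
SAMPLES = {
    "puppies.jpg": minimal_jpeg(),
    "puppies_commented.jpg": minimal_jpeg(b"Jane Doe,123-45-6789,4111 1111 1111 1111\n"),
    "clients.jpg": b"PK\x03\x04" + b"\x00" * 26 + b"xl/workbook.xml",  # renamed .xlsx
    "fruity_oaty_bar.jpg": b"\xff\xd8\xff\xe0" + b"name,ssn\r\nJane,123-45-6789\r\n",
}


def scan_all():
    """Scan every constructed sample; returns {filename: [findings]}."""
    return {name: scan_image(name, data) for name, data in SAMPLES.items()}
```

Calling `scan_all()` returns an empty list for `puppies.jpg`, a magic/extension mismatch for the renamed spreadsheet, a structure error for the glued-header file (the bytes after the APP0 marker are not a valid segment length), and two pattern hits for the commented JPEG. The point of walking the segments rather than grepping the whole file is the same one the speaker makes about speed versus security: a grep over an entire image is what the vendors refuse to pay for, but parsing the marker structure is cheap, and COM segments are small and few, so scanning only those costs almost nothing.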