deep content inspection on all ports all protocols why is this critical for dlp solutions

Upload: gtbsalesindia

Post on 22-Jun-2015

TRANSCRIPT

Page 1: Deep Content Inspection On All Ports All Protocols   Why Is This Critical For Dlp Solutions

Deep Content Inspection on All Ports, All Protocols..?

Why is this critical for Data Leakage Prevention Solutions?

This document is protected under the copyright laws of the United States of America and other countries as an unpublished work. This document contains information that is proprietary and confidential to GTB Technologies Inc., which shall not be disclosed outside the recipient’s organization or duplicated, used or disclosed in whole or in part by the recipient for any purpose other than to evaluate this technology and/or document. Any other use or disclosure in whole or in part of this information without the express written permission of GTB Technologies Inc. is prohibited.

GTB Positioned as a Visionary in the 2011 Magic Quadrant for Content-Aware Data Loss Prevention

Page 2

Data Security Challenge: Controlling All Outbound Traffic

Is your present firewall, IDS or IPS doing enough? Some of them incorporate certain DLP features, but those are effective only over a few channels and for limited data types. That is not an all-ports, all-protocols DLP solution. Analysts estimate that 90% of organizations do not adequately control outbound traffic with their firewall, IPS or IDS.

[Figure: a firewall with two outbound flows. Labels: E-Mail, Non-Sensitive Data, Port 25, Authorized; Instant Messaging, PII, Port 7190, Unauthorized; 65,535 ports.]

Reality: If your last OUTBOUND firewall rule is not "deny all", or if you open ports without protocol analysis, your firewall is not controlling outbound traffic.

Page 3

How do we achieve this? Only a Reverse Content-Aware Firewall(TM) can detect and prevent unauthorized outbound as well as inbound traffic in real time.

Data Security Challenge: Controlling All Outbound Traffic

[Figure: the same firewall with Content-Aware DLP in front of it. Labels: E-Mail, Non-Sensitive Data, Port 25, Authorized; Any Protected Data, Unauthorized; ALL Ports, All Protocols.]

A true next-generation DLP is one that can accurately detect or block content on all 65,535 ports.

Once a threshold amount of sensitive data is detected, it stops the violating transmission and/or alerts the designated security officer or administrator. The transmission can be either malicious or accidental.
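The threshold rule above, written out as an added example (this is not GTB's code and not a description of how their product detects content). The two detectors, a US SSN pattern with the never-issued area/group/serial values excluded and 13-19 digit numbers that pass the Luhn check, the block/alert threshold of 3 and the sample payloads are all assumptions for illustration. The verdict is computed from the payload alone; the port the connection uses is never consulted, which is the point of the slide.

```python
"""Threshold-based content check for one outbound payload (added example)."""
import re

# US SSN: area 000, 666 and 900-999, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# 13-19 digits, optionally separated by single spaces or dashes; Luhn decides.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check on a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def count_protected(text: str) -> dict:
    """Count SSNs and Luhn-valid card numbers in decoded text."""
    ssns = SSN_RE.findall(text)
    # Blank out SSN matches first so the card regex cannot run across an SSN
    # into an adjacent card number and swallow both in one bogus match.
    masked = SSN_RE.sub(lambda m: " " * len(m.group(0)), text)
    cards = []
    for m in CARD_RE.finditer(masked):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            cards.append(digits)
    return {"ssn": len(ssns), "card": len(cards)}


def decide(payload: bytes, threshold: int = 3) -> dict:
    """Return the DLP verdict for one outbound payload.

    Fewer than `threshold` hits only raises an alert; reaching the threshold
    blocks the transmission. The threshold value is an assumption.
    """
    text = payload.decode("utf-8", errors="replace")
    counts = count_protected(text)
    hits = counts["ssn"] + counts["card"]
    if hits >= threshold:
        action = "block"
    elif hits > 0:
        action = "alert"
    else:
        action = "allow"
    return {"action": action, "hits": hits, **counts}


if __name__ == "__main__":
    # Constructed sample: an e-mail body leaving on an arbitrary port.
    sample = (b"From: hr@corp.example\r\n\r\n"
              b"ssn 123-45-6789 and 456-78-9012\r\n"
              b"card 4111 1111 1111 1111\r\n")
    print(decide(sample))   # {'action': 'block', 'hits': 3, 'ssn': 2, 'card': 1}
```

Two caveats a practitioner will hit immediately: the regexes only work on cleartext, so a real implementation has to reassemble the TCP stream and strip the encapsulation first (MIME and base64 in mail, compression in HTTP, and nothing at all is visible under TLS without interception or an endpoint agent); and the threshold is a trade-off, since a low value blocks a single customer record in a legitimate support e-mail while a high value lets small leaks through one record at a time.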

Page 4

Why Firewalls Are Not a Realistic Way to Control Outbound Traffic

1. The port/protocol paradigm is broken.

2. Consumer applications use standard ports in non-standard ways.

3. Management challenge: all outbound ports and protocols must be pre-approved, and the rule set must be maintained.

4. New channels will not operate until a new firewall rule is created.

5. A protocol-aware firewall or application proxy must be available for every approved port and protocol.

6. The exception management process becomes overwhelming.

7. New programs that use unconventional protocols are becoming increasingly prevalent.

Reality: While hard firewall rule sets are standard for inbound traffic, they are extremely difficult to set and maintain for outbound traffic.

Page 5

Today's challenge: The threat has evolved to applications and content

[Figure: "Granularity of Control on Outbound Traffic", drawn as a ladder from Ports to Protocols to Applications to Content. Arrows mark where network security solutions such as firewalls, IPS and IDS have evolved to, where the threat has evolved to, and where next-generation Data Leakage Prevention has evolved to.]

Sample policies:

Block on ALL ports

Block on ALL protocols

Block an application regardless of port or transport used

Control content flowing over all applications

Page 6

Evolution of Perimeter & Network Security

Industry Trend: Granularity of Control

[Figure: four levels of control, each with the question it answers.]

Ports: Open? (axis from 0 to 65535 with tick marks at 1, 80, 194, 1023, 1024, 1214, 1863, 5000, 5190, 5222, 6346, 6881, 49151, 49152 and 65535; ranges labelled Well Known Ports 0-1023, Registered Ports 1024-49151, Private Ports 49152-65535)

Protocols: Allow? (AIM, BitTorrent, Facebook, FTP, Gnutella, HTTP, IMAP, IRC, Jabber/XMPP, KaZaA, MSN IM, POP3, RDP, Samba/SMB/CIFS, SMTP, SSH, Telnet, Yahoo! Messenger)

Applications: Manage (Instant Messaging, Webmail, Peer-to-Peer)

Content: Inspect, Detect and Block? (Content, including Social Media Content)

Page 7

Instant Messengers Often Support Thousands of Ports

AOL Instant Messenger runs on thousands of ports (not just 5190).

ICQ uses a range of port numbers, defaulting to UDP destination ports 2000-4000, but has so many options that it is almost futile to try to enumerate them.

IRC servers run on a wide variety of high ports, and IRC servers are popular for botnet administration [1].

Of 6,148 malware samples, 324 binaries tried to contact an IRC server [2].

A Jabber server can be configured to listen on ANY port.

Page 8

Consumer Mail Services Readily Available on Non-Standard Ports

Running a mail service on a rogue port no longer requires the ability to administer a UNIX/Linux server.

SMTP is easily available on ports 21, 465, 587, 2525, 5521, 5525, 7721, 7725, 8025, etc.

POP and IMAP services are also available on non-standard ports.

Many web hosting providers make webmail available on non-standard ports (e.g., 8080, 2096).

With a Linux installer and dynamic DNS, ANYONE can create a mail service on ANY port.

Page 9

Key loggers

Keyloggers, often installed as part of malware, capture all keystrokes, which can include credit card information, national identifiers (e.g., SSN), usernames and passwords.

Even "commercial" keyloggers can send their logs out over SMTP and FTP on non-standard ports!

Many can also capture screenshots.

Many also support passive-mode FTP.

Page 10

Malware does NOT use standard ports!

• Researchers studied over 448,000 responder sessions to observe the post-infection network behavior of web-based malware [1].

• A total of 416 different destination ports were contacted, an indication of the diverse and obscure nature of malware's post-infection network behavior [1].

• ...in addition to port 80, we witnessed HTTP connections to 63 other port numbers. Similarly, we found malware communicating with IRC servers on 44 different ports [1].

Page 11

Malware Has Evolved to Steal Information!

• Moreover, almost all of the observed FTP sessions corresponded to uploads of harvested data. The malware connected to our FTP responder, supplying a login and password, and started uploading data [1].

• SMTP is another method of achieving this goal [1]; 78 of 6,148 malware binaries tried to use the Simple Mail Transfer Protocol (SMTP) [2].

• Many responder sessions contained signs of data exfiltration, including browser history files and stored passwords, usually captured by keyboard loggers or browser hooks [1].

• The large number of POST requests... suggests that HTTP is also employed for sending sensitive information back to data collection servers [1].

Page 12

Evolution of a Rogue Channel: AIM Case Study

Each stage lists the application's communication, the standard countermeasure, and the OSI layer at which that countermeasure works.

Stage 1
  Application communication: Desktop creates connection via proprietary protocol over non-standard port (AIM:OSCAR:5190)
  Standard countermeasure: Firewall blocks non-approved ports (OSI 4)

Stage 2
  Application communication: Desktop creates connection over popular port, e.g., SMTP, HTTP, telnet (AIM:OSCAR:25, AIM:OSCAR:80, AIM:OSCAR:23)
  Standard countermeasure: Firewall inspects port for protocol compliance (OSI 7)

Stage 3
  Application communication: Desktop tunnels AIM connection over the HTTP "superhighway" (HTTP:80 carrying AIM:OSCAR)
  Standard countermeasure: Proxy filter on port 80 (OSI 7++)

Stage 4
  Application communication: Desktop re-configured to circumvent the proxy and run HTTP over a non-standard port (HTTP:XXXX carrying AIM:OSCAR)
  Standard countermeasure: Port-agnostic inspection (OSI 7++)
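Port-agnostic inspection, the countermeasure the case study ends on, comes down to naming the protocol from the first client bytes and ignoring the destination port entirely. The following is an added example (not GTB's code) that does exactly that for the four stages above, and also covers the SMTP-on-odd-ports and IRC-on-high-ports cases from pages 7, 8 and 10. The signatures are deliberately minimal: OSCAR is recognised by its FLAP frame header, HTTP by its request line, SMTP by the client's EHLO/HELO, IRC by NICK/CAP/USER, XMPP by its stream opener. "OSCAR frames as the raw body of an HTTP POST" is an assumed tunnelling layout used to illustrate stage 3, not a documented AIM proxy format; the host names, port 8008 for "HTTP:XXXX" and all sample flows are constructed.

```python
"""Port-agnostic protocol identification from a flow's first client bytes
(added example; signatures and sample flows are constructed)."""
import re
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"OPTIONS ", b"DELETE ", b"CONNECT ")


def is_oscar_flap(data: bytes) -> bool:
    """FLAP framing: 0x2A, channel 1-5, 16-bit sequence, 16-bit data length."""
    if len(data) < 6 or data[0] != 0x2A or not 1 <= data[1] <= 5:
        return False
    (length,) = struct.unpack("!H", data[4:6])
    return len(data) >= 6 + length


def classify_http(req: bytes) -> str:
    """Look past the HTTP envelope: CONNECT is a tunnel request, and a body
    that starts with a FLAP frame is OSCAR riding on HTTP (assumed layout)."""
    line, _, rest = req.partition(b"\r\n")
    if line.startswith(b"CONNECT "):
        return "http-connect-tunnel"
    _headers, _, body = rest.partition(b"\r\n\r\n")
    if is_oscar_flap(body):
        return "oscar-over-http"
    return "http"


def classify(first_bytes: bytes, dst_port: int) -> str:
    """Return a protocol label. dst_port is accepted only to make the point:
    it is never consulted."""
    if is_oscar_flap(first_bytes):
        return "oscar"
    request_line = first_bytes.split(b"\r\n", 1)[0]
    if first_bytes.startswith(HTTP_METHODS) and b" HTTP/1." in request_line:
        return classify_http(first_bytes)
    if re.match(rb"(?i)^(EHLO|HELO) \S+\r\n", first_bytes):
        return "smtp"
    # NICK/CAP, or a four-argument USER, so a one-argument POP3 USER is not IRC.
    if re.match(rb"^(NICK \S+|CAP \S+|USER \S+ \S+ \S+ :)", first_bytes):
        return "irc"
    if first_bytes.lstrip().startswith(b"<?xml") or b"<stream:stream" in first_bytes[:256]:
        return "xmpp"
    return "unknown"


def oscar_hello() -> bytes:
    """Constructed FLAP channel-1 frame carrying the protocol-version word."""
    payload = b"\x00\x00\x00\x01"
    return b"\x2a\x01" + struct.pack("!HH", 1, len(payload)) + payload


def case_study() -> list:
    """The four stages of the slide: same OSCAR session, different wrappers."""
    flap = oscar_hello()
    tunnel = (b"POST /aim HTTP/1.1\r\nHost: proxy.example\r\n"
              b"Content-Length: %d\r\n\r\n" % len(flap)) + flap
    flows = [
        (5190, flap),     # stage 1: OSCAR on its default port
        (25, flap),       # stage 2: OSCAR on a "popular" port
        (80, tunnel),     # stage 3: OSCAR tunnelled inside HTTP on port 80
        (8008, tunnel),   # stage 4: the same tunnel on a non-standard port
    ]
    return [(port, classify(data, port)) for port, data in flows]


if __name__ == "__main__":
    for port, label in case_study():
        print(f"dst port {port:>5}: {label}")
```

Every stage comes back as OSCAR (plain or over HTTP) because nothing in the decision depends on the port, and an SMTP EHLO on 2525 or an HTTP GET on 8080 is named correctly for the same reason. Two things this does not give you: the payload has to be visible, so anything under TLS on any port is "unknown" until it is intercepted or inspected on the endpoint, and client-first classification has to wait for the first client bytes, so server-speaks-first protocols (the SMTP banner, for instance) need the inspector to buffer both directions before deciding.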

Page 13

Next Generation DLP: Time to Value vs. Gen 1

[Chart: value (vertical axis) against time (horizontal axis), with one track per product generation.]

GTB DLP Suite: Network-Based Application Control (prevent rogue channels, fast reduction of risk, reduce problem space, recover bandwidth) -> Content Monitoring (enforce network security policies, implement content policies) -> Prevention -> Content Compliance and Visibility -> Automated compliance on all channels.

Gen 1 DLP: Implement content policies -> Content Compliance and Visibility -> Automated compliance NOT available, or only for a small number of channels.

Page 14

What Kinds of Data DLP Must Cover

All structured data

All unstructured data

All binary data

All audio and video data

All engineering data

Bitmap files

All native XML

All metadata

Multidimensional arrays

All kinds of languages

Page 15

References

1. Michalis Polychronakis, Panayiotis Mavrommatis, Niels Provos. Ghost turns zombie: exploring the life cycle of web-based malware. Proceedings of the 1st USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET '08), April 15, 2008, San Francisco, California.

2. Carsten Willems, Thorsten Holz, Felix Freiling. Toward Automated Dynamic Malware Analysis Using CWSandbox. IEEE Security & Privacy, vol. 5, no. 2, March/April 2007.

3. 2008 Data Breach Investigations Report. A study conducted by the Verizon Business RISK Team. © 2008 Verizon.

Page 16

Data Breach Portals

• http://datalossdb.org/

• http://www.databreaches.net/

• http://www.privacyrights.org/data-breach

Page 17

GTB Technologies, Inc. - Confidential Information 2012.

THE GTB DLP SUITE

One Accurate Product, One Console = Increased Efficiency, Lowest TCO

We put the "P" back into "DLP"

For more information, please contact: GTB Technologies, Inc.

5000 Birch St., Suite 3000, Newport Beach, CA 92660

Sales: (800) 507-9926

Main: (949) 783-3359

Email: [email protected] or your local representative. Web: www.gtbtechnologies.com