
Stay out of the kitchen: A DLP Security Bake-off (IT-Defense 2015)

Zach Lanier
February 05, 2015

Despite a plethora of data security and protection standards and certifications, companies and their systems are still leaking information like a sieve. Data Loss Prevention (DLP) solutions have often been touted as the "silver bullet" that will keep corporations from becoming the next headline. With deployment models ranging from a fat agent on an endpoint, to a blinky-lights box surveilling all network traffic, to some unified threat management gateway with DLP secret sauce, these solutions are ripe for bypass - or worse.

This talk will discuss our research into a handful of DLP solutions, including their capabilities and their shortcomings. We will demonstrate flaws in administrative and programmatic interfaces and the inspection engines themselves.

Transcript

  1. Stay out of the kitchen: A DLP Security Bake-off (IT-Defense 2015)

  2. Introduction
    • Our research is on-going and results herein are not exhaustive
    • Note the “security” qualifier before “bake-off” — this isn’t just a feature comparison
    • Read: we went down the "bug hunting" rabbit hole
    • Obligatory disclaimer: views in this presentation may not be those of my employer, blah blah blah

  3. About Me
    • Senior Research Scientist, Applied Research, Accuvant Labs R&D
    • Old net/web/app/mobile pen tester type
    • Co-author of "Android Hacker's Handbook" (Wiley, April 2014)
    (Kelly Lum of Tumblr, who was unable to be at IT-Defense, was involved with the research & original presentation)

  4. AGENDA
    • DLP overview
    • Targets/products in scope
    • Components breakdown
    • Assessment criteria/Methodology
    • Findings (by target)
    • Conclusion / Q&A

  5. DLP OVERVIEW

  6. What is DLP?
    • “Data Loss/Leakage Prevention”
    • Identify “sensitive stuff”, keep it from leaving the company
    • Various approaches:
      • Network monitoring/sniffing
      • Mail/messaging inspection
      • Endpoint agent
      • Real-time monitor
      • Filesystem/DB/CMS/etc. crawler

  7. Why DLP?
    • Used to be a hot-button topic
    • Panacea to solve all data leakage woes
    • “Keeps honest people from doing dumb things”
    • Data breaches and “files falling off the back of a digital truck” spurred DLP

  8. Why WE chose to look at DLP
    • Curious about attack surface, reliability, etc.
    • Like other security products, DLP agents/appliances often have high privileges or are “ideally” situated (i.e. see all the traffic)
    • Testing the “security of security products” is always interesting
    • Big vendor buys small vendor, integrates then shelves them…meaning security is often overlooked

  9. Previous Research
    • A bunch of blog posts and whitepapers by Securosis
    • “Defeating DLP”, Matasano, BlackHat USA 2007
    • “Gone in 60 Minutes: Stealing Sensitive Data from Thousands of Systems Simultaneously with OpenDLP”, Andrew Gavin, DEFCON 19
    • Many others…

  10. DLP Architecture Example

  11. DLP Architecture Example

  12. DLP workflow example - Trend Micro

  13. Rule creation example - Trend Micro DLP

  14. Vendors/Products Evaluated
    Vendor       Product                             Version   OS
    Trend Micro  DLP Management Appliance            5.6       Linux
    Trend Micro  DLP Endpoint Agent                  5.6       Windows
    Sophos       Astaro UTM Appliance                9.201     Linux
    Sophos       Enterprise Console                  5.2.1r2   Windows
    Sophos       Endpoint Security                   N/A       Windows
    Websense     TRITON Management Server            7.8.3     Windows
    Websense     Data Protector Endpoint Agent       7.8.3     Windows, Linux, OS X
    Websense     Data Security Protector Appliance   7.8.3     Linux
    OpenDLP      OpenDLP                             0.5.1     Linux

  15. COMPONENTS BREAKDOWN

  16. Trend Micro
    • Windows endpoint agent - monitoring and policy enforcement on client machines
      • Acts like a “legitimate” rootkit and hides itself
    • Network agent - virtual appliance; monitors network traffic
    • Remote crawler - for digital assets on machines not on corporate network
    • Management server - Linux-based virtual appliance

  17. Websense
    • TRITON management server - unified management console; Apache Coyote on Windows, backed by MSSQL DB
    • Windows, OS X, Linux endpoint agents
      • File and network drivers
      • Can also monitor clipboard operations
    • Linux-based “Protector” appliance
      • Restricted “admin” shell
    • Crawler agents can index/identify sensitive documents

  18. Sophos
    • Enterprise Management Console - fat/native, Windows-based unified management console
      • Whole lotta .NET…
    • Sophos endpoint security - antivirus + DLP + … (Windows, OS X, Linux)

  19. OpenDLP
    • Typically Linux virtual appliance
    • Apache + a lot of Perl
    • Windows agent
    • File system crawler and document parser (PCRE-based)
    • SSHFS-based crawler
    • And some Metasploit modules (wtf?)

  20. On the ubiquity of KeyView…
    • “kvoop” binary (“KeyView OOP”) showed up a lot
    • Part of KeyView Filter SDK, used for parsing and normalizing various data and document formats
    • Used in numerous DLP products, messaging servers, and "big data" platforms
    • e.g. “EPClassifier” in Websense spawns kvoop processes to handle documents

  21. ASSESSMENT CRITERIA/METHODOLOGY

  22. Methodology
    Target              Component                          Test(s)
    Network Appliance   Parsers (docs and configuration)   Invalid/mangled files
                        Update/Deployment mechanism        Protocol analysis; crypto/signing
                        Operating System                   Configuration auditing; hardening practices
    Endpoints/Agents    Parsers (docs and configuration)   Invalid/mangled files
                        Update/Deployment mechanism        Protocol analysis; crypto/signing
                        Drivers and Services               Hardening practices/config; fuzzing (i.e. IOCTLs, network, etc.)
    Management Server   Web Server/Web App                 LOL OWASP TOP 10
                        Database                           Configuration auditing; sensitive data storage
                        Operating System                   Configuration auditing; hardening practices

  23. General Findings Notes
    • Little to no hardening on (Linux) appliances
    • Many services run as root
    • Lack of exploit mitigations
    • Highly privileged endpoint agent software out of the box (root, LOCALSYSTEM)
    • General absence of security best practices
      • Comms encryption, webappsec101, etc.
    • Occasional bug inheritance (e.g. OpenSSL!)

  24. FINDINGS - TREND MICRO

  25. Trend Micro - XSS

  26. Trend Micro - CSRF

  27. Encryption would have been a good idea

  28. FINDINGS - SOPHOS

  29. Sophos: What we didn’t find
    • Majority of code implemented in .NET
    • Utilizes most of the MS core libraries, which means:
      • DB best practices
      • Contextualized Input/Output
      • Standardized Encryption Libraries

  30. FINDINGS - SOPHOS ASTARO UTM

  31. Not a whole lot…
    • Most services chroot’ed (eh…), drop privs
    • Web app fairly clean (just a few really low impact “issues”)
    • Tight network- and login-access control restrictions

  32. FINDINGS - OPENDLP

  33. OpenDLP - CSRF

  34. FINDINGS - WEBSENSE

  35. On Websense Policies...
    • Websense DLP policy objects include keywords, regexes, etc.
    • Regex entries are actually Python pickled objects
    • TRITON management server encrypts, bundles policies/files, pushes to agents and appliances

  36. Websense Protector & Endpoint - RCE + Privesc
    Say a local admin on TRITON server replaces “.pic” file with custom pickled objects…
    [Screenshot: Our crappy pickle POC; after overwriting a “legitimate” policy file]
    [Screenshot: Reverse shell from Protector after policy update]
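The slide's scenario is a textbook case of unpickling attacker-controlled data: whatever a `.pic` file names gets imported and called on the agent. As an added example (not code from the talk or from any Websense product), here is the loader shape that closes that gap: authenticate the bundle before pickle touches it, then unpickle with a subclass that refuses every global reference, so a policy may carry strings and containers but never callables. The HMAC scheme, the key, the function names and the sample policy are all assumptions.

```python
import hashlib
import hmac
import io
import pickle
import re

# Constructed sample policy: plain containers and strings only, no code objects.
SAMPLE_POLICY = {
    "name": "credit-cards",
    "regexes": [r"\b(?:\d[ -]?){13,16}\b"],
    "keywords": ["confidential"],
}

# Assumed key shared by management server and agents (placeholder value).
SIGNING_KEY = b"replace-with-provisioned-key"
TAG_LEN = 32  # HMAC-SHA256 digest length


class PolicyUnpickler(pickle.Unpickler):
    """Refuses every global lookup, so a bundle can carry data but never callables."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"policy bundle may not reference {module}.{name}")


def bundle_policy(policy, key=SIGNING_KEY):
    """Serialise the policy and append an HMAC-SHA256 tag over the pickle bytes."""
    body = pickle.dumps(policy, protocol=2)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def load_policy(bundle, key=SIGNING_KEY):
    """Verify the tag before pickle sees a single byte, then unpickle without globals."""
    body, tag = bundle[:-TAG_LEN], bundle[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("policy bundle failed authentication")
    policy = PolicyUnpickler(io.BytesIO(body)).load()
    # Patterns travel as strings and are compiled only after validation.
    policy["compiled"] = [re.compile(p) for p in policy["regexes"]]
    return policy


def loads_cleanly(bundle, key=SIGNING_KEY):
    """True if the bundle authenticates and unpickles, False if it is rejected."""
    try:
        load_policy(bundle, key)
        return True
    except (ValueError, pickle.UnpicklingError):
        return False
```

A bundle signed with the right key but containing a pickled function is still rejected by `find_class`, which is the property the restricted unpickler adds on top of the signature check.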

  37. A NOTE ON DLP BYPASSES

  38. Evasion is inevitable
    • Unsupported or obscure file formats, protocols, or unexpected network behavior
      • Think: fragment/datagram reassembly ordering
    • Obfuscated or encrypted files
      • Steganography, anyone?
    • How many of your users have elevated (admin, sudo/root) privileges?
      • e.g. disable endpoint agents

  39. “Is your objective to improve security, or make your quarterly targets?” -@snowcrashmike
    • Defenses add weaknesses
      • "Caveat emptor"
      • Every new piece of infrastructure is additional attack surface
      • Security companies should know better
      • If a scanner can find it, what’s your excuse?
    • Know what/who you’re defending against
      • An advanced insider probably has own abilities