APTs (advanced persistent threats) are tough to detect and stop. Typically, APT attackers break in, survey all the servers on the network, and take what they've come for long before they get noticed ... if ever.
If only there were a way to prevent that stolen data from being used once it left your network.
Guess what? There is a way, and there has been for a long time. It's called data leak protection (DLP), also known as data loss prevention. For more than a decade, dozens of companies have been offering DLP solutions with varying degrees of success, effectiveness, scope, and scalability. Most of my customers have already implemented or are in the process of implementing one or more DLP solutions.
DLP solutions look for data that needs to be protected from unauthorized viewing. Typically they use a scanning engine that matches predefined data patterns (such as Social Security numbers or customer credit card numbers), or they block the exfiltration of particular documents or document types sent through common channels such as email or network file transfers. Pattern matching alone is noisy, so a useful engine validates each candidate hit (for example, running the Luhn check on anything that looks like a card number) before it counts as a finding.
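Here is what the scanning side of such an engine looks like in practice. This is an added example written for this article, not code from any DLP product: the patterns, the validation rules, and the sample message are all constructed. The point it makes is that a raw regex hit is only a candidate; the Luhn check and the Social Security Administration's issuance rules throw out the look-alikes that would otherwise bury an analyst in false positives.

```python
"""Content scanner of the kind a DLP engine runs over outbound mail and
transfers.  Example code written for this article, not any product's engine;
patterns and sample text are constructed."""
import re
from typing import List, Tuple

# Candidate patterns.  A raw match is only a candidate: digit runs and
# dashed numbers are everywhere, so every hit is validated before it counts.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13 to 19 digits, optional separators

def luhn_ok(digits: str) -> bool:
    """Mod-10 check digit used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)

def scan(text: str) -> List[Tuple[str, str]]:
    """Return (kind, matched_text) for every validated hit."""
    hits = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            hits.append(("us_ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            hits.append(("card_number", m.group(0)))
    return hits

def decide(text: str, max_hits: int = 0) -> str:
    """Policy decision: block a message once validated hits exceed the threshold."""
    return "block" if len(scan(text)) > max_hits else "allow"

def redact(text: str) -> str:
    """Mask validated hits except their last four characters, for the audit log."""
    for _, value in scan(text):
        text = text.replace(value, "*" * (len(value) - 4) + value[-4:])
    return text

# Constructed outbound message: two real hits, two look-alikes that must not fire.
SAMPLE = (
    "Hi, the customer's SSN is 123-45-6789 and the card on file is "
    "4111 1111 1111 1111. Ticket ref 000-12-3456, order 1234567890123."
)

if __name__ == "__main__":
    print(scan(SAMPLE))
    print(decide(SAMPLE), redact(SAMPLE))
```

The ticket reference and the 13-digit order number both match the raw patterns and both are rejected by validation; the real SSN and card number survive, the message is blocked, and the redacted copy is what goes into the incident record rather than the secrets themselves.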
Traditionally, DLP was mostly used to limit insider threats -- the rogue employee copying valuable data for personal or unaffiliated corporate use outside the organization. When you think about it, though, an APT -- which works by taking over a legitimate employee's logon credentials -- is the ultimate rogue employee.
DLP done right can significantly minimize data exfiltration damage if scoped across the data types most likely to be viewed or stolen. If your DLP solution can recognize and prevent the data from being stolen in the first place, you win big. If you can encrypt the data in such a way that even if it’s stolen it stays encrypted and inaccessible, you still win big.
How DLP can stop APTs
If an APT is logged on as the legitimate user who can normally access the data, how can DLP or anything else prevent the data from being stolen?
The answer is data encryption. If the data is stolen and is not being viewed by a legitimate user on an approved workstation and network, it stays encrypted, because the key needed to decrypt it is never handed over. Solutions of this kind have existed for a long time and are known as information rights management (IRM) solutions.
IRM encrypts each protected file, document, or email with its own content key, generated by the creator's or sender's IRM client and protected so that only the IRM server can release it. When a user goes to open an IRM-protected document, an IRM-aware application "dials home" to the IRM server referenced in the document, which decides whether the requesting user is authorized at that moment and, if so, releases the key so the document can be decrypted. The right to view (or print, copy, download, or forward) can be withdrawn at any time from any previously authorized user. The caveat is that IRM protects data at rest and in transit, not on the screen: malware running as an authorized user on an approved workstation sees whatever that user is allowed to open, so rights should be granted narrowly.
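The exchange just described, as an added example that is not part of the original article and is not AD RMS or any vendor's implementation. The server URL, users, networks, and document are constructed, and the sealing primitive is a standard-library stand-in (HMAC-SHA256 keystream with an encrypt-then-MAC tag) for the AES mode a real product would use; the IRM logic, which is the point, does not depend on that choice.

```python
"""Toy IRM flow: a per-document content key stays on the rights server; the
document carries ciphertext plus a pointer back to that server.  Example code
written for this article, not AD RMS or any vendor's implementation; server
URL, users and networks are constructed."""
import hashlib
import hmac
import ipaddress
import os

# Sealing primitive: HMAC-SHA256 keystream in counter mode plus an
# encrypt-then-MAC tag.  A standard-library stand-in for AES-GCM so the
# example runs anywhere; the IRM logic below does not depend on this choice.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("document tampered with or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class IrmServer:
    """Holds content keys and per-user rights; answers the client's dial-home."""
    def __init__(self, url: str, approved_networks):
        self.url = url
        self.approved = [ipaddress.ip_network(n) for n in approved_networks]
        self._keys = {}     # doc_id -> content key, never stored in the document
        self._rights = {}   # doc_id -> {user: set of rights}

    def register(self, doc_id: str, key: bytes, rights: dict) -> None:
        self._keys[doc_id] = key
        self._rights[doc_id] = {u: set(r) for u, r in rights.items()}

    def revoke(self, doc_id: str, user: str) -> None:
        self._rights.get(doc_id, {}).pop(user, None)

    def request_key(self, doc_id: str, user: str, right: str, client_ip: str) -> bytes:
        """The policy decision happens here, at open time, every time."""
        ip = ipaddress.ip_address(client_ip)
        if not any(ip in net for net in self.approved):
            raise PermissionError(f"{client_ip} is not an approved network")
        if right not in self._rights.get(doc_id, {}).get(user, set()):
            raise PermissionError(f"{user} has no '{right}' right on {doc_id}")
        return self._keys[doc_id]

def protect(server: IrmServer, doc_id: str, plaintext: bytes, rights: dict) -> dict:
    """Client side at creation: fresh key per document, key escrowed to the server."""
    key = os.urandom(32)
    server.register(doc_id, key, rights)
    return {"irm_server": server.url, "doc_id": doc_id, "blob": seal(key, plaintext)}

def view(server: IrmServer, doc: dict, user: str, client_ip: str) -> bytes:
    """Client side at open: dial home for the key, then decrypt locally."""
    key = server.request_key(doc["doc_id"], user, "view", client_ip)
    return unseal(key, doc["blob"])

if __name__ == "__main__":
    srv = IrmServer("https://irm.corp.example", ["10.0.0.0/8"])
    doc = protect(srv, "q3-customers", b"Acme Corp renewal, card on file 4111 1111 1111 1111",
                  {"alice": ["view", "edit"], "bob": ["view"]})
    print(view(srv, doc, "bob", "10.1.2.3"))
    srv.revoke("q3-customers", "bob")
    try:
        view(srv, doc, "bob", "10.1.2.3")
    except PermissionError as e:
        print("refused:", e)
```

Walk the APT scenario through it: the intruder exfiltrates the document and has bob's credentials, but the request from an unapproved network is refused, and once bob's right is revoked even a request from inside the corporate network gets nothing. The tamper tag only tells the client the blob is intact; it is the server's refusal to release the key that protects the data.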
Many vendors offer IRM solutions. Microsoft has AD RMS (Active Directory Rights Management Services), and other companies have built feature-rich DLP solutions that rely on RMS for the underlying encryption and rights enforcement. I reviewed a favorite of mine, from Titus Labs, back in 2008. Recently, I came across another great IRM/RMS candidate.
Secure Islands and its line of IQProtector solutions are impressive. Co-founded by two Israeli brothers back in 2010, Secure Islands now has 80 employees and more than 50 customers.
Secure Islands products work by using Boolean logic-based policy statements to detect, intercept, and prevent data from leaking into the wrong hands. They expand on AD RMS's default set of protected document types (mostly Microsoft Office files) and can protect files from nearly any application you define, using a kernel-mode encryption driver.
Matching rules have all sorts of options, including content pattern matches, origination and destination locations, file types, IP ranges, group memberships, organizational unit (OU), and so on. What I especially like about Secure Islands’ solutions is the sheer variety of places where you can intercept data, including Exchange, mobile, SharePoint, enterprise applications, file sync (great for catching uploads and downloads), and various clouds.
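To make the rule model concrete, here is an added example of a small policy engine built the same way: atomic predicates over the attributes listed above, combined with Boolean operators into rules. It is written for this article and is not Secure Islands' engine or rule syntax; the event fields, rule names, networks, and OUs are constructed. One design point worth noticing: every rule is evaluated and the most restrictive action wins, so a permissive rule placed first can never shadow a blocking one.

```python
"""Rule engine in the style of a DLP policy: each rule is a Boolean
combination of predicates over an interception event.  Example code written
for this article, not Secure Islands' or any vendor's engine."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable

@dataclass
class Event:
    """What the interception point knows at the moment data moves (constructed)."""
    user: str
    groups: set
    ou: str            # distinguished-name style, e.g. "OU=Finance,DC=corp"
    src_ip: str
    dest: str          # channel:target, e.g. "smtp:external", "cloud:dropbox"
    filename: str
    content: str

Predicate = Callable[[Event], bool]

# --- atomic predicates, one per attribute the rule language exposes
def content_matches(pattern: str) -> Predicate:
    rx = re.compile(pattern)
    return lambda e: rx.search(e.content) is not None

def in_group(group: str) -> Predicate:
    return lambda e: group in e.groups

def in_ou(ou: str) -> Predicate:
    return lambda e: e.ou == ou or e.ou.endswith("," + ou)   # includes child OUs

def from_network(cidr: str) -> Predicate:
    net = ipaddress.ip_network(cidr)
    return lambda e: ipaddress.ip_address(e.src_ip) in net

def file_type(*exts: str) -> Predicate:
    wanted = {x.lower() for x in exts}
    return lambda e: e.filename.lower().rsplit(".", 1)[-1] in wanted

def dest_is(prefix: str) -> Predicate:
    return lambda e: e.dest.startswith(prefix)

# --- Boolean combinators
def all_of(*ps: Predicate) -> Predicate:
    return lambda e: all(p(e) for p in ps)

def any_of(*ps: Predicate) -> Predicate:
    return lambda e: any(p(e) for p in ps)

def not_(p: Predicate) -> Predicate:
    return lambda e: not p(e)

@dataclass
class Rule:
    name: str
    when: Predicate
    action: str  # "block" | "protect" | "audit" | "allow"

SEVERITY = {"allow": 0, "audit": 1, "protect": 2, "block": 3}

def evaluate(rules, event):
    """Every rule is evaluated; the most restrictive action wins, so rule
    order cannot accidentally let a permissive rule shadow a blocking one."""
    decision, matched = "allow", []
    for r in rules:
        if r.when(event):
            matched.append(r.name)
            if SEVERITY[r.action] > SEVERITY[decision]:
                decision = r.action
    return decision, matched

# --- constructed policy
SSN = r"\b\d{3}-\d{2}-\d{4}\b"
RULES = [
    Rule("protect-finance-office-docs",
         all_of(in_ou("OU=Finance,DC=corp"), file_type("xlsx", "docx", "pdf")), "protect"),
    Rule("block-ssn-to-external-mail",
         all_of(content_matches(SSN), dest_is("smtp:external")), "block"),
    Rule("block-cloud-upload-off-corpnet",
         all_of(not_(from_network("10.0.0.0/8")), dest_is("cloud:")), "block"),
    Rule("audit-hr-sharepoint",
         all_of(in_group("HR"), dest_is("sharepoint:")), "audit"),
]

if __name__ == "__main__":
    ev = Event("bob", {"Finance", "Staff"}, "OU=AP,OU=Finance,DC=corp",
               "10.4.7.20", "smtp:external", "payroll.xlsx",
               "Employee 123-45-6789 owed 1,200")
    print(evaluate(RULES, ev))
```

The "protect" action is where the IRM step plugs in: a finance spreadsheet matches the first rule the moment it is saved, which is exactly the "protect as close to creation as possible" idea, while the same file mailed externally with an SSN in it also trips the block rule, and block is what the engine reports.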
Secure Islands' mantra is that it tries to intercept and protect data as close to the creation point as possible. I like that idea for a lot of reasons; in many cases, this means the data is getting protection as soon as it is created. That means fewer chances for a bad guy to steal data in an unencrypted form.
I like Secure Islands, but I'm happy with any product that can protect sensitive data as close to creation as possible. Clearly, DLP is part of the APT solution. You may not easily be able to stop or even detect an APT, but with IRM-based DLP you can eliminate the usefulness of what APT criminals steal. That’s a lot better than allowing an intruder to make off with your crown jewels and leave you helpless.