2011-08 Whitepaper DLP

DLP as a Network Fabric

By Bob Matlow

Introduction

With data breaches at major corporations, government agencies and other institutions regularly making headlines, you'd think there isn't much anyone can do to protect their data against theft. In reality, although a few data thefts use highly sophisticated methods, the vast majority use fairly simple techniques to steal data from organizations that have little or no protection. This paper explains how data becomes vulnerable and how Barracuda Networks products and services create a network fabric for effective protection against losing data to simple and sophisticated threats alike.

Data Insecurity

Stealing data pays. In 2009, researchers at the University of California, Santa Barbara hijacked a criminal botnet in the wild. In just eight days, this one botnet stole 70 gigabytes of financial data worth an estimated $8.3 million.i In April 2011, Sony revealed that cybercriminals had stolen personal data from 100 million PlayStation Network and Sony Online Entertainment user accounts. Stolen data included users' credit card and debit card numbers. Experts estimate this data breach will cost Sony and credit card issuers $1 to $2 billion.ii According to the Open Security Foundation, there were 451,000 reported events in 2010 that involved the theft, loss, or accidental exposure of sensitive information.iii From 2005 to 2009, publicly traded companies alone reported a total financial cost from criminal data breaches of $139 billion.iv Whether criminal or accidental, data loss has become a multibillion dollar per year problem.

Figure 1: Data loss incidents by organization type. Source: Open Security Foundation DataLossDB.org
  Business - 48%
  Education - 20%
  Government - 18%
  Medical - 15%

Financial damage from data breaches comes from two sources: money lost directly from bank and credit card accounts, and the time and labor that compromised organizations spend on forensic analysis of the breach to identify its extent and exact nature and to send alerts to the affected parties. Organizations that process credit card information or maintain healthcare records, financial institutions, publicly traded business entities, government agencies and many others must comply with at least one, and possibly several, regulations that require them to report data breaches to the appropriate agency and to victims. Clearly, safeguarding data against loss is a key cost-control issue. Yet at best, only 25% of all organizations take any specific measures to protect themselves against data loss.v

The main reason more organizations don't take specific measures against data loss is the outdated notion that traditional Layer 3 network firewalls are sufficient to protect data assets. In fact, a Layer 3 firewall passes Web application traffic, e-mail and other permitted protocols through without inspecting their content, which makes those protocols effective attack vectors for stealing data. Also, many organizations that outsource network operations to ISPs mistakenly believe that security measures to prevent data loss are included in their service contracts.

Figure 2: Data breach incident types.vi Source: Open Security Foundation DataLossDB.org
  Stolen Laptop - 18%
  Hack - 16%
  Web - 12%
  Fraud - 9%
  Stolen Computer - 7%
  Other - 32%

Various types of network and storage breaches account for the majority of stolen and accidentally exposed data records, and for the greatest financial damage. Stolen or abused credentials contributed to 16% of all breaches, and lost or stolen backup tapes and other media account for 3% of lost-record data breaches. However, Web-based attacks were the most prevalent as well as the most damaging: they accounted for 94 percent of all compromised datavii and cost the victim organization an average of $143,209 per theft, mostly from SQL injection attacks. By comparison, the average damage caused by malicious code attacks is $124,083, and malicious insiders cause damages of about $100,300 per theft.viii With the problem of data insecurity defined, the next step is a strategic framework for preventing data theft and accidental exposure.

Data Loss Prevention

Data Loss Prevention (DLP) is a formal data security practice based on identifying sensitive data and protecting it against theft or disclosure. Experts have classified three main types of DLP: Data in Motion (also called network DLP), Data in Use (client/user DLP) and Data at Rest (data storage DLP). Gartner views integrated network and endpoint control as the ultimate goal of the DLP industry.ix According to Gartner, organizations must monitor multiple channels for inbound and outbound activity in order to prevent data loss, and must use content awareness mechanisms such as e-mail security and solutions that monitor endpoints.x The following sections delve into these areas of DLP and indicate how products and services from Barracuda Networks provide DLP solutions that together form a seamless fabric against criminal and accidental loss of data.

Data in Motion: Network DLP

According to Barracuda Labs, the research division of Barracuda Networks, the threat landscape changed significantly in 2010. Security threats from e-mail sources dropped by half, from a volume of 52 billion spam messages detected per month to 26 billion per month. At the same time, web-based attacks that use search engines and social sites to infect users' computers increased 55 percent.xi Botnets previously used for distributing e-mail spam have been repurposed to find vulnerabilities in web applications and to run other automated attacks. Barracuda Networks network DLP solutions are engineered to actively identify and block incoming attacks that lead to data breaches. They also monitor outbound traffic for specific information such as credit card numbers, Social Security numbers, e-mail addresses and other classes of sensitive data, and prevent it from being passed to the Internet.
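As an added example (not Barracuda code, and not a description of how the Barracuda appliances implement their scanning), the Python below shows the outbound content check described above, which also underlies the Web Application Firewall and Spam & Virus Firewall outbound scanning discussed in the next section: loose candidate patterns for card numbers, US Social Security numbers and e-mail addresses, a Luhn checksum to confirm card candidates so ordinary long numbers are not flagged, a block-or-allow decision, and a redacted copy of the payload that is safe to log. The sample HTTP response, the pattern set and the policy that e-mail addresses are redacted but do not by themselves block the payload are assumptions of the example.

```python
"""Outbound content inspection for data-in-motion DLP.

Added example, not Barracuda code. It shows the kind of check a network
DLP device applies to an outbound HTTP response or e-mail body: find
candidate credit card numbers, US Social Security numbers and e-mail
addresses, confirm card candidates with the Luhn checksum so that
ordinary long numbers are not flagged, decide whether to block, and
produce a redacted copy of the payload that is safe to log.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Loose candidate patterns; the Luhn check is what confirms a card hit.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN: area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")

# Assumed policy: cards and SSNs must never leave the network; e-mail
# addresses are redacted in logs but do not block the payload on their own.
BLOCKING_KINDS = {"card", "ssn"}


@dataclass
class Finding:
    kind: str
    value: str
    start: int
    end: int


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan(payload: str) -> list[Finding]:
    """Return confirmed findings ordered by position, with overlaps dropped."""
    found: list[Finding] = []
    for m in CARD_RE.finditer(payload):
        if luhn_valid(re.sub(r"[ -]", "", m.group())):
            found.append(Finding("card", m.group(), m.start(), m.end()))
    for m in SSN_RE.finditer(payload):
        found.append(Finding("ssn", m.group(), m.start(), m.end()))
    for m in EMAIL_RE.finditer(payload):
        found.append(Finding("email", m.group(), m.start(), m.end()))
    found.sort(key=lambda f: (f.start, -f.end))
    result: list[Finding] = []
    for f in found:
        if not result or f.start >= result[-1].end:
            result.append(f)
    return result


def redact(payload: str, findings: list[Finding]) -> str:
    """Mask findings in place, keeping the last four characters of card/SSN hits."""
    pieces, pos = [], 0
    for f in findings:
        pieces.append(payload[pos:f.start])
        if f.kind == "email":
            pieces.append("[email redacted]")
        else:
            pieces.append("X" * (len(f.value) - 4) + f.value[-4:])
        pos = f.end
    pieces.append(payload[pos:])
    return "".join(pieces)


def inspect_outbound(payload: str) -> tuple[str, str, list[Finding]]:
    """Policy decision for one payload: ('block' | 'allow', redacted copy, findings)."""
    findings = scan(payload)
    action = "block" if any(f.kind in BLOCKING_KINDS for f in findings) else "allow"
    return action, redact(payload, findings), findings


# Constructed sample: a response body such as an injected query might
# return. The 13-digit tracking number is a Luhn-invalid decoy.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<p>Order 1042 for alice@example.com</p>"
    "<p>Card on file: 4111 1111 1111 1111, tracking 1234567890123</p>"
    "<p>SSN 123-45-6789</p>"
)

if __name__ == "__main__":
    action, safe_copy, hits = inspect_outbound(SAMPLE_RESPONSE)
    print(action, [(h.kind, h.value) for h in hits])
    print(safe_copy)
```

A device doing this for real has to run the check on decoded content (decompressed response bodies, base64-decoded attachments, each MIME part separately); matching raw bytes on the wire is exactly where simple DLP filters miss data.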

The Barracuda Web Application Firewall is the cornerstone network DLP solution for preventing Web-based data breaches. Web applications, by design, accept traffic through Layer 3 network firewalls, so clean application code goes a long way towards preventing data breaches caused by malicious user input. However, most applications contain thousands of lines of code and vulnerabilities are often subtle and hard to recognize, so relying on clean code alone carries inherent risk. The Barracuda Web Application Firewall scans all input to Web applications for numerous possible threats such as SQL injection, cross-site scripting (XSS), OS command injection, site reconnaissance, session hijacking, malicious probes/crawlers, cookie/session tampering and path traversal. All detected incoming attacks are immediately blocked, and at the same time the appliance scans outbound Web traffic to prevent the release of any sensitive data: DLP in its most classic form. In addition, forensic analysis of the attacks is readily available thanks to the comprehensive logging features of the Barracuda Web Application Firewall.

The Barracuda Spam & Virus Firewall blocks incoming malware and spyware attacks that use e-mail as the entry point to the network, while also scanning outbound e-mail and attachments to block both malicious (intentional) and accidental release of sensitive data. The Barracuda Spam & Virus Firewall also includes an e-mail encryption service, at no extra cost, that lets users encrypt e-mails to prevent accidental exposure of sensitive data.

Data in Use: Client/User DLP

The Barracuda Web Filter and Barracuda Web Security Flex are two technologies that protect desktop systems from becoming the points of entry for data theft. Spyware is specifically designed to steal information. The Barracuda Web Filter, as an appliance, and Barracuda Web Security Flex, as a cloud-based SaaS, both perform bi-directional spyware scanning: they prevent incoming attacks from infecting systems on the network while simultaneously scanning outgoing traffic to prevent data loss from internal systems, infected or otherwise. The Barracuda Spyware Removal Tool, part of every Barracuda Web Filter, analyzes suspect systems and removes any spyware it detects.

The Barracuda SSL VPN provides remote users with secure remote access to network resources. Authorized remote users who are in transit, or on unsecured clients, can safely access and use network applications, files and other internal resources without exposing sensitive data. Secure remote access via SSL VPN also has implications for Data at Rest DLP, as discussed in the next section.

Data at Rest: Storage DLP

The two most significant areas where stored data is stolen or accidentally exposed are data backups and data stored on laptops. Presented here are strategies for preventing Data at Rest breaches.

Data Backup Storage DLP

The use of removable media to back up data creates several vulnerabilities. Tapes and disks are lost in transit to offsite storage locations, or are intentionally stolen. While data exposure from lost storage media is relatively rare, with only 91,000 incidents reported between 2005 and 2009,xii when it does happen it often has a spectacular effect because of the large amount of data a backup tape can hold. In 2006, Circuit City exposed 2.6 million cardholder records when backup tapes were thrown in the trash.xiii An incident in which Iron Mountain lost tapes during transport resulted in a single exposure of 1.9 million records.xiv For organizations that use removable storage media such as tapes or disks, Barracuda Networks Yosemite Server Backup software encrypts the data it writes to backup tapes or discs, so that nothing is disclosed should the media be lost or stolen in transit or during offsite storage. Encrypted backups protect the media only as long as the encryption keys are kept separately from the tapes and are themselves backed up, since a lost key makes the backup unrecoverable. For organizations that would prefer to do away with removable media altogether, Barracuda Backup Service provides local disk storage coupled with cloud storage, eliminating the possibility of media loss or theft during transit or at an offsite storage facility.

Laptop Storage DLP

Data stored on laptops is particularly at risk. Theft of laptops causes the largest number of data exposure incidents, although not necessarily the largest total number of exposed records. Thieves usually steal laptops for resale, not for their data; in some cases, however, laptops are targeted specifically for the data they hold. One solution to preventing data breaches from laptop theft is to encrypt the data stored on the laptops. Data encryption has some inherent problems, however: some countries do not allow encrypted laptops across their borders, some users object to the time it takes to encrypt data, and some object to data encryption in generalxv and simply fail to encrypt their data. A more secure and reliable solution is not to store sensitive data on laptops at all. Laptop users should do their work in network applications and file shares kept inside the network perimeter, which they access securely via a Barracuda SSL VPN. In this scenario, the loss of a laptop exposes no data, because no data is stored on the laptop, provided users do not save local copies and session data is cleared when they disconnect. This remote-use model requires an SSL VPN with strong user authentication, to ensure only authorized users gain access to network applications and data files, and role-based access control, to limit each user to only those network resources they need. The Barracuda SSL VPN, with its application control and up to seven layers of multifactor authentication, is often used to securely connect remote laptops to network applications, network drives and files, intranets and other resources. Access to network resources can be granted based on individual and group identities, and can require that the remote system meet a specific configuration standard. A cache cleaner ensures that session data is removed from the remote laptop. Since the Barracuda SSL VPN connects users directly through their browsers with no client software, such laptops would not violate any country's regulations regarding encrypted laptops. Policy enforcement is automatic.

Conclusion

The often severe consequences of data breaches, coupled with the automated nature of cybercrime, suggest that organizations must make DLP a top priority and approach it systematically. Barracuda Networks' strategic inclusion of DLP features in the Barracuda Web Application Firewall and the Barracuda Spam & Virus Firewall (Data in Motion DLP); the Barracuda SSL VPN, the Barracuda Web Filter and Barracuda Web Security Flex (Data in Use DLP); and Yosemite Server Backup, Barracuda Backup Service and the Barracuda SSL VPN (Data at Rest DLP) lets administrators build a seamless DLP fabric layered throughout the network.

References

i. eWeek, http://www.eweek.com/c/a/Security/Security-Researchers-Uncover-70-GB-of-FinancialData-Stolen-by-Botnet-501015/ (as seen on 4/1/2011).
ii. Christian Science Monitor, http://www.csmonitor.com/Business/2011/0503/Sony-data-breach-could-be-most-expensive-ever (as viewed 5/17/2011).
iii. Open Security Foundation DataLossDB (as viewed on 4/1/2011).
iv. Network World, http://www.networkworld.com/news/2010/012510-data-breach-costs.html.
v. Darkreading.com, http://www.darkreading.com/insider-threat/167801100/security/security-management/213300864/index.html.
vi. Ibid.; Open Security Foundation, http://datalossdb.org/statistics.
vii. Verizon Business, 2010 Data Breach Report, http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf (as viewed on May 18, 2011).
viii. Darkreading.com, http://www.darkreading.com/database-security/167901020/security/attacks-breaches/226200272/index.html.
ix. Gartner (2007), Content Monitoring/Filtering (CMF/DLP), http://eval.symantec.com/mktginfo/enterprise/white_papers/vontu_gartner_mq_cmf_%20dlp_2Q07.pdf.
x. Gartner, 2009.
xi. Paul Judge, Barracuda Labs 2010 Annual Security Report, February 2011.
xii. Leaking Vault, Five Years of Data Breaches.
xiii. DataLossDB, http://datalossdb.org/incidents/421-tapes-with-information-on-over-2-5-million-circuit-city-cardholders-thrown-in-trash (as viewed on 5/17/11).
xiv. Ibid., Leaking Vault.
xv. SearchSecurity, http://searchsecurity.techtarget.com/answer/What-are-the-best-laptop-data-encryption-options (as viewed on 5/18/11).

About Barracuda Networks Inc.

Barracuda Networks Inc. combines premises-based gateways and software, virtual appliances, cloud services, and sophisticated remote support to deliver comprehensive content security, data protection and application delivery solutions. The company's expansive product portfolio includes offerings for protection against e-mail, Web and IM threats as well as products that improve application delivery and network access, message archiving, backup and data protection. Coca-Cola, FedEx, Harvard University, IBM, L'Oreal, and Europcar are among the more than 130,000 organizations protecting their IT infrastructures with Barracuda Networks' range of affordable, easy-to-deploy and manage solutions. Barracuda Networks is privately held with its international headquarters in Campbell, Calif. For more information, please visit www.barracudanetworks.com.
3175 S. Winchester Boulevard, Campbell, CA 95008 United States 408.342.5400 www.barracuda.com [email protected]
