SecurityFocal
DLP, as you might be aware, stands for Data Loss Prevention or Data Leaks prevention. It’s a purpose-built solution to protect sensitive information from moving out. DLP solutions have been around for over a decade and a half and have come a long way, yet it’s surprisingly easy to bypass the DLP solution.
We can define the DLP solution as following:
Data Loss Prevention (DLP) is a set of tools and processes to prevent accidental or intentional leakage of sensitive information from corporate systems and assets. Some of the leading DLP solution OEMs are Forcepoint (Websense), McAfee, Broadcom (Symantec), etc.
The biggest misconception around DLP solutions that most security professionals have is that they will completely block any sensitive information from moving out. Unfortunately, that’s not true. DLP solutions since their inception have had several limitations. In this post, we will discuss some of these limitations.
Before we do that, we need to understand the types of DLP solutions and how they work.
Irrespective of the OEM of the DLP solution, we can broadly break DLP solutions down into the following three categories:
1. Endpoint DLP Solution
Endpoint DLP or Host DLP solution is an agent deployed at the system level that monitors all data moving out of the system. Based on the policy configured by the administrator, the agent will block or permit the movement of the information.
Advantages of Endpoint DLP Solution
- The biggest strength of the Endpoint DLP solution is its flexibility. Irrespective of the location the user is working from, an administrator can enforce the DLP policies. Most organizations nowadays rely on Endpoint DLP solutions to protect their remote workforce.
Disadvantages of Endpoint DLP solution
- Endpoint DLP solutions are heavily dependent on the platform and applications. For windows, of course, you can easily find a strong host DLP agent. However, MAC OS and Linux are a big pain area, with most of the DLP OEMs only supporting limited functionality primarily because of the nature of the operating systems.
- Endpoint DLP is heavily dependent on the application versions in use in the system. That means that if a new version of an application is released, it may take even a few months before the OEM releases a DLP agent version to extend the support. It gives a sufficient window of exposure to bypass the DLP solution.
- You need to deploy an Agent at the end-user level. If the agent gets corrupted, you will not have any visibility or control over the data transfer from the end user’s system.
- Advanced features like OCR or Fingerprinting are mostly not supported making it easy to bypass the DLP solution.
2. Network DLP solutions
Network DLP (Gateway DLP) is the DLP component implemented at the gateway level. Two primary channels of data leaks are Web traffic (HTTP/HTTPS/FTP) and Email traffic (SMTP); additionally, some DLP solutions have a separate discovery component to help discover and classify the data stored across the organization. So we can broadly classify it in following three components:
Web DLP Solution
Web DLP solutions protect sensitive information from moving out using Web Channels (HTTP/HTTPS/FTP) and are typically deployed at the proxy level. DLP can be integrated with an existing proxy solution using ICAP integration, or the Web Proxy may have built-in DLP capabilities.
Email DLP solution
Email DLP solutions protect sensitive information from going out using the SMTP channel. Organizations deploy DLP components in integration with the Email Server. The Email Server forwards all outbound SMTP Traffic to the DLP component. DLP then inspects the traffic and enforces the policies.
Data Discovery Solution
This DLP component adds the discovery capability to the DLP solution. It can discover and classify the information based on defined criteria (Keywords, Regular Expressions, Fingerprinting, and so on) across the organization network. Some DLP solutions, including Forcepoint and Broadcom, also offer discovery capability built into the agents.
Data discovery components also offer remediation capabilities. Remediation means that the sensitive information can be removed from any undesired locations or file shares automatically by the DLP solution. DLP can also leave a tombstone mentioning that the DLP solution has removed the sensitive data.
Advantages of Network DLP solution
- Network DLP inspects the content at the protocol level, so there is no dependency on the Endpoint Agent or application versions which makes it difficult to bypass the DLP solution.
- Network DLP supports advanced features like OCR (Optical Character Recognition) and Fingerprinting. So if someone is trying to leak information by taking the screenshots and sending them out, some gateway DLP solutions (like Forcepoint) can analyze and block the screenshots containing the data from moving out pretty much in real-time.
Disadvantages of the Network DLP solution
- Network DLP solutions are not of much use if the users are working from remote locations. It means you can only inspect Email traffic at the gateway level, and DLP can not inspect web Traffic at the gateway level. Endpoint DLP comes to the rescue here and can complement the Network DLP solutions.
3. Cloud DLP Solution
Though DLP solutions offer some controls around the Cloud platform, the only capable solution around Cloud platforms to date remains the CASB Solution.
CASB stands for Cloud Access Security Broker, a purpose-built Cloud Security solution that can enforce restrictions around sensitive information moving in or out from the Cloud Platform.
While CASB is emerging as a powerful and versatile solution to protect the Data Anywhere, it is still an evolving solution and lacks many vital capabilities.
CASB is an independent solution and some DLP OEMs like Forcepoint and McAfee also offers an integration between DLP and CASB solutions.
How to bypass a DLP solution?
Most DLP solutions were built 10 or 15 years back and were not built, keeping in mind a modern work from home, BYOD, and Cloud-first world.
Though many features and enhancements have happened over time, there are many blindspots that DLP solutions still can not overcome. Following are some of these limitations which can be used to bypass the DLP:
1. Encrypt the file before sending it out
If you encrypt the information using WinZip or WinRAR, or just password protects the file and sends it across as an Email or to a USB drive, DLP will not be able to read through the file.
However, DLP, of course, will be able to detect any encrypted file. A DLP administrator has a choice if they would like to block or allow encrypted files.
2. Use latest Firefox/Chrome versions
If you are using the latest version of any application like the latest Chrome or Firefox Browser Versions, the chances are that your endpoint DLP will not be able to protect data loss using that. You can always test it out by uploading a file to a cloud drive or send it out using your personal Gmail.
3. Take screenshots and send them across
While some of the DLP solutions support real-time OCR capability, the limitation is that it’s only supported at the gateway level (Network DLP) and not at the endpoint level. That becomes a major Blindspot for DLP solutions.
If someone is taking screenshots using a print screen or snipping tool, putting multiple screenshots in a word file, and uploading it, they can almost always bypass the DLP solution.
4. Copy data to (android) smartphones using a cable
DLP solutions are traditionally weak in controlling data transfer to an android device connected via a USB or mini USB port. Most DLP solutions can not detect or block it successfully.
5. Use Linux and MAC System or even Virtualization
If you are using a MAC system, the chances are that most of the DLP policies will not work for you. Linux is an even more giant hole in the DLP solution since most DLP solutions do not support Linux.
If you are using Windows, you can install a virtualization platform like Virtualbox, create an Ubuntu VM, and send the data out successfully, bypassing the endpoint DLP solution since it can not monitor the activities within a Virtual Machine.
6. Use SFTP/CMD to send the data across
DLP can not monitor SFTP at the protocol level. An admin needs to manually define the applications which are using the protocol (like WinSCP). However, if you are using the command line, you can easily move around the DLP solution.
DLP is almost entirely blind to whatever actions you take using the command line.
7. Use Browser Incognito/Windows Safe mode
Yes, incognito browser mode is a blind spot for most DLP solutions, and booting Windows in safe mode is another blindspot as the DLP services will not be working in safe mode. Even if they are, chances are they won’t be able to block any activity at all.
8. Use Mobile Phone/Tablet to send the data
DLP is getting older, and, at the time of its inception around 15 years back, no one could have thought that handheld devices would come so far to replace traditional computing devices.
There is no DLP solution for mobile devices, so a DLP solution can not monitor any activities on your mobile devices.
Hold on; there is a caveat; there are solutions like CASB (Cloud Access Security Broker) and MDM (Mobile Device Management), which can enforce some restrictions and monitor your actions on a Mobile device or a Tablet.
9. Use Onion Network (TOR Browser)
Onion network is notorious and is a pain for most security professionals and organizations. Just download Tor browser and open a desnitation to upload the file(s). There are very thin chances (if any) that the DLP will be able to block that. However if your antimalware or GPO blocks that, well there are still many other options.
10. Insert data in large files (>20MB)
A DLP solution can not accurately monitor any files larger than 15 or 20 MB. As the file size goes up, there is a trade-off related to system performance since the DLP endpoint uses the juice from your system to inspect the activities.
By default, most DLP solutions do not monitor files larger than 15 or 20 MB accurately.
Some DLP solutions however support a much larger file size limit, up to 150 MB.
11. Capturing system screen using Mobile or Camera
This one is a no-brainer. DLP can not see or control what is happening outside the system. So one can always use a camera or smartphone to take photos or record video of the system screen.
Well, if you think that DLP doesn’t protect you from data loss, you are right. DLP can hardly restrict someone from intentionally leaking the information. However, it doesn’t mean that DLP solutions are not for you.
As an information security professional, you must know that 100% protection is not achievable. A DLP solution can effectively reduce the risk of data loss to a very significant level.
Let’s say there are 100 incidents of data loss happening every day before you decide to implement the DLP solution. If a DLP solution could block, say, 90 of these 100 incidents, the effective risk of data loss goes down by 90%, and that’s how a DLP solution can still deliver a lot of value to your organization.
Disclaimer: The information presented in this article is for education and awareness purposes only. Leaking any sensitive data from your workplace is highly unethical and immoral.
If you try or leak any sensitive information, the chances are that you will not only lose your job and reputation but can also land behind bars for a long time.