Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Updated OpenDLP - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Updated OpenDLP

Many of our readers use Data Loss Prevention products as a mechanism to identify sensitive data-at-rest on workstations, servers, databases and similar.  Earlier today, I stumbled across an open source application known as OpenDLP.  I professionally recommend that users have a DLP product in your toolkit.  As many of the tools are commercial in nature, this product may be a excellent choice for home use (or at least when you head home for holidays and are asked to fix the family computer).

While reviewing information on the OpenDLP website, I saw that the developers released a new version of OpenDLP and a virtual machine OpenDLP that corrects a small number of glitches.

More information on this product is available at code.google.com/p/opendlp/ .  Any of our readers use this product and able to comment on how well it works, false positives and the like?

 

Scott Fendley ISC Handler

ScottF

188 Posts
ISC Handler
Ok... what gives.. what would be the objective of using DLP software in a home environment?

Trying to detect if the kids or some other family member accidentally left a copy of a credit card number in an unencrypted .TXT file or Word document, or a copy of the credit card number they e-mailed in their Outlook Express outbox?

Running a DLP scan once a year won't save them.

It seems the security use cases of DLP are pretty limited.
Now in an Enterprise environment, it makes sense,
your enterprise has sensitive documents that you want to detect if someone illicitly copied to their workstation or to an open file share...

But an Enterprise has a lot more control of the employees, and the DLP can alert to the presence of actionable evidence against the Employee
Mysid

146 Posts
I have worked with the developer of OpenDLP in a professional environment and also use it quite a bit. One use-case is during network penetration tests. Clients usually see it as a “value add” if you not only show how you breeched their environment, but also what kind of data you can find. Some clients obviously do not. I’ve even used it in environments that purport to have enterprise class DLP products in place, and end up showing what data they’re missing due to bad configurations, or a limited DLP implementation.

I have used\tested\implemented several of the top sellers of enterprise DLP products, and have found pro’s and cons with all of them. You do get pretty GUI’s and some advanced feature sets with those multi thousand dollar products that you do not get from OpenDLP, but it is very good at what it’s supposed to do: find the data you tell it to. It is up at the top of my list of tools. DLP is no silver bullet but it is a good part of any organizations security posture.

The neat thing about OpenDLP is that since it is written in C you don’t need any special framework to install the agent, and it interacts well in environments that have standard images with a bunch of other agents running. The use of canned regex’s as well as the ability to add your own makes it a powerful tool. And, since its open source I have colleagues who use it in their environment when their company won’t purchase DLP, but they want to demonstrate\discover what types of data are laying around unencrypted. Usually an eye opener when the HR department has a spreadsheet of 40k+ employees names, ssn’s and addresses sitting on the desktop…

All in the all the tools is solid, well documented and the developer gives it a lot of attention. Here’s a link to a presentation of his at Hack in the Box: http://conference.hitb.org/hitbsecconf2011ams/?page_id=1427
pipefish

3 Posts
Just had another thought: All DLP products are only as smart as the “secret sauce” behind the logic they use to classify data. OpenDLP, like other DLP products is only as smart as you make it with the use of regular expressions. I have found that a combination of regular expressions can help minimize the false positive rate. Your biggest mistake is to go in and just look for the SSN regex… that will get you plenty of hits but a lot of false positives (with OpenDLP or any other DLP product). Finding the right set of expressions and thresholds for your environment is on you, but OpenDLP makes it easy to mess around with different combinations and see what you find.
pipefish

3 Posts
DLP serves a unique place in a home environment. Most families have a treasure trove of PII on their computers and do not realize it.

An average family of 4 has a lot of potential information that would be useful to an attacker. US Citizens/Residents will have their individual SSN numbers. It is also likely that the family has 3-5 credit cards and 2-3 banking or investment accounts.

Depending on how old the computer is and their "digital hygiene" over the life span of that computer, there is potential for some valuable data that can be gleaned off the computer. Is DLP as valuable to a home user as it is with an Enterprise? It depends on if you expect DLP to be a silver bullet, or just as a tool to identify where that sensitive data may exist. You can not protect the data if you don't even know it exists on that system.

I can guarantee that my parent's home computer has tax returns and similar data on some hard drive or external backup drive which has every tax return (complete with date of birth, SSN, etc) they submitted while I was a teen and into my college years. And it is likely that there are various credit or banking account statements which contain the complete account number or similar information.

Knowing where those files are today will allow an end user to at least put the files into a TrueCrypt vault. DLP fits a niche area of intelligence gathering in this environment.


ScottF

188 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!