What is the solution to allowing backdoors?
Written by Jacob Woodfield
Introduction DLP
Data Loss Prevention has been a fundamental in Enterprise level Cyber Security for almost 30 years. In that time, we have witnessed the advancement of countless tools to enhance our ability to both detect and act on potential data breaches. Some of these are extremely niche in their ability, such as machine learning. Most however, are now relied on heavily by organisational strategies - Browser level inspection, Optical Character Recognition, Cloud-Based API integration for online storage solutions; all of these and more provide enhanced protection and control of sensitive information.
In the past ten years, we've seen the rise of Data Classification, CASBs and GDPR. Data Loss Protection is no longer the elephant in the room which we awkwardly skirt around from fear of project implementation time or costs - DLP is now a foundation for any mature security posture with even non-DLP specialist tools providing some level of DLP integration.
The issue is however that DLP has remained overall very static in its approach since its inception in the 90s. Requiring a specific reaction to a specific action. If you wish to protect credit card numbers for example, you have granularity in defining how many unique matches must trigger, where they can go without impedance and where they absolutely must not be sent, you have granularity in who is allowed to send this and who is not, but this is a manual process requiring knowledge and understanding of your individual users.
Backdoors
Very often I will be working with an organisation who wish to protect specific, potentially damaging information. I will meet with data owners and security personnel, to be told that X business unit can send this to Y location externally as part of an approved business processes. There are multiple technical aspects of allowing such nuances to happen, but broadly speaking, we will be tasked with creating "back doors" for specific users. This is an extremely common practice and almost every organisation will implement it in some form - be it the CEO whitelisted from all policies (which despite extremely impassioned protests, does still happen), an entire business unit allowed to write anything they want to USB drives... the list is extensive.
The Issue
What these back doors do not account for however is the security of the individuals we are creating them for. Taking our (admittedly extreme) CEO example, what would happen if the CEO's account were compromised? The organisation now sits with a compromised account leaking sensitive information with tools purchased, implemented and configured specifically set-up to ignore this account. Even if the organisation still allowed for DLP to create an audit of all sensitive data exfiltrated, it is still too late - this data has left the span of control of the organisation.
Is there a Solution?
So, what is the solution? If it were as simple as convincing companies not to allow back doors, this entire blog post would be moot. We could implement drip DLP and start triggering blocking enforcement after a specific threshold is met, but that still allows data to leave, and it still doesn't account for organisations who wish to whitelist all activities over a specific channel. It's an issue which requires static policies to be configured for dynamic variables - users.
The solution then, must be something automated which can change our static policies depending on the current variable.
This is where User Engine Behaviour Analytics (UEBA) comes in.
Working in the background, UEBA toolsets use tens of thousands of indicators of behaviour (IOB) to run complex algorithms and output a human-readable risk score. This risk score is assigned to each user in the organisation to highlight if a user is acting suspiciously. This could be in reference to spending more time on LinkedIn and sending out CVs, logging in at uncharacteristic hours, sending more emails externally... everything is logged, fed into the UEBA and analysed.
Of course, historically a UEBA has come with extremely complex and unique deployment challenges, requiring gargantuan hardware resources and dedicated teams to keep things running smoothly. With the rise of cloud computing and SAAS offerings however, UEBA is becoming more approachable every year.
Then there is the issue that UEBA has no real integration to DLP. I've had multiple client meetings where I've been asked if the UEBA toolset costing substantial time and resources can be leveraged into a DLP solution. Though the answer is yes, it comes with significant caveats. User scores would need to be manually checked and DLP policies would need to be manually refined with these scores in mind. Several years ago, I was working with a large manufacturing enterprise who had a "Leaver's Policy". This required a resource to manually check the UEBA service each morning and then update the AD records of users in this policy so that high flight risk users were being inspected much more closely. Not only was this a huge time-sink, it also created extreme levels of incident generation and a 99.9% false positive rate.
Could this be it?!
This is why Forcepoint's latest innovation, Dynamic User Protection (DUP) is so exciting. Providing a SAAS based UEBA, the toolset integrates quickly and seamlessly into Forcepoint's DLP solution. This allows for policies to be created which apply an action on a user's individual risk score. For example, a user with a low-risk score could be allowed to send confidential data without impedance. When that risk score creeps up, we can configure DLP to perform more restrictive actions, such as requiring user interaction in the form of pop-up warnings, to quarantining emails, all the way up to blocking the transaction entirely and autonomously emailing the user's manager.
The time has come for DLP to be more intelligent, and Forcepoint's DUP is leading the charge on this. Without the need for complex management of the UEBA solution or the hardware to run it on and with the benefits of seamless, automated integration with DLP, the possibilities of allowing users to perform their usual activities without the need for security back doors just broadened extensively.
