Data Loss Prevention

  • 1.  What is the value to only monitor http traffic?

    Posted Apr 10, 2012 06:46 PM

    Hi,

    Due to legal, privacy, cultural constraints, we are aiming to only start with http detection and monitoring.

    1) I would like opinions from this forum on what is the value to just monitoring http?

    2) Can Network Monitor, via ICAP session detect https traffic, and raise an alert (policy to detect https traffic) without breaking the https encryption?

    K




  • 2.  RE: What is the value to only monitor http traffic?

    Posted Apr 11, 2012 08:40 AM

    1) We are at the moment using http monitoring to watch for competitor communications. So by just monitoring we use the statistics to see how many hits we get over time. If excessive we take actions. This can be used in many other cases such as gambling, social sites and so on.

    You can also search the traffic for sensitive data specific to your organisation without interrupting traffic. This is also used to get statistics.

    With the statistics you can then form a better view for those not seeing the actual value of DLP (people claiming legal, privacy and so on) and over time hopefully prevention is permitted.

    2) I haven't tried this myself, but if you tap/span traffic all of it gets through, and you can set up a policy only looking for https traffic and then add a response to send an email or even dismiss it but log it. The latter one can be used the same way as described in the previous section. Statistics.


    Not sure this helped, or maybe I got your question wrong, but that's my opinion.


    /Oscar



  • 3.  RE: What is the value to only monitor http traffic?

    Posted Apr 11, 2012 09:44 AM

    Hi kigali,

    1. We can't monitor HTTPS traffic on the network because it is in encrypted form.
    2. We have to monitor this in the web browser using the endpoint agent.

    And using network DLP you can monitor HTTP and FTP traffic.

    This is my opinion.


    Albert ~



  • 4.  RE: What is the value to only monitor http traffic?

    Posted Apr 11, 2012 12:37 PM

    Apologies, my second question was supposed to be: can Network Prevent be used to detect https traffic via a policy to identify source, destination, etc., without breaking the encryption and looking into the content? This is purely to gather data / statistics.

    K




  • 5.  RE: What is the value to only monitor http traffic?

    Posted Apr 12, 2012 02:20 AM

    Hi kigali,

    As per my knowledge....

    Network Prevent/Monitor is useless for HTTPS traffic, because decryption is possible on end devices; that's why you have to use endpoint DLP (endpoint agent) for that.

    Even if anyone sends data that is password protected or uses encryption methods, network DLP can't see deep into the file, but it identifies that this is an 'encrypted file' or 'password protected'.

    Welcome to any question.

    Albert ~



  • 6.  RE: What is the value to only monitor http traffic?

    Posted Apr 12, 2012 03:12 AM

    Hi Kigali,

    Yes, you can monitor HTTPS traffic on the network level. I think Albert is not aware of the full concept and design of DLP. But by default it is not possible; for that you need to use an HTTPS proxy and route the network through the ICAP protocol, which will intercept the data communication and decrypt the data, validate the data against policy and then re-encrypt it with its own SSL certificate.

    Regarding your 1st question, it is surely important and valuable because nowadays everyone knows that our mails are scanned and can be seen during investigation in the mailbox. There are lots of HTTP/HTTPS sites for personal storage that are used. This keeps them safer from facing any further problem.

    Regarding the 2nd question:

    Yes, all HTTPS traffic is possible to monitor, and the incident will be generated accordingly. But keep in mind that by default it does not do the same; you need to add some interception design in the DLP infrastructure.


    Regards

    Kishorilal



  • 7.  RE: What is the value to only monitor http traffic?

    Posted Apr 12, 2012 03:20 AM

    You can achieve HTTPS content monitoring through third-party application integration supported by Symantec DLP (e.g. Websense Web Security Gateway).

    Please read below for details:

    Websense Web Security Gateway contains a high-performance Web proxy – Websense Content Gateway – that supports deep content inspection.
    The Websense Content Gateway module offers:


    • Automatic categorization of dynamic Web 2.0 sites
    • Automatic categorization of new, unclassified sites
    • HTTPS content inspection
    • Enterprise proxy caching capabilities


    Websense Content Gateway supports the ICAP v1 protocol for integration with third-party data loss prevention (DLP) applications, such as Symantec Data Loss Prevention (formerly Vontu Data Loss Prevention) and RSA Data Loss Prevention. Data loss prevention applications deliver multi-protocol monitoring and blocking of sensitive data leaving the network. DLP is available in various configurations, one of which utilizes an HTTP/HTTPS/FTP proxy with an ICAP client, such as the Websense Content Gateway, for monitoring and blocking of sensitive data.



  • 8.  RE: What is the value to only monitor http traffic?

    Posted Apr 12, 2012 05:39 AM

    Please also refer to the link below for other feedback and views:

    https://www-secure.symantec.com/connect/forums/can-we-block-https-traffic-through-symantec-dlp-network-prevent-web


    The DLP Web Prevent can inspect the contents of HTTPS but not on its own. You have to use a Web Proxy that is capable of doing HTTPS intercept and supports the ICAP protocol to send the traffic to the DLP Prevent. This involves the Proxy intercepting the HTTPS traffic, decrypting it and sending it to the Prevent using the ICAP protocol. The proxy then re-encrypts the traffic using its own SSL certificate and proxies it through. Using an enterprise proxy solution like BlueCoat will allow you to do this. I'm sure there are other proxies you could use also. The only issue I have seen when doing this is that you can have issues with the intercept working properly with smaller sites that use self-signed certificates, such as SMB businesses. Unless the CA is a public CA the proxy will have issues recognizing the certificate validity and will break the HTTPS intercept with the client.
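The question in post 4 (detecting HTTPS flows and their destination without breaking the encryption) can be answered from the cleartext TLS ClientHello alone, while the content stays opaque unless a decrypting proxy feeds it to DLP over ICAP as post 8 describes. The example below is added here and is not code from the thread or from Symantec DLP; it uses only the Python standard library, and the host names and flow bytes are constructed for illustration.

```python
import struct
from collections import Counter
def extract_sni(data):
    """Server_name from a TLS ClientHello, or None; parses only the cleartext handshake."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:                  # handshake record, ClientHello
            return None
        h = data[9:9 + int.from_bytes(data[6:9], "big")]
        pos = 2 + 32 + 1 + h[34]                                # client_version, random, session_id
        pos += 2 + struct.unpack("!H", h[pos:pos + 2])[0]       # cipher_suites
        pos += 1 + h[pos]                                       # compression_methods
        pos, end = pos + 2, pos + 2 + struct.unpack("!H", h[pos:pos + 2])[0]  # extensions block
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", h[pos:pos + 4])
            pos += 4
            if ext_type == 0:                                   # server_name extension
                p = pos + 2                                     # skip server_name_list length
                while p + 3 <= pos + ext_len:
                    name_len = struct.unpack("!H", h[p + 1:p + 3])[0]
                    if h[p] == 0:                               # name_type = host_name
                        return h[p + 3:p + 3 + name_len].decode("ascii")
                    p += 3 + name_len
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):      # truncated or not TLS at all
        return None
    return None                                                 # ClientHello without SNI

def classify_flow(first_bytes):   # label a flow from the bytes on the wire, no decryption
    sni = extract_sni(first_bytes)
    if sni is not None:
        return {"proto": "https", "host": sni, "content_visible": False}
    head = first_bytes.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    if head[0].endswith((b"HTTP/1.0", b"HTTP/1.1")):
        hosts = [l[6:].decode() for l in head[1:] if l.lower().startswith(b"host: ")]
        return {"proto": "http", "host": hosts[0] if hosts else "?", "content_visible": True}
    return {"proto": "other", "host": None, "content_visible": False}

def client_hello(hostname):   # constructed sample TLS 1.2 ClientHello with SNI, not captured traffic
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type host_name + length + name
    ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry  # type 0, ext length, list length
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)                # version, random, no session id, 1 suite, null compression
    hs = b"\x01" + len(body).to_bytes(3, "big") + body          # handshake type 1 + 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs    # record type 22 + version + length
SAMPLE_FLOWS = [client_hello("storage.example.net"), client_hello("storage.example.net"),
                b"GET /upload HTTP/1.1\r\nHost: www.example.org\r\n\r\n", b"SSH-2.0-OpenSSH\r\n"]
def flow_statistics(flows):   # per (proto, host) counts: the statistics the thread suggests
    return Counter((r["proto"], r["host"]) for r in map(classify_flow, flows))
```

Only the HTTP flow reports content_visible=True; for the HTTPS flows the destination name is all a tap or SPAN feed can yield, which is exactly what a metadata-only policy for statistics can work with.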