
Encrypted Traffic is not the only blind spot, OCR is the new kid on the block (DLP 14.5 Form Matching Technology) 

Jan 21, 2017 11:17 PM

Encrypted traffic is not the only blind spot; OCR is the new kid on the block, especially where egress traffic is concerned. I would say it is not just OCR: several new blind spots have emerged in recent years. Moreover, these blind spots are not due to a lacuna or some sort of threat vector. They are solely due to the emergence of technology without adequate supplementary controls in place that can act as a plug for enforcement (both public and private/company-owned). Remember the Communications Assistance for Law Enforcement Act (CALEA), a United States wiretapping law passed in 1994, during the presidency of Bill Clinton (Pub. L. No. 103-414, 108 Stat. 4279, codified at 47 USC 1001-1010). CALEA's purpose is to enhance the ability of law enforcement agencies to conduct electronic surveillance by requiring that telecommunications carriers and manufacturers of telecommunications equipment modify and design their equipment, facilities, and services to ensure that they have built-in surveillance capabilities, allowing federal agencies to wiretap traffic. From the e-discovery perspective, even organizations are required to be compliant with it. Well, enough elaboration of the problem statement, I suppose. Now let's talk about some of the possible solutions available from the technology perspective.

Forward Trust, or in simpler terms SSL Proxy, is one such great technology that puts us at a lot of ease, especially when it comes to managing egress (internal to external) traffic. In other words, we are setting up a proxy within a proxy, or a proxy with the advanced capability of acting as a legitimate man-in-the-middle (MITM); it could also be referred to as an escrow for SSL. There are a few technologists who also document this feature simply as an SSL gateway. No matter what name is finalized/coined, it is a great leap on its own. However, the channel of encrypting malicious traffic has been the best safe house for both internal and external threats for a long time. This had almost put them into the habit of relying on this type of vulnerability, especially for data theft. Now, with the emergence of players like Palo Alto and Blue Coat, this SSL safe house issue is slowly being mitigated. Hence, attackers are now exploring different avenues that work in a similar fashion (that provide them a safe/bunker house just while they pass the check posts, i.e. the perimeter security devices). A common example: encrypting a file full of PCI data and sending it to an external unauthorized party, so that the DLP SMTP scanner cannot detect it.

Absolutely! I'm talking about OCR technology. Instead of getting into the blind/shadow zone of SSL, which obviously encrypts traffic and makes it unreadable for the devices at the egress gateway/perimeter (this applies to ingress traffic too, where IDS/IPS capability is limited if the traffic is not plain text), the attacker turns to OCR. Now OCR is not encryption, of course, but it allows the attacker to freeze code, files and IP data (as an image) so that they stand absolutely still, as if a statue. Then, once past the gateway and the whole array of monitoring devices, the content is transformed back into an executable/specialized application file and its payload executes.

Usually the solution is simple and the same: the plain-text content is made available for analysis. For OCR this would mean that we either:

  • Convert traffic from OCR to plain text in a copy of the traffic (either a physical tap or port mirroring) and detect
  • Convert traffic from OCR to plain text inline; if a problem is found, block/take action, else convert it back to OCR (retain the original copy, etc.)
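The two options above share one pipeline: normalize every attachment to plain text, run the detector, then either alert (tap/mirror copy) or block (inline). The following is an added example written for this post, not Symantec DLP code or any vendor's SDK. The OCR engine is a hypothetical callable passed in by the caller; the attachment payloads and the card numbers (standard test PANs) are constructed for the demonstration. It also shows the failure mode the post is about: an image attachment with no OCR engine wired in is returned as "uninspected" rather than silently allowed.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Hypothetical OCR hook: any callable that turns image bytes into text.
# In a real deployment this is the engine the DLP server integrates with;
# the example's caller supplies it (a stub in the test, a real engine in prod).
OcrFunc = Callable[[bytes], str]

# 13-19 digits, optionally separated by spaces or hyphens, not embedded in a
# longer digit run. Candidates are still Luhn-checked before being reported.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: cuts false positives from order numbers, timestamps, etc."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return Luhn-valid card numbers (digits only) found in plain text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep first 6 and last 4 digits for the incident record."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Attachment:
    name: str
    content_type: str
    payload: bytes


@dataclass
class Verdict:
    attachment: str
    action: str           # "allow", "alert", "block" or "uninspected"
    pans: List[str]       # masked PANs that triggered the verdict


def to_plain_text(att: Attachment, ocr: Optional[OcrFunc]) -> Optional[str]:
    """Normalize an attachment to text. None means 'could not inspect'."""
    if att.content_type.startswith("text/"):
        return att.payload.decode("utf-8", errors="replace")
    if att.content_type.startswith("image/"):
        if ocr is None:
            return None   # the blind spot: pixels the gateway cannot read
        return ocr(att.payload)
    return None           # other types need their own extractor


def inspect(att: Attachment, ocr: Optional[OcrFunc], mode: str = "monitor") -> Verdict:
    """mode='monitor' mirrors the tap/port-mirror option (detect and alert);
    mode='inline' mirrors the in-path option (block). The original attachment
    is never modified, so the 'retain original copy' requirement holds."""
    text = to_plain_text(att, ocr)
    if text is None:
        return Verdict(att.name, "uninspected", [])
    pans = find_pans(text)
    if not pans:
        return Verdict(att.name, "allow", [])
    action = "block" if mode == "inline" else "alert"
    return Verdict(att.name, action, [mask(p) for p in pans])


if __name__ == "__main__":
    # Constructed sample: the bytes stand in for a PNG; the stub OCR returns
    # what a real engine would read off that image.
    fake_ocr = lambda _b: "Invoice: card 4111 1111 1111 1111, ref 1234567890123"
    img = Attachment("scan.png", "image/png", b"<constructed image bytes>")
    print(inspect(img, fake_ocr, mode="inline"))
    print(inspect(img, None))   # no OCR engine: reported, not silently allowed
```

The "uninspected" verdict is the operationally important one: whichever option is chosen, a DLP rule set should route attachments it cannot read to a review queue or a coverage metric, so the OCR gap shows up in reporting instead of disappearing into the allow path.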

Some commentary on the DLP solution architecture. Symantec DLP 14.5's Form Matching technology is a winner here! It solves a good number of OCR-like use cases. But the better news is that Symantec DLP 14.5's OCR capability can natively integrate with a number of OCR technologies such as ABBYY without issues. At the moment, these solutions are easily integrated with the help of SDKs and integration tools.
