This session will discuss success factors and potential impacts of deploying a highly complex data loss prevention solution within a next generation firewall deployment. As the need for DLP services grows and more traffic is being encrypted than ever before, what seems like a simple solution can become complex and arduous almost overnight. The talk will focus on key components; data types, encryption, advanced filtering, and rulesets needed on both the next generation firewall and the DLP system itself. Much of this talk is based on lessons learned and from deployments attempting to rollout complex DLP solutions within mid-sized to large corporate environments.

1. Having your cake and eating it too!
Deploying DLP services in a Next
Generation Firewall Environment

2. About me …
 I have been doing Information Security for a really, really
long time …
 I have had the ‘opportunity’ to do many different facets
of Information Security
 Firewall Design, Implementation, Configuration
 Network Design, Implementation, Configuration
 PKI ..
 DLP ..
 Pentesting and lots of different crazy things ..

3. What is DLP (Data Loss Prevention)?
 Data Loss Prevention is a system that is designed to detect
potential data breach / data ex-filtration transmissions and
prevent them by monitoring, detecting and blocking
sensitive data while in-use (endpoint actions), in-motion
(network traffic), and at-rest (data storage). - Wikipedia
Our focus will be specific to Data In-Motion
Data at Rest is pretty easy to work with; It’s either there or
it’s not there.
DLP at its core is a simple yes/no

4. What type of Data would we look for?
 PII (Personally Identifiable Information)
 PCI (Payment Card Information)
 PHI (Patient Health Information - HIPAA)
 Sexy Talk (unofficial for P0RN0GRAPHY)
 Terrorists
 Money Launderers
 Investigations
 Where can your imagination lead you?

5. So what should we inspect with DLP?
 SMTP (TCP Port 25)
The easiest protocol to inspect with DLP while in transit.
Users expect some delay/latency
Presents a great deal of options for automation
Inspect and Allow; Inspect and Block; Inspect and
Encrypt
 HTTP (TCP Port 80)
The next easiest protocol to inspect
Users have a higher expectation of speed
Presents two options for automation
Inspect and Allow; Inspect and Block

7. So what should we inspect with DLP?
 HTTPS (TCP Port 443)
The most difficult protocol to inspect
Users have a higher expectation of speed
Presents two options for automation
Inspect and Allow; Inspect and Block
 Everything Else (FTP, DNS, IRC, Custom Apps)
These can be tricky
Users experience expectations will vary
Presents two options for automation
Inspect and Allow; Inspect and Block; Inspect and
Encrypt

10. So what causes headaches with DLP?
 ENCRYPTION!
The overhead associated with encryption is a nightmare
How can you read anything if it is encrypted?
How can we decrypt traffic, inspect it, re-package the traffic,
then forward it along - while doing it in a timely fashion?
 Encryption changes everything!
Traffic Analysis
2011: Less than 20% of the traffic was SSL
2013: Eric Snowden releases classified data
2014: Almost 70% of the traffic was SSL
While internet bandwidth got less expensive and more
robust.

11. Encryption is Expensive!
 ENCRYPTION is a pain
The overhead associated with encryption is cumbersome.
Whatever your normal throughput is for HTTP, quadruple
it! Hardware can kill your budget quick.
Users have high expectations of web surfing experience.
 Hardware resources with performing a Man-in-The-Middle
Interception is costly; hardware and time.
The trick to managing DLP and encryption is ….
HORSEPOWER!!!

13. Encryption Options
 ENCRYPTION can also be stripped out and viewed
within your Palo Alto Firewall
This is (or was) a free license change to get free SSL
decryption and a cleartext stream from Palo Alto to your DLP
system.
Functions almost like a span port (it is not ICAP!)
Contact your Sales Rep for more details
Key things to remember:
The stream is read only, the ssl cannot be
blocked/dropped
Additionally, malware and virus activity will not be stopped
just because a copy of the contents were dumped to DLP
2 | ©2015, Palo Alto Networks. Confidential and Proprietary.

14. URL Filtering
 If you are using a proxy server …
This may make it easier to work with your PAC file and your
URL Filtering in one place
 If you are using a Next Gen Firewall …
Just manage it within the firewall
 If you have access to both, (my preference)
I will perform standard URL filtering, along with PAC file
management on the proxy server
I will use the next gen firewall to perform URL white listing to
places like microsoft, my vendors, specific industry resources
.. ask yourself why this may be advantageous to you.

15. URL Filtering continued …
 Remember DLP filtering is similar to URL filtering
I am only interested in specific, targeted events ..
There is not enough time to look at all traffic
Work with business units to target the ‘good stuff’
 Key Things to Remember about URL Filtering
HTTP: Filter by Domains
HTTPS: Filter by IP addresses
 Avoid liabilities
Using URL filtering exclude, at a minimum, the following groups
Financial URLs
Retail URLs
exclude things that will make your DLP a hacking target!

16. Making the DLP implementation successful …
 Factors for Success:
Evaluate the culture of the company
Is the URL filtering policy liberal or strict?
Are employees used to fast internet access?
Employee age group; millennials, gen-x, baby boomers
Get Buy-In
Senior MGMT, Legal, HR
Educate employees, if publicly known
Identify Bad Processes
Go after the largest offenders (5+, 20+, 100+)
Go after habitual offenders (10/20/50/100/week)
Show Metrics
Detail your progress and reduction of violations

17. Making the DLP implementation successful cont.
 Factors for Success:
Workflow
Evaluate your workflow, how do you plan to handle Data
Loss Incidents?
The easy part is setting up the infrastructure (believe it
or not)
The hard part is working with staff to manage a DLP
workflow to evaluate data loss incidents, work with the
business to correct broken processes, and to
investigate possible breach/data loss issues within an
organization.
Practice a methodology that is constantly improving
PEMC: Plan, Execute, Measure, Correct

18. Pitfalls are everywhere …
 Pitfalls happen when/where you least expect it
Legal and Social Troubles
It is critical to understand basic evidence handling
Know how you will handle types of incidents in advance
Once your process is vetted, stick to it
Small Network Changes can lead to big problems
Lost Taps/Diminished Feeds
Architecture changes can drop feeds
False Positives
Tweak and Re-Tweak your FP’s; expose faulty assumptions
Politics
Sometimes you will snare a lion
Make sure that your CISO/Director has teeth to fight for you

19. Budgeting for DLP
 Most Common Items
Hardware
Firewalls
Mail Gateways
Proxies
Server Hardware
Network Taps
Software
Software License
Support Software
Staff
Estimate at least one person starting day one (MidSize)
Over time, the work load will stabilize, but expect a surge of
findings in the beginning

20. Contact Info
 Yes, you can contact me, but …
Remember, I have a life too (at least I try)
Do not make the mistake of thinking that I have the time to
do free consulting, I don’t
You have a quick question, send it over, but if you are in a
time crunch, call your SE, Support Line, Clergy Member.
Twitter @fatherofmaddog
If you are offended easily, please don’t follow me
LinkedIn
www.linkedin.com/in/therealfatherofmaddog