August 8, 2012

10 new defenses that help prevent data loss and theft

Tom Clare

Last week we announced several new, important core security technologies that we added to our TRITON architecture. Websense ACE now includes 10 new defense innovations; seven are focused on outbound traffic to keep data theft and call-home communications contained, preventing theft or loss. Because so many of them are industry firsts, I wanted to take a moment to explain what many of these do and why we created them.

Truth is, the bad guys are stealing corporate data and avoiding detection using advanced techniques. In just the last year, we've seen key intellectual property and user identities stolen from corporations and government agencies, including some you would least expect, such as entertainment (gaming) and security companies!

Below are a few examples of how cyber criminals are going undetected, stealing your IP and how we can stop it from happening.

  1. Criminal encryption: Once inside your systems, the bad guys have to get communications and data out. They often use proprietary encryption for communications and data files so that the traffic leaves cloaked and unrecognizable to traditional defenses. Websense can now examine the type of encryption used in outbound web requests and data files to determine whether known encryption methods are in use or whether the communications and data files use proprietary, non-standard (criminal) encryption. If criminally encrypted uploads are detected, they can be blocked, and a high-severity alert is raised with incident details, including the geo-location of the destination.

  2. "Non-Document" Data Theft: The bad guys know that DLP can stop confidential documents from leaving an organization. Images, however, are not easily analyzed while in motion. As a result, criminals are accessing proprietary files and embedding the data in images to steal it, because data loss defenses do not analyze images in motion through gateways.

    Websense now includes an in-motion Optical Character Recognition (OCR) defense within the web gateway to catch these attempts at stealing confidential information using images. The OCR feature is also available for endpoint protection and data discovery within the TRITON solution architecture. So even in a non-document form, Websense recognizes sensitive information and prohibits its misuse as data at rest, in use and in motion.

  3. "Low and Slow" Data Theft (Drip DLP): Organizations often define how many incidents of confidential information may leave the organization per document or request. For example, sending out one customer address to a website is likely to be approved, but sending out more than 100 customer addresses to one website is not. As a result, the bad guys have learned these thresholds and steal data under the designated allowance in a "low and slow" approach, often sending sensitive information out in pieces over time with patience and persistence.

    Websense can now recognize slow data "drip" leaks for multiple requests over a defined time period to prevent "low and slow" data theft. Administrators can define the time periods, incident levels and thresholds within web gateways for stateful (or drip) DLP.

    In addition to Drip DLP, one of the first things cybercriminals do is collect password information to expand their reach within a network. Websense can also detect password file theft, including AD/SAM database data, in outbound web requests. Detection of criminally encrypted uploads and of password file theft are new features included in the entry-level proxy-based Web Security Gateway from Websense.

  4. Email Security Evasion: Cybercriminals know that organizations frequently use email security services that include some form of embedded-link scanning. They know that if they send an email with an embedded link to a website hosting malicious code, the email may be blocked from ever reaching the recipient. Here is how they are evading traditional email security measures:

    • They take control of a website, but don't infect the destination page yet.
    • Next, they send out emails as lures (whether mass or targeted) to potential victims, perhaps on a Friday night. Because the destination web link is still clean, it passes the email security gateway analysis and the email now sits in the user's inbox, ready to open.
    • On Sunday night, the bad guys insert malicious code, or a redirect to a malware download server, into the destination website. Remember, the email with the embedded web link is already in the victim's inbox, ready to open.
    • On Monday, the victim heads out to a favorite coffee shop before work, opens the email and clicks on the embedded web link, leading to the now malicious website and the resulting malware infection.

Our Websense Security Labs have seen this type of attack increasing on a regular basis. Websense now has the capability to mark these emails with embedded links for real-time cloud sandboxing analysis, giving point-of-click protection whenever and wherever the email is opened and the web link is clicked. For example, when the user goes to click the embedded web link on Monday, the original web link has been wrapped by Websense with a web link to cloud-based security services that perform real-time security analysis of the original destination. This defense is key against spear-phishing and targeted attacks that blend email and web together.
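The point-of-click wrapping described above, as an added illustration that is not Websense code: links are rewritten at delivery time to point at a click-time service, signed so the service only follows links it issued, and the original destination is judged when the click happens rather than when the mail was scanned. The endpoint, key and verdict callable (standing in for the cloud sandbox) are constructed for the demo.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical click-time service and a constructed demo key (not real values).
REWRITE_ENDPOINT = "https://clicktime.example.invalid/r"
SIGNING_KEY = b"constructed-demo-key"
HREF_RE = re.compile(r'href="(https?://[^"]+)"')


def _sign(url: str) -> str:
    mac = hmac.new(SIGNING_KEY, url.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def wrap_link(url: str) -> str:
    """Replace a link with one pointing at the click-time service.
    The HMAC lets the service refuse redirect requests it never issued."""
    return REWRITE_ENDPOINT + "?" + urlencode({"u": url, "s": _sign(url)})


def rewrite_body(html: str) -> str:
    """Wrap every http(s) href in a message body at delivery time."""
    return HREF_RE.sub(lambda m: 'href="%s"' % wrap_link(m.group(1)), html)


def resolve_click(wrapped: str, verdict_now) -> str:
    """Run at click time: verify the signature, then analyse the ORIGINAL
    destination as it is now, not as it was when the mail was scanned."""
    q = parse_qs(urlparse(wrapped).query)
    original, token = q.get("u", [""])[0], q.get("s", [""])[0]
    if not original or not hmac.compare_digest(token, _sign(original)):
        return "reject:bad-signature"
    return "allow" if verdict_now(original) == "clean" else "block"


def weekend_scenario() -> list:
    """Constructed timeline from the post: clean at send time, malicious at click."""
    lure = '<a href="http://site.example.invalid/news">Read more</a>'
    reputation = {"http://site.example.invalid/news": "clean"}  # Friday: scan passes
    delivered = rewrite_body(lure)                                 # link is wrapped anyway
    wrapped = HREF_RE.search(delivered).group(1)
    friday = resolve_click(wrapped, lambda u: reputation[u])
    reputation["http://site.example.invalid/news"] = "malicious"  # Sunday: page weaponised
    monday = resolve_click(wrapped, lambda u: reputation[u])
    tampered = wrapped.replace("news", "other")                    # forged 'u' parameter
    forged = resolve_click(tampered, lambda u: reputation.get(u, "clean"))
    return [friday, monday, forged]
```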

We've also upped the ante with forensic intelligence. We are able to clearly illustrate:

  • Who is being attacked (e.g. finance, engineering, person, title, etc.).
  • How the attack happened, with the option to use an online malware sandbox service to see step-by-step attack infection methods and dynamic web links and call-home requests.
  • Where the attack communications are destined with geo-location awareness for countries.
  • What data was targeted and when applicable, forensic data capture.

Websense researches the latest threats and data theft trends and anticipates tomorrow's. These methods of prevention and detection for containment are only available with Websense TRITON security solutions. With this release, the Websense TRITON solution redefines the security gateway and clearly demonstrates that we are leading the security industry in innovation, and more specifically using DLP as a defense against data theft. It provides enterprises with the deep protection, forensics and visibility necessary to prevent today's advanced attacks that lead to data theft.
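Item 3 above describes drip DLP as counting incidents across many requests over a defined time period rather than per request. An added illustration of that stateful threshold logic (not Websense code): a per-request limit beside a sliding-window total per user and destination, with a simplified address pattern and constructed traffic.

```python
import re
from collections import defaultdict, deque

# Constructed detector: one customer address (a simplified pattern) counts as one incident.
ADDRESS_RE = re.compile(r"\b\d{1,5} [A-Z][a-z]+ (?:St|Ave|Rd)\b")


class DripDLP:
    """Per-request threshold plus a stateful count per (user, destination)
    over a sliding time window, so small leaks add up to one incident."""

    def __init__(self, window_seconds: int, per_request_limit: int, window_limit: int):
        self.window = window_seconds
        self.per_request_limit = per_request_limit
        self.window_limit = window_limit
        self.history = defaultdict(deque)  # (user, dest) -> deque of (ts, count)

    def inspect(self, ts: int, user: str, dest: str, body: str):
        count = len(ADDRESS_RE.findall(body))
        if count > self.per_request_limit:           # the classic single-request rule
            return "block:per-request", count
        q = self.history[(user, dest)]
        q.append((ts, count))
        while q and q[0][0] < ts - self.window:      # forget requests outside the window
            q.popleft()
        total = sum(c for _, c in q)
        if total > self.window_limit:                # the "low and slow" rule
            return "block:drip", total
        return "allow", total


def drip_scenario() -> list:
    """Constructed traffic: 3 addresses per request, one request every 5 minutes,
    all to the same site; each request alone is far under the per-request limit."""
    dlp = DripDLP(window_seconds=3600, per_request_limit=5, window_limit=20)
    verdicts = []
    for i in range(8):
        body = f"ship to {100 + i} Main St, {200 + i} Oak Ave, {300 + i} Elm Rd"
        verdicts.append(dlp.inspect(300 * i, "alice", "paste.example.invalid", body))
    # Three hours later the window has emptied, so a small request is allowed again.
    verdicts.append(dlp.inspect(300 * 7 + 10800, "alice", "paste.example.invalid", "to 1 Main St"))
    return verdicts
```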

And these are just a few of the additions we have implemented. You can read about them more here.
