Supercharge Your DLP from POC to Production with SIP by Brian Contos

We recently wrote a blog titled – Precise, Practical POCs.  It explored, at a high level, how the Verodin Security Instrumentation Platform (SIP) can make evaluating new security products like WAF, Endpoint, Firewall, IPS, SIEM, and DLP, especially during POCs, faster, repeatable, valuable, exacting, and less costly.  We also linked to a Verodin Office of the CISO Brief on this topic.

We received a ton of feedback requesting more specific examples – essentially showing how we do it rather than talking about it. That’s music to our ears at Verodin because we love showing off our SIP solution. While we received requests for a number of products, DLP seemed to resonate with many of you, so that’s what we’re covering: supercharging your DLP from the initial POC through production.

With Verodin SIP you can improve the entire POC to Production Lifecycle. You can pick the best DLP with Evaluation criteria. You can validate your production configuration and configuration changes with control assurances. You can optimize your DLP and its integrations with products like SIEMs. You can maximize your DLP’s ROI over time, not just in terms of the DLP technology, but the people and processes that interact with it. And, you can continuously validate that the DLP is delivering value year after year.

For this piece, let’s consider the following scenario. We are evaluating a DLP. Perhaps DLP is new to our organization and we want to pick the best one for our environment across multiple vendors. Or, we might be looking to replace a legacy solution and we want to validate that the new one can outperform the old one before we purchase.

In any case, we don’t want to waste time, money and other resources but at the same time, we want to make sure that the POC delivers value by clearly illustrating which solutions perform best, in our environment, with our people and processes, and our defensive stack such as our SIEM. That’s where Verodin SIP comes in.

Verodin SIP has a purpose-built feature called Evaluations as illustrated below. As the name implies, Evaluations allow you to evaluate various products to determine how they perform or perform against other similar products. Verodin SIP ships with integrated evaluations and you can quickly create our own.

‍

‍

In addition to pre-packaged Evaluations, you can create your own Evaluations from Verodin Actions. Actions are attack behaviors that ship with Verodin SIP. You can even create your own Actions by importing PCAPs from your own packet capture solutions or various external PCAP repositories, integrating with threat intelligence, pulling data from ISACs and other third-party sources, or writing your own. If you are interested in how PCAPs are brought into Verodin SIP to conduct evaluations, check out this blog on Weaponizing PCAPs. But for this Evaluation, let’s work with some default Verodin SIP content.

We can quickly search through the Verodin SIP content for Actions we want to use. For example, we might want to filter Actions based on any “HTTP” attack behavior as illustrated below.

‍

‍

But for our DLP evaluation, we might want to get even more specific. In this case, let’s filter attack behavior Actions specifically related to “HTTP Exfil” where there is also an “Upload of PII” as shown below. This gives us a nice set of actions that will make one of the potentially many test Evaluations for our DLP.

‍

‍

In Verodin SIP, turning multiple attack behavior Actions into an Evaluation is as simple as a couple clicks. We can add actions to an Evaluation queue one by one using the above pictured [+Queue] button on the right to select a single Action or any group of Actions to build into our Evaluation queue.

Or, we can simply click on the arrows next to [Actions (8)] at the top, within the red square, in the screenshot above to add all eight of the HTTP Exfil/Upload of PII attack behaviors to our queue. Because we want all eight Actions added to our Evaluation queue to conduct validation testing on our DLP, we’re using the arrows to select all.

As pictured below, all eight actions are now added to our queue. As we can see there are a number of exfiltration Actions. Some don’t compress the data, others zip it 1-10 times, and one uses “Various Compressions.”

‍

‍

Maybe we’re unsure of what “Various Compressions” means. We can click on that Action for a full description. As illustrated below we can see that this Action uploads a 100 row .csv file containing PII. Not only is zip compression evaluated, but this Action also includes gzip, bzip2, tar, rar, and 7zip.

‍

‍

We can also drag and drop to rearrange the order of the Actions in a logical order and name the group of Actions to “My First DLP Test” as pictured below.

‍

‍

As shown below, we save this queue as an Evaluation. We could have also saved it as an Attack Sequence, but that’s a topic for another blog. This is also where we provide a description.

‍

‍

Now the fun part – running the evaluation and seeing how our DLP, SIEM and related security controls perform from an incident prevention, detection and response perspective.

To run an Evaluation in Verodin SIP it is no different than running a single Action, Sequence, etc. We simply select a source and destination Actor. In this case, a source Actor is on an internal network zone and the destination Actor is on an external network zone. Between those zones is our DLP.

Additionally, it’s valuable to ensure that Verodin Director can communicate with the SIEM, usually over an API, to further validate how the DLP is reporting to the SIEM. Is the DLP reporting to the SIEM at all, is the log information parsed correctly, is it being correlated upon to create a meta event that someone can respond to, etc.?

As illustrated below, we can see that no part of the data exfiltration was actually blocked. This result isn’t actually that uncommon, especially before DLPs have been tuned. They often default to detection, not prevention mode.  Verodin SIP is a great solution for validating the DLP tuning and configuration changes done during POC actually work and after the DLP has been moved into production that things continue to work. Using Verodin SIP for configuration assurance has quickly become a leading use case.  With Verodin SIP when you make changes to the DLP you can quickly validate that those changes are working as desired and continue to work over time.

Back to our Evaluation. Only about 38% of the individual Evaluations in the group resulted in alerts sent to the SIEM.  This isn’t that uncommon for SIEMs as SIEM rules are rarely evaluated once they are created and it’s been Verodin’s experience that without continuous validation, more than 50% of SIEM rules either never worked or stop working in time as networks and systems morph, patches are applied and configurations are updated.

‍

‍

On the SIEM side, it’s a little good news and a little bad news. We can drill into the SIEM events as shown below. This particular system was set up with two SIEMs – Splunk ES and Qradar. The good news is that when the SIEMs received the events about 38% of the time, both SIEMs actually got the logs. That’s not always the case, so that is good news.

The bad news is that a notable event in the case of Splunk or a rule firing in the case of Qradar didn’t happen by default which means that the events for each SIEM would most likely get lost in the noise of thousands of events a second. That means nobody would actually ever respond.

‍

‍

However, there is more good news on the SIEM side. The message rows show the exact trigger that needs to be built into a search or rule to catch this activity in the future. For example, “SENSITIVE-DATA Email Addresses” and “SENSITIVE-DATA U.S. Social Security Numbers.”

 This is a really great feature within Verodin SIP as it doesn’t only tell us what’s missing.

• Verodin SIP prescribes the exact inputs we need to mitigate the risks in the future.
• This information can be added into the SIEMs, then the SIEMs can be retested to ensure that things were added correctly.
• Verodin SIP can run this validation criteria continuously – assessing the results from the DLP, SIEM, etc. to ensure that things that are working, remain working, else we are notified with an alert.

With Verodin SIP Evaluations we can evaluate new and existing solutions like DLP. We can use Verodin SIP to help tune, measure, reevaluate, and continuously evaluate. This helps ensure that we are quickly, inexpensively and thoroughly evaluating and choosing the best solutions for our environment, we are getting the optimum value from those solutions, and they are well integrated into our defensive stack such as our SIEMs at not just a point in time, but for however long they stay in operation.

With Verodin SIP you can improve the entire POC to Production Lifecycle. You can pick the best DLP with Evaluation criteria. You can validate your production configuration and configuration changes with control assurances. You can optimize your DLP and its integrations with products like SIEMs. You can maximize your DLP’s ROI over time, not just in terms of the DLP technology, but the people and processes that interact with it. And, you can continuously validate that the DLP is delivering value year after year.