Probably the biggest IT security threat to F5 Networks is typing this blog, and probably the biggest threat to your organization is reading it. OK, I don’t mean me or you, as such. We are, after all, IT professionals and wouldn’t dream of clicking on that suspicions link or using that freebie USB stick we picked up at the trade show. But the truth is people in organizations do dumb things. Even if your network is well equipped with firewalls, IPS’ and your policies are tight, people can take their laptops home with them and do dumb things. Even if your corporate policy is strict on Anti-virus and administrative lockdown, then BYOD allows people to do, yes, dumb things. In the modern workplace it’s extremely hard to prevent hostile code entering your organization. The question is, what do you do about it?
Now I’m not really a security professional. Sure, I know a few acronyms and have occasionally fumbled my way through a configuring a firewall, but I don’t consider myself an expert. I do follow the high profile events in the industry though, and it struck me there was an ongoing theme that is worth examining: It’s not what comes into your organization that really hurts you, it’s what leaves it. Credit card numbers, career ending emails, source code, it’s often what organizations lose that causes the most damage. Now I know the root cause is the bad stuff that’s got in – the malformed HTTP request, the infected laptop, misused credentials or compromised router, but if we focus all of our attention on inbound security we are missing a chance to save the day when our frontline protection fails us.
The successful hack of the US retailer Target is a great example – although there are plenty more to choose from. Ignoring all the infiltration and compromise techniques used, the real damage occurred when the customer details left the store. How was this done? Well allegedly an infected exfiltration server made outbound FTP connections to external drop servers. Did the in-store Target network allow inbound FTP from the internet? I don’t know for sure, but I’m guessing not. But outbound from a more trusted to a less trusted network? Apparently so. Examining and evaluating outbound traffic can and should be a powerful security tool in mitigating a compromise. You need control over where your infrastructure is sending data, and what’s in that data. If you can successfully control and audit these two things, then you have a good chance of avoiding a lot of the damage caused by an attack.
For servers in your production infrastructure, it might be possible to build whitelists and restrict traffic to just the places you know it should go. Here’s where a network firewall like BIG-IP Advanced Firewall Manager can help by placing strict controls on your egress traffic. In many cases, however, and especially for end user devices, you’re going to have to rely on some kind of reputation score or endpoint location to make a decision. That’s why I like technologies like F5’s IP Intelligence and Secure Web Gateway, they can look at where your traffic is going, and decide if that’s a good idea based on a near real-time threat database and a geographical IP address database. You get a good level of control without the need to maintain an exhaustive whitelist.
What about the data itself? Standalone DLP solutions are certainly available, but there are some other options. A classic DLP solution created in an iRule is the credit card scrubber this rule examines the response form a webs erver, looks for credit card numbers and removes them (or obscures the first twelve characters), simple stuff, but powerful and fairly easy to adapt to other patterns. For a more full featured solution take a look at the DataGuard feature in our web application firewall, which does the same thing but with the benefits of supporting a wider range of content, such as Microsoft® Office documents.
So while inbound security controls, monitoring software and user education are still the first line of defense, in the view of this security non-professional, outbound traffic controls need more focus - because you have a greater chance of controlling what leaves your infrastructure than what gets in.