Removable media control - lessons learned

I really should be completing my requirements doc but I keep playing with Chrome and Ubuntu, and when I see incidents like this still happening I have to write a short post on removable media control, Starcraft 2 is also now a major distraction :)

I was involved in two removable media control projects recently. One with Lumension Device Control and the other with Symantec Endpoint Protection and Encryption.

Requirements

High level essential requirements for a removable media control tool:
  • Support all removable media types at least: USB, CD/DVD/Blue-ray (including add files to encrypted re-writable), Floppy, Firewire, IDE/SCSI hard drives
  • Block use
  • Monitor files copied
  • Encrypt data or device
  • Fine grained policy based on LDAP groups
  • MAC and Linux support
  • No limit on removable media size for encryption
  • Certificate support for transparent encryption
  • Support for capture of the actual files written to removable media and storage of these in a specified location (so you can cheat and run your storage DLP scan over it)
  • Encrypt in storage (database and file encryption) and transit (TLS/SSL etc), tamper proof agent evaluated to Common Criteria EAL 4 or CSG ideally (minimum penetration tested), FIPS-140-2 compliant
  • Support for hardware encrypted devices
  • Self service and challenge response password reset
  • Can use encrypted device without needing to install any software
  • Decryption support
  • Virtualization support (both for management software) and for pass through mapped USB devices via Sunray, RDP etc
  • Agent has low memory and CPU footprint, ideally runs in own sandbox, option to stop users even with admin rights from killing process (or auto-restart) and uninstall, modify log files etc
Awesome to have:
  • Link to endpoint DLP to analyse the files copied based on central policy
Nice to have:
  • Workflow integration with Remedy, HP Service Center, Sharepoint etc so you can easily apply, review and approve access, link to helpdesk tickets for problems etc
  • Legacy OS support: DOS, NT etc
  • Soft keyboard support for password entry
  • Non Windows / AD integrated CA support for certificates
  • External syslog support for integrating logs with SIEM
  • External key logger detection support (Device Control has this but it doesn't work well due to false positives)
  • Wireless / wired network control support i.e. disable wireless when wired detected
  • Excellent searching including inside of files - ideally Google / Bing integration
  • Automated and scheduled reporting and alerts including integration with business objects and crystal reports
  • WAN compression - for transferring copy of files copied to removable media over WAN
  • Decryption without deleting files (or requiring copying to other media) - i.e. block based encryption
  • Two factor authentication for encrypted devices e.g. use SMS to phone / other OTP to unlock device, alternatively use of encrypted device as 2FA token with storage of soft token or certificate
  • Encrypt user specified portion of device (for corporate use and allow write to that only from corporate machines)
  • Good dashboards and ability to define and export security metrics
  • Detect actual file type, I can't get around monitoring by renaming .xls to .iso
  • Copy limits by file type and linked to policy defined in LDAP groups
Tool selection

Quickly which is the best tool I have used: Device Control. Reasons:
  • With Symantec you need to two agents, two sets of infrastructure, two products, two sets of training for admins (you get the idea) to do essentially what should be in a single tool - eventually I hope they integrated it SEE and SEP with their Symantec Endpoint DLP, that will give them a real competitive edge
  • Related point - it is just annoying to have to do blocking and monitoring in one product and encryption in another
  • SEE is still missing some basic features like fine grained encryption control based on LDAP groups - apparently on roadmap
  • Device Control also allows you to block wireless access when a wired network is detected - handy security control to reduce risk of bridging (like getting a free set of kitchen knives)

Both these products are actually pretty poor, especially in the nice to have features I mentioned above. If you have found something better please put it in the comments so I can recommend to my clients

Business case

Quick business case:
  • Data loss prevention - if you lose a removable device with lots of valuable data on it you don't get fined by the regulator, face data breech reporting and lose face with your stakeholders. Check data loss db for some actual £/$ incidents including the massive HMRC loss. Always take this data with a caviet though
  • Data leakage prevention - You close down one of the easiest and highest volume ways your staff can steal your information e.g. when they leave for a competitor. This is easy for senior management to understand because they are usually the biggest culprit of needing to take "personal" data. Yes there are other ways like email but people will select the most convenient, close them down one at a time or at least encrypt and monitor so you know what is being copied
Lessons learned

What we did right - with Device Control:
  • Policy to allow read for all, approval workflow for write, exception approval workflow for write without encryption (yes you still need this how are you going to load a bootable ISO from an encrypted CD?). After 3 months of use only 5% of all staff globally needed write access so I disagree with write access for all - close down the attack surface. I disagree with blocking read because you should have good enough AV and NAC and it is unnecessary pain for users
  • Integrate workflow with your corporate user access management application, allows easy manager and system owners (infosec team for non encrypted write) approval, capture of business reason and quarterly recertification with standard process (you do this right? :)
  • Have a great one time copy process e.g. I'm leaving and I need to take my "personal data" before I leave for my next awesome job. Ideally include a process for HR and Compliance to review files copied before allowing removable media to leave premises
  • Allow people time to apply for access before enabling controls (yes this is a data leakage risk but it is the lesser of two evils) - if you really want to trust but verify enable monitoring first, send the comms then enable control and encryption
  • Control floppy's - a txt file with all your client lists still fits on a floppy
  • Staged roll-out 1 location at a time - some of your endpoints will blue screen on agent installation.  Monitor for this. Having good desktop test and deployment software and processes as well as competent desktop management staff will greatly assist
  • Good user comms, training and FAQ with screen-prints on how to apply for access and do encryption on Intranet this will make it easy for you to respond to emails and calls with a simple link. I would suggest templating this email because you will need it a lot
  • Allow users to control whether a device is encrypted or not (still can't write unless approved) - nothing more annoying than plugging in your home USB drive to read some info and then finding it encrypted
  • Approve users for 3 months and re-certify don't do it each time or daily, it is just annoying and does not reduce the risk that much more
  • Defining what success looks like in a SMART way e.g. less than 10% of staff with write access, less than 1% with unencrypted write access, 100% of endpoints have software deployed (monitor this)
  • Monitoring for files copied for size, region, type (office files especially) and by person for greater than 2 standard deviations of daily average
  • Emergency access process including when not on the network via challenge response mechanism in Device Control
  • Clear criteria for approvers detailing what business reasons are acceptable and what are not. Make this as exhaustive as possible (not just examples), keep it upto-date and publish it on the Intranet
Interesting isn't it it mostly has to do with people and process not technology, something to think about Brain point narf!...

What we could have done better:
  • Forget software encryption for 80% of devices and users - just use the software to block and deploy hardware encryption devices (e.g. Ironkey or Sandisk encrypted). Only people with software encrypted devices should be people that need very large removable devices where a hardware device is not available or cost effective to provide i.e. > 64GB. Stay away from biometric hardware though it is just not good enough yet. Advantages of hardware devices:
    • A lot easier for users i.e. they don't need to encrypt / decrypt just plug in, enter password and it just works
    • More secure and robust devices (hardware encryption, tamper proof, water and fireproof, drop proof to certain degree)
    • Value add applications i.e. password value and secure browser
    • Can also store your RSA soft-token and with some certificates for use in 2FA single signon to your endpoint
    • No problems with encryption, decryption etc - it is always encrypted
    • Centralized control including with Ironkey remote off-line (via failed passwords) and on-line destruction of lost and stolen
    • Geo tracking (via dial home and DNS) 
    • Works on MAC and Linux with no problems
    • Can be a easier sell to the business if you tell them you are going to provide  them a free USB device for corporate use and it will store all their passwords (Ironkey allows you to get rid of Internet Explorer on endpoints yay! Now only if they had Chrome instead of Firefox and allowed you to store unlimited certificates and PGP keys and were cheaper :)
  • Deploy management or at least agent management servers to all physical geographic regions and local locations where you have slow or low bandwidth links (use virtualized servers to make this cheap and fast assuming you have ESX/Virtualbox/Hypervisor servers in that region) - even if you have a small number of users in that region, this will save you pulling 100GB a month across the WAN just to analyse it
  • Run endpoint DLP if possible as well or at least scan the copied files in a central location with your storage DLP - you don't really care if someone copies 7GB of ISO images, you do care if they copy 30kb of client lists
  • On that note - monitor not just a log of stuff copied but keep a copy of the actual files copied for at least 3 months (or however long your investigation processes take - use cloud storage to this cheaply
  • Give transparent user experience - use individual user certificates while on corporate endpoints to avoid users having to enter password
  • Export logs to your SIEM
  • Setup security metrics, reporting and dashboards from the start
  • Daily copy limits trigger - more than 2GB a day (or whatever your 2 x standard deviation of average copy is) should alert for review
Conclusions
Removable media control is now not an option, it has been proven to be one of the highest risk areas and is already required by many regulations such as DPA and US state data loss reporting laws and regulators like the FSA and OCC and if not already will be appearing soon in contracts with your customers (they are in your contracts with suppliers right?). Prices are coming down, it is becoming a commodity product with your endpoint AV, its cheap as hell to use SEP or other AV product you have (because you already have the infrastructure and pay the licence and support) to block and issue a few Ironkey devices, so no excuses for loosing unencrypted removable media anymore. I'm sure there are even a few open source products if don't mind not having commercial support. Good luck with your implementation make sure you run it as a proper project with a PM, a plan, requirements, design, testing, a comms and roll-out strategy etc. If you need any help with requirements or want another set of eyes on your design, architecture or product evaluation: tweet me or find me on linked in.

1 comment:

Author

Written by