Share this page!

Mick Douglas Profile picture
Twitter logo
Jan 24 10 tweets 2 min read
Have a DLP solution? Want to **REALLY** make it actually... useful?

Scan the endpoints for sensitive info. You'll get a report with the data on that host.

Work with risk and legal to assign any arbitrary point value to this sensitive info.

1
Example:
PCI data is 5 points per record
PII is 3 points per record
PHI is 10 points per record

Note: your points will be based on your orgs concern over exposure of each record type. Don't let anyone else tell you what points you should use. You're measuring your risk

2
Now calculate the total risk points per endpoint. Get ready for some shocks!

There are some tools that do this already, but now you have a fancier DLP risk report tool.

Here's what almost nobody does though... :-)

3
The daily (or weekly) DLP scan is now a core metric and has... implications.

First thing:
this risk score is a alert criticality multiplier in your SIEM. Oh, the CEO's laptop got hit? Not ideal, but they also got PM who has ALL THE DATA?!?! Jump on that first!

4
Even better though is this:

"you're getting this email as a warning. you have too much sensitive info on your endpoint. If you do not check in some data you will..."

This is what I call the "protection curve"
5
The protection curve is an increasingly strict set of defensive protections for the endpoint. As you accrue points, your system automatically gets protected more.

This makes sense because we're in *infosec* we have to protect that info!
6
An example curve may look like this:
level 1 - normal endpoint
level 2 - endpoint can only go to expected sites/trusted business partners
level 3 - no web access
level 4 - no external email
level 5 - no more data checkout until some is checked in.

customize to fit your need
7
The final perk of using DLP like this is you should also use it to drive DFIR efforts. No not alerting... the legal side.

When systems with XYZ data get hit, you have different reporting timelines. Use that to help drive the SLAs for your IR efforts.
8
Say regulation X has a mandatory breach notification time of 72 hrs. You need to be able to verify the breach, do all internal procedures for systems with this data.

Now... look at all the assets with that data. Can you do that for all of them? That fast?
9
I've been on the record for saying "DLP solutions are only good for sitting in a corner and making sad panda noises."

That's still true if you think a DLP will do what the vendor marketing team claims.

Use this thread for ways to make your DLP not suck.

Fin.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Mick Douglas

Mick Douglas Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @bettersafetynet

Mick Douglas Profile picture
Jan 17
You have network monitoring capabilities. Great! But what are you looking for?

All too often folks start focusing on individual attacks. And yes, it's important that you can catch the latest RAT from Grid Iguana (from Hacksylvania)

Don't lose sight of the big picture.
1
Monitor for DMZ outbound traffic.
Almost all DMZ systems are responding to some request from remote user. Your DMZ systems are the destination, not the source. An early indicator an attack worked is a DMZ system phoning home to the C2 network. Your machine is a source here.
2
Like all things, this isn't 100%. There will be a few DMZ systems that do originate outbound traffic... but it should be rare enough that you can detect on this alone and have a short exception list for known outbound originators.
3
Read 11 tweets
Mick Douglas Profile picture
Jan 11
I've got several DMs where folks are telling me it's hard to get logs. Yes. I agree. It's also table stakes. If you cannot get logs, hire someone who can... or get a contractor to help. Saying "it's hard" is true... but you 100% need those logs.
1
It's uncharacteristically harsh of me to say this... I don't care if it's hard for you to get those logs. GET THEM. If you cannot get them you no shot of stopping attackers.

Prevent is great, but it's not nearly enough. You must be able to detect. Logs are how you do this.
2
If your org isn't allowing you to get the logs for $reasons, maybe you need to leave. This is a no excuses thing. I cannot overstate this. I cannot believe I'm having folks argue this. I take comfort that they're embarrassed enough to only do this in DMs. They know it's bad.
3
Read 5 tweets
Mick Douglas Profile picture
Jan 11
Blue team folks... we have to talk.

It's awesome that you're logging. That's the first step. Now here's the cool stuff to look for that the vendor didn't tell you about.
1
Pay careful attention to logs that stop coming in. If it's worth logging, it's worth monitoring when the logs stop flowing. (how long a gap you'll accept is up to you, but I rarely allow for over an hour)
2
Watch out for log sources where the time changes too much. (except for daylight savings changes)

Time drift is one of the most critical things to account for in log analysis. That's a given... but...
3
Read 8 tweets
Mick Douglas Profile picture
Dec 23, 2021
Pen testers, we need to talk. Please listen up, take notes... and above all, ask questions.

A non-trivial part of my service portfolio is now reviewing the reports of other firms and either adjusting or providing missing context.

Read on for the common issues...
1
Most important: you need to give clients multiple options on how to fix something. MULTIPLE. At least 3. Telling them "fix the code" when it's from a vendor that's closed, doesn't help at all.
2
Show your work. There's a few firms that hide what they're doing. Some to the point where they just show a "ta da!" screenshot and don't explain how they did it... and frankly, that's weaksauce.
3
Read 10 tweets
Mick Douglas Profile picture
Dec 11, 2021
Just got off phone with a client. Log4j is in their network. Vendor claims patch will be available next release... which is multiple months from now.

Here's what you do if you're in this situation.

1. Keep calm. There's no need to panic.
2. Carefully read this thread.

1/?
First, it's bad. It's a remote code execution meaning any attacker will almost certainly be able to run code of their choice on your systems.

If you can, please patch it's the easiest path. But you're reading this because you can't patch (for whatever reason) OK, let's go!
2
When dealing with attacks like this you should remember the acronym IMMA.

I = Isolate
M = Minimize
M = Monitor
A = Active Defense

I'll walk you through the IMMA model for the Log4j attacks we've seen so far.

3
Read 20 tweets
Mick Douglas Profile picture
Dec 10, 2021
Boating update:
Mrs signed us up for a week long bootcamp style live aboard sailing adventure... however unlike earlier trainings we've done... this school sent us books 4 months out. With a warning... most take 6 months to do the homework. We have 4.
1
We were granted an exception since we've got prior experience. After looking at these books... I'm regretting asking for it.

There's just **so** much to learn.

I'm most worried about the night non-radio signaling & signal flags. Stuff I've never done before. :-/
2
If our paths cross over the next few months, and you hear me making odd dinging or horn sounds... I've not gone mad... I'm practicing overtaking in fog procedures. (which it's cool how nuanced the conversation can be... but like... wow it's also complex)
3
Read 4 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @bettersafetynet has new unrolls!

Check out other threads from @bettersafetynet!

Read all threads by @bettersafetynet

:(