
Overview of MyDLP Open Data Control System

A short lyrical introduction.

In my humble experience, people working in IT data security fall (among other things) into two large groups: those whose work is well funded and those whose work is not. By funding I mean, first of all, technical equipment and specialized software.
When it comes to controlling the leakage of data by internal violators, insiders, the situation is roughly as follows. There are specialized data monitoring systems, Data Leak Prevention (DLP) systems. The business wants to protect its data, but when it sees a price tag of several million for such protection, enthusiasm fades sharply.
It fades even further when it turns out that the system cannot guarantee 100% reliable data monitoring: a clever user will be able to fool it. The business asks: “Then what do we need you for? Come on, dear fellow, manage it however you like, but so that the sheep are safe and the wolves are fed.”
As a result, an IT security officer with roots in the power structures issues a pile of restraining papers and threatens the staff fiercely: just try to leak anything. A security officer who was yesterday's admin starts reinventing the wheel, with square wheels, in order to somehow control the information. (A combination of both approaches is generally a good thing :)
This post is about one system that can be built into that homemade bicycle, and it will ride.

Among open-source data control solutions I have come across only two:
OpenDLP and MyDLP.
Of these, MyDLP looked more mature and functionally advanced.

MyDLP is open source data leakage prevention (control) software. There are two licenses: the free Community and the paid Enterprise. The fundamental difference between them is the archiving of transmitted data.
If a protected file triggers a rule, Community will only post an Alert for the event; Enterprise will also save a copy of the file.
So, go to the website www.mydlp.com and pick up two files.
The server part is an ISO image.
The agent part is an msi file.

Installing the server side.
The server is built on friendly Ubuntu. Insert the disc, Next-Next-Reboot, and the server part is ready. It really is :)
We assign an IP address to the server and let it out to the Internet (this is necessary for updates and license verification).
In case of installation difficulties, the instructions are on the same website:
www.mydlp.com/documents

Next, open any browser and go to our server.
We see a nice window.

Now we need to follow the link to secure.mydlp.com and get the Community license.
Everything there is obvious too.
After registration (the server reaches out to the Internet to check the license!), we enter the default login and password.
login: mydlp pass: mydlp



And we are in the server side.
To control mail and web traffic, you additionally need to configure the server as the gateway to your proxy and SMTP servers. I have not tested this function, but it is also described in detail in the documentation.

Agent installation.
We take the agent installer, mydlp_0_9_104.msi, 88 MB in size, and install it.
The large size of the installer is explained by the fact that it bundles the Erlang, Java and cygwin environments along with the program components themselves; the total size of the agent directory after installation is about 200 MB.
During installation the installer asks only one question: the address of the server. After that the installation completes on its own.

The installer can also be distributed via group policy; in that case the server address is written in with a batch file along the way:

[HKEY_LOCAL_MACHINE\SOFTWARE\MyDLP]
"ManagementServer"="MYDLP_SERVER"

Overview of the server part of the system.
We return to the server.
There are seven tabs in the system: Dashboard, Policy, Objects, Options, Logs, Endpoints, Revision.
Of these, the first and the last are of no particular interest: a panel of frequently used tasks and the system version.

The rest are more interesting...
+ Policy


Here we form the rules for data control.
On the left are the data sources and the key objects of control; on the right are the rules themselves. Right now there are three of them.

+ Objects
Here you can see ready-made predefined data types (Word and Excel documents, etc.) and create your own.


+ Options
Various settings: the polling interval of the agents, the users allowed to access the server side. The only thing I'll draw attention to here is the need to tick the Print Monitor checkbox in order to enable printer control globally.
The rest can be left untouched.


+ Logs
Actually, this is why it was all started: the log of monitored protected data.

You can filter by date, user, rule, IP and so on.

+ Endpoints
List of agents online and offline.


Overview of the agent.
The rather large agent is installed firmly in Program Files, in the MyDLP directory. The path cannot be changed. Inside the directory you can see the java, erlang and cygwin components. Three services and one driver are also installed.
It seems the typical open source approach is followed: one component, one task. :)
On first start the agent scans the installed printers and creates virtual duplicates of them, naming them, without any embarrassment, by the following principle: (MyDlp) the_name_of_your_printer. It naively makes one of the duplicates the default printer.

All components together consume about 50 megabytes of RAM; no malicious devouring of the processor was noticed.
To control printers on XP, you additionally need to run a tricky batch file (available on the site).
On Windows 7 everything works as is.

Setting up the server side.
So, in the Policy section, by clicking the Add Rule button, we can choose from five types of monitored channels.


Web and Mail will work if, as I wrote above, the server is the gateway for these channels.
Endpoint Rule is the control of removable devices and the transfer of protected data to them (data obtained from the agent part).
Printer Rule is print control (data obtained from the agent part).
Discovery is the movement of protected data within the local network.

Having selected the control channel, you need to give the new rule a unique name, and it will appear in the general list.
In the screenshot above I have two rules for controlling removable media and one rule for printers.
In each rule you need to determine the Source of control and the type of Data to be monitored (files and contents).
Sources and Data Types are described on the left side; just drag them with the mouse onto our rules.
In all three rules I have one source, the entire network. This means collecting events from all agents regardless of their IP address.



The data type describes the data to be monitored. You can filter by file type or insert regular expressions to search by content.



And finally, the available actions when a rule is triggered: Pass - let through, Block - block, Log - write to the log. The Archive action, creating a shadow copy, is not available.

In my case, the last two rules log all events indiscriminately: printing and copying any file to a USB flash drive. These are the Printer and Remote_drive rules.
The first rule throws an alert only if the file copied to the USB flash drive contains the keyword(s). This rule is Secret_keywords.
To have the rules picked up by all the agents, click the large Install Policy button in the upper right corner.
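To make the policy model concrete, here is an added Python model of the three rules described above (Secret_keywords, Remote_drive, Printer): each rule has a channel, a source network, optional file-type and regular-expression data types, and a Pass/Block/Log action. This is illustrative code written for this overview, not MyDLP's own code or data model; the keyword values and sample events are constructed.

```python
# Added example: a toy model of the policy described in this article. It is
# not MyDLP code; rule names follow the article, keyword values are constructed.
import ipaddress
import re
from dataclasses import dataclass

@dataclass
class Event:
    """One event reported by an agent: channel 'endpoint' = USB copy, 'printer' = print job."""
    channel: str
    source_ip: str
    filename: str
    content: str

@dataclass
class Rule:
    name: str
    channel: str
    action: str                     # Pass, Block or Log (Archive is Enterprise-only)
    source_net: str = "0.0.0.0/0"   # "entire network": events from every agent
    extensions: tuple = ()          # file-type data types; empty = any file
    patterns: tuple = ()            # regex data types matched against file content

    def matches(self, ev: Event) -> bool:
        if ev.channel != self.channel:
            return False
        if ipaddress.ip_address(ev.source_ip) not in ipaddress.ip_network(self.source_net):
            return False
        if self.extensions and not ev.filename.lower().endswith(self.extensions):
            return False
        # Unicode-aware, case-insensitive search, so Cyrillic keywords work as well
        if self.patterns and not any(re.search(p, ev.content, re.I) for p in self.patterns):
            return False
        return True

# The three rules from the article: only the first one is content-aware,
# the other two log every USB copy and every print job.
POLICY = [
    Rule("Secret_keywords", "endpoint", "Log", patterns=(r"confidential", r"секретно")),
    Rule("Remote_drive", "endpoint", "Log"),
    Rule("Printer", "printer", "Log"),
]

def evaluate(policy, ev: Event):
    """Return (rule name, action) for every rule the event triggers, in policy order."""
    return [(r.name, r.action) for r in policy if r.matches(ev)]
```

A USB copy of a file containing a keyword fires both Secret_keywords and Remote_drive, which is why the log shows the same file twice under different rules.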


System testing
The emphasis was on the part of interest to me, namely the control of printers and removable media.

What can be said.
Printer control looks practically nonexistent. Bypassing it is elementary: the user simply selects the original printer rather than the duplicate, and the agent sees nothing. Moreover, the agent does not see new printers installed after it starts.


Otherwise it works: send a document to a virtual printer and we see a record in the log.

For removable media the situation is better.
We enter keywords into the Secret_keywords rule; regular expressions can be used. Files in which these words occur start pouring into the log. Everything else lands in the log under the Remote_drive rule.
Russian words are parsed normally, and numbers and Latin all the more so.


Accordingly, you can make groups of rules by topic.
Banking data, Accounting, Résumés, Scientific, etc., each with its own keywords. Then you can see what kind of files, by topic, users take out on flash drives.

Summary
Of course, the system is still raw, and small glitches pop up. However, with emerging issues you can turn to the community, or even dig into the source code of the server side. I think after some polishing the system will be quite usable.

P.S. Taking this opportunity, I want to ask Habr users to share practical experience of using and implementing commercial DLP solutions. On vendor sites, as usual, there is only advertising; no one will tell you about the pitfalls and difficulties.

Source: https://habr.com/ru/post/149907/
