On February 11, 2014, the FSTEC of Russia approved the methodological document “Measures to protect information in state information systems”. This document is used to “select and implement, with respect to information not constituting a state secret that is contained in state information systems (GIS), protection measures aimed at ensuring the confidentiality, integrity and availability of information”. The regulator recommends using this document to protect information in both GIS and non-state information systems, including to ensure the security of personal data.
The document contains recommended measures to protect information with reference to certain classes of tools, such as authentication tools, antivirus programs, IDS/IPS, etc. At the same time, the regulator does not directly indicate the need to use data leakage protection (DLP) systems. However, these systems make it possible to fulfill such requirements as ensuring the confidentiality and integrity of information transmitted from the information system, the registration of security events, etc.

So where do two phenomena that at first glance run parallel to each other, regulators and leakage protection, intersect? Details under the cut.
First, a few words about the purpose of DLP systems. The implementation of DLP has the following basic objectives:
- Preventing leaks of confidential information.
- Collecting information on incidents and violations to form an evidence base in the case of transfer of cases to court.
- Archiving user actions and retrospective analysis to detect signs of fraud.
From many years of experience we can say that the tasks customers solve with the help of DLP are numerous, down to the most narrow and specific ones. We leave those outside the scope of this material and consider only the fundamental ones here.
Although DLP systems are not mandatory information protection tools, products of this class can provide the functionality needed to implement a number of measures recommended by FSTEC in the document mentioned above.
Integrity assurance
Let us begin with the main recommendations on ensuring the integrity of the information system and of information (OTsL) given in the FSTEC methodological document of February 11, 2014.
"OTsL.5 - Control of the content of information transmitted from the information system (container control, based on the properties of the access object, and content control, based on searching for information prohibited from transmission using signatures, masks and other methods), and exclusion of unlawful transmission of information from the information system."
What measures the regulator proposes to use to control the content of information, and what of this can be implemented using leakage protection systems?
Illegal transfer of protected information. Identification of facts of unlawful transfer of protected information from an information system through various types of network connections, including public communication networks, and response to them.
This is implemented by splitting the functionality across two DLP components, depending on the communication channels used:
- Checking information transmitted over HTTP/HTTPS for illegal transfer of protected data can be performed using tools of the web proxy class.
- To analyze intranet traffic when data is sent from a proxy server or routers, the transfer of files and messages over mail protocols can be monitored.
Illegal write to removable media. Detection of facts of unlawful recording of protected information on unregistered removable computer storage media, and response to them.
The DLP agent installed on the workstation, in addition to monitoring user actions, analyzes the contents of files and can block user attempts to copy confidential documents to USB or to print them. The fact that a USB drive was connected is recorded by the agent; based on the results, the information security specialist can change the DLP system policy by adding this drive to the “black” or “white” list.
Control of storage of protected information on servers and automated workstations.
Identification of facts of storing confidential information on network shares (shared folders, document workflow systems, databases, mail archives and other resources).

These measures can be implemented using the file storage scanning functionality, which is implemented, with varying degrees of elaboration, in all advanced DLP systems. This functionality allows you to inventory the contents of file and cloud storage, local hard drives, and mail archives.
Scanning file storage reveals confidential data and violations of the rules for its storage using the following mechanisms (the list may vary depending on the system):
- Scanning of local network nodes, shared file storage and cloud storage.
- Scanning mail servers to analyze the archive of emails.
- Scanning shadow copy archives.
- Actively counteracting violations of the rules for storing protected data (moving illegally stored confidential information into quarantine storage, replacing it with a notification file, copying it to the information security specialist's workstation, etc.).
- Automatic classification of corporate data based on policy settings.
- Controlling the dissemination of information within the company and identifying places where critical data is stored in violation of policy.
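The storage-scan mechanism described in the list above (signature and mask search, then quarantine with a notification file left in place) can be shown in a few dozen lines. The following is an added example and not code from the article or from any DLP product: the policy rules, the directory layout, the file contents and the notification text are all constructed assumptions.

```python
"""Storage scan with signatures and masks, plus quarantine with a notification stub.

Added example, not code from the article or from any DLP product. The policy
rules, directory layout and notification text are constructed assumptions.
"""
import re
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Hypothetical policy: a signature for an explicit classification marker and a
# mask for a constructed account-number format (both are assumptions).
POLICY = {
    "confidential-marker": re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE),
    "account-number-mask": re.compile(r"\b\d{4}-\d{4}-\d{2}\b"),
}


@dataclass(frozen=True)
class Finding:
    path: str      # file that violated the storage rules
    rules: tuple   # names of every policy rule that matched


def scan_store(root: Path, policy=POLICY, max_bytes: int = 1_000_000):
    """Walk a storage root and report files whose content matches any rule.

    Only the first max_bytes of each file are inspected, and undecodable
    bytes are ignored, so binary files do not abort the scan.
    """
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_bytes()[:max_bytes].decode("utf-8", errors="ignore")
        except OSError:
            continue  # unreadable file: skip it; a real scanner would log this
        hit = tuple(name for name, pattern in policy.items() if pattern.search(text))
        if hit:
            findings.append(Finding(str(path), hit))
    return findings


NOTICE = "File moved to quarantine by the DLP storage scan.\n"


def quarantine(finding: Finding, quarantine_dir: Path) -> Path:
    """Move the offending file to quarantine and leave a notification stub.

    The stub keeps the original path so users see why the file disappeared,
    while the content itself is no longer available in the shared location.
    """
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    src = Path(finding.path)
    dst = quarantine_dir / (src.name + ".quarantined")
    shutil.move(str(src), str(dst))
    src.write_text(NOTICE + f"Rules: {', '.join(finding.rules)}\n"
                   "Contact the information security department.\n")
    return dst


def demo() -> dict:
    """Build a constructed file store, scan it and quarantine the hits."""
    root = Path(tempfile.mkdtemp(prefix="dlp-store-"))
    (root / "shared").mkdir()
    (root / "shared" / "plan.txt").write_text("Q3 plan. CONFIDENTIAL, internal use only.\n")
    (root / "shared" / "readme.txt").write_text("Public notes, nothing sensitive.\n")
    (root / "archive").mkdir()
    (root / "archive" / "export.csv").write_text("id,acct\n1,1234-5678-90\n")

    findings = scan_store(root)
    moved = [quarantine(f, root / ".quarantine") for f in findings]
    stubs = [p.name for p in root.rglob("*")
             if p.is_file() and p.read_text().startswith(NOTICE)]
    return {
        "flagged": sorted(Path(f.path).name for f in findings),
        "quarantined": sorted(p.name for p in moved),
        "stubs_left": sorted(stubs),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points matter in practice: the scan reads a bounded prefix of each file and tolerates undecodable bytes, so a large binary or a permission error cannot stop the whole inventory; and quarantine replaces the file rather than deleting it, so the owner learns which rule fired and the security specialist keeps the original as evidence.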
In addition, the requirements for strengthening this measure include blocking the transmission of information with unacceptable content from the information system. Almost all DLP systems can fulfill this requirement across various communication channels, from email messages to copying to a USB drive.
Security Event Registration
The second important block of FSTEC recommendations on data protection is the registration of security events (SSR). Of course, before embarking on the implementation of these measures, an organization should categorize all information assets (resources). After that, it becomes possible to perform the following measures:
- Determination of the composition and content of information about security events to be registered.
- Collection, recording and storage of information about security events for the established retention period.
- Monitoring (viewing, analyzing) the results of registering security events, and responding to them.

Not all DLP solutions can record the fact and time of user authentication in information systems, or information about the rights granted to users. But most allow you to configure a ban on launching certain applications and to control user actions when working in various information systems. Advanced DLP systems, as a rule, implement an extended gradation of events by criticality level, up to 4-5 levels. This is very convenient for profiling events, generating reports and collecting statistics. After analyzing the event data, the information security specialist working with the system decides whether an information security incident has occurred.
Because all events are stored in the DLP system database, retrospective analysis and investigation can be carried out when policies are updated.
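To make the event-registration measures concrete (composition of a registered event, a criticality gradation of 1 to 5, and a retrospective query over the stored events), here is an added example that is not code from the article or from any DLP product. The log line format, the criticality matrix (data class sets the base level, channels that leave the perimeter add one) and the incident threshold are all constructed assumptions.

```python
"""Registration and criticality grading of DLP security events.

Added example, not code from the article or any DLP product. The log format,
the criticality matrix and the incident threshold are all assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed agent log lines in a hypothetical key=value format.
SAMPLE_LOG = """\
2024-03-01T09:12:03 user=ivanov channel=usb action=copy class=confidential size=2048
2024-03-01T09:15:44 user=ivanov channel=mail action=send class=public size=512
2024-03-01T10:02:10 user=petrova channel=print action=print class=confidential size=4
2024-03-01T10:40:00 user=ivanov channel=web action=upload class=secret size=91000
2024-03-02T08:00:01 user=sidorov channel=usb action=connect class=- size=0
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")

# Hypothetical criticality matrix: the data class gives the base level
# (1 informational .. 5 critical); channels that leave the perimeter add one.
BASE_LEVEL = {"-": 1, "public": 1, "internal": 2, "confidential": 4, "secret": 5}
CHANNEL_BONUS = {"usb": 1, "web": 1, "mail": 0, "print": 0}
INCIDENT_THRESHOLD = 4  # assumed: level 4 and above is escalated for review


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    channel: str
    action: str
    data_class: str
    level: int


def classify(channel: str, data_class: str) -> int:
    """Map (channel, data class) to a criticality level clamped to 1..5."""
    level = BASE_LEVEL.get(data_class, 3) + CHANNEL_BONUS.get(channel, 0)
    return max(1, min(5, level))


def parse_events(log_text: str) -> list:
    """Parse the constructed log format into Event records; bad lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
        try:
            ts = datetime.fromisoformat(m.group("ts"))
        except ValueError:
            continue
        channel, data_class = fields.get("channel", "?"), fields.get("class", "-")
        events.append(Event(ts, fields.get("user", "?"), channel,
                            fields.get("action", "?"), data_class,
                            classify(channel, data_class)))
    return events


def summarize(events) -> dict:
    """Count events per criticality level, for reports and statistics."""
    return dict(Counter(e.level for e in events))


def is_incident(event: Event, threshold: int = INCIDENT_THRESHOLD) -> bool:
    """The specialist still decides; this only marks what needs a look."""
    return event.level >= threshold


def retrospective(events, user: str, since: datetime, until: datetime,
                  min_level: int = 1) -> list:
    """Retrospective query: one user's events in a time window, at or above a level."""
    return [e for e in events
            if e.user == user and since <= e.ts < until and e.level >= min_level]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(summarize(evs))
    for e in evs:
        if is_incident(e):
            print("review:", e)
```

The point of keeping every event, not only those above the threshold, is the last function: once policies change, the same stored records can be re-queried for a user or a window without re-collecting anything from the agents.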
Protection of the information system, its means, and its communication and data transmission systems
Let us return to the basic objectives facing DLP systems. On mature reflection, it becomes obvious that to achieve them it is important not only to collect and consolidate various kinds of logs, but also to protect the accumulated data during its transfer, processing and storage. In fact, we are talking about the very notion of non-repudiation in creating, sending and receiving information, which we described in detail in the previous article. This measure can be approached from different sides. Some DLP systems assume the use of only additional commercial protection tools and cryptographic tools (SKZI) to ensure “non-repudiation”. Others also allow the use of standard operating system features. Consider what can be relied on, for example, in CentOS and the PostgreSQL database:
- Sector-level volume encryption using dm-crypt, which is built into the OS kernel.
- Database encryption with the pgcrypto module (encryption of the database's own tables and rows, which also makes it possible to protect data from privileged users, including IT staff).
- Restricting which hosts and users may connect to the database cluster, and over which connection type, via pg_hba.conf.
- Securing the client/server connection: TLS 1.2 or higher is effectively required.
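The last two items, access rules in pg_hba.conf and a TLS 1.2 floor on client connections, are configuration that is easy to get wrong in the direction of "works, but is open". The following added example, which is not from the article or from PostgreSQL itself, puts a constructed weak pg_hba.conf beside a corrected one and audits both. It assumes the address is given as a single CIDR column, ignores trailing authentication options, and assumes the PostgreSQL 12+ default of TLSv1.2 when ssl_min_protocol_version is not set.

```python
"""Audit of PostgreSQL client-access rules (pg_hba.conf) and the TLS floor.

Added example, not from the article or from PostgreSQL itself. The config
excerpts are constructed; the checker assumes CIDR addresses in one column
and ignores trailing auth options.
"""
import re

# Constructed weak configuration: no authentication on the local socket, MD5
# over plain TCP from anywhere, and a cleartext password method on the DLP database.
WEAK_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  trust
host    all       all   0.0.0.0/0      md5
host    dlp       dlp   10.0.0.0/8     password
"""

# Constructed corrected configuration: OS-user mapping locally, TLS-only SCRAM
# for the DLP database from its own subnet, and plain TCP rejected outright.
HARDENED_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  peer
hostssl dlp       dlp   10.0.5.0/24    scram-sha-256
hostnossl all     all   0.0.0.0/0      reject
"""

# Constructed postgresql.conf fragments for the TLS floor check.
WEAK_PG = "ssl = on\nssl_min_protocol_version = 'TLSv1'\n"
HARDENED_PG = "ssl = on\nssl_min_protocol_version = 'TLSv1.2'\n"

WEAK_METHODS = {
    "trust": "no authentication at all",
    "password": "password sent in cleartext",
    "md5": "legacy MD5 challenge; prefer scram-sha-256",
}
ANY_ADDRESS = {"0.0.0.0/0", "::/0", "all"}


def parse_hba(text: str) -> list:
    """Parse pg_hba.conf lines into dicts; 'local' lines carry no address."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "local":
            if len(parts) < 4:
                continue
            rule = dict(type="local", db=parts[1], user=parts[2],
                        address=None, method=parts[3])
        else:
            if len(parts) < 5:
                continue
            rule = dict(type=parts[0], db=parts[1], user=parts[2],
                        address=parts[3], method=parts[4])
        rules.append(rule)
    return rules


def audit_hba(text: str) -> list:
    """Return (rule number, problem) pairs for weak access rules."""
    problems = []
    for n, r in enumerate(parse_hba(text), start=1):
        if r["method"] in WEAK_METHODS:
            problems.append((n, f"{r['method']}: {WEAK_METHODS[r['method']]}"))
        if r["method"] == "reject":
            continue  # a deny rule; transport and address checks do not apply
        if r["type"] == "host":
            problems.append((n, "host: accepts non-TLS TCP connections; use hostssl"))
        if r["address"] in ANY_ADDRESS:
            problems.append((n, f"address {r['address']}: open to any client"))
    return problems


def check_tls_floor(postgresql_conf: str) -> list:
    """Check that TLS is on and the minimum version is at least TLSv1.2."""
    settings = dict(re.findall(r"^\s*(\w+)\s*=\s*'?([\w.]+)'?", postgresql_conf, re.M))
    problems = []
    if settings.get("ssl", "off").lower() != "on":
        problems.append("ssl is not enabled")
    # Assumes the PostgreSQL 12+ default (TLSv1.2) when the setting is absent.
    if settings.get("ssl_min_protocol_version", "TLSv1.2") not in ("TLSv1.2", "TLSv1.3"):
        problems.append("ssl_min_protocol_version below TLSv1.2")
    return problems


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_HBA), ("hardened", HARDENED_HBA)):
        print(name, audit_hba(cfg))
    print("weak tls", check_tls_floor(WEAK_PG), "hardened tls", check_tls_floor(HARDENED_PG))
```

Two things to notice in the corrected file: `hostssl` plus `scram-sha-256` means the DLP database is reachable only over TLS with a salted challenge-response exchange, and the explicit `hostnossl ... reject` line documents the decision rather than relying on the absence of a matching rule.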
Although FSTEC does not regulate the use of cryptographic protection tools here, it seems advisable to use encryption to protect the information system, its means, and its communication and data transfer systems (VMS), so that the DLP system itself does not become, in the hands of competent IT staff, a source of leakage of classified information. Since the tools listed above are components of the OS and related software, the example considered is a particular case. In any case, if necessary, an open-source or free alternative to existing commercial cryptographic protection tools can always be found. But this immediately raises the question of certifying such solutions, which is a topic for a separate conversation.
In our next article we will discuss how the key modules of DLP systems map to the recommendations of the American NIST standard.