Security Manager's Journal: DLP tool is suddenly blind to email

We had been making good progress in demonstrating the value of our still limited deployment of data leak prevention (DLP) technology until a setback a couple of weeks ago. Ironically, the setback was due to an expansion in the use of encryption, something that I would normally embrace wholeheartedly.

Trouble Ticket

Suddenly, the data leak prevention tool can't see any Exchange mail on the network. Action plan: Figure out what's wrong, and then find a way to make the mail visible again.

Some background: We rolled out DLP earlier this year, but with resource constraints; I've been seeking more backing for this technology by proving its worth in protecting the company's intellectual property. Given a tight budget, we decided it would be most effective to deploy DLP in a limited but highly targeted way. For example, we aren't alerted about every document containing the words confidential or restricted but instead rely on a recent audit that identified specific documents containing key sensitive data. This short list of highly sensitive data includes product road maps, source code, price books, business development plans and confidential financial data.

Meeting with representatives of each functional unit, we learned that some of these documents are stored in Microsoft SharePoint libraries and others on Unix network file shares or Microsoft CIFS file shares. For example, the vice president of sales told us that price books are stored within a departmental share on a Windows file server and then sent out via email to a distribution list. With that information, we were able to configure our DLP software to automatically index that file share once per day, with the index matching so tight that even a small portion of the price book that was pasted into another document or email message could be identified.
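The "index once, match fragments later" approach described above is usually built on document fingerprinting: the indexed file is cut into overlapping word windows (shingles), each window is hashed, and an outbound message is flagged when enough of its own windows hit the index. The following Python example is added here to illustrate that mechanism; it is not code from the column or from any DLP product. The price book rows, the window size of five words and the threshold of three hits are constructed assumptions chosen for the demonstration, and real products tune both values per document class.

```python
import hashlib
import re

SHINGLE_WORDS = 5   # assumption: window size; products tune this per document class
MIN_HITS = 3        # assumption: how many matching windows count as "contains the document"


def tokens(text):
    # Normalise case and strip punctuation so a paste out of a spreadsheet cell,
    # with its own separators and line breaks, still lines up with the index.
    return re.findall(r"[a-z0-9.\-]+", text.lower())


def shingles(text, k=SHINGLE_WORDS):
    """Return the set of truncated SHA-256 fingerprints of every k-word window."""
    toks = tokens(text)
    return {
        hashlib.sha256(" ".join(toks[i:i + k]).encode()).hexdigest()[:16]
        for i in range(len(toks) - k + 1)
    }


def build_index(documents):
    """documents: {name: text}. Returns {fingerprint: set(document names)}.

    Only fingerprints are kept, so the index itself does not leak the price book."""
    index = {}
    for name, text in documents.items():
        for fp in shingles(text):
            index.setdefault(fp, set()).add(name)
    return index


def match(index, message, min_hits=MIN_HITS):
    """Count index hits per document and return those at or above the threshold."""
    hits = {}
    for fp in shingles(message):
        for name in index.get(fp, ()):
            hits[name] = hits.get(name, 0) + 1
    return {name: n for name, n in hits.items() if n >= min_hits}


# Constructed sample "price book" standing in for the exported spreadsheet.
PRICE_BOOK = """SKU Description Unit Price Volume Price
PB-1001 Widget Pro 249.00 199.00
PB-1002 Widget Enterprise 1499.00 1199.00
PB-1003 Gadget Lite 89.00 69.00
PB-1004 Gadget Max 399.00 329.00"""

INDEX = build_index({"price_book.xlsx": PRICE_BOOK})

# Constructed outbound messages: one with two rows pasted in, one innocuous.
LEAK = ("FYI here are the numbers: PB-1002 Widget Enterprise 1499.00 1199.00 "
        "PB-1003 Gadget Lite 89.00 69.00 thanks")
CLEAN = "Hi, can you send me the latest widget pricing when you get a chance?"


def scan(message):
    """Return the per-document hit counts for one outbound message."""
    return match(INDEX, message)


if __name__ == "__main__":
    print("LEAK :", scan(LEAK))    # two pasted rows -> 6 matching windows
    print("CLEAN:", scan(CLEAN))   # no windows match -> {}
```

Two rows pasted into the message body produce six overlapping five-word windows that all exist in the index, well above the threshold, while a message that merely talks about pricing produces none. The threshold is the knob behind "even a small portion": a single pasted row yields only one window at this size, so a deployment that must catch single rows needs a shorter window or a lower threshold, at the cost of more false positives on common phrases.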

Where Did It Go?

As a demonstration for management, we copied part of the price book, which is an Excel spreadsheet, and pasted it into an email message that was then sent to a webmail account. This triggered an alert notifying us that the email contained data from the price book. Score one for DLP. But a couple of weeks ago, this demonstration started to fail, because we were unable to see any of our Microsoft Exchange email traffic.

All the other network traffic was still visible, so what happened to the Exchange traffic? The Exchange administrators told us that they had recently upgraded to Exchange 2010, which uses what is called opportunistic TLS to automatically encrypt all traffic between the Exchange server and our cloud-based spam-filtering mail gateway. In addition, we are slowly migrating our on-premises Microsoft Exchange servers to Microsoft O365, a hosted Exchange environment that also encrypts traffic.

The problem is that our DLP monitors network traffic via a SPAN port and can't see encrypted traffic. I now have to deploy proxies to decrypt the SSL packets, pass the traffic to the DLP for inspection and then re-encrypt the traffic to its destination.
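Opportunistic TLS is negotiated inside the SMTP session: the server advertises STARTTLS in its EHLO reply, the client issues STARTTLS, and once the server answers 220 everything after that point is a TLS record stream that a SPAN-port sensor cannot read. A monitor that knows this can at least tell how much of the mail flow has gone dark rather than silently reporting nothing. The Python below is an added example, not part of the column or of any DLP product, that classifies reassembled SMTP transcripts and reports what fraction is still inspectable. The three session transcripts are constructed for the demonstration, and the 90% visibility floor is an assumed alerting threshold.

```python
import re

# Constructed SMTP transcripts as a SPAN-port sensor might reassemble them.
# "S:" lines are server replies, "C:" lines are client commands.
SESSIONS = {
    "exchange->gateway": [
        "S: 220 gw.example.net ESMTP ready",
        "C: EHLO exch01.corp.example",
        "S: 250-gw.example.net",
        "S: 250-STARTTLS",
        "S: 250 SIZE 52428800",
        "C: STARTTLS",
        "S: 220 2.0.0 Ready to start TLS",
        "<tls record 16 03 01 ...>",        # everything from here on is opaque
    ],
    "printer->relay": [
        "S: 220 relay.corp.example ESMTP",
        "C: EHLO mfp-3rd-floor",
        "S: 250 relay.corp.example",
        "C: MAIL FROM:<scanner@corp.example>",
        "S: 250 OK",
        "C: DATA",
        "S: 354 End data with <CR><LF>.<CR><LF>",
    ],
    "tls-refused": [
        "S: 220 gw.example.net ESMTP ready",
        "C: EHLO exch02.corp.example",
        "S: 250-gw.example.net",
        "S: 250 STARTTLS",
        "C: STARTTLS",
        "S: 454 4.7.0 TLS not available due to temporary reason",
        "C: MAIL FROM:<sales@corp.example>",   # session continues in the clear
    ],
}


def classify_session(lines):
    """Decide whether a session's payload remained readable to a passive sensor."""
    offered = negotiated = False
    awaiting_tls_reply = False
    for line in lines:
        if line.startswith("S: "):
            reply = line[3:]
            if re.match(r"250[- ]STARTTLS\b", reply, re.IGNORECASE):
                offered = True
            if awaiting_tls_reply:
                # RFC 3207: only a 220 reply means the TLS handshake begins.
                negotiated = reply.startswith("220")
                awaiting_tls_reply = False
        elif line.startswith("C: "):
            if line[3:].strip().upper() == "STARTTLS":
                awaiting_tls_reply = True
    return {
        "starttls_offered": offered,
        "starttls_negotiated": negotiated,
        "inspectable": not negotiated,
    }


def visibility_report(sessions, min_ratio=0.9):
    """Summarise how much SMTP traffic the sensor can still inspect."""
    results = {name: classify_session(lines) for name, lines in sessions.items()}
    inspectable = sum(1 for r in results.values() if r["inspectable"])
    total = len(results)
    ratio = inspectable / total if total else 1.0
    return {
        "sessions": results,
        "inspectable": inspectable,
        "total": total,
        "ratio": ratio,
        "alert": ratio < min_ratio,   # assumption: alert below 90% visibility
    }


if __name__ == "__main__":
    report = visibility_report(SESSIONS)
    for name, r in report["sessions"].items():
        print(f"{name:20s} offered={r['starttls_offered']} "
              f"negotiated={r['starttls_negotiated']} inspectable={r['inspectable']}")
    print(f"inspectable {report['inspectable']}/{report['total']}, alert={report['alert']}")
```

Run over these three transcripts, only the Exchange-to-gateway session is opaque: the printer never offered TLS, and the refused session fell back to cleartext after the 454 reply. Tracking this ratio over time is what turns "the DLP stopped alerting" into "visibility dropped on the day of the Exchange upgrade", and the same drop is exactly what a TLS-terminating proxy in front of the DLP is meant to restore.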

When I discussed this issue with my firewall engineer, he mentioned that our Palo Alto Networks (PAN) firewalls could decrypt SSL traffic. That sounded like an easy and inexpensive way to inspect our traffic, but unfortunately, the PANs aren't ICAP-compatible. ICAP, which stands for Internet Content Adaptation Protocol, is the mechanism by which decrypted SSL traffic is passed to our DLP for inspection. That means that I'm going to have to wait until 2013 to buy another tool, unless I can find a low-cost alternative.

One option we've been thinking about is Squid, which is an open-source proxy. But being open source, Squid doesn't come with any support, so it's not a long-term solution. The one thing that's certain is that we can't continue operating blind.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at
