Black Hat Extrusion Detection Encore: Next Wednesday, OWASP Chicago

Thomas Ptacek | August 27th, 2007 | Filed Under: Gatherings, Uncategorized

Come see Eric Monti reprise our Black Hat talk on Extrusion Detection and Content Management and Filtering systems. Next Wednesday, September 5th, at Chicago OWASP. From the abstract:

Some “Extrusion Detection” products rely on network gateway IPS/IDS approaches, whereas others work in a way more closely resembling host-based IDS/IPS. The main difference is that instead of detecting/preventing malicious information from entering a company’s perimeter, they focus on keeping assets inside.

We’ve been evaluating a number of products in this space and have run across a large number of vulnerabilities. They range from improper evidence handling, to inherent design issues, all the way to complete compromise of an enterprise, using the Extrusion Detection framework itself as the vehicle.

Capsule summary: Eric and I got a chance to test several market-leading “Extrusion Detectors”. None of them emerged unscathed. Eric will talk about the techniques and methods we used to pick these black-box systems apart, and what types of vulnerabilities we found.

Chicago OWASP is open to all comers, but you do need to RSVP to Jason Witty (jason at wittys dot com) sometime before next Tuesday. Meetings are held in the LaSalle Bank building on Madison. Check the OWASP page for more details. See you there!

3 Comments so far

  • Eric Monti

    August 27th, 2007 10:55 pm

    We covered this some at Black Hat too, but at OWASP, the talk will be focusing more on attack patterns, less on “the product space” specifically.

    See you there.

  • dre

    August 28th, 2007 12:06 pm

    Augusto Paes De Barros just blogged about data leakage prevention and honeytokens, which I thought was an interesting read.

    He poses some questions of whether honeytokens are being used, what vulnerabilities they present, and a question of why they aren’t typically built into DLP products.

    I would want to add digital watermarking and clipping services to that list. Aren’t they really good ways of doing extrusion detection? Why is every vendor answer to every security problem typically an appliance or software “scanning” tool?

  • Thomas Ptacek

    August 28th, 2007 1:17 pm

    Because the two most valuable pieces of enterprise IT real estate are inline at key network aggregation points, and host-resident in the standard desktop or server build.
