Data Exfil Blocking policy

L2 Linker


Hi All,

We were planning to implement some egress rules to protect against any kind of large uploads/data exfil activities from the inside network.

And when thinking through it, the first thought that came to my mind was to block all outgoing connections, except web servers and some legit services like ssh etc.

But then I thought that it might get a lot of pushback and complaints from the clients, as they might be using cloud services for data backups of their systems, and the new policy would not allow them to back up to the internet; hence I realized that the policy would need a LOT of exceptions.

Therefore, I can't think of an efficient way to implement a stricter egress firewall policy, and turned to the awesome PA community for any thoughts to pitch in :)

Is anyone implementing something similar that they would like to share?

PS: I know about Aperture and other integration plugins PA provides, but we are not there yet to use them.

Appreciate the help!

Fatema.

Cyber Elite

Hello,

I would say corporate policies are the place to start. A fair use internet policy is a good one as it can lay out what is and is not allowed. This should include URL filtering and data types. Luckily we have a DENY ALL, allow-by-exception policy, so the users have to validate why they need to use something. We utilize Application Filters and explicitly block peer-to-peer, instant messaging, and gaming. Also, on the URL filtering, we block categories such as Unknown, Malware, and online storage.

Unfortunately, without the backing of some executive, you might not get very far. A good place to 'scare' them would be some of the canned reports in the PAN. Something like Top URL Categories and Top Application Categories is usually enough to scare more execs into allowing you to block them. As someone else mentioned, use the exec's traffic if it's highly suspect ;). I would tread carefully as this is highly political, and I have been on the receiving end of some very harsh criticism in the past. So now I usually just make a request to an executive and say "can you look this over for me and offer any suggestions" or "here is the list of all the URL categories, which ones should we block". Let them choose and offer pros and cons.

Not the answer you are looking for, but I hope it helps.

L2 Linker

Thanks for providing some valuable thoughts.. :)

Currently we do not have explicitly mentioned URLs that we would want to block; we just rely on PA's URL filtering and blocking connections to certain categories of traffic, like Malware, Unknown etc.

Was just thinking along the lines of, if we can block incoming then why not outgoing, and hence asked if someone has explicitly defined some policies in PA for any use cases.

Another thing I was thinking about is that it will also help prevent reverse shells after successful exploitation of client machines, and prevent them from connecting to any internet machine on weird ports.

Thanks for the info, and I will try to work through it :)
