<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Blog Central &#187; Data Protection</title>
	<atom:link href="http://blogs.mcafee.com/enterprise/data-protection/feed" rel="self" type="application/rss+xml" />
	<link>http://blogs.mcafee.com</link>
	<description></description>
	<lastBuildDate>Fri, 17 May 2013 22:07:28 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<item>
		<title>NCCDC 2013 &#8211; Red Team Recap</title>
		<link>http://blogs.mcafee.com/cto/nccdc-2013-red-team-recap</link>
		<comments>http://blogs.mcafee.com/cto/nccdc-2013-red-team-recap#comments</comments>
		<pubDate>Wed, 08 May 2013 03:34:22 +0000</pubDate>
		<dc:creator>Jim Walter</dc:creator>
				<category><![CDATA[CTO]]></category>
		<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[McAfee Labs]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Public Sector]]></category>
		<category><![CDATA[Security Connected]]></category>
		<category><![CDATA[Support]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[critical infrastructure]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[global threat intelligence]]></category>
		<category><![CDATA[internet security]]></category>
		<category><![CDATA[labs]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[NCCDC]]></category>
		<category><![CDATA[Red Team]]></category>
		<category><![CDATA[Risk and Compliance]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=24545</guid>
		<description><![CDATA[This past April (4/19 to 4/21) I had the great pleasure and experience of joining the Red Team at the 9th NCCDC competition. It was actually my 2nd year on the Red Team and 4th year to attend in total (I judged in 2010 and 2011). McAfee is actually a perpetual <a href="http://blogs.mcafee.com/cto/nccdc-2013-red-team-recap">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p><a href="http://blogs.mcafee.com/cto/nccdc-2013-red-team-recap/attachment/nccdc" rel="attachment wp-att-24552"><br />
<img class="size-full wp-image-24552 alignright" alt="nccdc" src="http://blogs.mcafee.com/wp-content/uploads/2013/05/nccdc.gif" width="300" height="133" /></a></p>
<p>This past April (4/19 to 4/21) I had the great pleasure and experience of joining the Red Team at the 9<sup>th</sup> <a title="http://www.nationalccdc.org/" href="http://www.nationalccdc.org/" target="_blank">NCCDC competition</a>. It was actually my 2<sup>nd</sup> year on the Red Team and 4<sup>th</sup> year to attend in total (I judged in 2010 and 2011). McAfee is actually a perpetual sponsor of this event. That being said, I have my own selfish agenda when I attend.</p>
<p>Joining in as part of the Red Team is, by far, one of the most educational experiences I could possibly put myself in. Not only are you tossed into a room with folks like Mubix, Vyrus, Raphael Mudge, and others – but also you are on a limited schedule, and from the time that the competition starts it’s heated and non-stop.</p>
<p>The general strategy this year was to lay down all our toys and persistence (backdoors, beacons, RATs and other tools) on Day 1.   We made very little noise, hoping that the competing teams would gain a false sense of confidence and not notice our presence on their systems.   This way on Day 2 when the chaos commences, and the teams choose to just ‘restore from backup’ or ‘revert snapshots’ and the like, they end up restoring all our persistent tools and we retain access and ownership.</p>
<p><div id="attachment_24547" class="wp-caption alignleft" style="width: 310px"><a href="http://blogs.mcafee.com/cto/nccdc-2013-red-team-recap/attachment/jim_darkcomet_console1" rel="attachment wp-att-24547"><img class="size-medium wp-image-24547" alt="DarkComet Client Console" src="http://blogs.mcafee.com/wp-content/uploads/2013/05/Jim_DarkComet_Console1-300x183.png" width="300" height="183" /></a><p class="wp-caption-text">DarkComet Client Console</p></div></p>
<p><strong>And . . . .. . It worked!</strong></p>
<p>Different individuals on the Red Team had their unique tools and methods to gain and retain access and upset the teams’ activities. As the McAfee guy, I chose to rely on some old, tried and true (and very accessible) RATs. Most of my activities centered on the use of DarkComet and, to a far lesser degree, DNA.</p>
<p><div id="attachment_24550" class="wp-caption alignleft" style="width: 310px"><a href="http://blogs.mcafee.com/cto/nccdc-2013-red-team-recap/attachment/jim_remote_view_1" rel="attachment wp-att-24550"><img class="size-medium wp-image-24550 " alt="RAT Remote Process View" src="http://blogs.mcafee.com/wp-content/uploads/2013/05/Jim_remote_view_1-300x195.png" width="300" height="195" /></a><p class="wp-caption-text">RAT Remote Process View</p></div></p>
<p>My philosophy was driven by two primary goals. First, I know these things work realllllllllly well. And with these RATs on the box, I can control and own everything. Second, and possibly more interesting, is that if these tools work, I know that the teams are not putting any effort into installing/deploying even the most basic endpoint/host-based AV solutions. This is especially intriguing because, as a sponsor, McAfee provided the competition with our software. I purposely did NOT do any crypting/packing/obfuscation on the RATs I generated. I know that McAfee (and just about all other vendors) DID detect these things. Yet, I still managed to install and persist on most of the hosts that I deployed to (deployed via Cobalt Strike, btw).</p>
<p>When the competition was over, I chatted with a few competitors, and mentioned this fact. I immediately saw the gears start turning. I could tell they had a real “Ahhhh, we should have done that” moment. Not to mention that McAfee (and others) detect meterpreter/MSF listeners and Trojans as malware/PUPs. Those could have been curtailed as well.</p>
<p>Each year, the teams have to set up, maintain, and safeguard an environment for a faux company/entity. This year the teams were tasked with the environment of a Correctional Institute. This includes databases for tracking the whereabouts of prisoners, an e-commerce site for a prisoner commissary, and more. From the Red Team perspective, this gives us some of our big bets for getting points deducted from the teams. For example, if you kill/mangle/destroy the database for tracking prisoners and personnel, that’s one of the high-point items. After all, they don’t want an IT issue to allow prisoners to go unaccounted for or escape, etc. Other hot items include public web site defacement and acquisition of PII (personally identifiable information). For added fun, many of us defaced the web sites by posting the company’s PII for all to see.</p>
<p><div id="attachment_24548" class="wp-caption alignleft" style="width: 727px"><a href="http://blogs.mcafee.com/cto/nccdc-2013-red-team-recap/attachment/jim_defaced_team_9_1" rel="attachment wp-att-24548"><img class=" wp-image-24548 " alt="Defaced with PII" src="http://blogs.mcafee.com/wp-content/uploads/2013/05/Jim_defaced_team_9_1-1024x608.png" width="717" height="426" /></a><p class="wp-caption-text">Defaced with PII</p></div></p>
<p>All in all, it was a fantastic experience. I look forward to future activities with this competition.</p>
<p>UTSA shot a documentary this year.  I’ll post details on that once it’s released.    However, if you’d like to get some really detailed info, Hak5 released a documentary filmed at the 2012 event.   It features great interviews and ‘behind the scenes’ Red Team action.   I’m not interviewed, but you can see the top of my head in a couple shots!!</p>
<p><div id="attachment_24551" class="wp-caption alignleft" style="width: 1034px"><a href="http://blogs.mcafee.com/cto/nccdc-2013-red-team-recap/attachment/jimhead" rel="attachment wp-att-24551"><img class="size-large wp-image-24551" alt="Hak5 Doc - Jim's Head" src="http://blogs.mcafee.com/wp-content/uploads/2013/05/jimhead-1024x632.jpg" width="1024" height="632" /></a><p class="wp-caption-text">Hak5 Doc &#8211; Jim&#8217;s Head</p></div></p>
<p><a title="Hak5 NCCDC Documentary" href="http://hak5.org/episodes/hak5-1118" target="_blank">2012 Hak5 Documentary</a></p>
<p>Additional Blogs on NCCDC 2013</p>
<ul>
<li>David Cowen - <a id="resultURL" href="http://mcaf.ee/wid10" target="_blank">http://mcaf.ee/wid10</a></li>
<li>Raphael Mudge - <a id="resultURL" href="http://mcaf.ee/ageor">http://mcaf.ee/ageor</a></li>
<li>Alex Levinson - <a id="resultURL" href="http://mcaf.ee/limh1">http://mcaf.ee/limh1</a></li>
</ul>
<p>NCCDC 2013 Red Team Brief - <a id="resultURL" href="http://mcaf.ee/uodvk">http://mcaf.ee/uodvk</a></p>
<p><b>Bonus</b>: We recently did our 2<sup>nd</sup> AudioParasitics episode with the great Raphael Mudge. This time we have a full and glorious video demo of Cobalt Strike in action. We actually walk through scenarios and give you details on how some of these Red Team activities actually occur.</p>
<p>AudioParasitics Episode 141 (video) - <a id="resultURL" href="http://mcaf.ee/gep69">http://mcaf.ee/gep69</a></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/cto/nccdc-2013-red-team-recap/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Dear Customer &#8211; Turn on the protection features you bought please?</title>
		<link>http://blogs.mcafee.com/corporate/dear-customer-turn-on-the-protection-features-you-bought-please</link>
		<comments>http://blogs.mcafee.com/corporate/dear-customer-turn-on-the-protection-features-you-bought-please#comments</comments>
		<pubDate>Fri, 01 Feb 2013 20:28:50 +0000</pubDate>
		<dc:creator>Simon Hunt</dc:creator>
				<category><![CDATA[Corporate]]></category>
		<category><![CDATA[CTO]]></category>
		<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[Security Perspectives]]></category>
		<category><![CDATA[System Endpoint]]></category>
		<category><![CDATA[NY Times]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=21776</guid>
		<description><![CDATA[The recent press activity around the New York Times Cyberattack, and the response from their vendor, are causing quite a stir in the malware protection community – so much in fact that some journalists have gone as far as claiming that “antivirus protection alone barely represents a speed bump to determined hackers” Andy Greenberg, Forbes Surprisingly, <a href="http://blogs.mcafee.com/corporate/dear-customer-turn-on-the-protection-features-you-bought-please">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>The recent press activity around the <a title="NYTimes Cyberattack" href="http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html?ref=technology&amp;_r=0" target="_blank">New York Times Cyberattack</a>, and the <a title="Response" href="http://www.marketwire.com/press-release/symantec-statement-regarding-new-york-times-cyber-attack-nasdaq-symc-1751586.htm" target="_blank">response </a>from their vendor are causing quite a stir in the malware protection community – so much in fact that some journalists have gone as far as claiming that</p>
<blockquote><p> “antivirus protection alone barely represents a speed bump to determined hackers”</p></blockquote>
<p style="padding-left: 60px;"><a href="http://www.forbes.com/sites/andygreenberg/2013/01/31/symantec-gets-a-black-eye-in-chinese-hack-of-new-york-times/" target="_blank">Andy Greenberg, Forbes</a></p>
<p><strong><em>Surprisingly, I actually wholeheartedly agree.</em></strong></p>
<p>“Antivirus” as Andy calls it, or blacklisting as it’s commonly known in malware protection circles is a pretty simple technique – and fundamentally flawed unfortunately. I’ll break it down to show you why.</p>
<ol>
<li>Someone gets an infected email, or visits a compromised web site.</li>
<li>The malware is new, and thus not identified by their blacklisting technology, so it installs and they get infected.</li>
<li>Somehow, some time later, this comes to the attention of their blacklisting software vendor.</li>
<li>The infection gets broken down and analyzed – a unique “fingerprint” or “signature” is created.</li>
<li>This signature gets distributed out to all the other customers of the blacklisting vendor, and also to the blacklisting community.</li>
<li>Now, everyone else is protected from this particular threat.</li>
</ol>
<p>Do you see the problems? Firstly of course, it requires a sacrificial sheep – yes, no blacklisting software will detect things it does not know about, so all you have to do to be a successful hacker, is <strong><em>create something new</em></strong>.</p>
<p>Secondly, even when your malware gets detected, there’s a significant delay before the world catches on – much like a new strain of Flu, it can affect thousands of people before anyone realizes, and then it can take days for an appropriate remedy to be put in place. Blacklisting is the same – there’s a lead time between companies like McAfee getting a sample, and us distributing the detection and cure back to our customers. It can take days after the first infection using this old method.</p>
<p>Thirdly, the most damning problem is that your blacklisting software is <strong><em>always on the defense</em></strong>; it’s always <strong><em>reacting</em></strong> to things that happened in the past. Modern programming techniques mean that creating dynamic, or “<a title="Polymorphic Code" href="http://en.wikipedia.org/wiki/Polymorphic_code" target="_blank">Polymorphic</a>” code is trivial, so everyone who gets infected might be infected by a different version of the malware – can you imagine what trouble that causes a blacklisting system? Not only does everyone get what seems to be a new piece of malware, but even when you&#8217;ve analyzed it, there’s little point telling the rest of the world about it, as each malware sample will probably only be seen once.</p>
<p>Maybe that explains why there’s a differing opinion on how much malware exists – anything between 70 million and 150 million examples depending on who you ask.</p>
<p>Blacklisting is valuable as it catches the common, repeat offender malware. The stuff that’s been circulating around for months, if not years, the old examples which keep getting recycled into the field – but as a mechanism to protect you from novel, bleeding edge threats? Not a chance.</p>
<p>So with that said I expect you’re waiting for me to say that there’s no point renewing your subscriptions and you might as well give in now? Thankfully not – nothing could be further from the truth.</p>
<p>Going back to the vendors press release, there’s a key paragraph I want to point out:</p>
<blockquote><p>&#8220;Turning on only the signature-based anti-virus components of endpoint solutions alone are not enough in a world that is changing daily from attacks and threats. We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security. Anti-virus software alone is not enough.&#8221;</p></blockquote>
<p>There you have all my advice summed up. Blacklisting, or signature-based detection, is not enough – and luckily, it&#8217;s only <strong>one</strong> of the many techniques leading-edge anti-malware products use to protect you.</p>
<p>One of the alternatives, which many vendors use (though I am proud to say McAfee led the market with it), is cloud-based reputation detection. We call it “<a title="McAfee GTI" href="http://www.mcafee.com/us/mcafee-labs/technology/global-threat-intelligence-technology.aspx" target="_blank">File Reputation</a>”, though you may have heard it called Artemis, which was our code name for the project. Rather than basing decisions on whether the file you downloaded in an email, or got from the web, is “known to be bad” by virtue of it being on a blacklist, we look at attributes of the file: where it came from, whether it’s signed, etc. – in fact around 80 different things – to work out how “suspicious” we think it is, and based on that our products reach out to the McAfee cloud and start asking questions. Very quickly, in fact pretty much instantly as far as you could tell, we can determine the likelihood of anything being malicious or not, whether we&#8217;ve seen it before or not.</p>
<p>Better still, that “reputation” can be bolstered by looking at who else is asking questions about the same file. Malware distribution often follows predictable patterns – distribution from known bad domains, geographic peculiarities, etc. – and all this information can be combined to make a judgment on whether your latest financial results spreadsheet, which “appears” to be in an email from your boss, is genuine or not.</p>
<p><strong><em>This reputation data, or &#8220;<a href="http://www.mcafee.com/us/mcafee-labs/technology/global-threat-intelligence-technology.aspx" target="_blank">Global Threat Intelligence</a>&#8221; as we call it, is absolutely critical and baked into pretty much every product we offer. Without GTI, you&#8217;re really not protected from novel threats. Not by half. </em></strong></p>
<p>My colleague Rees Johnson <a title="Rees Johnson on GTI" href="http://www.youtube.com/watch?v=Izh6VXkunwY" target="_blank">posted a video</a> about McAfee’s GTI reputation engine a while ago. He gave a great example of one of our larger customers, who reported 12,000 potential virus samples to McAfee in 2011 – 7200 of which were not detected by the McAfee blacklisting engine.</p>
<p>We already had our cloud reputation engine in place, but that customer had not turned it on – much like it seems the NY Times were not using cloud based reputation technology from their vendor (supposition on my part of course).</p>
<p>As an academic exercise we turned our reputation system on, set it to the least aggressive level, and re-ran the samples.</p>
<p>The reputation engine, even at this most basic level, immediately detected 50% more malware. Turning the reputation system up to its highest level, it caught it all &#8211; 100% of the samples our customer had were correctly identified.</p>
<p>On average the reputation engines offer protection around 127 hours in advance of the blacklists, or, looking at it the other way around, 5+ days of opportunity for you to get infected without it.</p>
<p>If our customer had McAfee File Reputation enabled, not one of those 12,000 samples would have got through to infect their machines – they would have been 100% protected. Generally, enabling the McAfee cloud-based reputation services improves the effectiveness of our products by an additional 10-30% when it comes to novel threats &#8211; even if every advanced feature of the product is enabled, there&#8217;s ALWAYS more protection.</p>
<p>You can imagine our customer was pretty surprised to have such power on hand, and was pretty fast to click the few buttons to enable it on all their 100,000+ machines.</p>
<p>“What about false positives?”- well I must confess there’s always the possibility – we average 0.0001%, or 1 in 100,000 pieces of software are misidentified. Can you live with a 1:100,000 chance of your malware protection product blocking something new? I know I can.</p>
<p>Let’s re-run the scenario I started with.</p>
<ol>
<li>Someone gets an infected email, or visits a compromised web site.</li>
<li>The malware is new, and thus not identified by their blacklisting technology, so it gets checked out by the cloud reputation system.</li>
<li>It’s bad, so it gets blocked.</li>
</ol>
<p>Game over, everyone happy, everyone safe.</p>
<p>And after all, “<a title="Safe Never Sleeps" href="http://www.mcafee.com/careers/safe-never-sleeps-video.html" target="_blank">Safe Never Sleeps</a>” is our motto.</p>
<p>I want to leave it here as I want to compare apples with apples, but blacklisting, and cloud reputation are not the end of the story – They are both valuable techniques to protect against threats, but still not (in my mind) the most sophisticated, nor the ones we will be using for years to come.</p>
<p>Alongside the simplistic blacklisting, current products have technologies which are more behavioral-based. At McAfee we call it &#8220;<a title="McAfee HIPS" href="http://www.mcafee.com/us/products/host-ips-for-desktop.aspx" target="_blank">Host Intrusion Prevention</a>&#8221;, or HIPS for short. It couples a dynamic firewall, again with global reputation knowledge; vulnerability shielding, making sure malware can&#8217;t take advantage of known software flaws; and behavioral protection for commonly used attack strategies. Turning on HIPS stops malware from making changes to your systems &#8211; so again, it&#8217;s absolutely essential in preventing the novel new attacks that blacklisting is unaware of. Unfortunately, like reputation, lots of people buy this feature but never turn it on, so they really miss out on the advanced protection it offers.</p>
<p>Finally, I am tremendously excited by advances in whitelisting techniques – the idea of instead of trying to know about all the bad stuff, and trying to make judgment calls on unknown things, we turn that on its head and instead strive to <strong><em>know about the good stuff</em></strong>, and consider everything else bad or suspicious. You can imagine how disruptive that will be to cyber criminals who survive only because they can create new malware faster than we can identify it – all of a sudden anything new is closely watched, blocked, constrained.</p>
<p>Polymorphic malware would no longer be effective, “Advanced Persistent Threats” disappear, and we can ignore 30 years of cumulative malware because it’s all ineffective overnight. McAfee calls this “<a title="McAfee Application Control" href="http://www.mcafee.com/us/products/application-control.aspx" target="_blank">Application Control</a>”, and I fully believe it’s where, as an industry, we should be moving.</p>
<p>But in the meantime – at least turn on the advanced features of the products you bought and get the best protection you can?</p>
<p>Simon.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/corporate/dear-customer-turn-on-the-protection-features-you-bought-please/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Anonymous Releases &#8216;Warhead&#8217; via #OpLastResort</title>
		<link>http://blogs.mcafee.com/cto/anonymous-releases-warhead-via-oplastresort</link>
		<comments>http://blogs.mcafee.com/cto/anonymous-releases-warhead-via-oplastresort#comments</comments>
		<pubDate>Sun, 27 Jan 2013 21:34:21 +0000</pubDate>
		<dc:creator>Jim Walter</dc:creator>
				<category><![CDATA[Cloud Security]]></category>
		<category><![CDATA[CSO / Risk Management]]></category>
		<category><![CDATA[CTO]]></category>
		<category><![CDATA[Data Center]]></category>
		<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[Database Security]]></category>
		<category><![CDATA[McAfee Labs]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Public Sector]]></category>
		<category><![CDATA[Security Connected]]></category>
		<category><![CDATA[Anonymous]]></category>
		<category><![CDATA[Barrett Brown]]></category>
		<category><![CDATA[Last Resort]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[OpLastResort]]></category>
		<category><![CDATA[social networking]]></category>
		<category><![CDATA[Swartz]]></category>
		<category><![CDATA[twitter]]></category>
		<category><![CDATA[USSC]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=21543</guid>
		<description><![CDATA[This post was updated on January 27. See end of file for update.  There has been a great explosion of chatter in the last day around Anonymous&#8217; &#8220;Operation Last Resort&#8221; (a.k.a. #OpLastResort). The entities behind the various &#8220;official&#8221; communications around this operation have a sense of humor that we must point out (especially because if <a href="http://blogs.mcafee.com/cto/anonymous-releases-warhead-via-oplastresort">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p><strong>This post was updated on January 27. See end of file for update. </strong></p>
<p>There has been a great explosion of chatter in the last day around Anonymous&#8217; &#8220;Operation Last Resort&#8221; (a.k.a. #OpLastResort).</p>
<p style="text-align: left;"><a href="http://blogs.mcafee.com/cto/anonymous-releases-warhead-via-oplastresort/attachment/header" rel="attachment wp-att-21545"><img class="wp-image-21545 aligncenter" style="margin-top: 2px; margin-bottom: 2px;" alt="header" src="http://blogs.mcafee.com/wp-content/uploads/2013/01/header-300x166.png" width="270" height="149" /></a></p>
<p>The entities behind the various &#8220;official&#8221; communications around this operation have a sense of humor that we must point out (especially because if you don&#8217;t catch it, you will end up wiping your disk).</p>
<p><strong>Background</strong></p>
<p>In typical fashion with these events, some data suggests that the whole thing (or at least the leak) is a hoax. Regardless of what data resides in the leaked files, it is apparent that someone is having fun, via the embedded scripts in the USSC site. (See the Update section, below, for details on the Konami scripts.)</p>
<p>Anonymous has infiltrated specific US government systems in response to the &#8220;killing&#8221; of Aaron Swartz, who committed suicide on January 11. According to various posts and other communication channels, the operation is also tied to Barrett Brown and the law-enforcement actions against him. Ussc.gov (and others) have reportedly been compromised, and various caches of sensitive data have been exfiltrated. The first round is a .rar file (composed of multiple raw downloads). Details on how the compromise or breach took place are not clear or reliable. It is likely (though unconfirmed) that part of the initial intrusion was via SQL injection. Based on phrases in the official videos, RATs or other temporary &#8220;leakware&#8221; may have existed on compromised systems, and have been subsequently removed by the attackers. Reports suggest that the contents of this leak pertain to various U.S. Supreme Court Justices.</p>
<p><a href="http://blogs.mcafee.com/cto/anonymous-releases-warhead-via-oplastresort/attachment/list_files" rel="attachment wp-att-21544"><img class="alignnone size-medium wp-image-21544" alt="list_files" src="http://blogs.mcafee.com/wp-content/uploads/2013/01/list_files-300x165.png" width="300" height="165" /></a></p>
<p>The file set includes an official promo video for the operation, as well as a statement:</p>
<pre>"<em>Still there is nothing quite as educational as a well-conducted demonstration...</em></pre>
<pre><em>Through this websites and various others that will remain unnamed, we have been 
conducting our own infiltration. We did not restrict ourselves like the FBI to one 
high-profile compromise. We are far more ambitious, and far more capable. Over the last 
two weeks we have wound down this operation, removed all traces of leakware from the 
compromised systems, and taken down the injection apparatus used to detect and exploit 
vulnerable machines.</em></pre>
<pre><em>We have enough fissile material for multiple warheads. Today we are launching the 
first of these. Operation Last Resort has begun... Warhead-US-DOJ-LEA-2013.AEE256 
is primed and armed. It has been quietly distributed to numerous mirrors 
over the last few days and is available for download from this website now. 
We encourage all Anonymous to syndicate this file as widely as possible.</em></pre>
<pre><em>The contents are various and we won't ruin the speculation by revealing them. Suffice 
it to say, everyone has secrets, and some things are not meant to be public. At a 
regular interval commencing today, we will choose one media outlet and supply them 
with heavily redacted partial contents of the file. Any media outlets wishing to be 
eligible for this program must include within their reporting a means of secure 
communications.</em></pre>
<pre><em>We have not taken this action lightly, nor without consideration of the possible 
consequences. Should we be forced to reveal the trigger-key to this warhead, we 
understand that there will be collateral damage. We appreciate that many who work 
within the justice system believe in those principles that it has lost, corrupted, 
or abandoned, that they do not bear the full responsibility for the damages caused 
by their occupation.</em></pre>
<pre><em>It is our hope that this warhead need never be detonated."</em></pre>
<p>This release is the referred-to &#8220;warhead&#8221; &#8211; specifically &#8220;Warhead-US-DOJ-LEA-2013.AEE256.&#8221; The &#8220;trigger key&#8221; referred to in the video is the decryption key for the content. Anonymous also indicated that they will, at some interval, release heavily redacted previews of the decrypted content. As of this writing, these have not emerged. We have, however, seen some fake decryption keys making the rounds.</p>
<p>Now, back to the &#8220;humor&#8221; that I alluded to earlier in this post. Some of the releases around this operation contain the following handy instructions:</p>
<p><a href="http://blogs.mcafee.com/cto/anonymous-releases-warhead-via-oplastresort/attachment/cat_rm" rel="attachment wp-att-21547"><img class="alignnone size-full wp-image-21547" style="border: 2px solid black;" alt="cat_rm" src="http://blogs.mcafee.com/wp-content/uploads/2013/01/cat_rm.png" width="946" height="38" /></a></p>
<p><span style="color: #ff0000;"><strong>If you did not catch it, at the end that&#8217;s an &#8220;rm&#8221; with force and recursion starting at the root. :)</strong></span></p>
<p><a href="http://blogs.mcafee.com/cto/anonymous-releases-warhead-via-oplastresort/attachment/rm_man" rel="attachment wp-att-21548"><img class="alignnone  wp-image-21548" style="border: 2px solid black;" alt="rm_man" src="http://blogs.mcafee.com/wp-content/uploads/2013/01/rm_man.png" /></a></p>
<p>What else does this operation entail? It is said that a Twitter-Storm campaign will commence on January 25.</p>
<pre><em>"BEGIN THE MESSAGE OF ATTACK on January 25th at 11:59 PM EST"</em></pre>
<p>Full details on this part of the operation are laid out in some of the group&#8217;s PADs. This will be an interesting operation to pay attention to during the next few days.</p>
<p>What will the next warheads be? When will we start to see decrypted content from any of the warheads circulating? How will various governments react?</p>
<p>Stay tuned.</p>
<p><strong>Update, January 27</strong></p>
<p>The USSC.gov site is still compromised. A special surprise (via embedded JavaScript) awaits those who recall some of the old Nintendo/Konami codes. Through a series of keystrokes, a script will let you fly various objects around the page, view fireworks, and more.</p>
<p><img alt="" src="http://blogs.mcafee.com/wp-content/uploads/2013/01/konami_script_src.png" /></p>
<p><img alt="" src="http://blogs.mcafee.com/wp-content/uploads/2013/01/nintendo_script.png" /></p>
<p>Upon execution, the script provides some on-screen controls, and you can even control the various objects (including Nyan Cat) via the arrow keys.</p>
<p><iframe src="http://www.youtube.com/embed/6fYotjFVsq8" height="360" width="640" allowfullscreen="" frameborder="0"></iframe></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/cto/anonymous-releases-warhead-via-oplastresort/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Decrypt Full Disk Encryption products for $299 – Well, it got cheaper at least</title>
		<link>http://blogs.mcafee.com/cto/decrypt-full-disk-encryption-products-for-299-well-it-got-cheaper-at-least</link>
		<comments>http://blogs.mcafee.com/cto/decrypt-full-disk-encryption-products-for-299-well-it-got-cheaper-at-least#comments</comments>
		<pubDate>Fri, 21 Dec 2012 17:04:32 +0000</pubDate>
		<dc:creator>Simon Hunt</dc:creator>
				<category><![CDATA[CTO]]></category>
		<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[cold boot]]></category>
		<category><![CDATA[elcomsoft]]></category>
		<category><![CDATA[passware]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=20823</guid>
		<description><![CDATA[Many people have contacted my team and me over the last few days about the recent announcement by ElcomSoft that they offer a tool to decrypt BitLocker, PGP and TrueCrypt volumes. This $299 tool is advertised as getting you access to this encrypted data quickly and easily… Now, this may sound exciting, but as they <a href="http://blogs.mcafee.com/cto/decrypt-full-disk-encryption-products-for-299-well-it-got-cheaper-at-least">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>Many people have contacted my team and me over the last few days about the recent announcement by <a href="http://www.elcomsoft.com/" target="_blank">ElcomSoft</a> that they offer a tool to decrypt BitLocker, PGP and TrueCrypt volumes.</p>
<p>This $299 tool is advertised as getting you access to this encrypted data quickly and easily…</p>
<p>Now, this may sound exciting, but as they say, there’s always a catch – you need a memory dump from the machine from <strong><em>when it was authenticated</em></strong> to use this tool – yes, no recovery if you find a cold machine. You have to get access to it while it’s on and the user has logged in; then, after they switch it off, you can recover the data.</p>
<p>Sounds familiar? Well it should, it’s <em><strong>exactly</strong> </em>the same idea Passware.com released to the world back in 2010 – I even <a title="Passware release tool to crack Bitlocker" href="http://blogs.mcafee.com/data-protection/bitlockertruecrypt-decryption-tool" target="_blank">blogged</a> about it then.</p>
<p>The difference is, Passware (currently) charge you just shy of $750 for their <a href="http://www.lostpassword.com/kit-enterprise.htm" target="_blank">Enterprise Passware Kit</a>.</p>
<p>So, exactly the same idea, just cheaper. Wow.</p>
<p>Let’s revisit the attack one more time just so you can be sure to explain to your worried CISO why this is as much of a non-event as it was 32 months ago.</p>
<ol>
<li>The machine needs to be on, and authenticated for the attack to work</li>
<li>If the machine is off, and needs authentication to boot, the attack does not work</li>
</ol>
<p>Point 2 is of course the important one. If you are using encryption software which does not require user authentication, say BitLocker without a password (TPM-only mode, for example), or you implemented something like EEPC with pre-boot authentication disabled, you should already know that you <em>left the encryption key in the front door</em> and your machines are totally insecure.</p>
<p>If you’re using “volume” encryption, the attack only works if you leave the machine unattended with the volume mounted.</p>
<p>Most McAfee customers are using full disk encryption with pre-boot authentication on, so if you just shut your machine down or hibernate it before leaving it unattended, you’ll be fine.</p>
<p>No one can recover keys from memory on a machine which is off&#8230;</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/cto/decrypt-full-disk-encryption-products-for-299-well-it-got-cheaper-at-least/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Is There A Single Silver Bullet For Mobile DLP?</title>
		<link>http://blogs.mcafee.com/network-security/is-there-a-single-silver-bullet-for-mobile-dlp</link>
		<comments>http://blogs.mcafee.com/network-security/is-there-a-single-silver-bullet-for-mobile-dlp#comments</comments>
		<pubDate>Thu, 23 Aug 2012 15:00:47 +0000</pubDate>
		<dc:creator>Cindy Chen</dc:creator>
				<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[consumerization]]></category>
		<category><![CDATA[DLP]]></category>
		<category><![CDATA[mobile security]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=18018</guid>
		<description><![CDATA[The consumerization of IT in the corporate world has created a new playing field for enterprise security teams. The sheer diversity of devices, compounded by closed and hosted operating systems, has resulted in some new and unique challenges specific to corporate mobile environments. Mobile devices are more likely to be lost or stolen, which can <a href="http://blogs.mcafee.com/network-security/is-there-a-single-silver-bullet-for-mobile-dlp">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>The consumerization of IT in the corporate world has created a new playing field for enterprise security teams. The sheer diversity of devices, compounded by closed and hosted operating systems, has resulted in some new and unique challenges specific to corporate mobile environments.</p>
<ul>
<li>Mobile devices are more likely to be lost or stolen, which can leave personal and corporate data exposed.</li>
<li>Mobile users require new workflows that then need to be secured. For example, uploading data to the cloud through services like <a href="https://www.box.com/">Box.com</a>.</li>
<li>In addition to traditional threats, there are multiple attack channels unique to mobile devices, such as SMS and Bluetooth.</li>
<li>The upgrade process for mobile operating systems often involves the original manufacturer and/or a third party vendor.</li>
<li>Mobile applications can have explicit or implicit permissions, which many users do not carefully review before downloading.</li>
</ul>
<p>So, the question remains: Is there a single mobile DLP implementation that can address all of these issues? Of course, in the security industry, the answer is never clear-cut. The truth is that there must be a combination of best practices and process controls from the network all the way down to the application level.</p>
<p>Here are a few recommendations from the McAfee team:</p>
<ol>
<li>Network-based controls via VPN: Force everything through a controlled network web proxy. Some security vendors have this today, but compliance via VPN alone is not enough.</li>
<li>Deploy DLP controls via OS-based and application-based containers.</li>
<li>Deploy deep technology at the firmware level; tag and taint based on data source.</li>
<li>Encrypt local storage.</li>
</ol>
<p>To learn more about McAfee’s mobile DLP solutions, stop by and collaborate with our team at McAfee FOCUS 12 in Las Vegas on October 23<sup>rd</sup>. During our mobile DLP session, we’ll address the data loss challenges of BYOD, managed and unmanaged devices, cloud applications and more.</p>
<p>To find out more and register for FOCUS 12, <a href="http://www.mcafeefocus.com/focus2012">visit our website</a>, and be sure to follow <a href="http://www.twitter.com/#!/focusconference">@focusconference</a> and <a href="http://www.twitter.com/#!/mcafeebusiness">@McAfeeBusiness</a> on Twitter for the latest updates and news from the show.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/network-security/is-there-a-single-silver-bullet-for-mobile-dlp/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Latest Yahoo Data Breach Restates Need for Basic Security</title>
		<link>http://blogs.mcafee.com/consumer-threat-alerts/latest-yahoo-data-breach-restates-need-for-basic-security</link>
		<comments>http://blogs.mcafee.com/consumer-threat-alerts/latest-yahoo-data-breach-restates-need-for-basic-security#comments</comments>
		<pubDate>Thu, 12 Jul 2012 21:11:00 +0000</pubDate>
		<dc:creator>Jim Walter</dc:creator>
				<category><![CDATA[Consumer Threat Alerts]]></category>
		<category><![CDATA[Critical Infrastructure Protection]]></category>
		<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[Database Security]]></category>
		<category><![CDATA[McAfee Labs]]></category>
		<category><![CDATA[Public Sector]]></category>
		<category><![CDATA[Risk Compliance]]></category>
		<category><![CDATA[Security Perspectives]]></category>
		<category><![CDATA[System Endpoint]]></category>
		<category><![CDATA[Database]]></category>
		<category><![CDATA[sql attacks]]></category>
		<category><![CDATA[SQL Injection]]></category>
		<category><![CDATA[Yahoo!]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=17483</guid>
		<description><![CDATA[News broke today of a large data breach against Yahoo Voices, resulting in more than 400,000 username/password combinations being posted in clear text. The compromise involved a basic SQL-injection attack against an exposed Yahoo server (dbb1.ac.bf1.yahoo.com).  Similar to other recent events, the account data was reportedly stored in an unencrypted state. We see this type of attack <a href="http://blogs.mcafee.com/consumer-threat-alerts/latest-yahoo-data-breach-restates-need-for-basic-security">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>News broke today of a large data breach against Yahoo Voices, resulting in more than 400,000 username/password combinations being posted in clear text. The compromise involved a basic SQL-injection attack against an exposed Yahoo server (dbb1.ac.bf1.yahoo.com). Similar to other <a href="http://blogs.mcafee.com/consumer/consumer-threat-alerts/6-5m-linkedin-passwords-reportedly-stolen-what-users-should-do-now" target="_blank">recent events</a>, the account data was reportedly stored in an unencrypted state.</p>
<p>We see this type of attack over and over. Most recently LinkedIn and eHarmony were in the news with similar issues. This Yahoo breach is just the latest in a series of similar attacks that occur in multiples <span style="color: #000000;"><strong>every day</strong>.</span></p>
<p>The attack was launched by the D33DS Co., whose release included this:</p>
<address><em>“We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat. There have been many security </em><em>holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure.&#8221;</em></address>
<p>D33DS is probably correct in that latter sentence. But are their methods and motivation ethical or legal? That’s a different story. Regardless, Yahoo&#8217;s overlooking basic countermeasures against basic attacks (such as SQL injection) cannot be excused.</p>
<p>This is not the first time that Yahoo has been compromised in this way. During the last five years, Yahoo Local Neighbors, Yahoo Kids, Yahoo Classifieds, and others have been successfully targeted.<br />
Ironically, there is a <a href="http://voices.yahoo.com/sql-injection-just-it-3433704.html?cat=2">blog on SQL-injection prevention </a>on Yahoo Voices. It was posted in 2009.</p>
<p>What else is interesting about the latest breach?</p>
<p>More than just @yahoo.com usernames and accounts were exposed. If there was ever a time to heed warnings about password reuse, especially across public and high-traffic social systems, this is it. Yahoo may have been the focus of this attack, but data in the dump could be used to target specific users from AOL, Microsoft, Google, Comcast, SBC Global, and others.</p>
<p>Here is a breakdown of associated domains that appear in the D33DS release:</p>
<div id="attachment_17484" class="wp-caption aligncenter" style="width: 1034px"><a href="http://blogs.mcafee.com/?attachment_id=17484"><img class="size-large wp-image-17484" title="Domain Breakdown" src="http://blogs.mcafee.com/wp-content/uploads/2012/07/chart2-1024x826.png" alt="Yahoo! Breach top 20 domains" width="1024" height="826" /></a><p class="wp-caption-text">Yahoo breach Top 20 domains</p></div>
<p>I&#8217;ll leave you with several McAfee resources for understanding SQL injection:</p>
<ul>
<li>WebSec 101 – SQL Injection. <a href="http://www.mcafee.com/us/resources/audio/transcripts/websec101-sqlinjection-slides.pdf" target="_blank">http://www.mcafee.com/us/resources/audio/transcripts/websec101-sqlinjection-slides.pdf</a></li>
<li>McAfee Security Scanner for Databases. <a href="http://www.mcafee.com/us/products/security-scanner-for-databases.aspx" target="_blank">http://www.mcafee.com/us/products/security-scanner-for-databases.aspx</a></li>
<li>Threat Brief – LizaMoon. <a href="http://www.mcafee.com/us/resources/solution-briefs/sb-lizamoon-sql-injection.pdf" target="_blank">http://www.mcafee.com/us/resources/solution-briefs/sb-lizamoon-sql-injection.pdf</a></li>
<li>White paper on Real-time Database Monitoring, Auditing, and Intrusion Prevention. <a href="http://www.mcafee.com/us/resources/white-papers/wp-real-time-database-monitoring.pdf" target="_blank">http://www.mcafee.com/us/resources/white-papers/wp-real-time-database-monitoring.pdf</a></li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/consumer-threat-alerts/latest-yahoo-data-breach-restates-need-for-basic-security/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Get Your Arms Around Big Security Data</title>
		<link>http://blogs.mcafee.com/enterprise/get-your-arms-around-big-security-data</link>
		<comments>http://blogs.mcafee.com/enterprise/get-your-arms-around-big-security-data#comments</comments>
		<pubDate>Tue, 22 May 2012 18:51:43 +0000</pubDate>
		<dc:creator>Archive</dc:creator>
				<category><![CDATA[Cloud Security]]></category>
		<category><![CDATA[CSO / Risk Management]]></category>
		<category><![CDATA[Data Center]]></category>
		<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[Database Security]]></category>
		<category><![CDATA[Enterprise]]></category>
		<category><![CDATA[Management]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[SIEM]]></category>
		<category><![CDATA[Big Data]]></category>
		<category><![CDATA[big security data]]></category>
		<category><![CDATA[enterprise]]></category>
		<category><![CDATA[enterprise security]]></category>
		<category><![CDATA[epo]]></category>
		<category><![CDATA[ePolicy Orchestrator]]></category>
		<category><![CDATA[ESM]]></category>
		<category><![CDATA[global threat intelligence]]></category>
		<category><![CDATA[GTI]]></category>
		<category><![CDATA[McAfee Risk Advisor]]></category>
		<category><![CDATA[NitroView]]></category>
		<category><![CDATA[security information and event management]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=16269</guid>
		<description><![CDATA[The more data you have, the more insight and knowledge you possess, right? But what happens when your data stores grow so large that securing and managing them effectively is no longer in the cards? A few extra gigabytes here and terabytes there, and before you know it, you&#8217;ve got a big security data problem. <a href="http://blogs.mcafee.com/enterprise/get-your-arms-around-big-security-data">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>The more data you have, the more insight and knowledge you possess, right? But what happens when your data stores grow so large that securing and managing them effectively is no longer in the cards? A few extra gigabytes here and terabytes there, and before you know it, you&#8217;ve got a big security data problem. Every new security control that&#8217;s put in place to protect data adds administrative burden—increasing the security event data that must be monitored, logged, shared between security components, analyzed, and reported on.</p>
<p>Security information and event management (SIEM) systems were invented to help IT security teams within financial services companies, health care providers, defense contractors, and governments address the growing volumes of information security data. An onslaught of well-publicized data breaches followed by public outrage and a surge of regulatory mandates quickly made SIEM must-have technology.</p>
<p><strong>The point product feeding binge</strong></p>
<p>As corporate security officers scrambled to address these issues, virtualization bred even more data and applications that had to be secured and reported on. Companies added new security products—each bringing its own instrumentation and logging requirements. The volume of security data and real-time data streams grew exponentially until SIEM solutions bogged down. Some security teams started turning off SIEM data feeds in an effort to preserve performance. Unfortunately, each disabled data feed created another vulnerability and exposed the enterprise to greater risks.</p>
<p><strong>Time for a big security data fitness plan</strong></p>
<p>So how do you deal with big security data even as your business tightens its belt?</p>
<p>Today you need more relational information about the source, asset, user, and data to provide greater security context and situational awareness. You also need real-time correlation of this information with event flows—including scalable architecture that can keep pace with big security data&#8217;s growth.</p>
<p><strong>Add Muscle, Lose Fat</strong></p>
<p>Legacy SIEM solutions don&#8217;t have the power to handle big security data. Today, you need a SIEM that includes high-performance architecture to handle reams of security data and easily scales to handle future growth. In other words, you need <a href="http://www.mcafee.com/us/products/enterprise-security-manager.aspx">McAfee Enterprise Security Manager</a> (formerly NitroView). This SIEM powerhouse is specifically built for big security data with a powerful database, appliance options, and the processing power to quickly correlate billions of events and flows.</p>
<p><strong>Boost Your SIEM IQ</strong></p>
<p>The next generation of SIEMs must go beyond simple event analysis to share security intelligence among security components and quickly deliver actionable information. McAfee Enterprise Security Manager achieves this by immediately collecting and analyzing contextual information on events, users, and data, creating and sharing situational awareness among solution components.</p>
<ul>
<li><a href="http://www.mcafee.com/us/mcafee-labs/technology/global-threat-intelligence-technology.aspx">McAfee Global Threat Intelligence</a> further strengthens dynamic threat visibility, providing around-the-clock reputation-based threat intelligence and sharing this insight through integration among solution components.</li>
<li><a href="http://www.mcafee.com/us/products/risk-advisor.aspx">McAfee Risk Advisor</a> uses this shared information to help you quickly pinpoint attacks and implement countermeasures.</li>
</ul>
<p><strong>Achieve Balance and Agility</strong></p>
<p>Big security data requires security tool integration and enterprise-wide visibility. Two-way integration with <a href="http://www.mcafee.com/us/products/epolicy-orchestrator.aspx">McAfee ePolicy Orchestrator</a> (ePO) software extends visibility and control across your entire security and compliance environment.</p>
<p>Just like any fitness plan, SIEM requires effort and dedication. It gets easier over time and results become an excellent motivator.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/enterprise/get-your-arms-around-big-security-data/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Big Picture: Taking a Holistic Approach to Email Security</title>
		<link>http://blogs.mcafee.com/enterprise/the-big-picture-taking-a-holistic-approach-to-email-security</link>
		<comments>http://blogs.mcafee.com/enterprise/the-big-picture-taking-a-holistic-approach-to-email-security#comments</comments>
		<pubDate>Tue, 22 May 2012 16:22:01 +0000</pubDate>
		<dc:creator>Tim Roddy</dc:creator>
				<category><![CDATA[Cloud Security]]></category>
		<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[Enterprise]]></category>
		<category><![CDATA[Data Loss Prevention]]></category>
		<category><![CDATA[Data Protection Act]]></category>
		<category><![CDATA[DLP]]></category>
		<category><![CDATA[Email & Web Security]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=16249</guid>
		<description><![CDATA[Email is the most common form of communication in business today. Every IT manager and CIO knows they need to block spam and viruses from entering their network via email – a real no-brainer these days. We even have world-class products and services to remove unwanted email at a truly impressive catch rate of well <a href="http://blogs.mcafee.com/enterprise/the-big-picture-taking-a-holistic-approach-to-email-security">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>Email is the most common form of communication in business today. Every IT manager and CIO knows they need to block spam and viruses from entering their network via email – a real no-brainer these days. We even have world-class products and services to remove unwanted email at a truly impressive catch rate of well over 99%. What really keeps those responsible for email security up at night, however, spans far beyond spam.</p>
<p>The amount of data transferred via email is staggering. Many are surprised to hear that email traffic even outpaces web traffic in overall bandwidth consumption. What matters more than bandwidth consumption, however, is the type of data sent around. Now that the business world has moved drastically away from paper, the confidential documents you once kept in a physical file cabinet are now living in an easily transferable format on employee laptops. Without proper training, these files can be sent externally without any awareness of a policy violation. A simple typo in the recipient field can take your financial report from the office of the CEO to the office of your ex-coworker who now works for a competitor.</p>
<p>Protecting sensitive information from leaking to the public is essential to not only your business’s competitive edge, but also its financial health. In the UK, for example, the Information Commissioner’s Office has been issuing monetary penalties to companies that violate the <a href="http://www.mcafee.com/us/regulations/index.aspx">Data Protection Act</a>, including cases where sensitive personal data was mistakenly leaked. Similar laws across the globe are being implemented, and for good reason. There is simply too much data in every employee’s possession not to enforce protection. By taking proactive steps to set Data Loss Prevention policies within your <a href="http://www.mcafee.com/us/products/email-protection.aspx">Email Security</a>, you can stay in legal compliance and not worry about accidental leakage of sensitive information from your organization via email.</p>
<p>Those in industries such as healthcare or legal services know that the information they transfer is almost always sensitive, and needs extra layers of protection. The ability to <a href="http://www.mcafee.com/us/products/saas-email-encryption.aspx">encrypt email</a> throughout its entire path, from anywhere, whether you remember to or not, can be a lawsuit prevention tool in itself. In the event that any correspondence needs to be pulled for an unexpected eDiscovery request or audit, having your <a href="http://www.mcafee.com/us/products/saas-email-archiving.aspx">email archived in the cloud</a> can save your business money and the headache of searching through physical storage for historical messages.</p>
<p>What if your email service simply fails? Cloud-based email security solutions can offer you lossless <a href="http://www.mcafee.com/us/products/saas-email-protection-and-continuity.aspx">email continuity</a> in the event of an outage so you absolutely <em>never</em> lose your ability to check and send email. No business can afford to have its main communication channel compromised. Take a step back and consider your <a href="http://www.mcafee.com/us/products/email-protection.aspx">comprehensive email security</a> needs with not just the IT department, but your entire organization’s stability in mind.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/enterprise/the-big-picture-taking-a-holistic-approach-to-email-security/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>API Security: What You Need to Know</title>
		<link>http://blogs.mcafee.com/enterprise/api-security-what-you-need-to-know</link>
		<comments>http://blogs.mcafee.com/enterprise/api-security-what-you-need-to-know#comments</comments>
		<pubDate>Wed, 09 May 2012 17:02:01 +0000</pubDate>
		<dc:creator>Tim Roddy</dc:creator>
				<category><![CDATA[Cloud Security]]></category>
		<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[Enterprise]]></category>
		<category><![CDATA[APIs]]></category>
		<category><![CDATA[DLP]]></category>
		<category><![CDATA[intel]]></category>
		<category><![CDATA[Mcafee DLP]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=16042</guid>
		<description><![CDATA[Ever wonder how some of your favorite apps work together seamlessly, integrating key data points across platforms? How about the financial information you just pulled from a cloud-based CRM through your company’s ERP portal? The answer is the near invisible Application Programming Interface, or API. These pieces of finely tuned code silently make the digital <a href="http://blogs.mcafee.com/enterprise/api-security-what-you-need-to-know">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>Ever wonder how some of your favorite apps work together seamlessly, integrating key data points across platforms? How about the financial information you just pulled from a cloud-based CRM through your company’s ERP portal? The answer is the near invisible Application Programming Interface, or API. These pieces of finely tuned code silently make the digital world seamlessly intertwine, but not without risk.</p>
<p>APIs share data, and that data is not always public. Some APIs, such as those from Amazon, receive billions of “calls” every day, creating a massive lane of internet data flow. Some of the data you pull, such as the financial data I mentioned, is meant for your eyes only. This means that throughout the entire path of that traffic, you need security. Not only do you need to secure the traffic, often with <a href="http://www.mcafee.com/us/products/data-protection/index.aspx">data protection</a> policies, but you also want to make sure only <em>authorized</em> users are the ones calling for sensitive data.</p>
<p>The number of enterprise API calls is increasing with the development and adoption of more IT services in the cloud. As you make the move towards cloud IT, how will you ensure your data is secure from the start?</p>
<p>Join us on May 10<sup>th</sup> for a <a href="http://software.intel.com/en-us/articles/APISecurity_Promo2/">webinar</a> presented by McAfee, Intel, and tech analyst &amp; CTO Dan Woods covering an advanced perspective on what you should do to ensure <a href="http://www.mcafee.com/us/products/services-gateway.aspx">API Security</a>, specifically as related to Authentication, Data Protection, and Validation.</p>
<p>Click here to register for the webinar: <a href="http://mcaf.ee/49tin">http://mcaf.ee/49tin</a></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/enterprise/api-security-what-you-need-to-know/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Protecting the Data You Don&#8217;t Know About</title>
		<link>http://blogs.mcafee.com/uncategorized/protecting-the-data-you-dont-know-about</link>
		<comments>http://blogs.mcafee.com/uncategorized/protecting-the-data-you-dont-know-about#comments</comments>
		<pubDate>Thu, 01 Mar 2012 21:52:12 +0000</pubDate>
		<dc:creator>Cindy Chen</dc:creator>
				<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[Enterprise]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[DLP]]></category>
		<category><![CDATA[McAfee Data Loss Prevention]]></category>
		<category><![CDATA[Mcafee DLP]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=14223</guid>
		<description><![CDATA[Many customers have come to me and said &#8220;I understand the importance of data loss prevention (DLP) for my organization; but where do I start?&#8221; Not only does data in enterprises double every 18 months, organizations don&#8217;t always know where all their data resides, who uses it and how it is being used. With most <a href="http://blogs.mcafee.com/uncategorized/protecting-the-data-you-dont-know-about">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>Many customers have come to me and said &#8220;I understand the importance of data loss prevention (DLP) for my organization; but where do I start?&#8221; Not only does data in enterprises <a href="http://www.mcafee.com/us/resources/reports/rp-esg-data-centric-dlp.pdf">double every 18 months</a>, organizations don&#8217;t always know where all their data resides, who uses it and how it is being used. With most approaches to DLP this would be challenging.</p>
<p>With traditional approaches to DLP, you’d start with a set of initial policies. The policies are then deployed in a production environment and then you wait… and wait. Most of the time, the policies are not optimized, so you’ll end up with too many potential security violations (false positives) or too few (false negatives). So, you will need to go back and tweak the policies and then wait again. In speaking with people implementing traditional DLP, I’ve learned that this process can take months! During that time, your organization continues to face the risk of data loss and has to invest precious resources in order to create an optimized policy.</p>
<p>Another problem with this traditional approach is that data that doesn’t match an existing policy is let go. It’s water under the bridge, and goes straight out the firewall into the wild. You’ll have no visibility into what has left the organization, and that has an impact on future policy development.</p>
<p>McAfee took a different approach to data loss prevention. In addition to the set of policies that we use to evaluate and log violations, we also log all outgoing data. We do this using unique Capture technology that is available with <a href="http://www.mcafee.com/us/products/total-protection-for-data-loss-prevention.aspx">McAfee Data Loss Prevention</a>. We hash the data, index it, and perform analytics on it.</p>
<p>So you may ask &#8220;how are you using the data you have captured?&#8221;  We use it to help in many ways.</p>
<p><strong>1. Test policies <em>before </em>they go live</strong></p>
<p>Use the real data you have captured over the last few months and run your new DLP policies against it.  That lets you stop guessing and build effective policies with confidence, without waiting weeks to verify their efficacy.</p>
<p><strong>2. Perform quick, complete investigations</strong></p>
<p>This is best explained with an example.   Say an employee leaves your company and, unbeknownst to you, takes sensitive corporate information to his next employer. A month later, you notice the competitor making announcements about a technology that sounds like yours.  Before this employee left you had no reason to watch what he was doing, so no specific policy was in place.  But with McAfee’s Capture technology you can go back in time, almost like a digital video recorder, reconstruct what that employee sent before he left, and determine whether he in fact took information that wasn’t rightfully his.</p>
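<p>As an added, illustrative example (not McAfee’s code, and not the product’s capture format), the following Python sketch backtests two versions of a policy against a small constructed capture archive, as in point 1, and pulls one sender’s history back out of the same archive, as in point 2. The event layout, the SHA-256 digest per payload, the analyst ground-truth label, the hypothetical sender addresses and the two policy rules are all assumptions made for this example.</p>

```python
"""Backtest DLP policies against a captured-traffic archive (added example)."""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CapturedEvent:
    """One outbound message as a capture store might index it (assumed layout)."""
    ts: str          # capture timestamp
    sender: str      # hypothetical sender address
    channel: str     # egress channel the event was seen on
    body: str        # captured payload
    sensitive: bool  # analyst ground truth, set during review (constructed)

    @property
    def digest(self) -> str:
        # A capture store keeps a hash of every payload so it can be indexed and matched later.
        return hashlib.sha256(self.body.encode("utf-8")).hexdigest()


# Constructed archive standing in for months of real captured traffic.
ARCHIVE = [
    CapturedEvent("2013-02-03", "alice@corp.example", "smtp", "Invoice 0415 attached, total 1,250.00", False),
    CapturedEvent("2013-02-10", "bob@corp.example", "https", "card 4111 1111 1111 1111 exp 09/25", True),
    CapturedEvent("2013-02-11", "carol@corp.example", "smtp", "tracking id 1234 5678 9012 3456 shipped", False),
    CapturedEvent("2013-02-14", "dave@corp.example", "smtp", "SSN 078-05-1120 for onboarding", True),
    CapturedEvent("2013-02-20", "erin@corp.example", "https", "meeting moved to 10-15-2013 room 4", False),
    CapturedEvent("2013-03-01", "frank@corp.example", "ftp", "payroll export card 5500 0000 0000 0004", True),
    CapturedEvent("2013-03-04", "gary@corp.example", "https", "uploading project-atlas-design.zip to personal drive", True),
]

PAN_PATTERN = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")   # 13-16 digits, optional separators
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for a well-formed card number, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def policy_v1(event: CapturedEvent) -> bool:
    """First draft: any 13-16 digit run or SSN-shaped number is a violation."""
    return bool(PAN_PATTERN.search(event.body) or SSN_PATTERN.search(event.body))


def policy_v2(event: CapturedEvent) -> bool:
    """Tuned draft: a digit run must also pass Luhn, which drops order and tracking ids."""
    for m in PAN_PATTERN.finditer(event.body):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            return True
    return bool(SSN_PATTERN.search(event.body))


def backtest(policy, archive):
    """Replay the archive through a policy and score it against the analyst labels."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    flagged = []
    for ev in archive:
        hit = policy(ev)
        if hit:
            flagged.append(ev.digest)
        key = ("tp" if ev.sensitive else "fp") if hit else ("fn" if ev.sensitive else "tn")
        counts[key] += 1
    counts["flagged"] = flagged
    return counts


def history_for(archive, sender):
    """Point 2: everything one sender transmitted, in time order, whether or not any policy matched it."""
    return sorted((ev for ev in archive if ev.sender == sender), key=lambda ev: ev.ts)


if __name__ == "__main__":
    for name, policy in (("v1", policy_v1), ("v2", policy_v2)):
        r = backtest(policy, ARCHIVE)
        print(name, {k: r[k] for k in ("tp", "fp", "fn", "tn")})
    for ev in history_for(ARCHIVE, "gary@corp.example"):
        print(ev.ts, ev.channel, ev.digest[:12], ev.body)
```

<p>Run against the constructed archive, the first draft flags the shipping tracking id as a false positive and the Luhn-checked draft does not, which is the kind of tuning you can finish in minutes with captured data instead of weeks in production. Both drafts miss the design archive in the last event, because no pattern policy can see it; that is the case point 2 covers, where you search the capture history by sender after the fact rather than rely on a policy that was never written.</p>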
<p><strong>3.  Stay ahead of your data risks</strong></p>
<p>The captured data shows you the patterns of real-world data use in your organization. It gives you the visibility to examine the events that lead up to a breach and identify broken business processes. As you come to understand how your organization uses data, you will be better able to predict risks and be proactive in avoiding them, which greatly increases the efficiency and effectiveness of your data protection.</p>
<p>You cannot protect what you don&#8217;t know about.  McAfee Capture technology, available in <a href="http://www.mcafee.com/us/products/total-protection-for-data-loss-prevention.aspx">McAfee Data Loss Prevention</a>, gives you a faster, more efficient and more cost-effective way to put your own data to work in your DLP solution. </p>
<p>These blogs aren’t the only way to stay current on DLP.  Follow us on Twitter (<a href="https://twitter.com/#!/McAfeeDLP">@McAfeeDLP</a>) and subscribe to the <a href="https://www.youtube.com/user/McAfeeDLP">McAfeeDLP</a> YouTube channel.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/uncategorized/protecting-the-data-you-dont-know-about/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
