Dave Lewis

Egress Filtering: Who Let The Data Out?

Blog Post created by Dave Lewis Employee on Jul 2, 2015

A cheese ball headline if I ever I wrote one. My apologies. But, there is a salient question here. We all take the time to review the logs to see what is attacking out networks (right?). We take the time to ensure that our perimeter is safe and secure. We practice our incident response plans to make sure we know who has to do which job, when and who to contact. You get the idea.


But, I digress. The problem that I’ve seen too often is a rather simple one. Who is watching what is leaving the network? I had an opportunity to speak to a large number of SMB CIOs over the last couple weeks. Now, being home after three weeks on the road I’m struck by something. The number of times that people were surprised when I asked them if they were watching what was leaving their network was an uncomfortably high number.


In one company that I worked with several years ago the CEO sent an email to the entire company. In this he outlined some rather serious financial information that could affect the stock price were it to get out. And get out it did. Unfortunately the security team didn’t have any advance notice that this email was going to be sent out. When it was sent out it was before the markets had closed. In less than 5 minutes that very email had been forwarded 47 times to various other destinations.


Predictably the markets took notice and it was ugly. This was serious to be sure. But, this was a preventable item that could have had a better way to share the information from medium to timing. I have seen even more insidious instances where data was leaving a network and went unnoticed…for years.


Another company that I worked with had a slightly different problem. They had a flat network which, while ugly, wasn’t the main issue. This network had points of presence around the globe. So, there was no wonder that there were interactions to IP addresses everywhere. Naturally, there came a time when we realized there was a need to go through and review all of the these connections to remote office and third party providers.


Then there it was staring back at us. A database system with critical intellectual property had a weekly backup schedule. Nothing seemed out of place at first. Upon further review we came to the cold reality that this back up had been sending the backups to an IP address that we didn’t control in a country that, well, wasn’t exactly where we wanted our data to be.


The most difficult aspect of this problem was that this was in place for years. Since no one was historically checking the data leaving the enterprise this went unnoticed.


If you are not already checking the information leaving your enterprise, you really should get in front of that as soon as possible. Time to peel back the layers and see what is underneath.


Originally posted on Forbes, April 2015