> just how did whatever Data Loss Prevention (DLP) solution that Sony uses miss terabytes of data flying out of their network? How did their sophisticated on-premise perimeter security appliances miss such huge anomalies in network traffic, machine usage or host relationships? How did they miss Sony’s own edge being hijacked and used as public bittorrent servers aiding the exfiltration of their data?
In my experience, nobody takes DLP seriously, except maybe [some] government. It's more of a "At least we know about this issue; nobody feels like dealing with it, so just flag it and continue as normal." In fact, almost all DLP and similar systems I've seen were intended to only record violations so they have evidence to litigate with later.
> It’s clear from the leaked data that Sony has a culture which doesn’t take security very seriously. From plaintext password files, to using “password” as the password in business critical certificates, through to just the sheer volume of aging unclassified yet highly sensitive data left out in the open. This isn’t a simple slip-up or a “weak link in the chain” – this is a serious organization-wide failure to implement anything like a reasonable security architecture.
This is all large organizations. All of them. As one previous manager so eloquently put it: "There are too many security violations for us to fix; all we can do is prioritize and go after the biggest fish." The only places that take security seriously are places that hire BOFH-quality security nazi managers.
> Who do I think is behind this? My money is on a disgruntled (possibly ex) employee of Sony.
I wanted to comment on these exact same things, e.g. "nobody takes DLP seriously" and "this is a serious organization-wide failure". You have done a nice job highlighting them. Unfortunately your comments are buried in the middle of a very long discussion.
In general, in the numerous discussions I've read so far, people are much more focused on this breach itself, not on the root causes nor how to prevent these types of breaches in the future.
> Who do I think is behind this? My money is on a disgruntled (possibly ex) employee of Sony.
Or a contractor (e.g. Snowden)