The idea that you can keep people out of your network is a great one, but in reality it goes in the same category as any fantasy. Any determined threat actor will find a way to get into your system, either through a newly discovered 0-day or by compromising a user system. There is simply no way to prevent every potential entry point. You can try to limit their lateral movement in your network, but in time they are going to get to a place where your data is kept. When that happens you need something to prevent the removal of your stuff.
We met up with the guys from enSilo to see what they had to offer for this problem. According to enSilo, their system is one that is designed specifically to prevent the removal of data by an outside source. To do this they check connections to and from systems inside a network. They look at the metadata for these connections along with a forensic-style analysis of all communication in a network to determine what is good and what is not. Sounds pretty simple and straightforward, but I dug a little deeper.
One of the first things I wanted to know was how enSilo actually develops the initial traffic for comparison. I was told that enSilo uses something like a whitelist to tell good traffic from bad, and that initially the product only listens, to help establish a baseline of what traffic is actually moving around. This way the system can listen to everything and give you a good view into your network. It also prevents the possibility of killing real network connections right after you turn things on.
Now while this is great, it is also something that you can replicate with multiple existing tools on the market. It did not give me all of the answers that I wanted. When I asked this particular question, the gang from enSilo responded that while the foundation of the product might be monitoring the network, that is not all that it does. Using listening agents on systems throughout the network they are able to keep track of things. These agents will also react to specific policies that you can set up to automatically respond to and alert on suspicious traffic. There are also some built-in policies to make sure that you are protected from malware that tries to ransom or exfiltrate your data. enSilo maintains a malware zoo so they can determine how the different types of malware operate and also to ensure that they are only alerting on what you need to know (alerts are based on families and classes of malware instead of specific infection attempts). enSilo can even protect against ransomware, as there are policies that prevent the encryption of the file (which is very cool).
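To make the listen-first, enforce-later approach described in the last two paragraphs concrete, here is an added example in Python. It is not enSilo's code and makes no claim about how their agents work internally; it just shows the shape of a connection whitelist built from a learning phase and a small policy layer applied afterwards. The internal address ranges, the (source, destination, port) key, the 10x volume threshold, and all of the flow records are constructed assumptions for the example.

```python
"""Added example: a minimal 'learn, then enforce' connection baseline.

Not enSilo's code. Built here to illustrate the two-phase approach the post
describes: listen first to build a whitelist of observed connections, then
apply policies to anything that deviates. Hosts, ports and byte counts are
constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed internal address space (hypothetical for this example).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src: str        # source host IP
    dst: str        # destination host IP
    dport: int      # destination port
    bytes_out: int  # bytes sent from src to dst


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


class ConnectionBaseline:
    """Phase 1 (learning) records what was seen; phase 2 (enforce) scores new flows."""

    def __init__(self, learning_flows):
        self.allowed = set()                      # (src, dst, dport) tuples seen during learning
        self.max_external_out = defaultdict(int)  # largest outbound transfer per source host
        for f in learning_flows:
            self.allowed.add((f.src, f.dst, f.dport))
            if not is_internal(f.dst):
                self.max_external_out[f.src] = max(self.max_external_out[f.src], f.bytes_out)

    def evaluate(self, flow: Flow, volume_factor: int = 10) -> list:
        """Return the policy findings for a flow (an empty list means it matches the baseline)."""
        findings = []
        if (flow.src, flow.dst, flow.dport) not in self.allowed:
            findings.append("new-connection")
            if not is_internal(flow.dst):
                findings.append("new-external-destination")
        if not is_internal(flow.dst):
            # Compare against the largest outbound transfer this host made while learning.
            # A host that never talked externally gets a floor of 1 byte, so any transfer trips it.
            ceiling = volume_factor * max(self.max_external_out.get(flow.src, 0), 1)
            if flow.bytes_out > ceiling:
                findings.append("outbound-volume-anomaly")
        return findings


def decide(findings: list) -> str:
    """Map findings to an action: block anything that looks like data leaving, alert on the rest."""
    if "new-external-destination" in findings or "outbound-volume-anomaly" in findings:
        return "block"
    if findings:
        return "alert"
    return "allow"


# Constructed learning-phase traffic: a workstation, a file server and a database.
LEARNING_FLOWS = [
    Flow("10.0.1.5", "10.0.2.10", 445, 2_000),       # workstation -> file server (SMB)
    Flow("10.0.1.5", "198.51.100.7", 443, 50_000),   # workstation -> known SaaS site (HTTPS)
    Flow("10.0.2.10", "10.0.2.30", 5432, 8_000),     # file server -> database
]

# Constructed enforcement-phase traffic to score against the baseline.
CANDIDATE_FLOWS = [
    Flow("10.0.1.5", "10.0.2.10", 445, 2_000),        # seen before: allow
    Flow("10.0.1.5", "10.0.2.30", 5432, 500),         # workstation straight to the DB: alert
    Flow("10.0.1.5", "198.51.100.7", 443, 40_000),    # known site, normal volume: allow
    Flow("10.0.1.5", "203.0.113.9", 443, 900_000),    # unknown external host, large upload: block
]


def build_baseline() -> ConnectionBaseline:
    return ConnectionBaseline(LEARNING_FLOWS)


def run_demo() -> list:
    """Score every candidate flow and return the resulting actions in order."""
    baseline = build_baseline()
    return [decide(baseline.evaluate(f)) for f in CANDIDATE_FLOWS]


if __name__ == "__main__":
    baseline = build_baseline()
    for f in CANDIDATE_FLOWS:
        findings = baseline.evaluate(f)
        print(f"{f.src} -> {f.dst}:{f.dport} {f.bytes_out:>8} bytes  {decide(findings):5}  {findings}")
```

Two things worth noticing when you run it. First, the learning phase is only as good as the traffic it saw: the workstation's SaaS connection is allowed because it appeared during learning, which is exactly why the post stresses listening before enforcing. Second, a trusted host sending a normal-looking volume to a destination it already uses produces no findings at all, which is the same gap the post raises later about insiders on trusted systems; a baseline of this kind is a control against outside exfiltration, not a replacement for insider-threat measures.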
There was one other thing that made enSilo a little different from many of the other options out there. Through their policies and technology they are able to stop data from being removed even while there may still be an active infection or breach. This gives security teams time to react to the threat and fix it the right way instead of having a knee-jerk response that could allow for some data to be stolen or persistence objects to be missed.
There is a slight downside to enSilo at the moment. While enSilo appears to be a solid product to keep your data from being taken by an outside threat, there is nothing to prevent an insider from taking something from a trusted system. When we posed this question we were told that it is something they are aware of. This puts enSilo into a complementary role with other software and hardware to keep everything safe (or as safe as possible). This last item is not really a deal breaker, as what enSilo does is still pretty impressive, but you will need to make sure you take steps to protect against insider theft while enSilo has your back from outside threats.
Overall I am happy that I am hearing more and more ideas to really deal with security instead of the same old line we have been given by the big guys out there. We have to see a fundamental shift in the way we handle things, and this year at Black Hat I am starting to see this with companies like enSilo.