
Data Loss Prevention Overview




  1. Data Loss Prevention Overview. Jeff Silver, CISSP, Delaware DLP Technical Specialist

  2. AGENDA: I. Introduction II. "WHY" Data Loss Prevention III. DLP Architecture and Fundamentals IV. Examples of DLP Violations V. Questions and Discussion

  3. What Makes A Business Consider DLP?
     • Many customers worry about data extraction and leakage:
       • Reputation Damage/Strategic Loss
       • Compliance Fines
       • Litigation and financial loss

  4. What Makes A Business Worry about DLP?
     • The Legal Department informs the Network Security Team that a DLP deployment might violate International Privacy Laws in Europe.
     • The Human Resources Department does not feel comfortable installing DLP Agents onto employee PCs, as active monitoring of every user action is generally frowned upon.

  5. Legal Considerations for DLP
     • A PC 'banner' message that comes up for every login session. This message must contain the proper legal verbiage to clearly remove the employee's 'right' to any privacy on company-owned equipment.
     • An employee action to click on this message, stating they have read and understand this corporate policy.
     • Employees must sign an employee handbook. For certain industries, annual confirmation is required [i.e. Healthcare]. This handbook should clearly lay out, in solid legal terms, that the company has the right to monitor all user actions while they are using or accessing corporate resources.
     • On-line mandatory training regarding protection of corporate intellectual property and other sensitive data [in relation to regulations the company must adhere to] is an added value.
     • Clearly written 'Standard Operating Procedures' on corporate policy that lay out not just what the company can and will do regarding the employee, but what the interaction is with Law Enforcement, if intervention is needed.

  6. Legal Considerations for DLP--- BYOD
     • Should the employer issue mobile devices, or let employees use their own for corporate use?
     • Compartmenting work spaces with 'Containers'.
     • Corporate applications that can be accessed from personal devices, for example Outlook Web Application. How do you monitor this vector of data loss, which can happen right from the employee's living room?
     • Has the organization formalized a clear plan of action for what to do if sensitive data has been moved onto an active employee's personal device?
     • Has the organization factored in State and Federal Privacy Laws that apply to its business and employees?
     • If the organization is International in nature, is the network infrastructure segmented so that security tools can be implemented in a way that does not violate stricter overseas privacy laws [for example, Germany and France]? Defense in depth is needed to cover this vector.

  7. Compliance and Regulations: PCI DSS, HIPAA, GLBA, SOX, FISMA, FACTA, FFIEC, NERC, NIST 800, HSPD 12, CSB 1386, Data Security Act, IRS 97-22, NISPOM, BASEL II, J-SOX, EU Data Privacy, EU CDR, UK RIPA, COCOM, ACSI 33, Country Privacy Laws, State Privacy Laws, Partner Rules, Internal Policy

  8. The 'community' of attackers
     • Criminals: organized crime; unaware/petty criminals. Ranges from unsophisticated actors going after targets of opportunity to organized, sophisticated supply chains (PII, financial services, retail).
     • Anti-establishment vigilantes: non-state actors, "Hacktivists" (PII, Government, critical infrastructure).
     • CyberTerrorists.
     • Nation state actors: PII, government, defense industrial base, IP-rich organizations.

  9. DLP ARCHITECTURE

  10. Data Loss Prevention Components
     • DLP Enterprise Manager: Unified Policy Mgmt & Enforcement, Incident Workflow, User & System Administration, Dashboard & Reporting
     • DLP Datacenter: Discover file shares, SharePoint sites, Databases, SAN/NAS. Remediate: Quarantine, Move to secure location, Delete, or Shred
     • DLP Network: Monitor Email, webmail, IM/Chat, FTP, HTTP/S, Telnet, etc. Enforce: Allow, Notify, Block, Encrypt
     • DLP Endpoint: Monitor Hard Drives, USB, External Devices, Print Actions, burn to CD/DVD, etc. Enforce: Allow, Justify, Block on Copy, Save As, Print, USB, Burn, etc.
     • Integrations: Electronic Data Rights Management, Encryption, Access Controls

  11. DLP Management
     • Single policy and administration interface for all DLP components: Network, Datacenter, Endpoint
     • Consolidated workflow and remediation
     • Custom incident search engine
     • Active Directory integration [key for reports]
     • Role-based permissions and report access

  12. Reducing Your Sources of Risk: Data at Rest. Discover, Analyze, Remediate, then rescan sources to measure and manage risk.
     • File shares, Servers, Laptops: Windows file shares, Unix file shares, NAS / SAN storage, Windows 2003, 2008, Windows XP, 7
     • 300+ True File types: Microsoft Office Files, PDFs, PST files, Zip files
     • Databases & Repositories: SharePoint, Microsoft Access, Oracle, SQL, Content Mgmt systems
     • Remediation: Delete, Move, Quarantine, Notifications

  13. Automatic Load Balancing: Grid Worker Automation Drives Performance. Grid Workers work together, intelligently balancing the scan load. They can be modified on the fly as well. Grid Workers can be dedicated servers, or even existing servers and PCs in the environment. The grid worker service can be made permanent or temporary, based on the needs of the business.

  14. DLP Datacenter and Endpoint: Agent Details
     • Agent Software Uses:
       • Site Coordinator Software
       • Scanning Agent: Permanent, or Temporary (Dissolvable)
       • Grid Worker Agent
       • Endpoint Enforcement Agent (policy-enabled)
     • Agent Software Deployment Options:
       • Manual installation
       • RSA DLP Enterprise Manager push installation
       • SMS or other configuration management tool

  15. 8 Best Practices for Enterprise Data Protection. [Diagram: Discover and Classify, Enforce, Report and Audit cycle around Sensitive Information; inputs: Business Initiatives, Policy, IT Systems, Security Incidents; sources: Endpoint, Network, Applications, FS/DB Storage]
     • Know where your sensitive data resides
     • What level of sensitivity is it
     • How many copies exist
     • Who has access to it
     • Is it dormant
     • Set appropriate controls based on policy, risk and location of data
     • Manage centrally
     • Audit consistently

  16. REAL WORLD ‘DATA CENTER’ INCIDENTS

  17. Tightening Up Loose Ends

  18. Tightening Up Loose Ends [Part 2]

  19. Tightening Up Loose Ends [Part 3]

  20. PST Files and User Backup Data Issues

  21. Executive Level Sensitive Information

  22. Executive Level Sensitive Information

  23. REAL WORLD ‘NETWORK’ INCIDENTS

  24. Protecting Data In The Network: Data in Motion. Monitor, Analyze, Enforce.
     • Email: SMTP email; Exchange, Lotus, etc.; Webmail; Text and attachments
     • Instant Messages: Yahoo IM, MSN Messenger, AOL Messenger, Google Talk/Chat
     • Web Traffic: FTP, HTTP, HTTPS, TCP/IP
     • Remediation: Audit, Block, Encrypt, Log

  25. Sending Work Home---In the ‘Wild’ This employee sent work home, and it contained a lot of SSNs.

  26. Medical Information to Russia [with love]

  27. Protecting Data In The Endpoint: Data in Use. Monitor, Analyze, Enforce.
     • Print: Local printers, Network printers
     • USB: External hard drives, Memory sticks, iPods, portable discs
     • Copy and Save As: Copy to Network shares, Copy to external drives, Save As to external drives
     • Actions & Controls: Justify, Notify, Block, Audit & Log

  28. UNDER THE ‘DLP’ HOOD

  29. DLP Classification Methodology: Content Analysis, comprising Described Content Analysis and Fingerprinted Analysis

  30. DLP Classification Methodology
     • Built-in Expert Policy Templates
     • Policies 'out of the box'
     • National & International Regulations
     • Includes PCI, PII, HIPAA, GLBA, etc.
     • Industry specific templates

  31. DLP Classification Methodology
     • Described Content Analysis
     • Keywords, Phrases, RegEx, Dictionaries
     • Special patterns - Entities
     • Proximity analysis
     • Positive and negative rules
     • Weighting
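Added illustration (not code from the presentation or from any DLP product) of how the described-content elements on this slide combine: a RegEx entity for US SSNs with a structural validity check, proximity keywords as positive rules, a negative rule for labelled sample data, and weighting that yields a risk factor. The keyword lists, window size and weights are assumptions chosen for the demo.

```python
import re

# Constructed example of described content analysis; term lists and weights are
# illustrative assumptions, not a vendor policy template.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
POSITIVE_TERMS = ("ssn", "social security", "employee", "payroll")
NEGATIVE_TERMS = ("sample", "test data", "example")
WINDOW = 60  # characters of context examined on each side of a hit


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """Entity check: reject structurally impossible SSNs to cut false positives."""
    a = int(area)
    # Area 000, 666 and 900-999 are never issued; group 00 and serial 0000 are invalid.
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def score_text(text: str) -> int:
    """Return a weighted risk score for one document or transmission."""
    score = 0
    for m in SSN_RE.finditer(text):
        if not valid_ssn(*m.groups()):
            continue
        # Proximity analysis: look only at the text around this entity.
        context = text[max(0, m.start() - WINDOW): m.end() + WINDOW].lower()
        weight = 10  # a valid SSN-shaped entity on its own
        if any(t in context for t in POSITIVE_TERMS):
            weight += 5  # positive rule: supporting keyword nearby raises confidence
        if any(t in context for t in NEGATIVE_TERMS):
            weight -= 15  # negative rule: labelled sample/test data is discounted
        score += max(weight, 0)
    return score


def risk_factor(score: int) -> str:
    """Map the weighted score to the risk band a policy would act on."""
    if score >= 30:
        return "high"
    if score > 0:
        return "medium"
    return "none"


if __name__ == "__main__":
    sample = "Payroll export: employee SSN 123-45-6789, employee SSN 321-65-4321"
    print(score_text(sample), risk_factor(score_text(sample)))
```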

  32. DLP Classification Methodology
     • Fingerprinted Analysis
     • Register known sensitive data
     • Applicable for any binary/digital file
     • Intellectual property protection
     • Automated fingerprinting
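Added illustration (not code from the presentation or from any DLP product) of fingerprinted analysis for text content: a registered document is reduced to hashed word shingles, so an excerpt pasted into outbound mail can be recognised without the registry storing the sensitive text itself. The shingle size, threshold and sample documents are constructed assumptions for the demo.

```python
import hashlib
import re

# Constructed example of fingerprinted analysis; shingle size and threshold are
# illustrative assumptions, not vendor defaults.
SHINGLE = 5  # words per shingle; smaller catches shorter excerpts but adds noise


def normalize(text: str) -> list:
    """Case-fold and strip punctuation so reformatting does not defeat matching."""
    return re.findall(r"[a-z0-9]+", text.lower())


def fingerprint(text: str) -> set:
    """Return the set of shingle hashes for a document (its registered fingerprint)."""
    words = normalize(text)
    hashes = set()
    for i in range(len(words) - SHINGLE + 1):
        shingle = " ".join(words[i:i + SHINGLE])
        # Only a truncated hash is kept, so the registry never holds the clear text.
        hashes.add(hashlib.sha256(shingle.encode()).hexdigest()[:16])
    return hashes


def match_ratio(candidate: str, registry: dict) -> dict:
    """For each registered document, fraction of the candidate's shingles it contains."""
    cand = fingerprint(candidate)
    if not cand:
        return {name: 0.0 for name in registry}
    return {name: len(cand & fp) / len(cand) for name, fp in registry.items()}


def detect(candidate: str, registry: dict, threshold: float = 0.5) -> list:
    """Names of registered documents the candidate substantially reproduces."""
    return sorted(n for n, r in match_ratio(candidate, registry).items() if r >= threshold)


# Constructed sample registry: a sensitive design memo and a public press release.
REGISTRY = {
    "design-memo": fingerprint(
        "Project Falcon design memo. The turbine blade uses a titanium aluminide "
        "alloy cast at 1450 degrees and finished with a proprietary ceramic coating "
        "that extends service life by forty percent over the current design."
    ),
    "press-release": fingerprint(
        "We are pleased to announce record quarterly results driven by strong "
        "demand across all regions and continued investment in our people."
    ),
}
```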

  33. DLP Classification Methodology
     • Identity Analysis
     • Understand "who" and "where"
     • Insight into organization and hierarchy
     • Real-time data from Active Directory

  34. DLP Classification Methodology
     • Every Document and/or Transmission is analyzed
     • Risk Factor assigned
     • Appropriate Remediation Applied

  35. DLP Considerations
     • Accuracy: Highest levels of accuracy in identifying and discovering sensitive data
       • Advanced contextual analysis using proximity, weighting, and conditions
       • 3rd Party validated
       • Expert Analysis Engineering and Library Teams on the back end of the DLP Solution
     • Scalability: Scales to hundreds of terabytes of data, thousands of laptops/desktops across geographically distributed areas
       • Grid processing for Datacenter discovery
       • Temporary and permanent agents for Endpoint discovery
     • Ease of Use: Centralized policy management across Datacenter, Network, Endpoint with:
       • Many out-of-the-box policy templates for both U.S. and international markets
       • An intuitive, user-friendly dashboard-based interface
