Latest techniques and solutions for data loss prevention Nick Copeland Senior Systems Engineer
Agenda • About Fidelis Security Systems • DLP—Risks and Requirements • DLP and Social Engineering • Products and Technology
Mission Fidelis Security Systems provides the next generation of network security enabling organizations to leverage their sensitive information while protecting it from data leakage and cyber attacks.
DLP Issues Top Concern for CSOs
Sources: Merrill Lynch CISO Survey, June 27, 2007; The 2008 Global Information Security Workforce Study, Frost & Sullivan, April 22, 2008
The Reality of Today’s Networks
• Web Mail
• IM
• Social Networking
• Skype
• File Transfers
• Information Sharing
• Bots
• Virus
• Hackers
• Port Hopping
• Tunneling
• SAAS
• PAAS
• Cloud Computing
• Web Apps
Threats are Targeting Information
Uneducated user (leakage):
• Business Partners
• Webmail
• Social Networking
• Cloud Leakage
Malicious insider (theft / exfiltration)
External threat actors:
• Nation States
• Organized Non-State Actors (e.g., terrorist groups)
• Organized Crime
• Advanced Persistent Threats
Social Networking: The Risks
Corporations use social networking: Facebook 69%, Twitter 44%, YouTube 32%, LinkedIn 23%
Social networking as a source of attacks (one third of companies report attacks):
• Facebook: malware infection 71.6%, data leakage 73.2%
• YouTube: malware infection 41.2%
• Twitter: privacy violations (leakage) 51%
Social networking as a source of financial loss (one third of attacks): Facebook 62%, Twitter 38%, YouTube 24%, LinkedIn 11%
Source: Security Week
DLP and Social Engineering
• As attacks become more custom and targeted, “what’s getting out?” is becoming a key element of defense in depth
• Example #1: Phone call requesting sensitive information
• Example #2: E-mail impersonating trusted individual
• Example #3: Rogue CD or USB flash drive
Example #1: Phone call requesting sensitive information
• Social engineering preparation:
  • Visits agency web site, www.organization.gov, to gather information
  • Searches social networking sites (e.g., Facebook, LinkedIn) to find a victim
  • Researches the victim’s contacts and network too
• The attack:
  • Calls victim, spoofs Caller ID
  • Represents himself as a government contractor sub-contracting to a big prime at the agency
  • Requests that sensitive information be e-mailed
  • Provides a professional-sounding e-mail address, don.smith@newtongovsol.com
  • www.newtongovsol.com has a basic but professional-looking web site
• The response:
  • Configured to prevent leakage of agency sensitive information
  • E-mail prevented
  • Forensic details captured and CERT notified
Example #2: E-mail impersonating trusted individual
• Social engineering preparation:
  • Researches target from Congressional testimonies
  • Researches IT outsourcing contract awards
  • Purchases a custom targeted malware program from another hacker online
• The attack:
  • E-mails victim, spoofed from an outsourced help desk employee
  • Contains an attachment to “update computer system inventory”
  • When executed, searches the machine for certain file types
  • FTPs files out of the network to the bad guys’ server
• The response:
  • Configured to prevent leakage of agency sensitive information
  • FTP session terminated
  • Forensic details captured and CERT notified
Example #3: Rogue CD or USB flash drive
• Social engineering preparation:
  • Finds a list of employees from a trade show attendee list
  • Purchases malware from a hacker online
  • Creates a very attractive presentation
  • Combines presentation and malware on a CD-ROM
• The attack:
  • Mails a professionally labeled CD-ROM: “Secrets to Career Advancement in the US Federal Government”
  • When run, a PowerPoint-like presentation plays showing information on “How to become an SES”, “Impressing both Political Appointees and Long-time Government Employees”, ….
  • Lots of builds and graphics make the hard drive spinning seem normal
  • Installs a keylogger while the presentation plays
  • Relays all typing via an SSH connection on non-standard ports to a server in a non-ally nation
• The response:
  • Configured to detect port-hopping/tunneling
  • Configured to detect transfers to rogue nations
  • Configured to detect rogue encryption
  • SSH session terminated
  • Forensic details captured and CERT notified
Example #4: Personal financial gain
• Social engineering preparation:
  • A Facebook account is targeted for attack
  • The hacker gains credentials to the account, often via a dictionary attack or spear-phishing
• The attack: logs in and sends requests as if they were the user
  • Informs friends of traveling to a foreign country and being robbed
  • Needs to quickly send money via Western Union
  • Desperately needs cash to be able to get back home
• The response: Don’t be fooled
Example #5: Partner relationship requesting sensitive information
• Social engineering preparation:
  • Set up an account as a corporate contractor; pick one of the large system integrators
  • Create some other fake accounts in that area
  • Mount a website reference, simple but professional
  • Build a wiki page on the company
• The attack:
  • Message the individual under target
  • Learn things from the employee (or other system integrator)
  • Contact other persons involved in a project individually
  • Individually the data might not be useful; aggregate the data and the sensitive information comes together
  • Put together pictures of information that I shouldn’t have had access to
• The response:
  • Vocabulary violation for discussing business on a networking site
  • List of recognized partners for communications
Example #6: Ghosting as a corporate executive
• Social engineering preparation:
  • Create an account of an executive of your company
  • Create links to any existing employees and executives
• The attack:
  • Message the subordinate under target
  • Refer them to an employee quiz site: “How Great of an Employee are you?”
  • Questions: “how long have you been a corporate employee”, “what office you work in”, “what contractors you do business with – rate them”, “which people do you do business with – rate them”, “how much spending you oversee”, “where do you get the best results”
  • When the user is done and submits the quiz, they get a score of “Fabulous Employee”
  • Walk away with leads on where to go next to extract data
• The response:
  • Vocabulary violation for discussing business
  • List of recognized partners for communications
The Solution: Session-Level Network Security
Fidelis XPS Patented Deep Session Inspection™ Platform: Port-Independent Session-Level Visibility and Control
Fidelis Extrusion Prevention System®―Fidelis XPS™
Comprehensive Information Protection
• Content protection
• Application activity control
• Encryption policy enforcement
• Threat mitigation
Deep Session Inspection™ Platform
• Comprehensive visibility into content and applications
• Prevention on all 65,535 ports
• Wire-speed performance
The Power to Prevent: It’s the Next Generation Network Appliance
• Fast to deploy = quick time-to-value
• Easy to manage
• Enables zones of control
Policy Engine: Power of Context
In addition to pre-built policies, customer-specific policies can easily be built using Fidelis XPS’ powerful policy engine.
Policy = group of one or more rules
Rule = logical combination of one or more triggers; the combination delivers context
• Trigger > Content: sensitive information defined in content analyzers
  • Smart Identity Profiling
  • Keyword
  • Keyword Sequence
  • Regular Expressions
  • Binary Signatures
  • Encrypted Files
  • File Names
  • Exact File Matching
  • Partial Document Matching
  • Embedded Images
• Trigger > Location: sender and recipient information
  • Source IP address
  • Destination IP address
  • Geographical data (the country in which the IP address is registered)
  • Username
  • LDAP directory attributes
• Trigger > Channel: details about the information flow
  • Application / protocol (port-independent)
  • Application-specific attributes (e.g., user, e-mail address, subject, filename, URL, encrypted, cipher, and many more)
  • Port (source / destination)
  • Session length / size
  • Day of week / time of day
  • Session duration
  • Decoding path
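As an added illustration (not Fidelis XPS code or its policy language), the following Python model shows the policy = rules = triggers structure above, with content, location and channel triggers combined into rules and evaluated against constructed sessions shaped like Examples #2 and #3. The Session fields, the rule and domain names, and the country code "XX" are assumptions made for the example.

```python
import re
from dataclasses import dataclass

@dataclass
class Session:  # one reconstructed session; constructed fields, not a vendor schema
    app: str          # application identified from content, not from the port
    dst_port: int
    dst_country: str  # country in which the destination IP is registered
    recipient: str
    encrypted: bool
    payload: str      # decoded content as a content analyzer would see it

# Triggers: each returns a predicate over one Session
def content_regex(pattern):            # Trigger > Content (regular expression)
    rx = re.compile(pattern)
    return lambda s: bool(rx.search(s.payload))
def content_keyword(*words):           # Trigger > Content (keyword)
    return lambda s: any(w.lower() in s.payload.lower() for w in words)
def location_country_in(*countries):   # Trigger > Location (geographical data)
    return lambda s: s.dst_country in countries
def location_recipient_not_in(*domains):   # Trigger > Location (recipient not a recognized partner)
    return lambda s: s.recipient.split("@")[-1].lower() not in domains
def channel_app(*apps):                # Trigger > Channel (port-independent application)
    return lambda s: s.app in apps
def channel_port_not(*ports):          # Trigger > Channel (app seen off its standard port)
    return lambda s: s.dst_port not in ports
def channel_encrypted():               # Trigger > Channel (encryption policy)
    return lambda s: s.encrypted

# Rule = logical combination of triggers; policy = group of named rules
def all_of(*triggers): return lambda s: all(t(s) for t in triggers)
def any_of(*triggers): return lambda s: any(t(s) for t in triggers)

POLICY = {  # constructed example policy, not a vendor-supplied one
    "sensitive-content-outbound": all_of(
        any_of(content_keyword("agency sensitive"), content_regex(r"\b\d{3}-\d{2}-\d{4}\b")),
        location_recipient_not_in("organization.gov", "prime.example")),
    "ssh-off-port-to-watchlist-country": all_of(
        channel_app("ssh"), channel_port_not(22), channel_encrypted(),
        location_country_in("XX")),   # "XX" is a placeholder country code
}

def evaluate(session, policy=POLICY):
    """Return the names of the rules a session violates; an empty list means allowed."""
    return [name for name, rule in policy.items() if rule(session)]

# Constructed sample sessions modelled on Examples #2 and #3 above
SAMPLES = {
    "ftp_exfil": Session("ftp", 21, "US", "drop@badguys.example", False, "AGENCY SENSITIVE inventory 123-45-6789"),
    "keylogger_ssh": Session("ssh", 4444, "XX", "", True, ""),
    "partner_mail": Session("smtp", 25, "US", "pm@prime.example", False, "meeting agenda"),
}
```

Each trigger alone is weak evidence (SSH, an off-standard port, or an encrypted session is each common on its own); the rule gains its context only from the combination.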
Social Networking whilst Mitigating Risk: Technical and Business Controls
• Ensure employee code-of-conduct policies cover social networking
  • Who can speak on behalf of the company
  • What employees can use social networks for
• Train employees on the roles and risks of social networking
• Create official profiles for corporate executives, even if they will not actually be used
• Request that sites block executives’ accounts
• Implement technical controls that address how social networks are used
• Social networking is here to stay; security policy needs to address how it is used
2007 Product of the Year
Thank You For Your Time! Let Us Know If You Have Any Questions.
“As network usage and users continue to grow, we want to make sure information is accessible but also in compliance with the Federal Education Rights and Privacy Act (FERPA). Fidelis Security Systems’ Fidelis XPS is an essential component of this strategy to ensure transmission of appropriate information.” -- Joseph Renard, Information Security Officer, District of Columbia Public Schools
“Fidelis can be recognized as a force to be reckoned with when providing innovative DLP security technologies and solutions that are agile and cost effective to protect today’s corporate networks. The end result is a company that has outpaced their competitors in terms of technology and corporate growth.” -- Frost & Sullivan
“We like that Fidelis, unlike most other anti-data leakage vendors, built its own protocol and document decoders (most others license those components)… its federal customers – including those in sensitive military environments – back up its claims of technical differentiation.” -- The 451 Group
“The product has a strong focus on high-performance detection, analysis, and prevention of traffic.” -- Burton Group
“We had a growing concern over the potential of PII and information proprietary to the district being disclosed without permission. At the same time, although we have a strict AUP in place, we had limited visibility to track, trace and stop violations of these policies.” -- Charles Thompson, CIO, Orange County Public Schools