150 likes | 277 Views
Deepak Rout. Enterprise Information Security ... a Different view. Nullcon ( Dwitiya ) Goa 26 Feb 2011. Agenda . Data Leakage Prevention …a new paradigm IBA instead of RBA …turning ‘The Standard’ around What’s in store for us! Q & A. Shortcomings of a Readymade DLP Solution.
E N D
Deepak Rout Enterprise Information Security... a Different view • Nullcon (Dwitiya) • Goa • 26 Feb 2011
Agenda • Data Leakage Prevention …a new paradigm • IBA instead of RBA …turning ‘The Standard’ around • What’s in store for us! • Q & A
Shortcomings of a Readymade DLP Solution • Very high false positives • Long gestation period • Data Leakage due to the DLP solution • Several data leakage avenues left out • Mass storage devices • Unmonitored Internet access • Uncontrolled Exception Management • Too many Admins/Super-Users • Differing Legal/Regulatory provisions - Globally Result:Unintentional data loss gets detected, while planned Data Theft or Corporate Espionage agent remains a step ahead of DLP policies.
Data Leakage Preventions - Essentials • Business/Management Concerns on Security of Data • Statutory and Regulatory Imperatives • Contracts and Agreements • Data Protection - a Security Manager’s KPI • Avoiding the Silver Bullet Syndrome • Holistic & Proactive Data Protection Framework
Holistic Approach to Reduce Data Leakage • Closing data leak channels not required for business • Proactively monitoring channels required to be opened for business • Focus on known/suspected leak channels • Adhering to ‘need to know’ • Controlling leakage by authorized users (e.g. End point solution) • Controlling leakage to unauthorized users (e.g. Rights management) • Using technology as well as process controls • Phased deployment approach • Strong management intent and business involvement • Educating users on DLP program and consequences of violation • Effective Consequence Management and exemplary treatment • Doing PDCA, if a DLP solution is deployed • Knowing limitations of DLP controls/tools, brief management to accept risk • Accepting that even after all controls, data leak incidents may happen: • Capability to audit user actions • Tools to investigate data leak incidents
DLP - Do Not & Do Do Not • As a remedial measure in the aftermath of a particularly nasty incident • Business doing well &security gets to push through security investment • Getting entangled with a silver bullet DLP solution • Pure selling by DLP solution providers • As a mail filtering mechanism Do • Deploy a comprehensive set of DLP technologies and processes as a risk mitigation measure which emerges from a systematic Risk Assessment based on business and security objectives
Agenda • Data Leakage Prevention …a new paradigm • IBA instead of RBA …turning ‘The Standard’ around • What’s in store for us! • Q & A
IBA instead of RBA for EIS • 'Risk Based Approach' (RBA) - PDCA approach of identifying & mitigating risks • 'Incident based approach' (IBA) is an alternate to RBA - PDCA cycle based on incident prevention • On occurrence follow steps - Triage, Investigate, CAPA, RCA, Implement • Digital Forensics play a anchoring role in all stages: • Triage - Preserve incident parameters • Investigation, CAPA & RCA - Diagnostics & Analysis • Prevention - Designing Enterprise Controls
Typical Chronology of Digital Investigation....1 • Prepare a clean destination hard drive: • Difficult to distinguish between old data and new • Suspect can claim that incriminating evidence was planted • Specialised tools to wipe off past data (e.g. DriveWiperVoom) • Also generates reports to demonstrate that hard disk is clean • 2. Digitally image data from suspect system to target drive: • Bit-by-bit clone of original hard drive using specialized tools • Includes all files (OS, deleted, encrypted, password protected & hidden) • Data hidden surreptitiously within other files is also retrieved • OS independent tools, do not require a dedicated drive • Rapid imaging • Original hard drive is then sealed ACQUIRE
Typical Chronology of a Digital Investigation....2 • 3. Fingerprint: • To ensure that data copied from source drive to cloned drive is the same • Unique fingerprint created for each hard drive (hashing) • Suspect hard drive is seized along with hash value, known to suspect • Same hash value demonstrated on seized drive • 4. Write-protect data: • Using write-protect bridges • Then onwards, the drive can only be read but not written to • Guarantees purity of evidence • 5.Analyse/Investigate: • Specialised tools to scan hard drive and classify files as per category (encrypted files, password protected files, misnamed files, image files, compressed files etc). • Password-cracking tools are used on password-protected files • Steganography (camouflaging files within another file) can be countered with tools conforming to judicial and evidential requirements (analysed for hidden messages) AUTHENTICATE ANALYSE
Enterprise Capability Model for Digital Forensics • Highly developed internal capability not desirable • Minimum & potent internal capability (imaging, packet capture, logging etc) • Advanced capabilities on-demand (image analysis, link analysis, heuristics etc): • As appropriate for specific industry • Pre-configured per management/regulatory requirement • Pre-negotiated & with SLA • RoI & industry considerations for configuring model • Optimum model - limited internal & bulk outsourced capability • After Forensics, What???
A View of the Future!!! • New criminal business models & malware sophistication:Criminal organizations worldwide are increasingly migrating business models online. Complexity of threats will increase & digital crimes will be more. • The problem will not disappear: • Criminals online activities will continue to be hosted in distributed servers worldwide. • New targets: • Newer attack methodologies including targeting of SCADA systems that control key infrastructure and economy sectors (petrol, gas, electricity, water, nuclear etc). • Economic impact. • World economy’s relationship with online services is so strong that any failure could lead to complete chaos. Criminals know this and will take full advantage of it. • Ubiquitous Malware. • Citizens will continue to depend on technology and ubiquitous online services (mobiles, PDA, laptops, 3G etc). We will see more attacks targeting these technologies. It’s a very profitable business; returns exceed stock markets (3 digit growth)… Security will be in Business!
Q&A rout.deepak@gmail.com 0-95821-58042