
Data Loss Prevention Overview Jeff Silver, CISSP Delaware DLP - PowerPoint PPT Presentation



  1. Data Loss Prevention Overview Jeff Silver, CISSP Delaware DLP Technical Specialist

  2. AGENDA: I. Introduction II. ‘WHY’ Data Loss Prevention III. DLP Architecture and Fundamentals IV. Examples of DLP Violations V. Questions and Discussion

  3. What Makes A Business Consider DLP? Many customers worry about data extraction and leakage:
     • Reputation Damage/Strategic Loss
     • Compliance Fines
     • Litigation and financial loss

  4. What Makes A Business Worry about DLP? The Legal Department informs the Network Security Team that a DLP deployment might violate International Privacy Laws in Europe. The Human Resources Department does not feel comfortable installing DLP Agents onto employee PCs, as active monitoring of every user action is generally frowned upon.

  5. Legal Considerations for DLP
     • PC ‘Barker’ message that comes up for every login session. This message must contain the proper legal ‘verbiage’ to clearly remove the employee’s ‘right’ to any privacy on company-owned equipment. Employee action to click on this message states they have read and understand this corporate policy.
     • Employees must sign an employee handbook. For certain industries, annual confirmation is required [i.e. Healthcare]. This handbook should clearly lay out in solid legal terms that the company has the right to monitor all user actions while they are using or accessing corporate resources.
     • On-line mandatory training regarding protection of corporate intellectual property and other sensitive data [in relation to regulations the company must adhere to] is an added value.
     • Clearly written ‘Standard Operating Procedures’ on corporate policy that lay out not just what the company can and will do to the employee, but what the interaction is with Law Enforcement, if intervention is needed.

  6. Legal Considerations for DLP--- BYOD
     • Should the employer issue out mobile devices or let the employee use their own for corporate use?
     • Compartmenting work spaces with ‘Containers’.
     • Corporate applications that can be accessed from personal devices, for example Outlook Web Application. How do you monitor this vector of data loss that can happen right from the employee’s living room?
     • Has the organization formalized a clear plan of action for what to do if sensitive data has been moved onto an active employee’s personal device?
     • Has the organization factored in State and Federal Privacy Laws that apply to its business and employees?
     • If the organization is International in nature, is the network infrastructure segmented so that security tools can be implemented in a way that does not violate stricter overseas privacy laws [for example, Germany and France]?
     • Defense in depth to cover this vector.

  7. Compliance and Regulations [slide shows a word cloud of regulations and standards]: PCI DSS, Internal Policy, HIPAA, GLBA, HSPD 12, Country Privacy Laws, CSB 1386, SOX, EU CDR, UK RIPA, EU Data Privacy/Data Security Laws, FISMA, COCOM, FACTA, Privacy Act, FFIEC, BASEL II, J-SOX, IRS 97-22, NERC, State Privacy Laws, Partner Rules, NISPOM, ACSI 33, NIST 800

  8. Why is Data Security So Difficult? Because sensitive information is always moving and transforming. [Diagram: data flowing between privileged users, customers, employees, partners and remote campuses across the Endpoint, Network, Apps/DB, FS/CMS and Storage tiers: production and internal applications, eCommerce and business portals, production, replica, analytics and staging databases, enterprise file servers, content management and collaboration systems, outsourced development, disk arrays, backup disk and tape, WAN, LAN and VPN.]

  9. The “community” of attackers
     • Organized crime: organized, sophisticated supply chains. Targets: PII, financial services, retail.
     • Unaware/Petty criminals: unsophisticated. Targets of opportunity.
     • Nation state actors. Targets: PII, government, defense industrial base, IP rich organizations.
     • Non-state actors: anti-establishment vigilantes, CyberTerrorists, “Hacktivists”. Targets: PII, Government, critical infrastructure.

  10. DLP ARCHITECTURE

  11. Data Loss Prevention Components
     • DLP Enterprise Manager: Unified Policy Mgmt, Incident Workflow, User & System Administration, Dashboard & Reporting
     • DLP Datacenter: Discover (file shares, SharePoint sites, databases, SAN/NAS); Remediate (quarantine, move to secure location, delete, or shred)
     • DLP Network: Monitor (email, webmail, IM/Chat, FTP, HTTP/S, Telnet, etc.); Enforce (allow, notify, block, encrypt)
     • DLP Endpoint: Monitor (hard drives, USB, external devices, print actions, burn to CD/DVD, etc.); Enforce (allow, justify, block on copy, Save As, print, USB, burn, etc.)
     • Enforcement integrates with Electronic Data Rights Management, Encryption and Access Controls

  12. DLP Management
     • Single policy and administration interface for all DLP components: Network, Datacenter, Endpoint
     • Consolidated workflow and remediation
     • Custom incident search engine
     • Active Directory integration [key for reports]
     • Role-based permissions and report access

  13. Reducing Your Sources of Risk: Data at Rest. Discover → Analyze → Remediate; rescan sources to measure and manage risk.
     • File shares, Servers, Laptops: Windows file shares, Unix file shares, NAS / SAN storage, Windows 2003, 2008, Windows XP, 7
     • 300+ True File types: Microsoft Office Files, PDFs, PST files, Zip files
     • Databases & Repositories: SharePoint, Microsoft Access, Oracle, SQL, Content Mgmt systems
     • Remediation: Delete, Move, Quarantine, Notifications

  14. Grid Worker Automation Drives Performance. Automatic Load Balancing: Grid Workers work together, intelligently balancing the scan load. They can be modified on the fly as well. Grid Workers can be dedicated servers, or even existing servers and PCs in the environment. The grid worker service can be made permanent or temporary, based on the needs of the business.

  15. DLP Datacenter and Endpoint: Agent Details
     Agent Software Uses
     • Site Coordinator Software
     • Scanning Agent: Permanent, or Temporary (Dissolvable)
     • Grid Worker Agent
     • Endpoint Enforcement Agent (policy-enabled)
     Agent Software Deployment Options
     • Manual installation
     • RSA DLP Enterprise Manager push installation
     • SMS or other configuration management tool
     [Diagram: temporary scan agent vs. permanent scan agent]

  16. 8 Best Practices for Enterprise Data Protection
     • Know where your sensitive data resides
     • What level of sensitivity is it
     • How many copies exist
     • Who has access to it
     • Is it dormant
     • Set appropriate controls based on policy, risk and location of data
     • Manage centrally
     • Audit consistently
     [Diagram: Sensitive Information, Policy and Security Incidents across Endpoint, Network, Applications, FS/DB and Storage]

  17. REAL WORLD ‘DATA CENTER’ INCIDENTS

  18. Tightening Up Loose Ends

  19. Tightening Up Loose Ends [Part 2]

  20. Tightening Up Loose Ends [Part 3]

  21. PST Files and User Backup Data Issues

  22. Executive Level Sensitive Information

  23. Executive Level Sensitive Information

  24. REAL WORLD ‘NETWORK’ INCIDENTS

  25. Protecting Data In The Network: Data in Motion. Monitor → Analyze → Enforce.
     • Email: SMTP email; Exchange, Lotus, etc.; Webmail; Text and attachments
     • Instant Messages: Yahoo IM, MSN Messenger, AOL Messenger, Google Talk/Chat
     • Web Traffic: FTP, HTTP, HTTPS, TCP/IP
     • Remediation: Audit, Block, Encrypt, Log

  26. Sending Work Home---In the ‘Wild’ This employee sent work home, and it contained a lot of SSNs.

  27. Medical Information to Russia [with love]

  28. Tracking Legitimate Encrypted Business Traffic RSA DLP can help track business traffic that is encrypted.

  29. Protecting Data In The Endpoint: Data in Use. Monitor → Analyze → Enforce.
     • Print: Local printers, Network printers
     • USB: External hard drives, Memory sticks, i-Pods, portable discs
     • Copy and Save As: Copy to Network shares, Copy to external drives, Save As to external drives
     • Actions & Controls: Justify, Notify, Block, Audit & Log

  30. UNDER THE ‘DLP’ HOOD

  31. DLP Classification Methodology: Described Content Analysis, Fingerprinted Analysis

  32. DLP Classification Methodology: Built-in Expert Policy Templates
     • Policies ‘out of the box’
     • National & International Regulations
     • Includes PCI, PII, HIPAA, GLBA, etc.
     • Industry specific templates

  33. DLP Classification Methodology: Described Content Analysis
     • Keywords, Phrases, RegEx, Dictionaries
     • Special patterns - Entities
     • Proximity analysis
     • Positive and negative rules
     • Weighting

  34. DLP Classification Methodology: Fingerprinted Analysis
     • Register known sensitive data
     • Applicable for any binary/digital file
     • Intellectual property protection
     • Automated fingerprinting
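As an added illustration of slides 33 and 34 (not code from the presentation or from RSA DLP), the following Python sketches both classification methods: described content analysis with an entity pattern, proximity-scoped positive and negative rules and weights, and fingerprinted analysis using hashed word shingles so that an excerpt of a registered document is still caught. The sample messages, the registered document, the term weights and the shingle scheme are all constructed assumptions.

```python
import hashlib
import re

# Constructed sample messages (not from the presentation).
SAMPLES = {
    "claim": "Patient claim: SSN 123-45-6789, diagnosis attached. Please process.",
    "invoice": "Order reference 123-45-6789 for part number 987-65-4321; total $40.",
    "test_data": "Test fixture: SSN 000-00-0000 used in unit tests only.",
}

# Described content analysis: an entity pattern plus weighted positive and
# negative terms that count only within PROXIMITY characters of a hit.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
POSITIVE_TERMS = {"ssn": 3, "patient": 2, "diagnosis": 2, "social security": 3}
NEGATIVE_TERMS = {"test fixture": -5, "order reference": -4, "part number": -4}
PROXIMITY = 40
DESCRIBED_THRESHOLD = 4

def described_score(text):
    """Sum entity hits and the weights of terms found near each hit."""
    score, lowered = 0, text.lower()
    for m in SSN_RE.finditer(text):
        window = lowered[max(0, m.start() - PROXIMITY): m.end() + PROXIMITY]
        score += 1
        score += sum(w for t, w in POSITIVE_TERMS.items() if t in window)
        score += sum(w for t, w in NEGATIVE_TERMS.items() if t in window)
    return score

# Fingerprinted analysis: hash overlapping 5-word shingles of a registered
# document (assumed scheme, not RSA's actual fingerprinting algorithm).
REGISTRY = set()

def shingles(data, k=5):
    words = data.lower().split()
    return {hashlib.sha256(b" ".join(words[i:i + k])).hexdigest()
            for i in range(max(1, len(words) - k + 1))}

def register(data):
    REGISTRY.update(shingles(data))

def fingerprint_ratio(data):
    """Fraction of the candidate's shingles that belong to registered data."""
    s = shingles(data)
    return len(s & REGISTRY) / len(s) if s else 0.0

def classify(text, attachment=b"", fp_threshold=0.5):
    if attachment and fingerprint_ratio(attachment) >= fp_threshold:
        return "fingerprint"
    return "described" if described_score(text) >= DESCRIBED_THRESHOLD else "clean"

# Constructed "registered" document and an excerpt of it pasted elsewhere.
ROADMAP = b"Project Falcon roadmap: launch the encrypted ledger feature in the third quarter after the pilot with two banks"
EXCERPT = b"launch the encrypted ledger feature in the third quarter"
register(ROADMAP)
```

The invoice message contains a syntactically valid SSN-shaped number but scores negative because the nearby ‘order reference’ and ‘part number’ rules outweigh the entity, which is the effect the positive/negative rule and weighting bullets describe.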
