Posted 18-Nov-2014 (Documents), uploaded by illyas-kanhangad
A knowledge-based approach to Data Protection
Information Leakage Prevention: Where does technology fail? Where can it help?
Illyas Kooliyankal, PMP, CISM, CISA, CISSP, ITIL, ISO 27001 LA
IT Security Officer
Abu Dhabi Securities Exchange
So, is it happening around you?
Information Leakage
What is it? And why has it suddenly become such a hot topic?
Agenda
Introduction
Cases of Data Loss
Existing Security Mechanisms?
How can you Approach the Protection? Is it Easy?
How can you Protect?
Technology – DLP
Important factors/Best Practices
ADX Approach
Summary
Why is Data a Priority?
Cost of Data Breaches: $140/record, made up of
  Indirect Costs     $1.5M   $15/record
  Opportunity Costs  $7.5M   $75/record
  Direct Costs       $5.0M   $50/record
Source: Ponemon Institute / SVB Alliant
What do you consider to pose the biggest current threat to your organization's overall security? (multiple responses)
  Leakage of confidential/proprietary information   52%
  Unpatched vulnerabilities                          24%
  Insider attacks                                    18%
  Spyware                                            14%
  Phishing attacks                                   10%
  Malicious code                                      4%
  Spam                                                4%
  Denial of Service attacks                           4%
  Fraud                                               2%
  Keystroke loggers                                   2%
Source: Merrill Lynch survey of 50 North American CISOs, July 2006
Why is DLP so hot?
More mobility and flexibility (laptops, palmtops and home workers): data moves in and out of the organization.
Criminals use leaked data for monetary gain.
Business impact: reputation, monetary loss, growth, ...
Legal and regulatory compliance: you can be liable for the loss of data under your custody (credit cards, identity information, etc.).
Local (ADSIC) and international standards.
Finally, it has started to affect us personally: credit card and identity information leaks.
Are you Protected?
Are you confident that the personal information of your customers will not leak to the Internet?
What safeguards do you have in place to prevent the theft or loss of your confidential documents, source code, marketing data, trade secrets or other intellectual property?
Data Leakage Incidents
In 2007, an official with the Dutch Foreign Ministry accidentally left a USB stick containing unencrypted confidential information (building maps, security codes, account information and more) in a rental car.
A laptop stolen from the home of a U.S. Department of Veterans' Affairs employee contained the Social Security numbers and birth dates for nearly 27 million veterans and their spouses. None of the information was encrypted.
Data Leakage Incidents
More recently, the Harris County (Texas) Hospital District admitted that an administrator, eager to catch up on work over the weekend, lost an unencrypted USB flash drive containing medical and financial records of 1,200 patients with AIDS, HIV, and other medical conditions.
Countrywide Financial Corporation (now part of Bank of America) is still recovering from the theft and sale of personal information, including Social Security numbers, of nearly two million mortgage applicants by a former employee in August 2008.
Data Leakage Incidents - UAE
Corporate Data Thefts Cause Huge Losses to Firms
by Amira Agarib, 19 October 2009
DUBAI — Disclosure of confidential information causes huge losses, especially to the companies whose value and wealth are based on information related to their customers and resources. This was stated on Saturday by Major Saeed Al Hajiri, director of Anti-Cyber Crimes Department, Dubai Police.
So far 316 electronic crime cases have been recorded and investigated, including seven cases of breach of trust and sale of confidential information to competitor companies.
In one of the cases, an investment company reported to the police that it had lost clients as someone had sold information to competitors.
The investigators checked the computers and investigations led them to two suspects, who worked as collectors for the company.
Incident Monitoring
How serious is it?
Every year, many companies must confess the disclosure of their customers' credit card and Social Security numbers in the media, which is not only enormously embarrassing and harmful in itself but invites lawsuits.
Recession: when cash-strapped companies are going out of business every day, a severe intellectual property theft can lead to lost sales or the covert transfer of valuable trade secrets to one's competitors.
How does it happen?
Whether it's a researcher who accidentally sends a new product formula to hundreds of partners,
OR
A junior member of the finance team who unknowingly exposes the company's unannounced financial results to the public,
OR
Even a hard-working, loyal employee who takes home his laptop or a USB drive for the weekend to get work done, and accidentally leaves it on the subway as he runs to greet his children at the end of a long workweek.
"Internal risks that can lead to data loss are real."
Data Leakage - Boundary
[Diagram: Sensitive Data held by Employees at the centre, surrounded by the parties it can leak to]
Employees (remote workers, mobile workers)
Business Partners (suppliers, outsourcers, consultants)
Competitors
Customers
Hackers
Contractors
Temporaries
Visitors
SOURCE: FORRESTER RESEARCH
Existing Security Devices/Solutions?
Stop incoming threats; miss outgoing sensitive information
Courtesy: www.PortAuthorityTech.com
Protected from Outsiders: Is it Enough?
Over the years, organizations have spent a tremendous amount of resources in hopes of protecting their information.
However, their efforts have been focused on preventing outsiders from hacking into the organization, educating employees, and securing data at rest.
Data - Concerns
As organizations invest millions in business systems, increasing the availability of information to build or maintain a competitive edge, there remains a slew of security-related considerations, including:
Where is the organization's confidential & sensitive data?
How, where, and when is the data transmitted, and by whom?
How can the data be controlled and protected?
What is my organization's financial risk (from a leak)?
Most Effective Approach
Holistic Approach
People, Process, Technology
Develop and implement foolproof processes across the overall business environment (information at all stages/states).
Staff awareness and support.
Implement appropriate technology to assist the users and the organization to protect the data efficiently and without business interruption.
Is it Easy? Issues
Information is required for the business easily and seamlessly.
Existing security solutions and tools have limited capability.
Huge amount of sensitive data, and also unwanted/outdated data.
Information leaked by internal/authorized users.
Performance issues.
False positives and false negatives.
User resistance and an organizational culture of trust and openness.
Impact on normal business operations?
How can you protect?
Approach it as a business problem rather than a technical one.
Formulate a comprehensive strategy for data protection that also addresses information leakage.
Develop a classification policy after a thorough business study and based on industry best practices.
Analyze the various data sources and data, classify them, and conduct a detailed risk assessment.
Identify and select an appropriate technical solution for DLP.
How can you protect?
State of the data: in motion, at rest, in use.
Develop/decide on the policies to be applied based on the sensitivity and classification.
Apply lightweight policies and train the users to be more careful.
Actions - controls (log, alert, justification, block, etc.).
Monitor and fine tune.
Approach it phase by phase: begin with log only, analyze the events and tighten the controls slowly and steadily.
Where to Start?
Where is my confidential data?
Where is my data going?
Who is using data?
How can I protect it?
What is the business and resource impact?
How do I get started?
What Technology Available to support?
How much does it cost?
What is DLP?
To detect and prevent the unauthorized transmission of information from the computer systems of an organization to outsiders.
Also known as Information Leak Detection & Prevention (ILDP), Information Leak Prevention (ILP) or Content Monitoring and Filtering (CMF).
DLP Technology?
With data protection solutions, you can quickly and comprehensively determine:
What data needs to be secured?
When do you need to protect it?
Who is sending it out of the company?
How sensitive is the data? And
Where is it stored/moved/used?
What does DLP offer?
Lets you secure the data you know you need to protect.
Automates the discovery and understanding of the data you don't know, to create a comprehensive solution that guards against the risk posed by insiders.
By securing all your information, from the data center to the network endpoints, you protect it through all phases of its lifecycle (at rest, in motion, and in use) and ensure its confidentiality and integrity.
Where to apply protection?
Protect Data In Motion & In Use
▫ Monitor outbound and internal communications to identify data policy violations
▫ Automated selective blocking/enforcement of information reaching unauthorized recipients
▫ Automated selective enforcement (e.g. encryption) of sensitive information for authorized recipients
Protect Data at Rest
▫ Discover sensitive data that violates regulatory or internal security policies
▫ Automated selective enforcement against unauthorized transfer of files/documents
▫ Automated encryption of critical information assets
The Landscape
[Diagram: accidental, intentional and malicious leaks flow from employees (honest & rogue) to customers & criminals across three areas]
Data At Rest
• Data classification
• Device control
• Content control
• Application control
Transaction Data
• Direct database access
• Access via applications
• Web applications
• Web services
Data In Motion
• Outgoing communications
• Internal communications
• Databases and documents
• Monitoring and enforcement
Courtesy: www.PortAuthorityTech.com
How is it different?
Various products are available, and they differ based on:
Channels
Method of analysis
Performance and resource requirements
etc.
How Does DLP Work?
Identifies and classifies data in motion, at rest, and in use.
Dynamically applies the desired type and level of control, including the ability to perform mandatory access control that can't be circumvented by the user.
Monitors multiple channels for specific inbound and outbound content.
What does it provide?
Tracks complete sessions for analysis, not individual packets, with full understanding of application semantics.
Uses linguistic analysis techniques beyond simple keyword matching for detection (e.g. advanced regular expressions, partial document matching, etc.).
Detects (or filters) content based on policy-based rules.
Blocks/alerts/logs/justifies (at a minimum) policy-based violations.
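As an added example (not the presenter's code, nor any DLP vendor's), the following Python script sketches the detection and enforcement behaviour described on this slide and on the earlier "How can you protect?" slide: regular-expression detection tightened with a Luhn checksum (cutting the false positives listed under "Is it Easy?"), partial-document matching through word-shingle fingerprints (the "learn critical information" step), per-policy actions (Log / Alert / Justify / Block), and a monitor-only deployment mode that downgrades blocking while policies are tuned, as the phase-by-phase rollout recommends. The policy names, thresholds, the protected document and the sample messages are all constructed for illustration.

```python
"""Policy-based content inspection in the style of the DLP features on these
slides: regex detection with a checksum to cut false positives, partial-document
fingerprinting, and per-policy actions (Log / Alert / Justify / Block) with a
monitor-only mode for a phased rollout.

Added example, not the presenter's or any vendor's code. Policy names,
thresholds, the protected document and the sample messages are constructed.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

# Actions in order of severity; a message's verdict is the most severe one triggered.
ACTIONS = ("LOG", "ALERT", "JUSTIFY", "BLOCK")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most 16-digit strings that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# 16 digits with optional single space/hyphen separators (constructed pattern).
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def find_card_numbers(text: str) -> List[str]:
    """Return the digit strings that match the card pattern AND pass Luhn."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def shingles(text: str, k: int = 5) -> Set[str]:
    """Fingerprint of a text: hashes of every window of k consecutive words.

    Order-preserving, so an excerpt of a protected document still shares most
    of its windows even when pasted into an otherwise unrelated message."""
    words = re.findall(r"\w+", text.lower())
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
        for i in range(len(words) - k + 1)
    }


@dataclass
class Policy:
    name: str
    detector: Callable[[str], int]  # returns the number of matches in a message
    action: str                     # one of ACTIONS
    threshold: int = 1              # matches needed before the policy fires


@dataclass
class Verdict:
    action: str = "ALLOW"
    findings: Dict[str, int] = field(default_factory=dict)


def inspect(text: str, policies: List[Policy], mode: str = "monitor") -> Verdict:
    """Evaluate every policy and return the most severe action triggered.

    In "monitor" mode (the log-only first phase) JUSTIFY and BLOCK are downgraded
    to ALERT so nothing is interrupted while policies are tuned; "enforce" mode
    applies the configured action."""
    verdict = Verdict()
    worst = -1
    for p in policies:
        n = p.detector(text)
        if n >= p.threshold:
            verdict.findings[p.name] = n
            worst = max(worst, ACTIONS.index(p.action))
    if worst >= 0:
        action = ACTIONS[worst]
        if mode == "monitor" and action in ("JUSTIFY", "BLOCK"):
            action = "ALERT"
        verdict.action = action
    return verdict


# Constructed "confidential" document registered with the fingerprinting step.
PROTECTED_DOC = ("Project Falcon pricing proposal: the listing fee for tier one "
                 "members will be reduced by twelve percent from the first quarter")
PROTECTED_FP = shingles(PROTECTED_DOC)

POLICIES = [
    Policy("payment-card", lambda t: len(find_card_numbers(t)), "BLOCK"),
    # Three shared 5-word windows is the (constructed) partial-match threshold.
    Policy("confidential-doc", lambda t: len(shingles(t) & PROTECTED_FP), "JUSTIFY", threshold=3),
]

# Constructed outbound messages; the card number is the well-known Visa test number.
SAMPLE_MESSAGES = {
    "clean": "Hi team, the quarterly meeting moves to Tuesday at ten.",
    "card": "Please charge 4111-1111-1111-1111 for the renewal.",
    "lookalike": "Ticket 4111-1111-1111-1112 has been opened.",  # fails Luhn: not a card
    "excerpt": "FYI: the listing fee for tier one members will be reduced by twelve percent, keep it quiet.",
}


def run_samples(mode: str) -> Dict[str, str]:
    """Verdict action for each sample message under the given deployment mode."""
    return {name: inspect(msg, POLICIES, mode).action for name, msg in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for mode in ("monitor", "enforce"):
        print(mode, run_samples(mode))
```

Running the script shows the two phases side by side: in monitor mode the card number and the pasted excerpt only raise alerts, while in enforce mode the same messages are blocked and sent for justification respectively; the look-alike number that fails the Luhn check is allowed in both modes, which is the kind of false-positive reduction a regex on its own cannot give.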
Reduce Your Risk
[Diagram: a cycle from Assess Risk to Define Metrics, Learn, Monitor, Enforce and Reduce Risk; enforcement options are Audit, Notify, Quarantine, Block, Encrypt, ...]
Define Metrics
• Use pre-defined policies or create custom policies
Learn
• Learn critical information using an information fingerprinting service
Monitor
• Monitor communication channels
• Report matches against policies and information fingerprints
• Tune policies
Enforce / Reduce Risk
• Enable enforcement policy
• Quarantine suspicious messages
• Create an audit trail of all communications to substantiate compliance
• Reduce violations to required levels
Courtesy: www.PortAuthorityTech.com
How to select the vendor?
Monitoring vs. Prevention
Centralized management
Performance impact
Market presence: experience in policy development and problems faced will be beneficial
Ease of integration: should not be overlooked
Staff needed to operate and manage it
Important Factors
A clear definition of the "need for DLP" should be in place.
Try a proof of concept from the vendors.
Phase-by-phase approach: start with data in use/motion.
Adequate and comprehensive testing (functionality and performance) should be ensured.
Apply the Prevention/Block policy only once it has been tested and you are confident, to avoid any business interruption.
Important Factors
Take time to gain a comprehensive understanding and inventory of the types of sensitive data and of what policies are needed to control and enforce how the data can be shared.
For this, analyze the regulatory requirements, enforcement and intellectual property protection.
Analyze the impact of DLP on the workflow: the solution should be dynamic and flexible enough to support the business process and changes in it.
Comprehensive and effective
Unobtrusive / non-intrusive
Look for reporting and administration features
Combine best-of-breed solutions
Additional Features to look for
Data Discovery scanning and moving the sensitive files to a secure location.
Integration with Active Directory
Incident remediation process
ADX: How we approached it
Built a data protection strategy taking information leakage into consideration
Developed an information classification policy
Identified all the information assets and their sources, with sensitivity
Analyzed and identified the prospective channels of information leakage
ADX: How we approached it
Went through a process of selecting the DLP solution
Analyzed the business needs and how the DLP solution could be integrated with operations
C-level buy-in and support
Developed proposed policies, discussed them with the information owners and got their buy-in
Customized based on operational requirements
Tested the policies
Implemented it across the organization with management inputs and requirements
DLP - Ongoing Process
Information Leakage Prevention is an ongoing process, and a huge learning curve exists.
Recommended to stay in monitoring mode for 6 months before applying any blocking feature, unless you are totally sure.
Summary
Information leakage is a serious concern to organizations and individuals.
The approach has to be holistic, addressing People, Process and Technology.
DLP technology addresses data in motion, at rest and in use.
Summary
Classification policy; information about data and data sources; classify those; select a DLP solution; develop policies and test; apply; monitor; fine tune; awareness.
Actions: log, alert, justify, block, etc.
Resistance, organizational culture, performance, and huge amounts of known/unknown data are some of the obstacles.
Start with lightweight policies and gradually tighten them once awareness and adaptability are achieved.
Information Leakage Prevention is an ongoing process.
Thank You!
Illyas Kooliyankal
IT Security Officer
Abu Dhabi Securities Exchange
Contacts: 0504442878 / 026128994
Any questions?