
Data Leakage Presentation E Crime Congress091209 Final Pdf

Date post: 18-Nov-2014
Upload: illyas-kanhangad
Description:
Illyas presentation on Information Leakage at e-crime congress on 9th December 2009 at Abu Dhabi Armed Officer's Club.
Transcript
Page 1: Data Leakage Presentation E Crime Congress091209 Final Pdf

A knowledge based approach to Data Protection

- Information Leakage Prevention -

Where technology fails? Where it can help?

ILLYAS KOOLIYANKAL

PMP, CISM, CISA, CISSP, ITIL, ISO 27001 LA

IT Security Officer

Abu Dhabi Securities Exchange

Page 2: Data Leakage Presentation E Crime Congress091209 Final Pdf

So it is happening around U?

Page 3: Data Leakage Presentation E Crime Congress091209 Final Pdf

Information Leakage

What is it? And why has it suddenly become such a hot topic?

Page 4: Data Leakage Presentation E Crime Congress091209 Final Pdf

Agenda

Introduction

Cases of Data Loss

Existing Security Mechanisms?

How can you Approach the Protection? Is it Easy?

How can you Protect?

Technology – DLP

Important factors/Best Practices

ADX Approach

Summary

Page 5: Data Leakage Presentation E Crime Congress091209 Final Pdf

Why Data is a Priority?

Cost of Data Breaches: $140/record

Direct Costs: $5.0M, $50/record

Indirect Costs: $1.5M, $15/record

Opportunity Costs: $7.5M, $75/record

Source: Ponemon Institute SVB Alliant

What do you consider to pose the biggest current threat to your organization’s overall security? (multiple responses)

Leakage of confidential/proprietary information: 52%

Unpatched vulnerabilities: 24%

Insider attacks: 18%

Spyware: 14%

Phishing attacks: 10%

Malicious Code: 4%

Spam: 4%

Denial of Service attacks: 4%

Fraud: 2%

Keystroke loggers: 2%

Source: Merrill Lynch survey of 50 North American CISOs, July 2006

Page 6: Data Leakage Presentation E Crime Congress091209 Final Pdf

Why DLP is so HOT?

More mobility, flexibility – Laptops, palmtops and homeworkers…data is in and out of organization.

Criminals using leaked data for monetary gain

Business impact – Reputation, monetary, growth, …

Legal and Regulatory compliances – you can be liable for the loss of data under your custody (credit cards, identity information, etc.)

Local (ADSIC) and international standards

Finally… it started to affect us personally – credit cards, identity information leaks…

Page 7: Data Leakage Presentation E Crime Congress091209 Final Pdf

Are you Protected?

Are you confident that the personal information of your customers will not leak to the Internet?

What safeguards do you have in place to prevent the theft or loss of your confidential documents, source code, marketing data, trade secrets or other intellectual property?

Page 8: Data Leakage Presentation E Crime Congress091209 Final Pdf

Data Leakage Incidents

In 2007, an official with the Dutch Foreign Ministry accidentally left a USB stick containing unencrypted confidential information—building maps, security codes, account information and more—in a rental car

A laptop stolen from the home of a U.S. Department of Veterans’ Affairs employee contained the Social Security numbers and birth dates for nearly 27 million veterans and their spouses. None of the information was encrypted

Page 9: Data Leakage Presentation E Crime Congress091209 Final Pdf

Data Leakage Incidents

More recently, the Harris County (Texas) Hospital District admitted that an administrator, eager to catch up on work over the weekend, lost an unencrypted USB flash drive containing medical and financial records of 1,200 patients with AIDS, HIV, and other medical conditions

Countrywide Financial Corporation (now part of Bank of America) is still recovering from the theft and sale of personal information—including Social Security numbers—of nearly two million mortgage applicants, by a former employee in August, 2008

Page 10: Data Leakage Presentation E Crime Congress091209 Final Pdf

Data Leakage Incidents - UAE

Corporate Data Thefts Cause Huge Losses to Firms

by Amira Agarib, 19 October 2009

DUBAI — Disclosure of confidential information causes huge losses especially to the companies whose value and wealth are based on information related to their customers and resources. This was stated on Saturday by Major Saeed Al Hajiri, director of Anti-Cyber Crimes Department, Dubai Police.

So far 316 electronic crime cases have been recorded and investigated, including seven cases of breach of trust and sale of confidential information to competitor companies.

In one of the cases, an investment company reported to the police that it had lost clients as someone had sold information to competitors.

The investigators checked the computers and investigations led them to two suspects, who worked as collectors for the company.

Page 11: Data Leakage Presentation E Crime Congress091209 Final Pdf

Incident Monitoring

Page 12: Data Leakage Presentation E Crime Congress091209 Final Pdf

How Serious it is?

Every year, many companies must confess the disclosure of their customers' credit card and Social Security numbers in the media, which is not only enormously embarrassing and harmful in itself but invites lawsuits.

Recession - when cash-strapped companies are going out of business every day, a severe intellectual property theft can lead to lost sales or the covert transfer of valuable trade secrets to one's competitors

Page 13: Data Leakage Presentation E Crime Congress091209 Final Pdf

How it Happens?

Whether it’s a researcher, who accidentally sends a new product formula to hundreds of partners,

OR

A junior member of the finance team who unknowingly exposes the company’s unannounced financial results to the public

OR

Even a hard-working, loyal employee who takes home his laptop or a USB drive for the weekend to get work done—and accidentally leaves it on the subway as he runs to greet his children at the end of a long workweek

“Internal risks that can lead to data loss are real.”

Page 14: Data Leakage Presentation E Crime Congress091209 Final Pdf

Data Leakage - Boundary

[Diagram labels: Sensitive Data; Employees; Employees (remote workers, mobile workers); Business Partners (suppliers, outsourcers, consultants); Competitors; Customers; Hackers; Contractors; Temporaries; Visitors]

SOURCE: FORRESTER RESEARCH

Page 15: Data Leakage Presentation E Crime Congress091209 Final Pdf

Existing Security Devices/Solutions?

Stop incoming threats; miss outgoing sensitive information

Courtesy: www.PortAuthorityTech.com

Page 16: Data Leakage Presentation E Crime Congress091209 Final Pdf

Protected from Outsiders – Is it Enough?

Over the years, organizations have spent a tremendous amount of resources in hopes of protecting their information.

However, their efforts have been focused on preventing outsiders from hacking into the organization, educating employees, and securing data at rest

Page 17: Data Leakage Presentation E Crime Congress091209 Final Pdf

Data - Concerns

As organizations invest millions in business systems, increasing the availability of information to build or maintain a competitive edge, there remain a slew of security-related considerations, including:

Where is the organization’s confidential & sensitive data?

How, where, and when is the data transmitted and by whom?

How can the data be controlled and protected?

What is my organization’s financial risk (from a leak)?

Page 18: Data Leakage Presentation E Crime Congress091209 Final Pdf

Most effective Approach

Holistic Approach

People, Process, Technology

Develop and implement foolproof processes in overall business environment (Information – at all stages/states)

Staff Awareness and support

Implement appropriate technology to assist the users and the organization to protect the data efficiently and without business interruption.

Page 19: Data Leakage Presentation E Crime Congress091209 Final Pdf

Is it Easy? Issues

Information is required for the business easily and seamlessly.

Existing security solutions and tools have limited capability

Huge amount of sensitive data and also unwanted/outdated data

Information leaked by Internal/Authorized users

Performance issues.

False Positives and False Negatives

User Resistance & Org Culture of Trust, openness

Impact to the normal business operations?

Page 20: Data Leakage Presentation E Crime Congress091209 Final Pdf

How can you protect?

Approach it as a business problem rather than a technical one.

Formulate a comprehensive strategy for Data protection, by addressing information leakage also.

Develop a classification policy after thorough business study and based on industry best practices.

Analyze various data sources and data, classify it, and conduct detailed risk assessment.

Identify and select an appropriate technical solution for DLP

Page 21: Data Leakage Presentation E Crime Congress091209 Final Pdf

How can you protect?

State of the Data – in motion, at rest, in use.

Develop/Decide on the policies to be applied based on the sensitivity and classification

Apply light weight policies and train the users to be more careful

Actions – Controls (Log, Alert, Justification, block, etc)

Monitor and Fine Tune

Approach it phase by phase – Begin with log only, analyze the events and tighten the controls slowly and steadily.

Page 22: Data Leakage Presentation E Crime Congress091209 Final Pdf

Where to Start?

Where is my confidential data?

Where is my data going?

Who is using data?

How can I protect it?

What is the business and resource impact?

How do I get started?

What Technology is Available to support?

How much does it cost?

Page 23: Data Leakage Presentation E Crime Congress091209 Final Pdf

What is DLP?

To detect and prevent the unauthorized transmission of information from the computer systems of an organization to outsiders.

Also known as Information Leak Detection & Prevention (ILDP), Information Leak Prevention (ILP) or Content Monitoring and Filtering (CMF).

Page 24: Data Leakage Presentation E Crime Congress091209 Final Pdf

DLP Technology ?

With Data Protection solutions, you can quickly and comprehensively determine

What data needs to be secured?

When you need to protect it?

Who is sending it out of the company?

How sensitive is the data? And

Where it is stored/moved/used?

Page 25: Data Leakage Presentation E Crime Congress091209 Final Pdf

What DLP offer?

Let you secure the data you know you need to protect

Automate the discovery and understanding of the data you don’t know—to create a comprehensive solution that guards against the risk posed by insiders.

By securing all your information—from the datacenter to the network endpoints—you protect it through all phases of its lifecycle—at rest, in motion, and in use—and ensure its confidentiality and integrity.

Page 26: Data Leakage Presentation E Crime Congress091209 Final Pdf

Where to apply protection?

Protect Data In Motion & Use

▫ Monitor outbound and internal communications to identify data policy violations

▫ Automated selective blocking/enforcement of information reaching unauthorized recipients

▫ Automated selective enforcement (e.g. encryption) of sensitive information for authorized recipients

Protect Data at Rest

▫ Discover sensitive data that violates regulatory or internal security policies

▫ Automated selective enforcement of unauthorized transfer of files/documents

▫ Automated encryption of critical information assets

Page 27: Data Leakage Presentation E Crime Congress091209 Final Pdf

The Landscape

Data At Rest

• Data classification

• Device control

• Content control

• Application control

Transaction Data

• Direct Database Access

• Access via Applications

• Web applications

• Web services

Data In Motion

• Outgoing communications

• Internal communications

• Databases and documents

• Monitoring and enforcement

[Diagram labels: Employees (Honest & Rogue); Customers & Criminals; Accidental, Intentional and Malicious Leaks]

Courtesy: www.PortAuthorityTech.com

Page 28: Data Leakage Presentation E Crime Congress091209 Final Pdf

How is it different?

Various products are available and they differ based on

Channels

Method of analysis

Performance & resources requirements

etc…

Page 29: Data Leakage Presentation E Crime Congress091209 Final Pdf

How Does DLP Work?

Identify and Classify data in motion, at rest, and in use

Dynamically apply the desired type and level of control, including the ability to perform mandatory access control that can’t be circumvented by the user

Monitors multiple channels for specific inbound and outbound content

Page 30: Data Leakage Presentation E Crime Congress091209 Final Pdf

What it provides?

Track complete sessions for analysis, not individual packets, with full understanding of application semantics

Use linguistic analysis techniques beyond simple keyword matching for detection (e.g. advanced regular expressions, partial document matching, etc.)

Detect (or filter) content that is based on policy-based rules

Block/Alert/Log/Justify (at a minimum) policy-based violations
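
An added illustration (not from the presentation or from any DLP product) of the detection techniques this slide names: a regular expression backed by a Luhn checksum to cut false positives, partial document matching through hashed word shingles, and a policy mode that only logs during the monitoring phase and blocks once enforcement is enabled. All names, the overlap threshold and the sample text are assumptions constructed for the example.

```python
import hashlib
import re

# Constructed sample data (not from the presentation).
PROTECTED_DOC = ("Unannounced third quarter results: revenue rose twelve percent "
                 "while operating costs fell four percent across all three "
                 "trading divisions")
LEAK = ("fyi: revenue rose twelve percent while operating costs fell four "
        "percent, keep it quiet")

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # candidate card-number runs


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects random digit runs the regex alone would flag."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def shingles(text: str, k: int = 5) -> set:
    """Hashes of every k-word window: the fingerprint of a document."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
            for i in range(max(len(words) - k + 1, 0))}


PROTECTED = shingles(PROTECTED_DOC)


def inspect(message: str, protected: set, mode: str = "monitor",
            overlap_threshold: float = 0.3) -> dict:
    """Return the findings and the policy action for one outbound message."""
    findings = []
    for m in CARD_RE.finditer(message):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            findings.append("card_number")
    if protected:
        # Share of the protected document's shingles that reappear in the message.
        overlap = len(shingles(message) & protected) / len(protected)
        if overlap >= overlap_threshold:
            findings.append("partial_document_match")
    if not findings:
        action = "allow"
    else:
        # Monitoring phase only records the event; enforcement phase blocks it.
        action = "log" if mode == "monitor" else "block"
    return {"findings": findings, "action": action}
```
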

Page 31: Data Leakage Presentation E Crime Congress091209 Final Pdf

Reduce Your Risk

Audit, Notify, Quarantine, Block, Encrypt

Reduce Risk

• Enable enforcement policy

• Quarantine suspicious messages

• Create audit trail of all communications to substantiate compliance

• Reduce violations to required levels

Enforce

Learn

Define Metrics

• Use pre-defined policies or create custom policies

• Learn critical information using information fingerprinting service

Monitor

• Monitor communication channels

• Reporting of matches against policies and information fingerprints

• Tune policies

Assess Risk

Courtesy: www.PortAuthorityTech.com

Page 32: Data Leakage Presentation E Crime Congress091209 Final Pdf

How to select the vendor?

Monitoring Vs Prevention

Centralized Management

Performance Impact

Market Presence – Experience in Policy development and problems faced will be beneficial

Ease of Integration – should not be overlooked

Staff need – Operate and manage?

Page 33: Data Leakage Presentation E Crime Congress091209 Final Pdf

Important factors

Clear definition of the "need for DLP" should be in place

Try Proof of concept from the vendors

Phase by phase approach – start with data in use/motion

Adequate and comprehensive testing (functionality and performance) should be ensured.

Apply the policy of Prevention/Block once it is tested and you are confident in it, to avoid any business interruption

Page 34: Data Leakage Presentation E Crime Congress091209 Final Pdf

Important Factors

Take time to have a comprehensive understanding and inventory of the types of sensitive data and what policies are needed to control and enforce how the data can be shared.

For this, analyze the regulatory requirement, enforcement and intellectual property protection

Analyze the impact of DLP on the workflow – solution should be dynamic and flexible to support the business process and the changes in it.

Comprehensive and effective

Unobtrusive – Non Intrusive

Look for reporting, administration

Combine best of breed solutions

Page 35: Data Leakage Presentation E Crime Congress091209 Final Pdf

Additional Features to look for

Data Discovery scanning and moving the sensitive files to a secure location.

Integration with Active Directory

Incident remediation process

Page 36: Data Leakage Presentation E Crime Congress091209 Final Pdf

ADX – How we approached

Built a Data protection strategy in consideration with Information Leakage

Developed an information classification policy

Identified all the information assets and sources of it with sensitivity

Analyzed and identified the prospective channels of information leakage

Page 37: Data Leakage Presentation E Crime Congress091209 Final Pdf

ADX – How we approached

Went through a process of selecting the DLP solution

Analyzed the business needs and how the DLP solution can be integrated with Operations

C-level buy in and support

Developed proposed policies and discussed with the information owners and got their buy in.

Customized based on operational requirements

Tested the policies

Implement it across with management inputs and requirements

Page 38: Data Leakage Presentation E Crime Congress091209 Final Pdf

DLP – Ongoing Process

Information Leakage Prevention – is an ongoing process and a huge learning curve exists.

Recommended to be in Monitoring mode for 6 months before applying any blocking feature, unless you are totally sure.

Page 39: Data Leakage Presentation E Crime Congress091209 Final Pdf

Summary

Information Leakage is a serious concern to organizations and individuals

Approach has to be holistic addressing through People, Process and Technology

DLP technology addresses data in motion, at rest and in use.

Page 40: Data Leakage Presentation E Crime Congress091209 Final Pdf

Summary

Classification Policy, Information about Data and Data Source, Classify those, Select DLP Solution, Develop Policies and Test, Apply, Monitor, Fine Tune, Awareness

Action – Log, Alert, Justify, Block etc.

Resistance, Org Culture, Performance, huge amount of known/unknown data etc are some of the obstacles.

Start with light weight policies and gradually tighten it once the awareness and adaptability is achieved

Information Leakage Prevention is an ongoing process

Page 41: Data Leakage Presentation E Crime Congress091209 Final Pdf

Thank You!

Illyas Kooliyankal

[email protected]

IT Security Officer

Abu Dhabi Securities Exchange

Contacts: 0504442878/026128994

Any Questions ?

