
Data Loss Prevention Overview Jeff Silver, CISSP Delaware DLP Technical Specialist.

Date post: 15-Jan-2016
Transcript
Page 1: Data Loss Prevention Overview

Jeff Silver, CISSP

Delaware

DLP Technical Specialist

Page 2: AGENDA

I. Introduction

II. ‘Why’ Data Loss Prevention

III. DLP Architecture and Fundamentals

IV. Examples of DLP Violations

V. Questions and Discussion

Page 3: What Makes A Business Consider DLP?

Many customers worry about data extraction and leakage:

• Reputation Damage/Strategic Loss

• Compliance Fines

• Litigation and financial loss

Page 4: What Makes A Business Worry about DLP?

The Legal Department informs the Network Security Team that a DLP deployment might violate International Privacy Laws in Europe.

The Human Resources Department does not feel comfortable installing DLP Agents onto employee PCs, as active monitoring of every user action is generally frowned upon.

Page 5: Legal Considerations for DLP

A PC ‘barker’ message that comes up for every login session. This message must contain the proper legal verbiage to clearly remove the employee’s ‘right’ to any privacy on company-owned equipment.

Employee action to click on this message, stating that they have read and understand this corporate policy.

Employees must sign an employee handbook. For certain industries, annual confirmation is required [i.e. Healthcare]. This handbook should clearly lay out in solid legal terms that the company has the right to monitor all user actions while they are using or accessing corporate resources.

Online mandatory training regarding protection of corporate intellectual property and other sensitive data [in relation to regulations the company must adhere to] is an added value.

Clearly written ‘Standard Operating Procedures’ on corporate policy that lay out not just what the company can and will do to the employee, but also what the interaction with Law Enforcement is, if intervention is needed.

Page 6: Legal Considerations for DLP: BYOD

Should the employer issue mobile devices or let employees use their own for corporate use?

Compartmenting work spaces with ‘Containers’.

Corporate applications that can be accessed from personal devices, for example Outlook Web Application. How do you monitor this vector of data loss, which can happen right from the employee’s living room?

Has the organization formalized a clear plan of action for what to do if sensitive data has been moved onto an active employee’s personal device?

Has the organization factored in the State and Federal Privacy Laws that apply to its business and employees?

If the organization is international in nature, is the network infrastructure segmented so that security tools can be implemented in a way that does not violate stricter overseas privacy laws [for example, Germany and France]? Defense in depth to cover this vector.

Page 7: Compliance and Regulations

PCI DSS, HIPAA, Internal Policy, GLBA, HSPD 12, CSB 1386, Country Privacy Laws, SOX, EU CDR, UK RIPA, FISMA, COCOM, Data Security Act, FACTA, EU Data Privacy, FFIEC, BASEL II, J-SOX, IRS 97-22, NERC, NISPOM, Partner Rules, ACSI 33, NIST 800, State Privacy Laws

Page 8: The ‘community’ of attackers

Nation state actors

PII, government, defense industrial base, IP rich organizations

Criminals

Unaware/Petty criminals

Organized crime

Organized, sophisticated supply chains (PII, financial services, retail)

Unsophisticated

Non-state actors

Cyber Terrorists

Anti-establishment vigilantes

“Hacktivists”

Targets of opportunity

PII, Government, critical infrastructure

Page 9: DLP ARCHITECTURE

Page 10: Data Loss Prevention Components

DLP Enterprise Manager

• Unified Policy Mgmt & Enforcement

• Incident Workflow

• Dashboard & Reporting

• User & System Administration

DLP Datacenter

• Discover: File shares, SharePoint sites, Databases, SAN/NAS

• Remediate: Quarantine, Move to secure location, Delete, or Shred

DLP Network

• Monitor: Email, webmail, IM/Chat, FTP, HTTP/S, Telnet, etc.

• Enforce: Allow, Notify, Block, Encrypt

DLP Endpoint

• Monitor: Hard Drives, USB, External Devices, Print Actions, burn to CD/DVD, etc.

• Enforce: Allow, Justify, Block on Copy, Save As, Print, USB, Burn, etc.

Electronic Data Rights Management

Encryption

Access Controls

Page 11: DLP Management

Single policy and administration interface for all DLP components

• Network

• Datacenter

• Endpoint

Consolidated workflow and remediation

Custom incident search engine

Active Directory integration [key for reports]

Role-based permissions and report access

Page 12: Reducing Your Sources of Risk: Data at Rest

File shares, Servers, Laptops

• Windows file shares

• Unix file shares

• NAS / SAN storage

• Windows 2003, 2008

• Windows XP, 7

Databases & Repositories

• SharePoint

• Microsoft Access

• Oracle, SQL

• Content Mgmt systems

Remediation

• Delete

• Move

• Quarantine

• Notifications

300+ True File types

• Microsoft Office Files

• PDFs

• PST files

• Zip files

Discover, Analyze, Remediate

Rescan sources to measure and manage risk

Page 13: Grid Worker Automation Drives Performance

Automatic Load Balancing

Grid Workers work together, intelligently balancing the scan load. They can be modified on the fly as well.

Grid Workers can be dedicated servers, or even existing servers and PCs in the environment. The grid worker service can be made permanent or temporary, based on the needs of the business.

Page 14: DLP Datacenter and Endpoint: Agent Details

Agent Software Uses

• Site Coordinator Software

• Scanning Agent: Permanent or Temporary (Dissolvable)

• Grid Worker Agent

• Endpoint Enforcement Agent (policy-enabled)

Agent Software Deployment Options

• Manual installation

• RSA DLP Enterprise Manager push installation

• SMS or other configuration management tool

Temporary scan agent

Permanent scan agent

Page 15: 8 Best Practices for Enterprise Data Protection

Know where your sensitive data resides

What level of sensitivity is it

How many copies exist

Who has access to it

Is it dormant

Set appropriate controls based on policy, risk and location of data

Manage centrally

Audit consistently

Sensitive Information

Endpoint, Network, Applications, FS/DB, Storage

Security Incidents

Policy

Page 16: REAL WORLD ‘DATA CENTER’ INCIDENTS

Page 17: Tightening Up Loose Ends

Page 18: Tightening Up Loose Ends [Part 2]

Page 19: Tightening Up Loose Ends [Part 3]

Page 20: PST Files and User Backup Data Issues

Page 21: Executive Level Sensitive Information

Page 22: Executive Level Sensitive Information

Page 23: REAL WORLD ‘NETWORK’ INCIDENTS

Page 24: Protecting Data In The Network: Data in Motion

Email

• SMTP email

• Exchange, Lotus, etc.

• Webmail

• Text and attachments

Web Traffic

• FTP

• HTTP

• HTTPS

• TCP/IP

Instant Messages

• Yahoo IM

• MSN Messenger

• AOL Messenger

• Google Talk/Chat

Remediation

• Audit

• Block

• Encrypt

• Log

Monitor, Analyze, Enforce

Page 25: Sending Work Home: In the ‘Wild’

This employee sent work home, and it contained a lot of SSNs.

Page 26: Medical Information to Russia [with love]

Page 27: Protecting Data In The Endpoint: Data in Use

Print

• Local printers

• Network printers

Copy and Save As

• Copy to Network shares

• Copy to external drives

• Save As to external drives

USB

• External hard drives

• Memory sticks

• iPods, portable discs

Actions & Controls

• Justify

• Notify

• Block

• Audit & Log

Monitor, Analyze, Enforce

Page 28: UNDER THE ‘DLP’ HOOD

Page 29: DLP Classification Methodology

Content Analysis

Described Content Analysis

Fingerprinted Analysis

Page 30: DLP Classification Methodology

Built-in Expert Policy Templates

• Policies ‘out of the box’

• National & International Regulations

• Includes PCI, PII, HIPAA, GLBA, etc.

• Industry specific templates

Page 31: DLP Classification Methodology

Described Content Analysis

• Keywords, Phrases, RegEx, Dictionaries

• Special patterns - Entities

• Proximity analysis

• Positive and negative rules

• Weighting

Page 32: DLP Classification Methodology

Fingerprinted Analysis

• Register known sensitive data

• Applicable for any binary/digital file

• Intellectual property protection

• Automated fingerprinting

Page 33: DLP Classification Methodology

Identity Analysis

• Understand “who” and “where”

• Insight into organization and hierarchy

• Real-time data from Active Directory

Page 34: DLP Classification Methodology

• Every Document and/or Transmission is analyzed

• Risk Factor assigned

• Appropriate Remediation Applied
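
An added sketch, not taken from the slides or from any DLP product, of the 'Described Content Analysis' and risk-factor steps above: regex patterns, entity validation, proximity to positive and negative keywords, and weighting yield a score that maps to an enforcement action. The patterns, weights, thresholds and sample messages are constructed assumptions.

```python
import re

# Constructed patterns, weights and thresholds (assumptions, not vendor values).
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")
POSITIVE = re.compile(r"\b(ssn|social security|card number|cvv)\b", re.I)
NEGATIVE = re.compile(r"\b(test data|sample|dummy)\b", re.I)
PROXIMITY = 40  # characters searched on each side of a match

def luhn_ok(digits):
    """Entity check: card numbers must pass the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def ssn_ok(area, group, serial):
    """Entity check: reject number ranges that are never issued as SSNs."""
    return (area not in ("000", "666") and area < "900"
            and group != "00" and serial != "0000")

def risk_score(text):
    """Sum per-match weights: base 3, +4 near a positive term, -5 near a negative."""
    hits = [m for m in SSN_RE.finditer(text) if ssn_ok(*m.groups())]
    hits += [m for m in CARD_RE.finditer(text)
             if luhn_ok(re.sub(r"\D", "", m.group()))]
    score = 0
    for m in hits:
        window = text[max(0, m.start() - PROXIMITY):m.end() + PROXIMITY]
        weight = 3
        weight += 4 if POSITIVE.search(window) else 0
        weight -= 5 if NEGATIVE.search(window) else 0
        score += max(weight, 0)
    return score

def action_for(score):
    """Map the risk factor to an enforcement action named on the slides."""
    for floor, action in ((14, "block"), (7, "notify"), (1, "audit")):
        if score >= floor:
            return action
    return "allow"

# Constructed sample messages.
SAMPLES = {
    "payroll": "Payroll export. SSN 123-45-6789 for J. Doe; SSN 234-56-7890 for A. Roe.",
    "qa": "Test data for QA: card number 4111 1111 1111 1111",
    "noise": "Order 1234 5678 9012 3456 and ticket 000-12-3456",
}
```

The "qa" sample shows a negative rule pulling a valid card number down to audit-only, and the "noise" sample shows entity validation discarding digit strings that merely look like identifiers.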

Page 35: DLP Considerations

Accuracy: Highest levels of accuracy in identifying and discovering sensitive data

• Advanced contextual analysis using proximity, weighting, and conditions

• 3rd Party validated

• Expert Analysis Engineering and Library Teams on the back end of the DLP Solution

Scalability: Scales to hundreds of terabytes of data, thousands of laptops/desktops across geographically distributed areas

• Grid processing for Datacenter discovery

• Temporary and permanent agents for Endpoint discovery

Ease of Use: Centralized policy management across Datacenter, Network, Endpoint with:

• Many out-of-the-box policy templates for both U.S. and international markets

• An intuitive, user-friendly dashboard-based interface
