Date post: | 15-Jan-2016 |
Data Loss Prevention Overview
Jeff Silver, CISSP
Delaware
DLP Technical Specialist
AGENDA:
I. Introduction
II. ‘Why’ Data Loss Prevention
III. DLP Architecture and Fundamentals
IV. Examples of DLP Violations
V. Questions and Discussion
What Makes A Business Consider DLP?
Many customers worry about data extraction and leakage:
• Reputation Damage/Strategic Loss
• Compliance Fines
• Litigation and financial loss
What Makes A Business Worry about DLP?
The Legal Department informs the Network Security Team that a DLP deployment might violate International Privacy Laws in Europe.
The Human Resources Department does not feel comfortable installing DLP Agents onto employee PCs, as active monitoring of every user action is generally frowned upon.
Legal Considerations for DLP
PC ‘Barker’ message that comes up for every login session. This message must contain the proper legal ‘verbiage’ to clearly remove the employees’ ‘right’ to any privacy on company-owned equipment.
Employee action to click on this message, stating they have read and understand this corporate policy.
Employees must sign an employee handbook. For certain industries, annual confirmation is required [i.e. Healthcare]. This handbook should clearly lay out in solid legal terms that the company has the right to monitor all user actions while they are using or accessing corporate resources.
On-line mandatory training regarding protection of corporate intellectual property and other sensitive data [in relation to regulations the company must adhere to] is an added value.
Clearly written ‘Standard Operating Procedures’ on corporate policy that lay out not just what the company can and will do to the employee, but what the interaction is with Law Enforcement, if intervention is needed.
Legal Considerations for DLP--- BYOD
Should the employer issue mobile devices or let employees use their own for corporate use?
Compartmenting work spaces with ‘Containers’.
Corporate applications that can be accessed from personal devices, for example Outlook Web Application. How do you monitor this vector of data loss, which can happen right from the employee’s living room?
Has the organization formalized a clear plan of action for what to do if sensitive data has been moved onto an active employee’s personal device?
Has the organization factored in State and Federal Privacy Laws that apply to its business and employees?
If the organization is International in nature, is the network infrastructure segmented so that security tools can be implemented in a way that does not violate stricter overseas privacy laws [for example, Germany and France]? Defense in depth to cover this vector.
Compliance and Regulations
PCI DSS, HIPAA, GLBA, HSPD 12, CSB 1386, SOX, EU CDR, UK RIPA, FISMA, COCOM, Data Security Act, FACTA, EU Data Privacy, FFIEC, BASEL II, J-SOX, IRS 97-22, NERC, NISPOM, ACSI 33, NIST 800
Internal Policy, Country Privacy Laws, Partner Rules, State Privacy Laws
The “community” of attackers
Nation state actors: PII, government, defense industrial base, IP rich organizations
Criminals:
• Unaware/Petty criminals
• Organized crime: organized, sophisticated supply chains (PII, financial services, retail)
• Unsophisticated
Non-state actors: Cyber Terrorists, Anti-establishment vigilantes, “Hacktivists”
• Targets of opportunity: PII, Government, critical infrastructure
DLP ARCHITECTURE
Enforce: Allow, Notify, Block, Encrypt
Enforce: Allow, Justify, Block on Copy, Save As, Print, USB, Burn, etc.
Remediate: Quarantine, Move to secure location, Delete, or Shred
Monitor: Hard Drives, USB, External Devices, Print Actions, burn to CD/DVD, etc.
Monitor: Email, webmail, IM/Chat, FTP, HTTP/S, Telnet, etc.
Discover: File shares, SharePoint sites, Databases, SAN/NAS
Data Loss Prevention Components
DLP Enterprise Manager:
• Unified Policy Mgmt & Enforcement
• Incident Workflow
• Dashboard & Reporting
• User & System Administration
DLP Datacenter, DLP Network, DLP Endpoint
Electronic Data Rights Management, Encryption, Access Controls
DLP Management
Single policy and administration interface for all DLP components
• Network
• Datacenter
• Endpoint
Consolidated workflow and remediation
Custom incident search engine
Active Directory integration [key for reports]
Role-based permissions and report access
Reducing Your Sources of Risk: Data at Rest
File shares, Servers, Laptops:
• Windows file shares
• Unix file shares
• NAS / SAN storage
• Windows 2003, 2008
• Windows XP, 7
Databases & Repositories:
• SharePoint
• Microsoft Access
• Oracle, SQL
• Content Mgmt systems
300+ True File types:
• Microsoft Office Files
• PDFs
• PST files
• Zip files
Remediation:
• Delete
• Move
• Quarantine
• Notifications
Discover, Analyze, Remediate: rescan sources to measure and manage risk
Grid Worker Automation Drives Performance
Automatic Load Balancing
Grid Workers work together, intelligently balancing the scan load. They can be modified on the fly as well.
Grid Workers can be dedicated servers, or even existing servers and PCs in the environment. The grid worker service can be made permanent or temporary, based on the needs of the business.
DLP Datacenter and Endpoint: Agent Details
Agent Software Uses
• Site Coordinator Software
• Scanning Agent: Permanent, or Temporary (Dissolvable)
• Grid Worker Agent
• Endpoint Enforcement Agent (policy-enabled)
Agent Software Deployment Options
• Manual installation
• RSA DLP Enterprise Manager push installation
• SMS or other configuration management tool
[Diagram: temporary scan agent vs. permanent scan agent]
8 Best Practices for Enterprise Data Protection
Know where your sensitive data resides
What level of sensitivity is it
How many copies exist
Who has access to it
Is it dormant
Set appropriate controls based on policy, risk and location of data
Manage centrally
Audit consistently
[Diagram: Sensitive Information across Endpoint, Network, Applications, FS/DB Storage; Security Incidents; Policy]
REAL WORLD ‘DATA CENTER’ INCIDENTS
Tightening Up Loose Ends
Tightening Up Loose Ends [Part 2]
Tightening Up Loose Ends [Part 3]
PST Files and User Backup Data Issues
Executive Level Sensitive Information
REAL WORLD ‘NETWORK’ INCIDENTS
Protecting Data In The Network: Data in Motion
Email:
• SMTP email
• Exchange, Lotus, etc.
• Webmail
• Text and attachments
Web Traffic:
• FTP
• HTTP
• HTTPS
• TCP/IP
Instant Messages:
• Yahoo IM
• MSN Messenger
• AOL Messenger
• Google Talk/Chat
Remediation:
• Audit
• Block
• Encrypt
• Log
Monitor, Analyze, Enforce
Sending Work Home---In the ‘Wild’
This employee sent work home, and it contained a lot of SSNs.
Medical Information to Russia [with love]
Protecting Data In The Endpoint: Data in Use
Print:
• Local printers
• Network printers
Copy and Save As:
• Copy to Network shares
• Copy to external drives
• Save As to external drives
USB:
• External hard drives
• Memory sticks
• i-Pods, portable discs
Actions & Controls:
• Justify
• Notify
• Block
• Audit & Log
Monitor, Analyze, Enforce
UNDER THE ‘DLP’ HOOD
DLP Classification Methodology
Content Analysis
• Described Content Analysis
• Fingerprinted Analysis
DLP Classification Methodology
Built-in Expert Policy Templates
• Policies ‘out of the box’
• National & International Regulations
• Includes PCI, PII, HIPAA, GLBA, etc.
• Industry specific templates
DLP Classification Methodology
Described Content Analysis
• Keywords, Phrases, RegEx, Dictionaries
• Special patterns - Entities
• Proximity analysis
• Positive and negative rules
• Weighting
DLP Classification Methodology
Fingerprinted Analysis
• Register known sensitive data
• Applicable for any binary/digital file
• Intellectual property protection
• Automated fingerprinting
DLP Classification Methodology
Identity Analysis
• Understand “who” and “where”
• Insight into organization and hierarchy
• Real-time data from Active Directory
DLP Classification Methodology
• Every Document and/or Transmission is analyzed
• Risk Factor assigned
• Appropriate Remediation Applied
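To make the described-content and fingerprinted analysis on these slides concrete, here is a small Python model (an added example, not code from the presentation or from RSA DLP): a regex hit for an SSN is validated as an entity, weighted by positive and negative keywords within a proximity window, a registered document is matched by its hash, and the resulting score is mapped to a risk factor and a remediation action. The keywords, window, weights and thresholds are constructed assumptions.

```python
import hashlib
import re

# Described content analysis: an SSN "entity" is a regex hit that also passes
# structural checks (area not 000/666/9xx, group not 00, serial not 0000).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
POSITIVE = ("ssn", "social security")  # nearby words that raise confidence (constructed)
NEGATIVE = ("sample", "test data")     # nearby words that lower it (constructed)
WINDOW = 40                            # proximity window in characters (assumed)

def described_score(text: str) -> int:
    """Weighted score: each validated SSN counts 1, +2 with positive context, -1 with negative."""
    score = 0
    low = text.lower()
    for m in SSN_RE.finditer(text):
        ctx = low[max(0, m.start() - WINDOW): m.end() + WINDOW]
        weight = 1
        if any(k in ctx for k in POSITIVE):
            weight += 2
        if any(k in ctx for k in NEGATIVE):
            weight -= 1
        score += weight
    return score

def fingerprint(data: bytes) -> str:
    """Fingerprinted analysis: hash registered content (any binary file); exact copies only."""
    return hashlib.sha256(data).hexdigest()

def classify(text: str, registered: set) -> tuple:
    """Assign a risk factor from both analyses and map it to a remediation action."""
    score = described_score(text)
    if fingerprint(text.encode()) in registered:
        score += 10  # an exact copy of a registered document is always high risk
    if score >= 5:
        return "High", "Block"
    if score >= 2:
        return "Medium", "Encrypt"
    if score >= 1:
        return "Low", "Notify"
    return "None", "Allow"

if __name__ == "__main__":
    # Constructed sample messages and one constructed registered document.
    registered = {fingerprint(b"Q3 merger plan (constructed)")}
    for msg in ("Employee SSN: 078-05-1120 attached",
                "Order 123-45-6789 sample test data",
                "Q3 merger plan (constructed)"):
        print(msg, "->", classify(msg, registered))
```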
DLP Considerations
Accuracy: Highest levels of accuracy in identifying and discovering sensitive data
• Advanced contextual analysis using proximity, weighting, and conditions
• 3rd Party validated
• Expert Analysis Engineering and Library Teams on the back end of the DLP Solution
Scalability: Scales to hundreds of terabytes of data, thousands of laptops/desktops across geographically distributed areas
• Grid processing for Datacenter discovery
• Temporary and permanent agents for Endpoint discovery
Ease of Use: Centralized policy management across Datacenter, Network, Endpoint with:
• Many out-of-the-box policy templates for both U.S. and international markets
• An intuitive, user-friendly dashboard-based interface