Data Leakage PreventionSigal Russin, CISO

Senior Analyst at STKI

sigalr@stki.info

Sigal Russin’s work/ Copyright@2014Do not remove source or attribution from any slide, graph or portion of graph

What are you getting:

2

1 2 3 4

5 6

Sigal Russin’s work/ Copyright@2014Do not remove source or attribution from any slide, graph or portion of graph

Symantec DLP News

3

Sigal Russin’s work/ Copyright@2014Do not remove source or attribution from any slide, graph or portion of graph

It’s about People

4

Sigal Russin’s work/ Copyright@2014Do not remove source or attribution from any slide, graph or portion of graph

Customers need more than a technology solution

5

Source: http://www.slideshare.net/ArrowECSMarketing/data-loss-prevention-from-symantec

Sigal Russin’s work/ Copyright@2014Do not remove source or attribution from any slide, graph or portion of graph

Variety of Misuse Actions

6

Sigal Russin’s work/ Copyright@2014Do not remove source or attribution from any slide, graph or portion of graph

What is DLP?• DLP means different things to different people

* Data Loss Prevention

* Data Leakage Prevention

* Data Loss Protection

• DLP is always about protecting organization sensitive information.

• DLP technology is content aware

referred to as deep packet inspection, analyzes the payload

contained within a file or session.

• DLP references data in one of three states

* Data in motion

* Data at rest

* Data in use7

Source: http://www.slideshare.net/technetbelux/data-leakage-prevention-22804526

Sigal Russin’s work/ Copyright@2014Do not remove source or attribution from any slide, graph or portion of graph

Defense In Depth: Encryption + DLP

8

Sigal Russin’s work/ Copyright@2014Do not remove source or attribution from any slide, graph or portion of graph

Sensitive organization dataLack of familiarity with the types of information

that exist in organizations and processes related to use.

• What is confidential information?

• Where is it stored?

• What are the channels through which

information may leak ?

• What actions will be taken if and

when the event occurs leaked

confidential information?

9

Source: http://searchsecurity.techtarget.com/feature/IT-Security-Trends-2013-Mobile-security-concerns-tops-the-list

Sigal Russin’s work/ Copyright@2014Do not remove source or attribution from any slide, graph or portion of graph

Round table Insights 2010

10

This project includes: Legal dep. , IT, HR.

50% organization culture, 50%

technology tools.

Data classification should include all

Department managers and management.

You can not get 100% coverage of Data

Leakage, even with three systems.

Not all organizations covering the issue of data leakage from all

views.

Sigal Russin’s work/ Copyright@2014Do not remove source or attribution from any slide, graph or portion of graph

DLP ProjectI. Analysis of the business environment and existing threats

(internal / external ).

II. Data classification - Definition of Confidential Information / sensitive and classified according to the level of sensitivity. For example, Financial info, medical info, customers info etc.

III. Identification and mapping of confidential / sensitive data storage. For example: USB drives, Data Bases, file servers, mobile, PC etc.

11

Sigal Russin’s work/ Copyright@2014Do not remove source or attribution from any slide, graph or portion of graph

DLP ProjectV. Mapping and analysis of business processes and information

lifecycle organization: create data, distribution data (email), backup, update a file server etc.

VI. Mapping and assessment of potential leakage channels. For example: Interfaces and external web links, third-party authors or temporary workers, faxes and printers etc.

VII. Characterization requirements- product selection and implementation, including compliance and design policies, procedures, processes Reply and complementary measures.

12

Sigal Russin’s work/ Copyright@2014Do not remove source or attribution from any slide, graph or portion of graph

13

Sigal Russin’s work/ Copyright@2014Do not remove source or attribution from any slide, graph or portion of graph

Recommendations

14

Work Procedures and Guidelines

Processing of events - depending on organization nature and information security team.capabilities

Responsibilities and new roles

Life cycle processes of organization information- Determining the classification tags each document creation stage.

Audit logging and connection to SIEM systems

Lifelong learning and improving the quality of monitoring depending on the events and the number of false alarms produced by the system.

Sigal Russin’s work/ Copyright@2014Do not remove source or attribution from any slide, graph or portion of graph

Thank You!

Sigalr@stki.info