Date posted: 13-Aug-2015
www.lumension.com
© Copyright 2008 - Lumension Security
iPods, CD/DVD, USB, etc.: How to Protect From the Dangers Within
Speakers: Matt Mosher, Lumension; John Dasher, PGP Corporation
How much would you pay for this USB stick?
Some would pay
would!
The Shifting Endpoint
What has changed in today's market to make a USB stick so valuable to some and potentially such a great risk to others?
The Value of Data Has Been Recognized and Targeted
Financial Records
• Social security numbers
• Credit card numbers
• Bank account numbers
• Brokerage account numbers
• Mortgage account
Personal Identification
• Driver's license
• Account passwords
• Passport
• Date of birth
Medical Records
• Patient medical history
• Health insurance information
Government Classified Information
• Military intelligence
• Nuclear secrets
• Homeland security
• Infrastructure data
• Counter-terrorism
• Immigration data
Corporate IP
• Customer lists
• Product roadmap and R&D
• Marketing strategies
• Company financials
• Trade secrets
• Patents
• Trademarks and copyrights
• Designs and architectures
The Borderless Enterprise
Remote users and mobile technology. Data has moved beyond the enterprise firewall: laptops, home offices, USB sticks, WiFi, VPN and more…
New Technology - New Sources of Risk
Ease of connectivity = risk increases
Increased storage capacity = risk increases
Evolution of Removable Media
• Removable media stores more at lower cost than ever before and fits in your pocket
• Plug and Play offers seamless support for removable media
• Removable media is significant to daily business operations
• Professional and personal use of removable media has merged
[Chart: physical size, storage size and price per MB of removable media over time]
Increasing Internal Risk
Insiders have direct access to your most sensitive data. 70% of all serious incidents are sparked by insiders (IDC, Worldwide Security Products and Services 2007 Top 10 Predictions).
• Lost laptops & devices
• Disgruntled employees
• P2P file sharing software
What Threat Does an Insider Pose?
John's iPod might hold 80 GB of his favorite music and videos, or it might contain:
• software he brought from home to install
• malicious software, such as malware, spyware, crimeware
• a virus or Trojan
When John leaves at night it might hold:
• your customer database
• financial data
• intellectual property
53% of organizations would NEVER know what data was on a lost USB device (1)
Source: 1 – Ponemon Institute, 2006 Cost of Data Breach Study
External Threats Use Mobile Technology
Data is not just going out on mobile devices; malware is coming in on mobile devices.
A new form of social engineering: leaving USB drives loaded with malware in the parking lots of targeted companies, for employees to find and plug in.
Malware in the Supply Chain
What do these removable devices all have in common? All came pre-installed with viruses capable of stealing passwords and opening doors for hackers.
Data Leakage Costs On the Rise
Data breaches remain the leading cause of financial losses (1)
Data breach costs continue to increase (2)
Sources: 1 – 2006 CSI/FBI Computer Crime and Security Survey; 2 – Ponemon Institute, 2007 Cost of Data Breach Study
Data Leakage Can Amount to Lost Business
Lost business accounts for 65% of data breach costs
Source: Ponemon Institute, 2007 Cost of Data Breach Study
Who Are the Victims and How Often?
Corporations
• 75% of Fortune 1000 companies fell victim to data leakage (1)
• 68% experience six losses of sensitive data annually (2)
• 20% suffer from 22 or more sensitive data losses per year (2)
Recent examples of individuals include:
• Consumers - Fidelity National Information Services Inc. (2.3 million)
• US military veterans (26 million)
• Patients - Stockport Primary Care Trust patients (4,000)
• Students - Georgetown University students (38,000)
More than 217 million records exposed in 2007 (3)
Sources: 1 – 2006 CSI/FBI Computer Crime and Security Survey; 2 – IT Policy Compliance, Taking Action to Protect Sensitive Data, Benchmark Research Report, February 2007; 3 – Privacy Rights Clearinghouse, http://www.privacyrights.org/ar/ChronDataBreaches.htm
Removable Media Has Legitimate Business Use
Every device isn't there to harm you. John might need a...
• USB drive
  • to easily move large files
  • to take work on the road with him
  • to carry a "toolkit" with him to support other users
  • as backup data
• iPod
  • to watch video training
  • to listen to a company podcast
  • to listen to a class he is taking
Rethink Your Policies
Organizations need to ask themselves: "Do we need to allow access to these devices?"
If yes:
• Who should have access - everyone, specific groups or users?
• What devices should be allowed - USB drives, MP3 players, etc.?
• When should access be allowed - 24/7, Mon. - Fri., 9 to 5?
• Where should they be used - every machine or specific machines?
• How should they be used - read-only or read/write permission?
If not, how are you going to deny access to the devices?
Policy Enforcement
How would you control these devices?
• Order machines without USB ports
• Physically block the USB ports
• Disable the USB ports in the BIOS
• Disable USB storage in the registry
• Ban portable storage devices
• Use a software-based tool to control access
• Do nothing
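The "registry" option above is worth a closer look, because it does less than it sounds like. The following is an added example, not Lumension code, and not something the deck shows. It generates a .reg file for the two documented Windows controls, the USBSTOR service Start value and the RemovableStorageDevices policy keys (the device setup class GUIDs are the standard Windows ones), and checks a host's exported settings for weak values. `CURRENT_STATE` is constructed sample data. The caveat the slide leaves out is in the docstring: neither setting disables the USB port itself, other USB device classes (keyboards, network adapters) still enumerate, and a local administrator can revert the values, which is why the deck moves on to a software enforcement agent.

```python
"""Registry-based removable-storage lockdown for Windows, with a check of a
host's current settings. Added example, not Lumension code. Key paths and
value names are the documented Windows ones; CURRENT_STATE is constructed
sample data standing in for a registry export.
Caveat: this blocks the USB mass-storage driver or removable-disk access; it
does not disable the USB port. Keyboards, network adapters and other USB
classes still enumerate, and a local administrator can revert these values."""

USBSTOR = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR"
RSD = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices"
# Device setup class GUIDs used as subkeys under RemovableStorageDevices
CLASSES = {
    "Removable Disks": "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",
    "CD and DVD": "{53f56308-b6bf-11d0-94f2-00a0c91efb8b}",
}

def lockdown_reg(read_only=True):
    """Return .reg file text. read_only=True keeps the deck's read-only mode
    (Deny_Write and Deny_Execute per class, reads still work);
    read_only=False sets USBSTOR Start=4 so the mass-storage driver never loads."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    if read_only:
        for guid in CLASSES.values():
            lines += [f"[{RSD}\\{guid}]",
                      '"Deny_Write"=dword:00000001',
                      '"Deny_Execute"=dword:00000001', ""]
    else:
        lines += [f"[{USBSTOR}]", '"Start"=dword:00000004', ""]
    return "\r\n".join(lines)

def assess(state):
    """state maps (key_path, value_name) -> DWORD, as exported from a host.
    Returns the weak settings found; an empty list means fully locked down."""
    findings = []
    if state.get((USBSTOR, "Start"), 3) != 4:  # 3 = load on demand (default)
        findings.append("USBSTOR: mass-storage driver enabled (Start != 4)")
    checks = (("Deny_Write", "writes allowed"),
              ("Deny_Execute", "execution from media allowed"))
    for name, guid in CLASSES.items():
        for value, text in checks:
            if state.get((f"{RSD}\\{guid}", value), 0) != 1:
                findings.append(f"{name}: {text} ({value} not set)")
    return findings

# Constructed sample: a default Windows install with nothing locked down
CURRENT_STATE = {(USBSTOR, "Start"): 3}

if __name__ == "__main__":
    for finding in assess(CURRENT_STATE):
        print("WEAK:", finding)
    print(lockdown_reg(read_only=True))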
Four Steps to Reduce Risk
1. Discovery: know what applications and devices are in use on endpoints
2. Policy establishment: develop company-wide, group and/or user-specific policies that reduce or eliminate endpoint security issues
3. Policy enforcement: enforce and administer endpoint security policies, with the flexibility to seamlessly make policy changes as appropriate, reducing the need for end-user involvement
4. Policy monitoring and compliance reporting: understand the effectiveness of endpoint policies and know when they have been violated
Strategic Approach to Data Protection
Lumension Device Control + PGP Disk and File Encryption + Data Intelligence / DLP = complete data security solution
Best-of-breed technologies to create a total solution:
• PGP Whole Disk Encryption: FIPS 140-2 validated encryption of data on removable media; comprehensive data-at-rest policy enforcement
• Data Intelligence / DLP: in-line analysis of data transferred over the network; integration with Sanctuary Device Control provides a deeper level of policy enforcement for removable media
Lumension's Sanctuary Device Control
• Automates discovery of peripheral devices
• Provides granular device control permission settings
• Offers flexible encryption options
• Enforces removable device use policies
• Delivers detailed audit capabilities
  • Patented bi-directional "shadowing" of data written to / read from a device
  • All device access attempts
  • All administrator actions
Removable Device Discovery
• System service scans the network at pre-defined intervals for unknown devices
• Works clientless
• Intuitive user interface
• Creates template-based HTML reports
• XML export interface
Granular Device Control Permission Settings
• Read / Write
• Scheduled access
  • From 08:00h to 18:00h, Monday to Friday
• Temporary access
  • For the next 15 minutes; starting next Monday, for 2 days
• Out-of-band permissions
  • Assign permissions when not connected to the network; all device classes supported
• Online / Offline
• Quota management
  • Limit copied data to 100 MB / day
• Encryption enforcement
  • Device is accessible only if encrypted (decentralized encryption), with a password recovery option
• File type filtering
  • Limit access to specific file types
Flexible Encryption Options
Removable media encryption: assign any removable media to any user and then encrypt the media. The encrypted device is accessible only by the user who owns the access rights on the removable media.
• AES 256 = market standard
• Fast and transparent within the network
• Strong password enforcement for usage outside the corporate network
Detailed Audit Capabilities
User actions logging
• Read denied / write denied
• Device entered / medium inserted
• Open API for 3rd-party reporting tools
Shadowing of all copied data
• Level 1: records the file name and attributes of copied data
• Level 2: captures and retains a full copy of data written to an external device or read from such a device
Administrator auditing
• Keeps track of all policy changes made by SDC admins
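The who / what / when / where / how questions from "Rethink Your Policies", the granular permission settings (scheduled access, read-only vs. read/write, quota, file type filtering, encryption enforcement) and the Level-1 shadow log above all describe one decision function applied to each device access. The following is an added illustration of that decision function, not Lumension Sanctuary Device Control code; the rules, users, hosts, devices and events are constructed sample data, and names such as `PolicyEngine` and `run_demo` are this example's own. It is default-deny (an access that matches no rule is refused), only allowed writes are charged against the daily quota, and every decision, allowed or denied, lands in the audit list with the file name, size and reason, which is exactly what a Level-1 shadow record carries.

```python
"""Removable-media policy engine built around the deck's who / what / when /
where / how questions, plus quota, file-type filtering and Level-1 shadowing.
Added illustration, not Lumension Sanctuary Device Control code; every user,
host, device and event below is constructed sample data."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

MB = 1024 * 1024

@dataclass(frozen=True)
class Device:
    dev_class: str           # "usb_storage", "mp3_player", "cdrom", ...
    serial: str
    encrypted: bool = False  # carries an approved encrypted container

@dataclass
class Rule:
    groups: set                        # who
    classes: set                       # what: device classes
    hosts: Optional[set] = None        # where: None = every machine
    days: set = field(default_factory=lambda: {0, 1, 2, 3, 4})  # when: Mon-Fri
    hours: tuple = (8, 18)             # when: 08:00h to 18:00h
    mode: str = "ro"                   # how: "ro" or "rw"
    quota_mb: Optional[int] = None     # daily write quota
    allowed_ext: Optional[set] = None  # file type filtering
    require_encryption: bool = False   # encryption enforcement

@dataclass
class Event:
    user: str
    groups: set
    host: str
    device: Device
    op: str      # "read" or "write"
    path: str
    size: int    # bytes
    when: datetime

class PolicyEngine:
    def __init__(self, rules):
        self.rules = rules
        self.written = {}  # (user, date) -> bytes written that day
        self.audit = []    # user-action log carrying Level-1 shadow data

    def decide(self, ev):
        # First rule whose who / what / where matches decides; otherwise default deny.
        rule = next((r for r in self.rules
                     if r.groups & ev.groups
                     and ev.device.dev_class in r.classes
                     and (r.hosts is None or ev.host in r.hosts)), None)
        ok, reason = self._check(rule, ev)
        # Level 1 shadow: file name and attributes only. Level 2 would also
        # retain a full copy of the data, which this example does not do.
        self.audit.append({"time": ev.when.isoformat(), "user": ev.user, "host": ev.host,
                           "device": f"{ev.device.dev_class}/{ev.device.serial}",
                           "op": ev.op, "path": ev.path, "size": ev.size,
                           "result": "allowed" if ok else "denied", "reason": reason})
        return ok, reason

    def _check(self, rule, ev):
        if rule is None:
            return False, "no matching rule (default deny)"
        if ev.when.weekday() not in rule.days or not rule.hours[0] <= ev.when.hour < rule.hours[1]:
            return False, "outside scheduled access window"
        if rule.require_encryption and not ev.device.encrypted:
            return False, "device not encrypted"
        ext = ev.path.rsplit(".", 1)[-1].lower() if "." in ev.path else ""
        if rule.allowed_ext is not None and ext not in rule.allowed_ext:
            return False, f"file type .{ext} not permitted"
        if ev.op == "write":
            if rule.mode != "rw":
                return False, "read-only permission"
            key = (ev.user, ev.when.date())
            used = self.written.get(key, 0)
            if rule.quota_mb is not None and used + ev.size > rule.quota_mb * MB:
                return False, "daily quota exceeded"
            self.written[key] = used + ev.size  # only allowed writes count
        return True, "allowed"

def run_demo():
    rules = [
        Rule(groups={"finance"}, classes={"usb_storage"}, hosts={"FIN-WS-01"}, mode="rw",
             quota_mb=100, allowed_ext={"xlsx", "pdf"}, require_encryption=True),
        Rule(groups={"staff"}, classes={"usb_storage", "mp3_player"}, mode="ro"),
    ]
    engine = PolicyEngine(rules)
    enc = Device("usb_storage", "SN-ENC-001", encrypted=True)
    ipod = Device("mp3_player", "SN-IPOD-042")
    tue = datetime(2008, 6, 10, 10, 0)  # Tuesday, inside the window
    sat = datetime(2008, 6, 14, 10, 0)  # Saturday
    fin = {"finance", "staff"}
    events = [
        Event("alice", fin, "FIN-WS-01", enc, "write", "q2_report.xlsx", 5 * MB, tue),
        Event("alice", fin, "FIN-WS-01", enc, "write", "customers.csv", 2 * MB, tue),
        Event("alice", fin, "FIN-WS-01", enc, "write", "archive.pdf", 100 * MB, tue),
        Event("bob", {"staff"}, "ENG-WS-07", ipod, "write", "roadmap.docx", 1 * MB, tue),
        Event("bob", {"staff"}, "ENG-WS-07", ipod, "read", "podcast.mp3", 30 * MB, sat),
        Event("carol", {"contractors"}, "ENG-WS-09", ipod, "read", "notes.txt", 1024, tue),
    ]
    return engine, [engine.decide(e) for e in events]
```

Running `run_demo()` allows only the first event (an encrypted finance stick on the approved workstation, inside the window, writing a permitted file type within quota); the others are refused for file type, quota, read-only permission, schedule and, for the contractor with no matching rule, default deny. Each refusal is still written to `engine.audit`, which is the point of logging "read denied / write denied" events: a denied copy attempt is often the earliest signal of an insider problem.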
PGP Encryption
IT Security Evolves: Enterprise Data Protection
An evolutionary approach to data security
Comprehensive strategy based on multiple technologies
Securing data, wherever it goes
Encryption & key management play critical roles
Protect: Secure data according to policy
Detect: Identify risk & enforce policy
Access: Authenticate identity
Manage: Archive, backup, & store
Many Applications…Many Silos
• To date, the only approach
• Difficult to manage
• Expensive to acquire, deploy, & maintain
• Likely inconsistent policies across silos
[Diagram: eight separate silos, each with its own key management, security policies, deployment and reporting: FTP & Custom Apps; Gateway Email & Digital Signatures; Desktop Email, Mobile, Digital Signatures; Laptop Disk "At Boot"; Data in Folders, USB, File Servers; Archiving Tape Backup; Desktop Instant Messaging; File Servers]
Two Approaches: Silo Approach
[Chart: cost, effort & time ($) plotted per phase. Phases: Install/Rollout, Configure, Integration, Policy, Enrollment, Training, Monitoring. Cost items: change management, hardware, setup keys, clustering, failover, passphrase setup, internal enrollment, external enrollment, package distribution, LDAP, recovery configuration, user profile, logging, SNMP, user training, admin training, help desk training, vendor support, policy configuration]
Two Approaches: Silo Approach vs. Platform-Enabled
[Chart: cost, effort & time ($). Silo approach: App #1 through App #4 each repeat the full Install/Rollout, Configure, Integration, Policy, Enrollment, Training and Monitoring phases. Platform-enabled: deploy once, then App #1 through App #4 share the same platform]
PGP® Encryption Platform
The first application deploys the Platform… future applications leverage it.
Platform Scalability
The PGP Platform reduces operational costs and business risks
[Chart: software cost, deployment effort and maintenance versus number of encryption applications]
Data Protection in Action: Case Studies
Total Economic Impact: PGP Encryption Platform
Case study of a €19B global media company, PGP Encryption Platform vs. point products:
• 4 encryption applications
• 65% cost savings
• 185%+ ROI
• Immediate payback
Case Study: John C. Lincoln Health Network

Summary Financial Results           Unadjusted (best case)   Risk-Adjusted
ROI (four year)                     372%                     365%
Payback*                            16 months                19 months
Total four-year costs (PV)          ($140,384)               ($136,040)
Total four-year benefits (PV)       $662,092                 $632,966
Total four-year net savings (PV)    $521,709                 $496,926

Table 1: Company ROI, Original and Risk-Adjusted
*Note: Payback would have been faster had deployment not been spread out over two years.
Source: Forrester Research, Inc.
[Chart: Summary Financial Results, Risk Adjusted: Costs (PV), Benefits (PV) and Cumulative Cash Flow (PV) for Year 1 through Year 4, scale ($100,000) to $500,000]
Summary
• Organizations of all sizes and industries are susceptible to data leakage
• Removable devices provide an easy way to transfer data
• Data leakage is expensive
• Data loss is more common, but the greater risk is data theft
• Enforce user and data controls and audit activity
  • Minimize the greatest source of risk, data theft, by putting controls and auditing capabilities around removable media and endpoints
  • Deliver and enforce FIPS 140-2 validated encryption for data on removable media and endpoints to protect against data loss
Conclusion
Contact Information
Lumension Security: Matt Mosher, SVP of Americas
PGP® Corporation: John Dasher, Director of Product Management
Thank You
Q&A