Quick Wins with Data Loss Prevention How to Make DLP Work for You Rich Mogull, CEO & Analyst Securosis, L.L.C.
John Dasher, Senior Director, Data Protection, McAfee
Mark Moroses, Assistant CIO, Continuum Health Partners
2
Agenda
• Rich Mogull, CEO & Analyst, Securosis, L.L.C. – Low-Hanging Fruit: Quick Wins with DLP
• Mark Moroses, Assistant CIO, Continuum Health Partners – How Continuum uses McAfee DLP to protect sensitive patient data
• John Dasher, Senior Director, Data Protection, McAfee – McAfee DLP solution overview
Quick Wins with Data Loss Prevention!
Rich Mogull!Securosis, LLC!
DLP Fears!
• Too complex to deploy.!
• Too many false positives.!
The Quick Wins Process!
"Products that, based on central policies, identify, monitor, and protect data at rest, in motion, and in use through deep content analysis."!
-Rich Mogull!
What DLP Provides!• Helps you identify where you store
sensitive information.!
• Helps you understand how that information is used and moved throughout your organization.!
• Proactively protects your information, while limiting impact on legitimate business processes.!
Defining Process!
Process Workflow!
Prepare Directory Servers!
• Why? DLP policies are typically user and group based.!
• Need to correlate activities back to warm bodies.!
• Poor directories are a leading obstacle to DLP deployments.!
• Email vs. Web vs. Endpoint!
Integrate with Infrastructure!
• Passive sniffer (SPAN/Mirror)!
• Email (MTA)!
Network!
• Software deployment!
Endpoint!
• Admin credentials!
Storage!
Integration Recap!
• For all deployments: Directory services (usually your Active Directory and DHCP servers).!
• Network deployments: Network gateways and mail servers.!
• Endpoint deployments: Software distribution tools.!
• Discovery/storage deployments: File shares on the key storage repositories (you generally only need a username/password pair to connect).!
Choose Flavor!Single Data Type! Information Usage!
Choose Deployment Type!
Network! Storage! Endpoint!
Define Policies!Single Type!
• Leverage an existing category when possible.!
• Tune later.!
• False positives are good!!
Information Usage!
• Turn on (nearly) everything.!
• Collect as much as possible to identify usage patterns.!
Monitor!ID! Time! Policy! Channel! Severity! User! Action! Status!1138! 1625! PII! Email! 1.2 M! rmogull! Blocked! Open!1139! 1632! HIPAA! IM! 2! jsmith! Notified!Assigned!1140! 1702! PII! HTTP! 1! 192.168.0.213! None! Closed!1141! 1712! R&D/Product X! USB! 4! bgates! Notified!Assigned!1142! 1730! Financials! Storage! 4! 192.168.1.94! Encrypt! Escalated!
1143! 12/1/08! Source Code! Cut/Paste! 12! sjobs! Confirm! Open!
Analyze!• Top violations by data type.!
• Top violations by business unit.!
• Top violations by volume.!
• False positive patterns.!
• Different violations from same source.!
• Unusual origins.!
What Did We Accomplish?!
• Established a flexible incident management process.!
• Integrated with major infrastructure components.!
• Assessed broad information usage.!
• Set foundation for later.!
Deployment Best Practices!
Evaluate results!
Tune policy!
Add protection!
Expand scan scope!
Baseline scan!Integrate with Infrastructure!
Define Initial Policy!
Rich Mogull!
[email protected]!http://securosis.com!
AIM: securosis!Skype: rmogull!
Twitter: rmogull!
Securosis, L.L.C.!
Continuum Health Partners Deploying Data Loss Prevention
Mark Moroses, Assistant CIO, Continuum Health Partners
22
Background
• Who is Continuum Health Partners? • Drivers
– Regulations - HIPAA – Joint commissions to certify best practices – Regular audits
• Failure not an option • Policy
– Must be able to ensure enforcement – Need to prove policies are being followed
Solution
• Business Enablement – IT supporting physician’s needs
• Allow liberal web access while still having monitoring capabilities • Data Risk Assessment
– Documented inappropriate data leakage, which helped secure budget • Investigative Support
– McAfee DLP has become the starting point for investigations – Investigations now able to occur much faster
• Passing Audits – Proving compliance with policies and demonstrating working controls – Predictable technology and process speed future audits, reduce
manpower requirements
23
Lessons Learned
• Executive sponsorship – Physician with prior first-hand experience
• Deployment – “Soft opening” – Communicated roll-out plan
• Response Plan – No “ready, fire, aim” – Work closely with HR & Legal stakeholders
24
McAfee Data Loss Prevention
John Dasher, Senior Director, Data Protection, McAfee
McAfee Data Protection 26
Static DLP Leaks Data
Violations
Data
McAfee Data Protection 27
Static DLP Leaks Data
Violations
Bit Bucket
Data
McAfee Data Protection 28
McAfee DLP Leverages Data
Violations
Data
McAfee Data Protection 29
McAfee DLP Leverages Data
Violations
Capture Data Intelligence
Data
Fast, accurate policy creation and rapid, in-depth investigations
McAfee DLP 9 Advantages
Tight Product Integration • Integrated technologies provide superior protection • Optimized oversight and control
Deployment Velocity • Protected sensitive data more quickly • Drive down deployment and ongoing costs
Data Analytics • Build better policy, conduct fast investigations • Anticipate risks before they become problems
31
McAfee DLP Solution – What Others Say
SC Magazine finds McAfee Host DLP “to be a good value for customers looking for a lot of features and a lot of flexibility in both data leakage control and enterprise rights management.”
NetworkWorld found that McAfee has a “very practical understanding of the role of DLP in a modern organization” with “innovative features, excellent user interfaces, and a clear vision for the future of DLP.”
32
McAfee DLP Resources
• Optimized Security Architecture for Data Protection http://www.mcafee.com/us/enterprise/optimize/data_protection.html
– 10 Steps to Protecting Your Data – Low Hanging Fruit: Quick Wins with DLP – Forrester Research Total Economic Impact of McAfee DLP – McAfee 48-hour Data Risk Assessment
• http://dataprotection.mcafee.com/forms/RiskAssessment
• Data Protection section of McAfee.com http://www.mcafee.com/us/enterprise/products/data_protection/data_loss_prevention/index.html
– Continuum and BCI customer case studies
• Data Protection Blogs http://siblog.mcafee.com/category/data-protection/
Q&A
