Data Loss Prevention Overview Jeff Silver, CISSP Delaware DLP - - PowerPoint PPT Presentation



SLIDE 1

Data Loss Prevention Overview

Jeff Silver, CISSP

Delaware DLP Technical Specialist

SLIDE 2

AGENDA:

  • I. Introduction
  • II. ‘WHY’ Data Loss Prevention
  • III. DLP Architecture and Fundamentals
  • IV. Examples of DLP Violations
  • V. Questions and Discussion

SLIDE 3

What Makes A Business Consider DLP?

Many customers worry about data extraction and leakage:

  • Reputation Damage/Strategic Loss
  • Compliance Fines
  • Litigation and financial loss

SLIDE 4

What Makes A Business Worry about DLP?

The Legal Department informs the Network Security Team that a DLP deployment might violate international privacy laws in Europe. The Human Resources Department does not feel comfortable installing DLP agents onto employee PCs, as active monitoring of every user action is generally frowned upon.

SLIDE 5

Legal Considerations for DLP

  • PC ‘Banner’ message that comes up for every login session. This message must contain the proper legal verbiage to clearly remove the employee’s ‘right’ to any privacy on company-owned equipment, and must require an employee action (clicking on the message) stating they have read and understand this corporate policy.
  • Employees must sign an employee handbook. For certain industries, annual confirmation is required [i.e. Healthcare]. This handbook should clearly lay out in solid legal terms that the company has the right to monitor all user actions while they are using or accessing corporate resources.
  • On-line mandatory training regarding protection of corporate intellectual property and other sensitive data [in relation to regulations the company must adhere to] is an added value.
  • Clearly written ‘Standard Operating Procedures’ on corporate policy that lay out not just what the company can and will do to the employee, but what the interaction is with Law Enforcement, if intervention is needed.

SLIDE 6

Legal Considerations for DLP --- BYOD

  • Should the employer issue mobile devices, or let employees use their own for corporate use?
  • Compartmenting work spaces with ‘Containers’.
  • Corporate applications that can be accessed from personal devices, for example Outlook Web Application. How do you monitor this vector of data loss, which can happen right from the employee’s living room?
  • Has the organization formalized a clear plan of action for what to do if sensitive data has been moved onto an active employee’s personal device?
  • Has the organization factored in State and Federal privacy laws that apply to its business and employees?
  • If the organization is international in nature, is the network infrastructure segmented so that security tools can be implemented in a way that does not violate stricter overseas privacy laws [for example, Germany and France]?
  • Defense in depth to cover this vector.

SLIDE 7

Compliance and Regulations

PCI DSS, HIPAA, Internal Policy, GLBA, HSPD 12, CSB 1386, Country Privacy Laws, SOX, EU CDR, UK RIPA, EU Data Privacy, FISMA, COCOM, Data Security Act, FACTA, FFIEC, BASEL II, J-SOX, IRS 97-22, NERC, NISPOM, Partner Rules, ACSI 33, NIST 800, State Privacy Laws

SLIDE 8

Why is Data Security So Difficult?

Because sensitive information is always moving and transforming.

[Diagram: data flows across the Endpoint, Apps/DB, Storage, FS/CMS and Network tiers. Touchpoints shown include customers, partners, remote campuses and remote employees (WWW, WAN, LAN, VPN); eCommerce and enterprise applications, business analytics and outsourced development; the production database with its replica, staging and backup copies; disk arrays, backup tape and backup system; file servers, portals, collaboration and content management systems; and privileged users and internal employees.]

SLIDE 9

The ‘community’ of attackers

Nation state actors

  • Targets: PII, government, defense industrial base, IP-rich organizations

Criminals (ranging from unsophisticated to organized and sophisticated)

  • Unaware/petty criminals
  • Organized crime
  • Organized, sophisticated supply chains (PII, financial services, retail)

Non-state actors

  • Cyberterrorists
  • Anti-establishment vigilantes, ‘Hacktivists’
  • Targets of opportunity: PII, government, critical infrastructure

SLIDE 10

DLP ARCHITECTURE

SLIDE 11

Data Loss Prevention Components

DLP Enterprise Manager

  • Unified Policy Mgmt & Enforcement
  • Incident Workflow
  • Dashboard & Reporting
  • User & System Administration

DLP Network

  • Monitor: Email, webmail, IM/Chat, FTP, HTTP/S, Telnet, etc.
  • Enforce: Allow, Notify, Block, Encrypt

DLP Endpoint

  • Monitor: Hard Drives, USB, External Devices, Print Actions, burn to CD/DVD, etc.
  • Enforce: Allow, Justify, Block on Copy, Save As, Print, USB, Burn, etc.

DLP Datacenter

  • Discover: File shares, SharePoint sites, Databases, SAN/NAS
  • Remediate: Quarantine, Move to secure location, Delete, or Shred

Supporting controls: Electronic Data Rights Management, Encryption, Access Controls

SLIDE 12

DLP Management

Single policy and administration interface for all DLP components:

  • Network
  • Datacenter
  • Endpoint

  • Consolidated workflow and remediation
  • Custom incident search engine
  • Active Directory integration [key for reports]
  • Role-based permissions and report access

SLIDE 13

Reducing Your Sources of Risk: Data at Rest

Discover, Analyze, Remediate; rescan sources to measure and manage risk.

File shares, Servers, Laptops

  • Windows file shares
  • Unix file shares
  • NAS / SAN storage
  • Windows 2003, 2008
  • Windows XP, 7

Databases & Repositories

  • SharePoint
  • Microsoft Access
  • Oracle, SQL
  • Content Mgmt systems

300+ True File types

  • Microsoft Office Files
  • PDFs
  • PST files
  • Zip files

Remediation

  • Delete
  • Move
  • Quarantine
  • Notifications

SLIDE 14

Grid Worker Automation Drives Performance

Automatic Load Balancing

Grid Workers work together, intelligently balancing the scan load, and can be modified on the fly. Grid Workers can be dedicated servers, or even existing servers and PCs in the environment. The grid worker service can be made permanent or temporary, based on the needs of the business.

SLIDE 15

DLP Datacenter and Endpoint: Agent Details

Agent Software Uses

  • Site Coordinator Software
  • Scanning Agent: Permanent, or Temporary (Dissolvable)
  • Grid Worker Agent
  • Endpoint Enforcement Agent (policy-enabled)

Agent Software Deployment Options

  • Manual installation
  • RSA DLP Enterprise Manager push installation
  • SMS or other configuration management tool

SLIDE 16

8 Best Practices for Enterprise Data Protection

  • Know where your sensitive data resides
  • What level of sensitivity is it
  • How many copies exist
  • Who has access to it
  • Is it dormant
  • Set appropriate controls based on policy, risk and location of data
  • Manage centrally
  • Audit consistently

[Diagram: sensitive information, security incidents and policy mapped across Endpoint, Network, Applications, FS/DB and Storage.]

SLIDE 17

REAL WORLD ‘DATA CENTER’ INCIDENTS

SLIDE 18

Tightening Up Loose Ends

SLIDE 19

Tightening Up Loose Ends [Part 2]

SLIDE 20

Tightening Up Loose Ends [Part 3]

SLIDE 21

PST Files and User Backup Data Issues

SLIDE 22

Executive Level Sensitive Information

SLIDE 23

Executive Level Sensitive Information

SLIDE 24

REAL WORLD ‘NETWORK’ INCIDENTS

SLIDE 25

Protecting Data In The Network: Data in Motion

Monitor, Analyze, Enforce

Email

  • SMTP email
  • Exchange, Lotus, etc.
  • Webmail
  • Text and attachments

Web Traffic

  • FTP
  • HTTP
  • HTTPS
  • TCP/IP

Instant Messages

  • Yahoo IM
  • MSN Messenger
  • AOL Messenger
  • Google Talk/Chat

Remediation

  • Audit
  • Block
  • Encrypt
  • Log

SLIDE 26

Sending Work Home---In the ‘Wild’

This employee sent work home, and it contained a lot of SSNs.

SLIDE 27

Medical Information to Russia [with love]

SLIDE 28

Tracking Legitimate Encrypted Business Traffic

RSA DLP can help track business traffic that is encrypted.

SLIDE 29

Protecting Data In The Endpoint: Data in Use

Monitor, Analyze, Enforce

Print

  • Local printers
  • Network printers

Copy and Save As

  • Copy to Network shares
  • Copy to external drives
  • Save As to external drives

USB

  • External hard drives
  • Memory sticks
  • i-Pods, portable discs

Actions & Controls

  • Justify
  • Notify
  • Block
  • Audit & Log

SLIDE 30

UNDER THE ‘DLP’ HOOD

SLIDE 31

Content Analysis

  • Described Content Analysis
  • Fingerprinted Analysis

DLP Classification Methodology

SLIDE 32

Built-in Expert Policy Templates

  • Policies ‘out of the box’
  • National & International Regulations
  • Includes PCI, PII, HIPAA, GLBA, etc.
  • Industry specific templates

SLIDE 33

Described Content Analysis

  • Keywords, Phrases, RegEx, Dictionaries
  • Special patterns - Entities
  • Proximity analysis
  • Positive and negative rules
  • Weighting

SLIDE 34

Fingerprinted Analysis

  • Register known sensitive data
  • Applicable for any binary/digital file
  • Intellectual property protection
  • Automated fingerprinting
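
The fingerprinted analysis described above, as an added Python example that is not RSA DLP code: a registered document is reduced to SHA-256 digests of overlapping word shingles, and outgoing content is matched against those digests, so a verbatim excerpt pasted into an otherwise harmless message is still caught. The shingle size, threshold, registry class and sample texts are constructed assumptions, not product settings.

```python
import hashlib
import re

# Constructed parameters, not product settings: words per shingle and the share
# of an outgoing item's shingles that must match to raise an incident.
SHINGLE_WORDS = 6
MATCH_THRESHOLD = 0.3

def _tokens(text: str) -> list:
    # normalise case, punctuation and whitespace so pasting into an email or a
    # change of file format does not defeat the match
    return re.findall(r"[a-z0-9]+", text.lower())

def fingerprint(text: str) -> set:
    """Hash every run of SHINGLE_WORDS consecutive words; only digests are kept,
    so the registry never stores the sensitive content itself."""
    words = _tokens(text)
    return {
        hashlib.sha256(" ".join(words[i:i + SHINGLE_WORDS]).encode()).hexdigest()
        for i in range(max(len(words) - SHINGLE_WORDS + 1, 1))
    }

class FingerprintRegistry:
    def __init__(self) -> None:
        self._registered = {}

    def register(self, name: str, text: str) -> None:
        self._registered[name] = fingerprint(text)

    def match(self, text: str) -> tuple:
        """Return (name, overlap) for the best registered document, or (None,
        overlap) below the threshold. Overlap is measured against the outgoing
        item's own shingles, so an excerpt pasted into a long email still hits."""
        probe = fingerprint(text)
        best, best_overlap = None, 0.0
        for name, digests in self._registered.items():
            overlap = len(probe & digests) / len(probe)
            if overlap > best_overlap:
                best, best_overlap = name, overlap
        return (best if best_overlap >= MATCH_THRESHOLD else None), best_overlap

# constructed sample: one registered design note and two outgoing messages
DESIGN_NOTE = ("Falcon design note: the enrollment service signs each device token "
               "with the private key held in the hardware security module.")
EXCERPT_MAIL = ("Hi Bob, is this still right: the enrollment service signs each "
                "device token with the private key held in the hardware security module? Thanks")
HARMLESS_MAIL = "Hi Bob, are we still on for lunch on Thursday? Thanks"
registry = FingerprintRegistry()
registry.register("falcon-design-note", DESIGN_NOTE)
```

Because only digests are stored, the registry can sit on a network sensor without exposing the registered documents themselves.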

SLIDE 35

Identity Analysis

  • Understand “who” and “where”
  • Insight into organization and hierarchy
  • Real-time data from Active Directory

SLIDE 36

  • Every Document and/or Transmission is analyzed
  • Risk Factor assigned
  • Appropriate Remediation Applied
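
The described-content rules from SLIDE 33 (regex entities, keywords, proximity, positive and negative rules, weighting) and the analyze / assign a risk factor / remediate flow on this slide, as an added Python example that is not RSA DLP code: each SSN-shaped entity earns a base weight, positive keywords count only when they appear near an entity, negative terms discount obvious test data, and the resulting score is mapped to Allow, Notify or Block. The SSN pattern, term weights, proximity window and thresholds are constructed assumptions.

```python
import re

# Constructed rule set, not RSA DLP's policy format: an SSN entity pattern,
# keywords that raise confidence only when found near an entity, and negative
# rules that discount obvious sample/test data.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
POSITIVE_TERMS = {"ssn": 2, "social security": 3, "employee": 1, "payroll": 2}
NEGATIVE_TERMS = {"sample": -3, "test data": -3, "lorem ipsum": -4}
ENTITY_WEIGHT = 5   # base weight per validated SSN entity
PROXIMITY = 50      # characters either side of an entity to inspect

def score_content(text: str) -> int:
    """Weighted risk factor for one document or transmission."""
    lowered = text.lower()
    score = 0
    for m in SSN_RE.finditer(lowered):
        score += ENTITY_WEIGHT
        # proximity analysis: positive rules count only inside the window
        window = lowered[max(0, m.start() - PROXIMITY): m.end() + PROXIMITY]
        score += sum(w for term, w in POSITIVE_TERMS.items() if term in window)
    # negative rules apply to the whole document and lower the score
    score += sum(w for term, w in NEGATIVE_TERMS.items() if term in lowered)
    return max(score, 0)

def remediation(score: int) -> str:
    """Map the risk factor to an enforcement action (thresholds are assumed)."""
    if score >= 12:
        return "Block"
    if score >= 5:
        return "Notify"
    return "Allow"

def classify(text: str) -> tuple:
    """Analyze one item, assign its risk factor and pick the remediation."""
    score = score_content(text)
    return score, remediation(score)

if __name__ == "__main__":
    # constructed sample transmissions
    for sample in (
        "Payroll export for employee 123-45-6789, SSN verified.",
        "Sample record 123-45-6789 from lorem ipsum test data.",
        "Social Security numbers: 123-45-6789 and 321-54-9876 for employee payroll.",
    ):
        print(classify(sample), sample)
```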

SLIDE 37

DLP Considerations

Accuracy

Highest levels of accuracy in identifying and discovering sensitive data

  • Advanced contextual analysis using proximity, weighting, and conditions
  • Third-party validated
  • Expert Analysis Engineering and Library Teams on the back end of the DLP Solution

Scalability

Scales to hundreds of terabytes of data, thousands of laptops/desktops across geographically distributed areas

  • Grid processing for Datacenter discovery
  • Temporary and permanent agents for Endpoint discovery

Ease of Use

Centralized policy management across Datacenter, Network, Endpoint with:

  • Many out-of-the-box policy templates for both U.S. and international markets
  • An intuitive, user-friendly dashboard-based interface
SLIDE 38
