data loss prevention - verney conference management pres.pdf
Data Loss Prevention: Data Protection Done Right
Rob Wilson, Senior Principal Consultant, CA Technologies
Session 3C, 3:25 – 4:25, September 28 2010
Why Are We Here Today?
> What data is at risk?
> What is Data Loss Prevention?
> DLP solution components
> How DLP can protect your data
Introduction
> Rob Wilson, Senior Principal Consultant, CA Technologies
> 15 years in the IT industry
  • From apologizing for things that were not my fault to Trusted Advisor
> I’ve held positions in government, the financial industry and consulting
> Specializing in Identity and Access Management
> ‘Professional Student’
  • MSc IT from University of Liverpool
  • Bachelor of Technology from Memorial University of Newfoundland
  • Advanced Telecommunications Management Diploma from Ryerson
  • Numerous industry certifications from Microsoft, Cisco, etc.
What Information is at Risk?
“Traditional” Risk Areas
> Personally Identifiable Information (PII)
  • Birthdates
  • Employee Numbers
  • Social Insurance Numbers
  • Credit Card Information
  • Personal Health Information
> Intellectual Property (IP)
  • Source Code
  • Product Design Documents
  • Research Information
  • Patent Applications
  • Customer Lists
> Non Public Information (NPI)
  • Financial Information
  • M&A Activities & Info
  • Executive Communication
  • Legal/Regulatory Matters
  • Corporate Policies
Additional Risk Areas
> Employee Behavior
  • Intimidation
  • Gifts and Entertainment
  • Communication with Press
  • Inappropriate Web Use
> Customer Treatment
  • Complaints
  • Service Level Infractions
  • Promises & Guarantees
  • Harassment
> Financial Controls
  • Budgets & Forecasts
  • Audit Materials
  • Expense Reports
  • Quarterly Reports & Filings
  • Communication with regulators
Which risk areas concern you? Which risk areas are you aware of?
How is Your Information Put At Risk?
Each scenario below maps to one or more risk areas (PII, IP, NPI, Employee Behavior, Customer Treatment, Financial):
> Internal communications forwarded to external parties.
> Communication of inappropriate content between employees (internal).
> Moving confidential data to a USB drive to transfer to another computer.
> Highly confidential but unprotected data stored in accessible network folders.
> Not on the corporate network; online at a hotel uploading sensitive data to Webmail.
> Printing specs disconnected or from the office to take to a 3rd party.
> …and so on.
Which exposes the greatest risk for your organization?
Data Challenges
> Where is my sensitive data going? And…
  • Who is using data?
  • Why are they using data?
  • How do I educate users on data use policies?
  • How do I control data with minimal IT burden?
> Where is my sensitive data stored? And…
  • How do I recognize sensitive data and corporate secrets tied to regulations?
  • How do I take action on what I’ve identified?
> How do I effectively remediate data loss in my firm? And…
  • How do I reduce data access and propagation?
  • How do I improve compliance attestation?
Organizational Needs
> 74% of organizations plan to start a Data Loss Prevention project (April 2009)
> One of the top priorities in IT security
> Current Needs
  • Prevent loss of information
  • Discover critical data
  • Protect brand and reputation
  • Control intellectual property
  • Compliance
  • Protection for data on and off premise
  • Balance collaboration and protection
  • Better management of data
Forrester DLP Webcast, March 2010: “If stopping employee accidents from ‘leaking’ credit card numbers is all you use DLP for, you are missing the point.”
Additional Information Challenges
1. Rapid growth: over 70% growth in communications and stored data
2. Compliance requirements expanding: HIPAA, PCI, SOX, GLBA, FINRA, PIPEDA, FOIPP Act, ITAR, SB1380, NIST, SEC, NASD, EUDP, Privacy Act, FOIPOP Act, LAFOIPP Act, etc.
3. Information attacks and internal threat increasing: 75% of companies experience data loss each year, 78% from insiders
4. New information channels and escape routes continue to emerge
Understanding Data Loss Prevention
What is DLP? DLP is the ability to dynamically apply policy to identify and control sensitive data across the enterprise.
Key functions and the approach to DLP:
> Control sensitive data: find and control known data with a single, firm-wide mandate; clean the enterprise once (…and be done with it?)
> Recognize data types: primarily PII (Personally Identifiable Information), also IP (Intellectual Property) and NPI (Non-Public Information)
> Protect at various locations: Endpoint (data in use), Network (data in motion), Stored Data (data at rest)
> Reporting and remediation: basic review and reporting capabilities; generates significant work (because so many events are flagged)
DLP Controls
> Network Control
  • Monitor and control data at network egress points
  • Controls many protocols (web, email, instant message, ftp, etc.)
  • Implemented as a network appliance or integrated to ICAP servers and MTAs
> Message Server Control
  • Monitor and control email at messaging servers (MS Exchange and Lotus Notes)
  • Control outbound but also internal, web access and mobile device email
  • Implemented as a component in conjunction with mail servers
> Stored Data Control
  • Scan and manage data on shared folders, file and document repositories, public folders, ODBC sources and other repositories
  • Implemented as a local server or network scan
> Endpoint Control
  • Monitor and control data at the endpoint
  • Controls email, web, printing and saving data whether the device is connected or offline
  • Scans for sensitive information locally
  • Implemented as an agent on the desktop or laptop
One management platform with common reporting, data policies and incident review
DLP: Data Protection Done Right
> Network: Email (SMTP), Files (FTP), IM, Web (HTTP) and others
> Endpoint (desktops, laptops): Email, Web use, Saving Files, Printing Files, Scanning Files
> Message Server: message servers (Exchange, Domino); internal, outbound & inbound messages
> Stored Data: shared folders, file and document repositories, public folders, ODBC sources and other
DLP Architecture
Components shown in the architecture diagram:
> Data Loss Prevention Central Management Server, with Policy Management (Policy Administrators), Console, and Incident Review & Reports (Incident Reviewers)
> Enforcement points: Endpoints, Network Devices, Servers & Stored Data, Message Servers
> User Role/Identity Information supplied by an Identity/Role Manager (Business and Privileged Users)
> Event Logs to SIM solutions
> 3rd Party Archives / Records Management Systems such as CA Message Manager (Classifications)
DLP Stored Data Control
> Discover and take action on data-at-rest throughout the enterprise
> Discovery/scanning tasks can be executed on-demand or on a specified schedule
> Highly scalable and distributed architecture allows data to be scanned at very high rates (i.e. exceeding 500GB per hour)
> Once discovered, information can be deleted, copied, stubbed or moved to another location
CA DLP Stored Data Scanning
> Scanning Options: On Demand, Continuous, Timed or Frequency, Changed Files Only, NIST Exclusion
> Capture: Remote Shares, Local Drives & Folders, ODBC Sources
> Scan by: Owner or User, Machine, Dates, Fingerprints, Hashes, and more
> Actions: Ingest, Delete, Copy or Move, Stub / Replace, Tag / Classify
Stored Data Capabilities
> Scanning Options: On Demand, Continuous, Timed, Frequency, Changed Files Only
> Meta Data: Owner, User, Machine, Dates, Fingerprints, Hashes, XML …
> Actions: Review, Delete, Copy, Move, Stub, Classify
> Sources: File Shares and Servers, Databases, SharePoint, Workstations and Laptops, Exchange Public Folders
> File Scanning Central Server; Policy Engines Provide Redundancy and Scalability
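As an added worked example (not CA DLP code) of the stored data scanning options listed above, the Python scanner below combines “Changed Files Only” with a hash-based exclusion list and a content check. It interprets “NIST Exclusion” as a known-file hash set (an assumption), and the SIN pattern, file contents and manifest format are constructed for illustration.

```python
import hashlib
import os
import re
import tempfile

# Hypothetical detector for the Social Insurance Number format on the PII list
# (three groups of three digits); a constructed pattern, not a product rule.
SIN_RE = re.compile(r"\b\d{3}[- ]?\d{3}[- ]?\d{3}\b")

def sha256_of(path):
    with open(path, "rb") as f:            # chunk this for very large files
        return hashlib.sha256(f.read()).hexdigest()

def scan_share(root, manifest, exclusion_hashes):
    """Walk a share. Files unchanged since the last run (same size and mtime in
    the manifest) are skipped ("Changed Files Only"); files whose hash is on the
    known-file exclusion list are skipped before content inspection."""
    findings, new_manifest = [], {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            key = os.path.relpath(path, root)
            st = os.stat(path)
            new_manifest[key] = (st.st_size, st.st_mtime_ns)
            if manifest.get(key) == new_manifest[key]:
                continue                      # unchanged since last scan
            digest = sha256_of(path)
            if digest in exclusion_hashes:
                continue                      # known good, e.g. vendor install file
            with open(path, encoding="utf-8", errors="ignore") as f:
                hits = SIN_RE.findall(f.read())
            if hits:
                findings.append({"file": key, "sha256": digest, "matches": len(hits)})
    return findings, new_manifest

def demo():
    """Constructed share: payroll note with a SIN-like value, a clean spec, and a
    vendor file that matches the pattern but is on the exclusion list."""
    root = tempfile.mkdtemp()
    files = {"hr/payroll.txt": "Employee 1042, SIN 123-456-789, start Monday",
             "eng/spec.txt": "Product design notes, no identifiers here",
             "vendor/build.txt": "Build 100-200-300 release notes"}
    for rel, text in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as f:
            f.write(text)
    excluded = {sha256_of(os.path.join(root, "vendor/build.txt"))}
    first, manifest = scan_share(root, {}, excluded)     # full scan
    second, _ = scan_share(root, manifest, excluded)     # changed-files-only pass
    return first, second
```

The second pass returns nothing because every file is unchanged; persist the returned manifest between scheduled runs to get that behaviour in practice.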
DLP Endpoint Control
Functionality: Email, Web, Save, Print, App Control, File Scan. Interactive interventions include Warns, Blocks, Quarantine, Informational, alerts, and capture.
> Protect data-in-use activity on the endpoint asset (Print, Email, Save, Screen Print, etc.)
> On-line and off-line enforcement
> Incident-appropriate response upon detection of a violation
> Educate end-users with an educational popup window to explain company or regulatory policy
> Scalable to tens and hundreds of thousands of endpoints
Infrastructure: Common Services, Gateway & Central Server
Employee Privacy Options
> The data captured is configurable by policy (and by user/group)
  • Metadata only
  • Metadata and message detail
  • Metadata, message detail and attachments
> Data can only be reviewed by a user with the correct privileges and management group responsibility for the relevant part of the hierarchy
> Endpoint actions can include “Warn – User Designate as Personal”
  • Allow employees to mark emails as “Personal”
  • Ensures that a copy of the email is not retained
  • The Personal button ensures that message detail is not captured
DLP Message Server Control
Functionality
  • Analysis of internal and outbound messages
  • Massive horizontal scalability
  • Active and passive modes
  • Interactive controls include Blocks, Warns, Redirection and Quarantine
> Protect and control data-in-motion at the message server
> Coverage includes Web-based email applications and mobile devices, such as Blackberry
> Messages can be blocked, quarantined, encrypted or ingested for review
> A unique warning can also be sent to the original sender, asking whether or not to allow the Send to proceed
Message Server Architecture
Diagram labels: Message Server (Exchange and Domino); Policy Engine Hub; Message Server Analysis; Block or Warn Notification; Destination (Internal or External); Central Server; Policy Engines Provide Scalability and Redundancy
DLP – Encryption Integration
> Selectively identify and flag messages versus using a blanket approach
> Use DLP policy to identify messages that require protection and flag them for downstream encryption
  • Append an x-header to the message
  • The downstream encryption solution would act on the x-header
Flow: DLP Endpoint or Policy Engine → X-Header Applied → Email Sent → 3rd Party Encryption Server
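The x-header flow above, written out as an added example with both hops rather than the product's own integration code; the header name and values, the trigger terms and the stand-in policy check are assumptions.

```python
from email import policy
from email.message import EmailMessage

# Header name and values are assumptions for illustration; agree the real name
# with the encryption gateway vendor.
FLAG_HEADER = "X-DLP-Encrypt"

# Stand-in for the DLP policy decision; constructed terms from the PII list.
SENSITIVE_TERMS = ("social insurance number", "personal health information")

def needs_protection(msg):
    body = msg.get_body(preferencelist=("plain",)).get_content().lower()
    return any(term in body for term in SENSITIVE_TERMS)

def dlp_flag(msg):
    """DLP endpoint or policy engine hop: flag selectively instead of encrypting
    everything; the header is all the downstream server needs to see."""
    if FLAG_HEADER in msg:
        del msg[FLAG_HEADER]          # never honour a flag the sender supplied
    if needs_protection(msg):
        msg[FLAG_HEADER] = "required; policy=pii"
    return msg

def gateway_route(msg):
    """3rd party encryption server hop: act on the header, then strip it so the
    recipient never sees the internal policy marker."""
    decision = "encrypt" if msg.get(FLAG_HEADER) else "deliver"
    del msg[FLAG_HEADER]
    return decision

def build(subject, body):
    """Constructed outbound message for the demonstration."""
    m = EmailMessage(policy=policy.default)
    m["From"] = "alice@example.com"
    m["To"] = "bob@partner.example"
    m["Subject"] = subject
    m.set_content(body)
    return m
```

The gateway should only trust the header on mail arriving from the DLP hop; stripping any pre-existing copy in dlp_flag keeps an external sender from steering the encryption decision.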
DLP Network Control
Functionality: several protocols including Email (SMTP), Web (HTTP), Files (FTP), Instant Message protocols, and more. Supports both active and passive operation; captures activity for complete review and reporting.
> Protect data-in-motion at the network boundary
> Actively block specific traffic or passively monitor and review
> Reconstruct and analyze full objects, not individual packets
> Exceptional resilience – even if the appliance loses power
> Integrate to popular MTAs (Mail Transport Agents) for additional protection options
> ICAP integration to monitor the HTTPS protocol
Network Architecture
Diagram labels: Corporate Boundary; Router or Switch; Internet; Network Appliance (Protocol Decoding, Full Filter, Streamed Whole Objects, Block or Allow); MTA Analysis; Boundary Appliance; ICAP; Gateway & Central Server; Policy Engines Provide Scalability and Redundancy
Analysis & Detection Techniques
These techniques drive the highest levels of accuracy: scoring and weighting.
Sophistication = Content Registration + Content Description + Contextual Analysis + Conceptual Analysis
> Content Registration: Exact Data Matching, Index Data Match
> Content Description: Keywords, Stemming, Wildcards
> Contextual Analysis: Identity, Hierarchy, Role, Source, Destination
> Conceptual Analysis: Intent-Aware, Business-Aware, Absence of Content
Understanding Accuracy (Email Example)
DLP needs to use multi-dimensional analysis to achieve results.
> Basic approach: content-focused inspection only
> DLP analysis: rich-content analysis plus context (Identity, Role, User Involvement)
> Criteria can be “scored” positively or negatively
> Whole object analysis is vital to accuracy
> If a threshold is exceeded, an activity or communication will be flagged
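The positive and negative scoring against a threshold described above, as an added example rather than the product's own engine; the weights, card pattern, registered record id and internal domain are constructed assumptions.

```python
import hashlib
import re

# Illustrative weights and threshold; a real policy engine's values are tuned per firm.
KEYWORDS = {"confidential": 20, "forecast": 15}          # content description
CARD_RE = re.compile(r"\b(?:\d{4}[- ]?){3}\d{4}\b")      # wildcard-style pattern
# Content registration: hash of a fingerprinted customer record id (constructed).
REGISTERED = {hashlib.sha256(b"ACME-CUST-00042").hexdigest()}
INTERNAL_DOMAIN = "example.com"

def score(msg, threshold=50):
    """Whole-object, multi-dimensional scoring. msg is a dict with sender_role,
    recipients, subject, body and optional attachments (extracted text).
    Returns (flagged, total, reasons)."""
    text = " ".join([msg["subject"], msg["body"], *msg.get("attachments", [])])
    low = text.lower()
    total, reasons = 0, []
    def add(points, why):
        nonlocal total
        total += points
        reasons.append(f"{why}:{points:+d}")
    for kw, w in KEYWORDS.items():                        # weighted keywords
        if kw in low:
            add(w, "keyword:" + kw)
    if CARD_RE.search(low):
        add(40, "pattern:card")
    for token in re.findall(r"[A-Z]+-[A-Z]+-\d+", text.upper()):
        if hashlib.sha256(token.encode()).hexdigest() in REGISTERED:
            add(50, "registered:" + token)                # exact data match
    if any(not r.endswith("@" + INTERNAL_DOMAIN) for r in msg["recipients"]):
        add(25, "destination:external")                   # contextual: destination
    if msg["sender_role"] == "finance":
        add(-15, "role:finance")            # negative score: expected business use
    return total >= threshold, total, reasons

def demo():
    """The same card number scored in two contexts (constructed messages)."""
    internal = {"sender_role": "finance", "recipients": ["cfo@example.com"],
                "subject": "Q3 forecast", "body": "Corporate card 4111-1111-1111-1111 spend attached"}
    external = {"sender_role": "marketing", "recipients": ["press@other.example"],
                "subject": "Confidential forecast", "body": "Card 4111-1111-1111-1111 for ACME-CUST-00042",
                "attachments": []}
    return score(internal), score(external)
```

The internal finance message scores 40 and stays below the threshold; the same content sent externally with a registered record id scores 150 and is flagged.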
Accuracy Enhanced with Hierarchy
> A user hierarchy can determine:
  • Who gets which policy (based on role or identity)
  • Exceptions or policy variations based on department or other user attributes
  • Review delegation security rights and access
> The hierarchy can synchronize with an existing source or directory
> Policy is automatically inherited and enforced
Bringing DLP to Life: Control Saving to USB – Warn
Document contains intellectual property in the form of product technical specifications (scenario: saving to a removable drive).
Bringing DLP to Life: Control Web – Block
User attempts to post non-public financial content to a Web-based message board. When the Insert Record button is pressed, a comprehensive message is provided to the sender while the action is blocked (CA DLP).
Bringing DLP to Life: Control SharePoint – Delete & Replace
The contents of the file containing sensitive data that was residing in an unprotected region in SharePoint have been replaced.
DLP is… Data Protection Done Right
> Eliminating your business risks with the highest levels of accuracy while minimizing overhead.
> Enable more secure, effective collaboration between your employees.
> Protect your private information.
> Ensuring privacy is maintained.
> Minimize resources and remediation efforts.
DLP Affects More Organizational Disciplines
> Various services and other parts of the organization will introduce new requirements for identity-centric DLP
The Expanding Requirements of DLP, featuring Forrester’s Andrew Jaquith
Review
> We reviewed what data is at risk
  • PII, IP, NPI, Employee Behaviour, Customer Treatment, Financial
> Data Loss Prevention is the ability to control sensitive data across the organization
> DLP solution components
> Examples of DLP in action