information risk management - csm-ace · information risk management starts from day 1 information...
Information Risk Management
Alvin Ow
Director, Technology Consulting
Asia Pacific & Japan
RSA, The Security Division of EMC
Agenda
Data Breaches
Required Capabilities for Preventing Data Loss
– Information Risk
– Information Incident
– Root Cause
Building a Comprehensive Information Risk Management Platform
Summary
Information Loss/Data Breach Questions
What information?
Who did this?
How did they get the information?
How do we ensure this never happens again?
What is the exposure to the organization?
How do we prevent this from happening again?
Analysis of a Data Breach
Bob realized that he can access the sales file share
Newly hired PM, Bob, is provisioned a profile similar to that of Deb’s
Deb joined Product Management from sales but still has access to sales file shares
The email is identified as violation of a policy
The email is blocked
The security analyst and Bob’s boss are alerted
T | [T+.2] minutes | [T+.5] minutes | [T-1] days | [T-15] days | [T+180] days
Data Loss Event Happens here
Bob emailed the sales pipeline data out to a competitor
Data Loss Prevention Starts Here
Required Capabilities for Preventing Data Loss
Discover
Information Risk
• Accurate discovery
• Scalable discovery
• Risk assessment
• Efficient process
RSA Data Loss Prevention
Workflow and Surveys
Risk Dashboards
Respond
Information Incidents
• Incident Mgmt.
• Business context
• Workflow/ticketing
• Metrics
• Dashboards
RSA Data Loss Prevention
RSA Security Incident & Event Management
Dashboards and Workflow
Reactive Controls
Fix
Root Cause
• Business/IT context
• Control procedures
• Integration and Questionnaires
• Metrics & Dashboards
RSA Archer IT GRC
SIEM
Proactive Controls
Required Capabilities for Preventing Data Loss
Discover
Information Risk
• Accurate discovery
• Scalable discovery
• Risk assessment
• Efficient process
RSA Data Loss Prevention
Datacenter and endpoint
Workflow and Surveys
Risk Dashboards
Respond
Information Incidents
• Incident Mgmt.
• Business context
• Workflow/ticketing
• Metrics
• Dashboards
DLP network and endpoint
SIEM
Dashboards and Workflow
Reactive Controls
Fix
Root Cause
• Business/IT context
• Control procedures
• Integration and Questionnaires
• Metrics & Dashboards
IT GRC
SIEM. SSCM and VA
Proactive Controls
Real-life Use Case
11/2: 30K files discovered by RSA Data Loss Prevention
11/6: 1200 Owners in 43 Countries Identified
11/19: RSA Archer IT GRC Platform sends questionnaire to data owners
12/19: 90% of files remediated
Repeatable and continuously monitored
Process time reduced by 400%
Evaluate and Reduce Risk at Datacenter
Remediate | Analyze | Discover
FS, Server, Laptop
• Windows file shares
• Unix file shares
• NAS / SAN storage
• Windows 2000, 2003
• Windows XP, Vista
300+ File Types
• Microsoft Office Files
• PDFs, PSTs
• Zip files
• CATIA files
Databases
• SharePoint
• Documentum
• Microsoft Access
• Oracle, SQL
• Content Mgmt systems
Remediation
• Secure Delete
• Manual/Auto Move
• Manual/Auto Quarantine
• Notifications
• eDRM
RSA Data Loss Prevention & Data Governance
• List of sensitive files
• Content of sensitive files
• Risk level of the files
Data Governance
• Users who have access
• Users accessing the files
• Owners of the files
RSA DLP Datacenter
• List of sensitive files
• Content of sensitive files
• Risk level of the files
+
• Identify files/folders at risk
• Identify true business owners
• Change permissions
RSA Archer Risk Management
Consistent and flexible approach for identifying, evaluating and responding to risks
Overview
Capture and relate risk to corporate objectives, mitigating controls and enterprise objects.
Maintain a repository of risk metrics.
Track financial losses as risk intelligence.
Build and deliver online assessments.
Score assessments automatically and generate findings for incorrectly answered questions.
Understand your organization’s inherent and residual risk through real-time reporting capabilities.
Required Capabilities for Preventing Data Loss
Discover
Information Risk
• Accurate discovery
• Scalable discovery
• Risk assessment
• Efficient process
DLP Datacenter
Workflow and Surveys
Risk Dashboards
Respond
Information Incidents
• Incident Mgmt.
• Business context
• Workflow/ticketing
• Metrics
• Dashboards
RSA DLP network and endpoint
RSA Security Incident & Event Management
Dashboards and Workflow
Reactive Controls
Fix
Root Cause
• Business/IT context
• Control procedures
• Integration and Questionnaires
• Metrics & Dashboards
IT GRC
SIEM. SSCM and VA
Proactive Controls
A Solution for DLP Incident Management
SMTP
Security Incident & Event Management
RSA enVision picks up a DLP action as an event which it can correlate with other events
HTTP, HTTPS, FTP
Proxy Server
Mail Servers
Data Feed Mgr
Correlated alerts are integrated into Archer
Archer shares enterprise context with enVision
Risk Mgr, Dashboards and Workflow
Incidents are assigned in work queues; workflow automates the case management process. Risk and Compliance metrics are rolled up into an executive level dashboard
Context Policy
Enterprise and Policy Mgr
enVision alerts are put in context with enterprise assets, risk, process, teams, etc.
RSA Data Loss Prevention
Monitor & Enforce User Actions at Egress
Enforce | Educate | Monitor
• SMTP email
• Exchange, Lotus, etc.
• Webmail
• Text and attachments
Instant Message
• Yahoo
• AOL
• Microsoft
Web Traffic
• FTP
• HTTP
• HTTPS
• TCP/IP
Enforce
• Audit
• Block
• Encrypt
• Log
Monitor & Enforce User Actions on Endpoints
Connected or Disconnected from Corporate Network
Enforce | Educate | Monitor
Monitor and mitigate risk from end user actions on endpoints
Not Connected to Corporate Network
Connected to Corporate Network
RSA DLP Endpoint Monitor Agent
RSA Archer Incident Management
Reduce incident response times
Overview
► Centralize incident data and control access to assure data integrity.
► Track incidents and ethics violations in real-time through a customizable and easy-to-use web interface.
► Manage the investigation process.
► Implement response procedures and track incident resolution using built-in workflow.
► Maintain a detailed incident audit trail.
► Monitor incident status and impact, and identify trends and incident relationships.
Required Capabilities for Preventing Data Loss
Discover
Information Risk
• Accurate discovery
• Scalable discovery
• Risk assessment
• Efficient process
DLP Datacenter
Workflow and Surveys
Risk Dashboards
Respond
Information Incidents
• Incident Mgmt.
• Business context
• Workflow/ticketing
• Metrics
• Dashboards
DLP network and endpoint
SIEM
Dashboards and Workflow
Reactive Controls
Fix
Root Cause
• Business/IT context
• Control procedures
• Integration and Questionnaires
• Metrics & Dashboards
RSA Archer IT GRC
SIEM. SSCM and VA
Proactive Controls
What is Enterprise Context?
Business initiatives
Industry standards
Federal regulations
Best practices
Contractual obligations
Divisions
Facilities
Prod./Services
People
Processes
Applications
Devices
Information
Context Policy
evidence
Physical and Virtual IT Infrastructure
SIEM | DLP | Vulnerability | Configurations | Surveys | Assessments
evidence
Physical and Virtual IT Infrastructure
Connecting Enterprise Context to IT “Evidence”
Integration
Context Policy
Data Loss w/ Business Context
Users from Client Services Group in Boston Facility are copying tier 1 data (SSNs) from customer support application to partner’s platform in UK for quarterly reporting process.
Data Loss w/o Business Context
User kpbrady from AD group Corp243 violated a policy on 3/8/2010 called “PII-CMR 201” by attempting to ftp SSNs from ip address 10.81.253.39 to 10.91.0.21. The action was blocked by DLP.
SIEM | DLP | Vulnerability | Configurations | Surveys | Assessments
Physical and Virtual IT Infrastructure
Process for Managing Risk
evidence | check
Views and Reports
Workflow
Detailed Controls
Integration
Workflow for incident management
Visibility and Context for prioritizing incidents and improving insight into risk
Correlated incidents and Scan results
Control procedures tied directly to IT Assets
Enforce Policy with workflow, reports and by connecting to detailed controls that are, in turn, tied to IT assets
SIEM | DLP | Vulnerability | Configurations | Surveys | Assessments
Context Policy
Summary
Information Risk Management starts from day 1
Information Risk
Information Incident
Root Cause Analysis
Information Risk Management Platform
– RSA Data Loss Prevention
– RSA Security Incident & Events Management
– RSA Archer IT Governance Risk & Compliance Platform