Rich Mogull
Securosis
Putting the “Information” Back in Information Security
Thursday, June 3, 2010
Mainframe Internet I Internet II
Jail Fortress Zone
NETWORK
But what about the information?
Security architectures over the next ten years will focus on information, mobility, ubiquitousness, transparency, collaboration, and openness.
Network
Host
Application
Data
User
securosis.com
Information-Centric Security
Data Breach Triangle
Data
Exploit
Egress
Pragmatic Data Security Cycle
The Pragmatic Philosophy
• Keep it simple
• Keep it practical
• Start small
• Grow iteratively
• Eat the elephant
• Document everything
The Two Sides of Data
Data Center
Productivity
Your Arsenal
DLP/CMP
CMP
ADMP (WAF + DAM)
Getting Started
Discover
1. Define sensitive data.
2. Find it.
3. Correlate back to users.
4. Assess vulnerabilities and penetration test.
Techniques
VA and Pen Testing
• Find vulnerabilities
  • Focus on sensitive data stores.
  • Use specialized tools for web apps and databases.
• Penetration test
  • Validates risks.
  • Determines information exposure.
What You Should Do
• Start with 1-3 data types.
• Use CMP/DLP to find them in storage and on endpoints.
• Use DAM/ADMP (or CMP) to find in databases.
• FOSS tools can help for basic data/PII, but not IP.
Secure
• Fix access controls.
• Remove unneeded data.
• Lock down access channels.
• Segregate network
• (Maybe) encrypt
Access Controls
Encryption
DRM
The Three Laws of Encryption
Encryption Layers
Complexity
Protection
Tokenization
Access Channels
Remote DB Access
Web Application Servers
Application Servers
Batch Jobs
Direct DB Access
Data Masking
Production
Development
Network Segregation
What You Should Do
• Remove/quarantine viral data.
• If you can’t map access controls to users, just lock it down and manage exceptions.
• Encrypt laptops, backup tapes, and portable media.
• Lock down application and database access channels.
• Begin data masking.
Monitor
• DLP/CMP for the network, storage, and endpoints.
• DAM/ADMP for databases.
• Egress filtering.
• Other tools may help, but give a false sense of security.
^(?:(?<Visa>4\d{3})|(?<Mastercard>5[1-5]\d{2})|(?<Discover>6011)|(?<DinersClub>(?:3[68]\d{2})|(?:30[0-5]\d))|(?<AmericanExpress>3[47]\d{2}))([ -]?)(?(DinersClub)(?:\d{6}\1\d{4})|(?(AmericanExpress)(?:\d{6}\1\d{5})|(?:\d{4}\1\d{4}\1\d{4})))$
Content Analysis
• Partial Document Matching
• Rules
• Exact File Matching
• Statistical
• Database Fingerprinting
• Categories
• Conceptual
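A rule like the card-number expression on this slide only checks the shape of a value, so content-analysis rules for payment data are usually paired with a Luhn checksum to cut false positives. The following is an added example, not part of the original deck: a Python port of the slide's pattern (the separator group is named because Python numbers named and unnamed groups together, so the slide's `\1` would not point at the separator) plus a Luhn check, run over constructed sample text. The names `CARD_RULE`, `scan`, `alerts` and the sample lines are assumptions made for illustration.

```python
import re

# Port of the slide's expression to Python syntax. Changes from the slide:
#  - (?<Name>...) becomes (?P<Name>...)
#  - the separator group is named "sep" and referenced with (?P=sep)
#  - ^ and $ are replaced by digit lookarounds so the rule scans free text
CARD_RULE = re.compile(
    r"(?<!\d)"
    r"(?:(?P<Visa>4\d{3})|(?P<Mastercard>5[1-5]\d{2})|(?P<Discover>6011)"
    r"|(?P<DinersClub>3[68]\d{2}|30[0-5]\d)|(?P<AmericanExpress>3[47]\d{2}))"
    r"(?P<sep>[ -]?)"
    r"(?(DinersClub)\d{6}(?P=sep)\d{4}"
    r"|(?(AmericanExpress)\d{6}(?P=sep)\d{5}"
    r"|\d{4}(?P=sep)\d{4}(?P=sep)\d{4}))"
    r"(?!\d)"
)
BRANDS = ("Visa", "Mastercard", "Discover", "DinersClub", "AmericanExpress")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text):
    """Return every pattern hit, with the number masked to its last four digits."""
    findings = []
    for m in CARD_RULE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        brand = next(b for b in BRANDS if m.group(b))
        findings.append({
            "offset": m.start(),
            "brand": brand,
            # Mask so the findings log does not become a new store of card data.
            "masked": "*" * (len(digits) - 4) + digits[-4:],
            "luhn_valid": luhn_ok(digits),
        })
    return findings


def alerts(text):
    """Hits a policy would raise: right shape and a valid checksum."""
    return [f for f in scan(text) if f["luhn_valid"]]


# Constructed sample content. The first three values are widely published
# test card numbers; the last two are made-up identifiers.
SAMPLE = (
    "Refund to 4111 1111 1111 1111 approved.\n"
    "Corporate Amex 3782-822463-10005 on file.\n"
    "Diners 30569309025904\n"
    "Tracking ref 4111111111111112\n"   # card-shaped, fails Luhn
    "Invoice 1234567890123456\n"        # 16 digits, no card prefix
)

if __name__ == "__main__":
    for f in scan(SAMPLE):
        status = "ALERT" if f["luhn_valid"] else "ignored (checksum fails)"
        print(f["offset"], f["brand"], f["masked"], status)
```
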
Incident Management

| ID | Time | Policy | Channel/Location | Severity | User | Action | Status |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 1138 | 1625 | PII | /SAN1/files/ | 1.2 M | rmogull | Quarantine | Open |
| 1139 | 1632 | HIPAA | IM | 2 | jsmith | Notified | Assigned |
| 1140 | 1702 | PII | Endpoint/HTTP | 1 | 192.168.0.213 | None | Closed |
| 1141 | 1712 | R&D/Product X | USB | 4 | bgates | Notified | Assigned |
| 1142 | 1730 | Financials | //sjobs/C$ | 4 | sjobs | Quarantine | Escalated |
DB Auditing vs. Activity Monitoring
Aggregation and Correlation
SQL Server
Oracle
DB2

| System | Query Type | ... |
| --- | --- | --- |
| Or1 | Select | |
| MS23 | Update | |
Alternatives/Adjuncts
• SIEM
  • Many SIEM tools now include DAM support, or can pull (some of) audit logs.
• Log Management
  • Many also now include some database support
• Triggers
  • A bad option, but free and might be good enough under some circumstances
Network Security Monitoring
• Network monitoring for data security is now absolutely essential for financial services.
• Deep packet inspection and egress filtering.
• *Must* have proactive alerting, especially on transaction networks.
What You Should Do
• Focus network DLP/CMP on transaction areas first, since that’s where the worst losses occur.
• Use DAM on priority databases, then expand.
• Other logging/monitoring can help, but is not content specific, and won’t give great results.
• Monitor sensitive data on endpoints with DLP, especially portable storage transfers.
Protect
• Secure web applications.
• Validate encryption.
• Use DLP/CMP for network communications and endpoints.
• Set DAM policies for proactive alerting.
Web Application Security
WebAppSec Priorities
• Vulnerability Assessment to find
• Web Application Firewall to shield
• Fix the code
CMP Deployment Modes
Endpoint Options
• DLP/CMP for content-based blocking.
• Portable device control or encryption for gross protection.
• Monitor/shadow files with CMP or PDC.
Defining Process
Egress Filtering
• Segregate sensitive networks/transaction paths
• Lock channels with firewall/UTM
• Filter content with DLP
• Application control/next gen firewalls
• Hide behind a VPN
What You Should Do
• WAFs offer the quickest protection for web applications.
• DLP/CMP for network monitoring and blocking.
• You may use existing email and network tools to protect PII, but it will be more difficult to manage and offer less protection.
• PDC or DLP/CMP for endpoint data protection (on top of encryption).
The Plan
• Segregate known transaction networks and enforce strict monitoring and egress controls.
• Use DLP and database discovery to find other data sources. Trust me, they are out there.
• Start activity monitoring (DAM).
• Focus VA and penetration tests on these systems, especially if accessed via web applications. This is the single biggest channel for major financial breaches.
• Encrypt all laptops.
• Egress filter transaction networks.
• Slowly minimize use of protected data. Do you really need to let that many people access it? Can you consolidate/tokenize it?
Create: Classify, Assign Rights
Store: Access Controls, Encryption, Rights Management, Content Discovery
Use: Activity Monitoring and Enforcement, Rights Management, Logical Controls, Application Security
Share: CMP (DLP), Encryption, Logical Controls, Application Security
Archive: Encryption, Asset Management
Destroy: Crypto-Shredding, Secure Deletion, Content Discovery
The Future?
Cloud Info-Centric Security Building Blocks
• Labels
• Encryption
• EDRM
• DLP
• IAM
Labels are applied via context and content analysis
Create
Apply Contextual Labels
Analyze Content
Apply Contextual Labels
Apply Mandatory and Discretionary Rights
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><w:document xmlns:mv="urn:schemas-microsoft-com:mac:vml" xmlns:mo="http://schemas.microsoft.com/office/mac/office/2008/main" xmlns:ve="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing"><w:body><w:p w:rsidR="001333AF" w:rsidRDefault="001333AF"><w:pPr><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica"/></w:rPr></w:pPr><w:r w:rsidRPr="001333AF"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica"/></w:rPr><w:t>What Mac Users Need to Know About Security</w:t></w:r></w:p><w:p w:rsidR="001333AF" w:rsidRDefault="001333AF"><w:pPr><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica"/></w:rPr></w:pPr><w:r><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica"/></w:rPr><w:t>By Rich Mogull</w:t></w:r></w:p><w:p w:rsidR="001333AF" w:rsidRDefault="001333AF"><w:pPr><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica"/></w:rPr></w:pPr></w:p><w:p w:rsidR="00B105ED" w:rsidRDefault="001333AF"><w:pPr><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica"/></w:rPr></w:pPr><w:r><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica"/></w:rPr><w:t>Few topics in the Mac community are as contentious as</w:t></w:r><w:r w:rsidR="00DB4EE1"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica"/></w:rPr><w:t xml:space="preserve"> security</w:t></w:r><w:r><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica"/></w:rPr><w:t xml:space="preserve">. 
</w:t></w:r><w:r w:rsidR="00DB4EE1"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica"/></w:rPr><w:t>On one side are vendors and the press; hyping every new potential threat like it’s the end of the world</w:t></w:r><w:r w:rsidR="001147E2"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica"/></w:rPr><w:t xml:space="preserve"> with the hope of selling more products or getting more readers</w:t></w:r><w:r w:rsidR="00DB4EE1"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica"/></w:rPr><w:t xml:space="preserve">. On the other side are the religious zealots who consider Macs immune to security problems, and react to any discussion of potential weaknesses like a personal assault. Caught in the middle </w:t></w:r><w:r w:rsidR="002C06E3"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica"/></w:rPr><w:t>of these competing agendas is the vast sea of</w:t></w:r><w:r w:rsidR="00DB4EE1"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica"/></w:rPr><w:t xml:space="preserve"> average Mac users</w:t></w:r><w:r w:rsidR="00B105ED"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica"/></w:rPr><w:t xml:space="preserve">, who desire little more than to know what they need to do to </w:t></w:r>
New Granularity in “Unstructured” Content
In database content we can apply labels/rights at the row/field level.
In document-based content we can now apply at the paragraph or object level.
Cross-Domain Information Protection
ID Last First SSN
1111 Mogull Richard 555-12-5555
1112 Smith John 324-86-3456
[Chart: y-axis 0 to 200, x-axis 2007 to 2010]
Customer Report
Customer retention grew 13% YoY. Customer 138-56-8375 held return value while...
11 Last First SSN
asdf asd asd ads
ads ads asd asd
Data Dispersion
Data-In-Motion/Rest
Shared Storage
8lkal;kadsjfO(*&#W$M Bpoihjf 9*E#Jfg;lkjR)((WQEU 09UMhjd)(*$^ MR)(
Where This Takes Us
• Content analysis fully integrated into both productivity and transaction applications.
• Rights (and thus encryption) applied at the point of creation, at the data-element level.
• Choke points between on-premise, off-premise, and between cloud services enforce policies at the data level, enforced by encryption/DRM.
• Rights transfer and are maintained between state changes.
Rich Mogull
[email protected]
http://securosis.com
AIM: securosis
Skype: rmogull
Twitter: rmogull
Securosis, L.L.C.