The Malicious Insider and Data Loss – How to Read the Writings on the Wall
Andreas Zengel / Guido Sanchidrian
SYMANTEC VISION 2012
The Facts
The top root causes of data breaches are
negligent people and
malicious / criminal attacks
Within the malicious attack type, a big portion is caused by
malicious insiders
Safeguarding Confidential Data = Complex Challenge
Mobile devices have made instant access to personal and confidential data
Organisations look for an automated, process-oriented way of identifying and managing confidential data on networks, datacenter servers, workplace desktops as well as mobile devices
Blurred Line between Professional And Personal Lives
Same devices to electronically connect to fellow employees, customers, prospects as well as to families and friends
Fundamental Privacy Rights vs. Legitimate Business Interests
“In considering the question of surveillance, it must be borne in mind that while workers have a
right to a certain degree of privacy in the workplace, this right must be balanced against
the right of the employer to control the functioning of his business and defend himself
against workers' actions likely to harm employers' legitimate interests, for example, the
employer's liability for the action of their workers”
Copland v. United Kingdom - European Court of Human Rights
Fundamental Privacy Rights vs. Legitimate Business Interests
“Workers do not abandon their right
to privacy and data protection every
morning at the doors of the
workplace. They do have a legitimate
expectation of a certain degree of
privacy in the workplace ...”
Article 29 Working Party
Best Practice: Understand General Principles for Monitoring
Best Practice: Identify The Purposes For Monitoring
To negotiate with employees, works councils and data protection authorities
Business reasons
Data inventory and classification
Best Practice: Monitoring Must Be Proportionate
Identify clear purposes
Identify adverse impact
Considering alternatives
Taking into account the obligations
Judging whether monitoring is justified
Best Practice: Consultation
Armed with the former assessments, enter into consultations with employees, their unions or other representatives
Includes discussion of the purposes for monitoring, how monitoring will take place, when it will occur and what will be done with the information collected during monitoring
Best Practice: Understand The Laws Of Each Country
Unless you are a professional lawyer, seek legal counsel on
–General Privacy Laws
–Personal Data Protection Laws and Regulations
–Workplace Privacy Laws
–Current Discussion
Best Practice: Implement Technology That Fosters Compliance
Steps to a Successful DLP Program
Some Facts About Data Security
• So, users need help doing the right thing
In the absence of education or experience, people naturally make
poor security decisions with confidential data.
• > 70% of breaches happen without purpose
Most costly breaches come from simple failures or mistakes, not from
ingenious hackers or thieves.
• Having the right metrics is invaluable in demonstrating progress against your goals.
Security isn’t about security. It’s about achieving risk reduction at
some cost.
* Adapted from the 5 Laws of Data Security by Herbert H. Thompson
Key Success Factors
Executive Level Involvement
Prioritized Approach
Business Owner Involvement
Trained Incident Response Team
Employee Awareness
Prioritized Approach
Recommended Starting Points: Greatest Potential for Loss
Endpoint / Data-In-Use:
– Users with access to highly sensitive data
– At-risk employees
– Portable computers
Network / Data-In-Motion:
– High-volume, high-risk protocols and egress points
Storage / Data-At-Rest:
– High-access, high-volume, public repositories
Strategically add policies
Strategically add protocols and exit points
Strategically add repositories
Strategically add users and endpoints
Continuous Risk Reduction
[Chart: Risk Reduction Over Time. Y-axis: Incidents Per Week (0 to 1000). Phases: Baseline, Remediation, Notification, Prevention/Protection. Chart labels: Enable Lookups, Identify Broken Business Processes, Business Unit Risk Scorecard, Refine Policies, Enable EDM/IDM, Fix Broken Business Processes, Sender Auto Notification, Employee and Business Unit Communication, Enable blocking.]
Incident Response Workflow
90% of DLP is Incident Response
– Right Automation: Resolution, Enforcement, Notification, Integration
– Right Person: Route Incidents to Right Responder
– Right Order: High Severity Incidents First
– Right Information: 5 Second Test
– Right Action: 1 Click Response
– Right Metrics: Prove Results to Execs and Auditors
Next Step: Know Where Your Information Is and Where It’s Going
– A technical assessment that will help quantify your business data loss risks.
– Symantec DLP software is deployed into your network to:
• monitor outgoing traffic
• identify sensitive data used by the organisation
• scan shared network storage areas
– Analyse the results and create an executive report about data at risk and security incidents
Information Protection Risk Assessment
Thank you!
SYMANTEC PROPRIETARY/CONFIDENTIAL – INTERNAL USE ONLY Copyright © 2012 Symantec Corporation. All rights reserved.
Contact [email protected] or [email protected] to get a copy of the whitepaper “Data Loss Prevention and Monitoring in the Workplace: Best Practice Guide for Europe” and to get further information on Information Protection Risk Assessment