
White Paper

Combining Classification and DLP To Prevent Information Leaks

Combining Classification and DLP To Prevent Information Leaks | 2 www.titus.com www.mcafee.com

Information in this document is subject to change without notice. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written consent of Titus. Titus may have patent applications, trademarks, copyrights or other intellectual property rights covering subject matter in this document. Copyright 2011 Titus Inc. Microsoft Windows, Windows 2000, Windows XP, Windows Server 2003, Microsoft Windows Rights Management Services, and Microsoft SharePoint are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries. At Titus we work to help businesses better manage and secure valuable corporate information. Our focus is on building policy management solutions that make it easier for IT administrators to protect and manage corporate correspondence including email and documents. For further information, contact us at (613) 820-5111 or email us at [email protected] http://www.titus.com


Table of Contents

1.0 | Introduction (page 4)

2.0 | Background (page 5)

3.0 | Classification Enables Controls (page 6)

4.0 | Integrated McAfee/Titus Solutions (page 7)

4.1 | Titus Message Classification and Document Classification (page 7)

4.2 | McAfee Host Data Loss Prevention and ePolicy Orchestrator (page 7)

4.3 | Solution Overview (page 8)

5.0 | Conclusion (page 12)

6.0 | About McAfee (page 12)

7.0 | About Titus (page 12)


1.0 | Introduction

Rapid sharing of electronic information is crucial to effective collaboration and decision making. When that information is sensitive in nature, great care must be taken to safeguard it without overly impacting the work of those who rely on it. The task would be greatly simplified if mistakes and malicious behavior did not need to be considered. Unfortunately they are part of the reality of information protection, and will continue to be as long as humans are involved. Recent events involving WikiLeaks have clearly illustrated this, and have shown that additional data leakage controls are required to account for the identified exposures. This paper discusses a number of information security advances made possible through the combination of commercially available products from McAfee and Titus. The paper specifically addresses leakage of sensitive information originating from user desktops. An important aspect of these technologies is the ability to prevent data loss without resorting to mechanisms that would impede rapid and efficient collaboration. The approach described combines information classification techniques with data leakage prevention tools.


2.0 | Background

Protection of sensitive information has recently come to the forefront as a result of the exposure of sensitive information on the WikiLeaks site. Based on the alleged flow of events, two security issues were central to the leakage of information related to Afghanistan, Iraq, and diplomatic cables:

1. Analysts had access to everything at their security clearance level, with minimal consideration given to ‘need to know’ or relevance.

2. Removable media was enabled with no controls on what information could acceptably be removed through this channel. This risk can also be extended to other methods of removing information such as webmail, email, printing and other techniques.

The first issue will require a long term effort to redesign information sharing systems. Post-9/11, there is a greater understanding of the need to provide broad, seamless information sharing to allow analysts to do their job. Enforcing overly strict ‘need to know’ policies may be counterproductive. There are certainly ways to reduce the risks inherent in this approach without impacting analysts’ work, but many are longer term and require significant changes to infrastructure and workflow.

This paper addresses the second issue – what can be done to prevent the removal (exfiltration) of sensitive information. Disabling removable media and other exfiltration channels is an option, but may also impact the day to day productivity of users. A more palatable approach is to enforce controls on the types of information that can acceptably be removed from workstations. This requires that information be consistently and reliably classified, and that the classification metadata be readily available to security systems.


3.0 | Classification Enables Controls

Important considerations in securing information are an understanding of what information is truly sensitive, who that information can be shared with, and how to safely handle it. Individuals creating content such as emails or documents in government and military contexts generally have a good understanding of how that information should be classified. Tools that assist those users to quickly and consistently apply visual labels based on classification are critical to avoiding clerical errors. These tools can also provide in-context guidance to aid users unsure of policy, as well as applying machine readable metadata containing classification information. Many existing classification tools add only a visual label within the document, but do not add any classification metadata to the information. A classification tool that also adds metadata is a much more powerful tool for security. Once applied, this classification metadata is an extremely powerful asset since it remains with the information and can be used by automated systems to enforce security controls. Many people have a good understanding of how such controls work at network boundaries and in cross domain guards. In most cases sensitive content is blocked from crossing while non-sensitive content is allowed to pass. In the alleged scenario of a security analyst in a remote facility inappropriately removing sensitive information, no network boundary was crossed and no cross domain guard was involved. The exfiltration channel used was removable media. To address this scenario a technology called host-based data leakage prevention (hDLP) is required, and the hDLP must be aware of the classification policy. Consistent data classification metadata allows hDLP to be even more effective, as it provides a source of uniformity and context for data that might not otherwise be so structured.

Once the hDLP system is aware of classification metadata, exfiltration policies can be defined and enforced to block specific classifications, to block non-classified information, and to allow non-sensitive communications and information to pass. Such technologies prevent the leakage of sensitive information without preventing information sharing within the organization.


4.0 | Integrated McAfee/Titus Solutions

Together, McAfee and Titus products provide a powerful combination to extend defense in depth strategies addressing the problem of information leaks. The integrated solution can block information from being copied to removable media or transmitted over inappropriate network channels based on the classification metadata. Relevant Titus products include:

• Titus Message Classification™ for the classification of emails in Microsoft Outlook®, Outlook Web Access ®, and mobile devices

• Titus Document Classification™ for the classification of Microsoft Office Word®, PowerPoint®, and Excel® documents

Relevant McAfee products include:

• McAfee® Host Data Loss Prevention provides protection against theft and accidental disclosure of confidential data across networks, through applications, and via removable storage devices

• McAfee ePolicy Orchestrator® provides unified management of endpoint, network, and data security with end-to-end visibility and powerful automations that slash incident response times

4.1 | Titus Message Classification and Document Classification

Titus Message Classification and Document Classification are information classification tools that embed classification metadata in emails and documents based on user input, in addition to applying visual labels and markings. These tools can also trigger additional levels of protection based on the classification, such as the automatic application of Microsoft Active Directory Rights Management Services® (AD/RMS) or S/MIME protection for email. With features like caveat support, signed trusted labels, guided classification for more complex classification processes, and customizable markings and metadata, Titus Message Classification and Document Classification products provide a full featured solution for government, military and commercial organizations that helps them enforce their classification policies and prevent inadvertent disclosure of information.

4.2 | McAfee Host Data Loss Prevention and ePolicy Orchestrator

McAfee Host Data Loss Prevention (hDLP) delivers unrivaled protection against theft and accidental disclosure of confidential data. Installed at the endpoint, hDLP protection works across networks, through applications, and through removable storage devices. This protection works both in and out of the office, while employees are using corporate networks, as well as when they are out of the office connected to non-corporate network resources, or disconnected entirely. McAfee ePolicy Orchestrator (ePO) is widely acknowledged as the most advanced and scalable security management software in the industry. With ePO software, organizations of all sizes can efficiently manage security across endpoints, networks, and data; integrate third-party solutions; and automate workflows to create efficiencies, streamline compliance, and provide visibility into security and compliance postures.


4.3 | Solution Overview

This sample configuration combines Titus and McAfee products to block content classified at sensitive levels from being copied to removable media. Titus Document Classification is used to prompt and guide users to make appropriate classification decisions. Once the user has made classification decisions, the classification markings and labels are automatically applied in a consistent manner, and classification information is also saved within the document in the form of metadata. This metadata is then used by McAfee hDLP to accurately determine whether the document can be removed from the computer.

Figure 1 - Classification Using Titus Document Classification

Figure 1 shows a document that has been classified by a user as SECRET/NOFORN. It includes visual markings in the top header as well as a watermark.


Figure 2 - Sample Classification Metadata from Titus Document Classification

Figure 2 illustrates how documents include classification metadata once a document has been classified and marked. Now that the information has been classified, the McAfee family of DLP solutions can be used to prevent leakage of certain classifications of information.


Figure 3 - Defining a McAfee policy to block the copying of sensitive files based on Titus classification metadata.

Figure 3 shows the McAfee ePolicy Orchestrator being used to define a policy that assigns specifically classified content to a category named ‘Sensitive’ based on the Titus metadata.

Figure 4 – hDLP Protection Rule To Block Sensitive Information in ePO


Figure 4 shows ePO protection rules defined to block copying of sensitive content to removable media. Additional protection rules can be defined to block exfiltration via web upload & webmail, instant messaging, network copy, etc.

Figure 5 - Sensitive Document Blocked from Copy to USB By McAfee hDLP

Once the policy is pushed to computers (end-points) running the McAfee hDLP agent, enforcement begins and all attempted file copy actions to removable media are screened for any content that matches the defined category of ‘SECRET’. In this example copying sensitive information to removable storage is blocked, and the user is notified via an optional popup message as shown in Figure 5. McAfee hDLP can also allow users to request exceptions via a helpdesk or simply by providing business justifications where appropriate.
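The policy logic from section 3.0 (block named sensitive classifications, block unlabelled content, allow non-sensitive content) applied to the metadata workflow of section 4.3, as an added illustration that is not part of the white paper and not Titus or McAfee code. It assumes the classification is stored as an Office custom document property named "Classification" (an assumption; the paper does not give the actual property names) and builds a constructed minimal .docx in memory to exercise the check.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces for the custom document-properties part (docProps/custom.xml).
CUSTOM_NS = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
VT_NS = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
# Assumed property name; real classification tools may use different names.
PROP_NAME = "Classification"

def make_docx(classification):
    """Constructed sample: a minimal package with only the custom-properties part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        if classification is not None:
            z.writestr(
                "docProps/custom.xml",
                f'<Properties xmlns="{CUSTOM_NS}" xmlns:vt="{VT_NS}">'
                f'<property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" '
                f'pid="2" name="{PROP_NAME}"><vt:lpwstr>{classification}</vt:lpwstr>'
                f'</property></Properties>')
    return buf.getvalue()

def read_classification(docx_bytes):
    """Return the classification property value, or None when the document is unlabelled."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "docProps/custom.xml" not in z.namelist():
            return None
        root = ET.fromstring(z.read("docProps/custom.xml"))
    for prop in root.iter(f"{{{CUSTOM_NS}}}property"):
        if prop.get("name") == PROP_NAME:
            val = prop.find(f"{{{VT_NS}}}lpwstr")
            return val.text.strip() if val is not None and val.text else None
    return None

# Labels mapped to the "Sensitive" category and labels explicitly allowed to leave.
SENSITIVE = {"SECRET", "SECRET/NOFORN", "TOP SECRET"}
ALLOWED = {"UNCLASSIFIED"}

def removable_media_decision(docx_bytes):
    """Decide whether a copy to removable media is allowed; unknown or missing labels fail closed."""
    label = read_classification(docx_bytes)
    if label is None:
        return ("BLOCK", "no classification metadata")
    if label.upper() in SENSITIVE:
        return ("BLOCK", f"category Sensitive: {label}")
    if label.upper() in ALLOWED:
        return ("ALLOW", label)
    return ("BLOCK", f"unrecognised label: {label}")
```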


5.0 | Conclusion

Sharing information and intelligence effectively requires that many users are given access to large amounts of sensitive information.

To mitigate the risks of accidental or malicious leakage of this information without overly restricting users, a security approach combining information classification and data leakage prevention technologies from Titus and McAfee is recommended. In this approach, Titus products store classification information within the content as both human readable visual labels and machine readable metadata. This metadata can then be consistently and reliably used to convey classification and sensitivity to McAfee data leakage prevention systems for enforcement.

6.0 | About McAfee

McAfee, Inc., headquartered in Santa Clara, California, is the world's largest dedicated security technology company. McAfee delivers proactive and proven solutions and services that help secure systems, networks, and mobile devices around the world, allowing users to safely connect to the Internet, browse and shop the Web more securely. Backed by unrivaled Global Threat Intelligence, McAfee creates innovative products that empower home users, businesses, the public sector and service providers by enabling them to prove compliance with regulations, protect data, prevent disruptions, identify vulnerabilities, and continuously monitor and improve their security. McAfee secures your digital world. http://www.mcafee.com/

7.0 | About Titus

Titus is the leading provider of email, document and SharePoint classification software solutions to help organizations share information securely while meeting policy and compliance requirements. Our solutions enable military, government, and large enterprises to raise awareness and meet regulatory compliance by visually alerting end users to the sensitivity of information. With over 200 military, government and enterprise customers worldwide including Dow Corning, NATO, Australian Department of Defence, and the U.S. Department of Veterans Affairs, Titus solutions are deployed to over one million users around the globe.

To learn more about how Titus can help your organization please visit www.titus.com, email us at [email protected], or call us at 1-866-530-5111.