Optimize Your Data Protection Investment for Bottom Line Results.
-
Upload
terence-briggs -
Category
Documents
-
view
215 -
download
0
Transcript of Optimize Your Data Protection Investment for Bottom Line Results.
Providing DLP Since 2002
Deployed 400+ DLP Projects
Completed 500+ Assessments
Manage DLP Solutions in 22 Countries
Provide Daily Management of 1,000,000+ Users Globally
DATA LOSS PREVENTION EXPERTISE
QUICK FACTS
Symantec Master Specialization DLP Partner
RSA’s Only Authorized Managed DLP Partner
1st Managed DLP Services Provider (2008)
Localized Chinese DLP Practice (2011)
Global Support in 130 countries
Data Mining, Custom Policies, & Scripting
SYMANTEC DLP COMPONENTS
Endpoint Prevent
Symantec Data Loss Prevention Endpoint Prevent monitors files downloaded to local drives; transferred over email, IM, Web or FTP; copied to USB, CompactFlash®, SD, or other removable media; burned to CD/DVD; copied or pasted; captured via Print Screen; and printed or faxed electronically. With Symantec Data Loss Prevention, you can monitor and block:
• Instant messages sent to a partner containing confidential M&A information• Web mail with product plans attached going to a competitor• Customer lists being copied to USB or other removable media devices• Email containing PII sent via hosted email security services • Source code that is copied to a local drive• Mobile devices for email sent containing confidential data• Product design documents being burned to CD/DVD• Price lists being printed or faxed to a competitor
WHAT WE WILL COVER TODAY
Developing the DLP Program
DLP Use Cases – How Did They Get There?
Developing the DLP Program
Avoiding Common DLP Pitfalls
Open Q&A
HOW TO GET STARTED WITH DLP
Processes
Developing the DLP Program Scope
Understanding Work Place Monitoring Requirements
Designing and Implementing the DLP Program
Measuring the DLP Program
What incidents or events are retained?
Who develops reports?
Are DLP system generated reports adequate?
Who drives report requirements? Requestors, Reviewers, others?
Report accuracy tied into QA process?
USE CASE 1: INCIDENTS DETECTED 2 MONTHS INTO DLP PROGRAM
Captured group of emails going to Gmail with unencrypted data: Combination of design standards, CAD files and pro-forma product business plans
including unit costs, forecasted revenue and margin data Customer and vendor lists, proprietary development processes and procedures, and
pricing data from similar current product lines
Performed real-time DLP correlation analysis: Identified 78 design standards focused on “highly classified” next-gen product
development Downloaded to personal USB with no legitimate business use within 1 hour after
Incidents reported to information security team within 2 hours of both incidents generated and correlated
Employee was in manager’s office submitting resignation as InfoSec notified the manager
What incidents or events are retained?
Who develops reports?
Are DLP system generated reports adequate?
Who drives report requirements? Requestors, Reviewers, others?
Report accuracy tied into QA process?
USE CASE 1: OBTAINING BUSINESS BUY-IN
Compliance & Risk Management tasked with implementing DLP in organization of 50,000+employees
Needed to develop DLP Program allies: Key technology stakeholders: Desktop, Networking, Messaging and Storage Strong relationship with key Business Units within the DLP Program Scope Generate awareness of program with key senior leadership (not excessive on front end)
Targeted one business unit as early adopters and used their success to expand the DLP program into neighboring business units or processes.
Earned Business Unit, Data Owner or Process Advocate’s trust and leveraged their internal relationships to navigate corporate structure and help message value proposition.
18-months into DLP Program there is 100% business unit involvement.
What incidents or events are retained?
Who develops reports?
Are DLP system generated reports adequate?
Who drives report requirements? Requestors, Reviewers, others?
USE CASE 2: INCIDENTS DETECTED 14 DAYS INTO DLP PROGRAM
Vendor provides upgrade on enterprise HIS system, follows all change management procedures and obtains sign-off from customer on upgrade.
DLP detects unencrypted patient information being transferred via unsecured FTP site; had been configured for SFTP prior to change.
Information was detected the first time the bi-monthly batch-processing was completed. Comprehensive audit trail of incident data available to the organization for investigation.
Upgrade caused numerous unforeseen changes in the HIS application that created vulnerabilities and potential for inadvertent data leakage.
Information was sent to Business Associate but was exposed in an non-encrypted state.
What incidents or events are retained?
Who develops reports?
Are DLP system generated reports adequate?
Who drives report requirements? Requestors, Reviewers, others?
Report accuracy tied into QA process?
USE CASE 1: OBTAINING BUSINESS BUY-IN
Leveraged relationship between CISO, Internal Audit and Privacy to obtain the necessary funding - hard to get dollars being allocated to patient care.
Defined DLP Program scope around specific elements of primary concern, specifically infectious diseases. HIV/AIDS patient data had been leaked in the past causing significant impact to the organization.
Shared DLP Program Scope to skeptical physician lead healthcare management team. Senior leadership was in the loop on the project but once again, not too much information overload on the front-end.
CISO and IA/Privacy developed costs around previous breach as well as negative press as part of their DLP justification pitch. Clearly identified the previous costs and impacts to the organization, obtaining buy-in from senior leadership and board members.
What incidents or events are retained?
Who develops reports?
Are DLP system generated reports adequate?
Who drives report requirements? Requestors, Reviewers, others?
Report accuracy tied into QA process?
USE CASE 3: INCIDENTS DETECTED 72 HOURS INTO DLP PROGRAM
Company is approached in confidential manner in regards to a “hostile” takeover situation and has 48 hours to respond until public notice is provided.
Company crafted a set of policies within 2 hours to monitor all communication channels and endpoints within the DLP scope. Policy was enabled to:
Quarantine all email communication Block all web based traffic or any downloading of specific keywords or specific documents
related to the topic - management imposed gag order
Within 3 hours of the submission of the bid documents to the customer, 5 senior staff members had a attempted to disclose the existence of the transaction.
2 email transmissions to friends/family members (spouses) 2 instant message/chat messages to friends/family members 1 Google mail to friend at a investment bank who works for direct competitor of company
outlining the key terms of the offer. Employee was a Senior VP with access to term sheet.
What incidents or events are retained?
Who develops reports?
Are DLP system generated reports adequate?
Who drives report requirements? Requestors, Reviewers, others?
Report accuracy tied into QA process?
USE CASE 3: OBTAINING BUSINESS BUY-IN
CIO driven DLP program that “dragged” the COO, CFO and General Counsel to demo and presentation of the capabilities of DLP.
General Counsel set-up meeting with CEO and Board to bring visibility to the “real dangers of a digital commerce environment”.
CEO and executive team allocated discretionary budget to build out a DLP pilot system at corporate headquarters to monitor for pre-disclosed earning information, M&A activity and competitor communications. 100 employees at HQ out of 10,000 global employees.
Recent trend seems to be more top down approach in regards to the assessment and adoptions of DLP programs. Had no problem with rapid deployment, policy development and building the supporting incident response program.
USE CASE: DLP PRE-PROJECT STATE
Organization Overview: 40,000 employees globally, Manufacturing
DLP Scope: Protection of Intellectual Property (General)
DLP Primary Issue: Customer overwhelmed with inaccurate incident data, no meaningful information
Application Management: Operated and managed by IT Security with limited input from business.
Policy Governance: Failure to use a lifecycle software development process for policy construction
Incident Triage: Infrequently reviewed by IT with little to no review by business owners.
Event Management: Hard to accomplish due to large # of false positives. No “gold nuggets.”
Reporting and Metrics: Zero customized reports. No relevant business analysis provided.
Status: System generates 25,000 incidents/day / 750,000 incidents/month
MANAGING WORKPLACE PRIVACY
1. Understand your company’s data flows 2. Identify your monitoring purpose3. Understand general principles underlying personal data
processing4. Determine if other countries law’s apply to your company5. Understand other countries approach to workplace
monitoring 6. Understand other countries requirements to workplace
monitoring7. Understand other countries laws 8. Implement technology that fosters compliance with legal
requirements
Framework
IDENTIFY PURPOSE FOR MONITORING
Generally Acceptable Business Reasons Include:
• Monitor & maximize employee productivity• Protect against unauthorized use, disclosure or transfer of PII• Monitor employee compliance with employer workplace policies• Investigate complaints of employee misconduct• Prevent industrial espionage• Prevent or respond to unauthorized access to employer’s computer
systems• Protect computer networks from becoming overloaded• Prevent or detect unauthorized utilization of employer’s computer
system for criminal activities & terrorism • Help prepare employer’s defense to lawsuits or administrative
complaints• Respond to discovery requests in litigation related to electronic
evidence
1. Does your company operate in that country?
2. Does your company have affiliates or subsidiaries that collect personal data in that country?
3. Does your company have employees residing in that country?
4. Does your company collect or process personal data in that country?
5. Does your company process personal data using equipment in that country?
DETERMINE IF COUNTRY LAWS APPLY TO YOU
INTERNATIONAL PRIVACY LAWS BUSINESS IMPACT
Must comply with privacy laws in countries where have operations, where laws can be significantly more restrictive than in the US
Transfer of personal information can be blocked in other countries unless specific requirements are met
Countries across the globe are adopting privacy laws
UNDERSTAND GENERAL PRINCIPLES: SAFE HARBOR
NOTICE - Individuals must be informed that their data is being collected and about how it will be used.
CHOICE - Individuals must have the ability to opt out of the collection and forward transfer of the data to third parties.
ONWARD TRANSFER - Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.
SECURITY - Reasonable efforts must be made to prevent loss of collected information.
DATA INTEGRITY - Data must be relevant and reliable for the purpose it was collected for.
ACCESS - Individuals must be able to access information held about them, and correct or delete it if it is inaccurate.
ENFORCEMENT - There must be effective means of enforcing these rules.
APPLICATION SUPPORT & INTEGRATION
Primary System DLP Management = Human Resource / Expertise Requirements
Integrated System Management = Cross Department Collaboration Processes
Health Check & System Validation Management = System Resource Requirements
Vendor Management = Primary and Integrated Technology Vendor Relationships
POLICY & RULE GOVERNANCE
Who requests rules & policy requirements?
Are business owners engaged?
Who reviews rule requests?
Criteria for approved rule?
What’s the process for converting a rule request into a policy?
Who’s responsible for converting a rule into technical policy? Do they have technical policy authoring expertise?
What is the formal policy development process?
First drafts rarely work as expected!
Is there a process to relay production policy metrics to stakeholders?
WORKFLOW DEVELOPMENT & MANAGEMENT
Who develops & manages policy “buckets”? False positive, inbound partner, outbound employee
Who defines thresholds that determine response rules for each “bucket”? Are 10 SSNs a high, medium or low severity incident?
Who designs & sets the policy response triggers?
Malicious, Inadvertent, Suspicious, above threshold.
Triage response options: Human notificationSystem notification (auto)Hybrid?
Who’s responsible for building alerts, alarms & notifications? Has business been engaged on event management?
Who manages the DLP policy & rules repository? Why recreate the wheel?
Who reviews volume & yield of incidents & events? What’s the review frequency?
How are events/incidents routed? Who owns the incident/event?
How does DLP fit in overall incident/event management process?
Can this be mapped to DLP system?
What metrics are developed to measure success of rules & related policy?
Who ‘s responsible for developing metrics?
Revision of rules based on quality of policy results.
Who manages policy optimization process?
How will integrated systems be tied together to yield valued info?
Secure mail, web gateway, GRC, SIEM
INCIDENT TRIAGE & EVENT MANAGEMENT
BUSINESS ANALYTICS
Who develops reports?
Are DLP system generated reports adequate?
Who drives report requirements? Requestors, Reviewers, others?
Do they have the expertise with 3rd party reporting tools?
Are the metrics valuable & driving meaningful change?
Report accuracy tied into QA process?
DATA-IN-MOTION PITFALLS: Miss ing the Target – Fa lse Sense o f Secur i ty
Mis-configured Tap or Port Span
ProblemMissing segments of network traffic or protocols
Solution Comprehensive test plan that maps to in scope business processes and related data types transmitted from various network locations to ensure all relevant data streams are being captured.
Encryption – The Masked Data
Problem Analysis of data DID NOT take place prior to encryption.
SolutionComprehensive test plan that proves ALL DLP data assessment takes place prior to the gateway encryption & implement managed “test” DLP policies that identify encrypted transmissions as part of the test plan.
Misfire of Network Discovery Scans
Problem Locations of sensitive data never targeted by the organization for scanning due to lack of an effective policy governance process.
SolutionIdentify potential data stores by discussing the DLP program with staff to understand process.
Network versus Endpoint Discovery
Problem Running DAR scans using a combo of network & endpoint without thinking about which policy types & detection methods are not the same.
SolutionPrior to acquiring DLP solution, have an understanding of the data types that make up your target environment & then, decide on scanning method. .
DATA-IN-MOTION (ENDPOINT) PITFALLS: The Pandora ’s Box o f DLP
Environment Assessment
Staying in Contact
User PerformanceImpacts
Network/System Performance Impacts
• ProblemNo rigorous endpoint environment assessment prior to the selection of the application & enablement.
• SolutionAddress age of environment, performance capabilities, technical & human issues, & load of applications, in conjunction with education on the DLP endpoints.
• Problem Failure to monitor endpoint population & their frequency of “checking-in” to the management server with validated results.
• SolutionPhased deployment of endpoint with validation via test plan on initial success of ALL agents & on-going endpoint agent health reports.
• Problem Implementing same policies for network based & endpoint assessments without testing or modification.
• SolutionUtilize a comprehensive test plan outlining specific metrics (time to open files, open/send emails, open applications) prior to deployment.
• Problem Failure to calculate & measure the impact of endpoint policy traffic across wide & local area network connections.
• SolutionThorough assessment of endpoint policies that addresses all of the concerns including policy design requirements, timing, frequency & delivery methods.
USE CASE –POST PROJECT STATE
Organization Overview: Defined specific business units to initiate program
DLP Scope: Focused on 3 specific product lines linked to highest revenue & earnings
DLP Primary Goal: Identification of unauthorized movement of specific elements of IP
Application Management: Operated by a combination of IT, messaging & desktop management teams
Policy Governance: 100% customized policies based on data collected from business unit
Incident Triage: Daily review of incidents by Information Security
Event Management: Incidents meeting severity criteria routed to business unit for investigation
Reporting and Metrics: Behavioral pattern analysis leading to preventive actions
Status: R&D teams have high-level of confidence in ability to identify leakage of IP.
QMS SAMPLE QUARTERLY REPORT
Intelisecure DLP QMS: Six Month Trend
Application Management
Policy Governance
Incident Triage
Event Management
Reporting & Analytics
Time
Nu
mb
er o
f H
ou
rs
BEW GLOBAL HQ BEW GLOBAL EMEA BEW GLOBAL APAC
5613 DTC ParkwaySuite 1250
Greenwood Village, CO 80111USA
(ph) +1 720 227 0990(fax) +1 720 227 0984
www.bewglobal.com
3 Albany CourtAlbany Park
Camberley GU16 7QREngland
(ph) +44 (0) 845 481 0882(fax) +44 (0) 871 714 2170
www.bewglobal.com
520 Oxford StreetLevel 23, Tower 1
Bondi JunctionSydney 2022
(ph) +61 (2) 9513 8800(fax) +61 (2) 9513 8888
www.bewglobal.com