GTB Data Loss Prevention and Information Rights Management Solution

Product and Deployment Overview
Table of Contents

GTB Technologies – What we do?
GTB DLP Suite - An Overview
GTB's Key Competitive Differentiators
GTB DLP Suite Architecture
Elements of the GTB DLP SUITE
Deploying the GTB DLP Suite
The GTB Inspector – Optional Integration
GTB’s DLP Project Lifecycle Phases
GTB – Product Support Structure
GTB – Sample Customers



                              GTB Technologies, Inc - Confidential - 2012         2
GTB Technologies – What we do?
Insider Threat Protection - Accuracy on all ports and protocols
The Gartner Group estimates that 70 percent of security incidents which actually cause financial losses to enterprises involve insiders. 60% of those
are unintentional. The Federal Bureau of Investigation asserts that "Insider threats to data security, which have received considerably less notice
than external security risks, need more attention".
Identity theft incidents are increasing at an alarming rate. Such incidents are not only embarrassing, but actually cause financial harm to companies.




Federal and state governments enforce laws and regulations designed to protect such data: Sarbanes Oxley, FISMA, GLBA, HIPAA, CA SB1386, CA
AB1950, CNPI, Payment Card Industry (PCI) Data Security Standard, The Patriot Act, FERC/NERC and others. In any modern enterprise, core assets
reside in Intellectual Property. In fact, your IP resides in many different digital forms on your network. That includes customers’ data, financial
reports, business plans, internal memos, technical designs, source code etc. And all of it is only a few clicks away from exposure by a sloppy or a
disgruntled employee.
Your confidential content may be transmitted through many different Internet Protocols and through several means: E-Mail, Instant Messengers,
Web Servers, Private Blogs, Hacker Tools, Spyware and many other applications.
Installing the GTB Reverse Content-Aware Firewall Inspector on your network would prevent any attempt to transmit confidential data in violation of
your security policy. Independent evaluations confirm GTB's AccuMatch™ detection algorithms are the most accurate and fastest detection
algorithms on the market. Unlike competitive solutions that require risky changes to network architecture to prevent data breaches, the GTB
solution works out of the box and requires no changes to your network.


GTB DLP Suite - An Overview
GTB DLP Suite accurately prevents data leakage, secures business processes, and manages compliance and risk. The system discovers data on file shares and users’
machines and automatically applies IRM Policies for such files. Organizations may also fingerprint pertinent tables from Databases (any database) for PII or PHI
protection. GTB DLP Suite is the only data loss prevention (DLP) solution that provides content, context, detailed sources and destination awareness, allowing
administrators to manage the DLP like a “Content-Aware Reverse Firewall”.
There are many use-cases for DLP and we list some of them here:
• Control a broken business process – Who is sending, what data and to whom?
• Demonstrate Compliance – I have no way of enforcing data loss compliance regulation
• Automate Email Encryption – How do I automate encrypting emails which require it?
• Detect or Block encrypted content – Should I allow encrypted data to leave without content inspection?
• Severity Blocking – Some breaches are so severe that I prefer to altogether block them!
• Visibility to SSL – I have no visibility to SSL in general and HTTPS in particular!
• Detect/Block TCP from Non-trusted users – How do I detect transmissions from non-trusted users (Malware/Viruses/Trojans)
• Employees' Education – My employees are not complying with the Written Information Security Policy (WISP)

GTB DLP Suite includes four fully integrated modules. All modules share the same powerful Inspection engines as well as Policies. Policies may be modified
for each component without affecting others.
GTB Inspector
The GTB Inspector is a dual mode device which can be connected either in passive or in-line (bridge mode). It monitors all business communications including Web,
email, FTP, instant messaging and more. Once a data violation is identified, it automatically enforces the security policy including Log, Encrypt, Quarantine or Block.
GTB eDiscovery
GTB Data eDiscovery discovers the location of confidential information on laptops, desktops and fileservers. Utilizing Microsoft’s File Classification, it can also classify
data based on content. Additionally, it can call on GTB IRM to enforce Identity Rights policies on detected files. Most importantly, GTB eDiscovery can monitor such
computers and report file violations in real-time. This avoids lengthy quarterly scans of machines.
GTB IRM
GTB IRM enforces Identity Rights policies on protected files:
• Control WHO - which information owners can control the information, i.e. people, groups.
• Control WHAT - which actions are allowed on such files, i.e. view, edit, print, copy-paste, screen capture (print screen, screen grabbing tools, screen sharing tools),
macros and offline controls.
• Control WHEN - information usage can start and stop based on time, i.e. dates, timespans...
• Control WHERE - information can be locked to networks and locations, i.e. office, branches and/or specific customer locations.
The system provides full reporting on the chain of custody for any file for forensics and security purposes.




GTB Endpoint Protector
GTB Endpoint Protector provides data loss prevention at the endpoint with full USB and removable Media controls: Discovers devices, Protects
devices, Audits devices, Controls devices, Content-Aware. The system is also able to automatically encrypt files saved to USB media and to
maintain a copy of each saved file in a shadow location. Administrators have complete visibility to actual files that were blocked by the Endpoint
Protector.
The GTB DLP Suite prevents data loss, demonstrates compliance and secures business processes. Each of the four integrated modules provides
unparalleled visibility into communications and compliance auditing, and measures and mitigates the risk of data loss.


Communication Visibility - GTB DLP Suite provides administrators with full control and visibility for secure content. It
controls who is able to send what data and to whom. Complete reporting provides Sources, Destinations, Protocols, Ports, and
File Owners with Active Directory integration for reporting usernames. The system also reports the username of the webmail
violator for better forensics.

Detection Accuracy - Utilizing Recursive Transitional Gaps™, the GTB DLP Suite provides unparalleled accuracy for
detecting sensitive data. Intellectual Property such as Source Code, Engineering designs, Audio and Video files are accurately
identified and classified by any of the DLP components.

Solution Coverage - GTB DLP Suite monitors all outbound transmissions from trusted and non-trusted users on all 65,535
ports. It is file format agnostic and can identify data in any file type including images, audio and video files.

Management and Reporting - Enterprise Management and Reporting provides analysis tools and searches as well as
complete work-flow for events remediation.




GTB's key competitive differentiators
The highest precision of breach detection: offering virtually no false positives and
nearly a 100% catch rate and data modification resiliency.
   • 1GB speed
   • Can detect and prevent leakage of sensitive data in all kinds of languages
   • Can detect and protect all kinds of data: structured, unstructured and binary files. Depending on the model, GTB's
     Content Aware Reverse Firewall, the Inspector appliance, can protect up to 700 million elements of stored data in
     databases and up to 5 terabytes of source data across more than 600 different file formats, including Microsoft Office
     documents, CSV files, CAD drawings, image files, rich media and other industry-specific application formats.
   • Support for ALL protocols including Email, Instant Messengers, FTP and even unknown protocols such as RDP (any
     terminal server), Telnet and any Unknown TCP Protocol.
   • Monitoring and blocking in real time on all the 65,535 ports:

        The Well Known Ports - from 0 through 1023
        The Registered Ports - from 1024 through 49151
        The Dynamic and/or Private Ports - from 49152 through 65535

   • Virtually no false positives or false negatives** when detecting both Personally Identifiable Information and partial file
     matches (**on fingerprinted data), thus allowing customers to Block content from exiting!
   • Multi-language support
   • Detection of Encrypted Content
   • Scalability to outbound and inbound network bandwidth
   • Workflow for event remediation – no one can delete an event from the central console management
   • Multi-location Central Management Console, protected from hacking
   • SIEM integration
   • No need to re-write the rules and policy from the beginning whenever there is an update or upgrade of the system
   • Designed for unattended, maintenance-free operation
   • Available as a Portable "all-in-one" device, to quickly move the appliance between networks (internal or external)
   • Changes in the network architecture are not required



GTB DLP Suite Architecture
The GTB DLP Suite is best known for operating with a Minimum Change requirement that translates into Maximum Accuracy and
Efficiency!
This means that the GTB DLP Suite deployment requires minimum infrastructure changes. The GTB Inspector itself is a Plug and Play device
that runs on any VM Image and sits on the edge of the network.
The Endpoint Protector and eDiscovery agents are easily deployed via Microsoft Active Directory or any other LDAP directory.
Endpoint and eDiscovery Agents are installed through the Domain via Group Policies or the GTB Console and are available as a service for all users of
the PC. They work even for local users.

The GTB DLP Suite architecture is comprised of five main components:
      • Central Console – Runs on any VM image.
      • The GTB Inspector – a 1U server based on Dell PowerEdge R210 or higher. (Also available as VM image).
      • GTB Endpoint Protector Agent[s]
      • GTB eDiscovery Agent[s]
      • GTB IRM
The GTB Inspector works with any ICAP clients such as Blue Coat or Microsoft ISA/TMG. It also includes its own SSL Proxy for inspecting SSL traffic.
Inspecting multiple egress points requires at least one GTB Inspector at each location. Events from each location are reported in the Central Console.

Organizations with more than 2,000 user accounts are advised to deploy 2 Inspectors, one for MTA and one for inspection of all other traffic. The GTB Inspector is a full
MTA and a Smart Host.




Elements of the GTB DLP SUITE
The GTB Central Console

The GTB Central Console is based on Red Hat Linux and is available in any Virtual Machine Image. As such, it runs on any server that VM
runs on. The Central Console includes management, reporting and a full work-flow for any incident. The Console is Role Based and is fully
integrated with Active Directory for defining Administrators, Event Reviewers and Event Handlers. It receives events from all components of the DLP
Suite and provides alerts to special security respondents and events reviewers. The Console provides unparalleled search capabilities for
events correlation and detailed events data for any incident.

The GTB Inspector – A Content-Aware Reverse Firewall

Based on patent pending, proprietary technology, GTB's Inspector, a "Reverse Content-Aware Firewall"™, scans and analyzes ALL
outbound data transmissions from your network in real time. Once a threshold amount of protected data is detected, it stops the violating
transmission and/or alerts the designated security officer or administrator.

New programs requiring the use of unconventional protocols are becoming increasingly more prevalent. Furthermore, despite company
policies forbidding the practice, employees frequently utilize peer to peer applications. Microsoft Networks and similar protocols, initially
designed for LAN, are perfectly capable of working over the Internet.

Malicious applications (e.g., viruses and worms) can be utilized to transfer data across a broad variety of protocols. So supporting just
SMTP, HTTP, FTP and IM is a real limitation for the majority of DLP Solutions and is not DLP.

Protected data may include bank accounts, credit card numbers, and passwords. The Data Loss Prevention (DLP) device is completely
opposite to the secure location. It is installed on the network edge and more than one device can be installed if necessary. The Reverse
Content-Aware Firewall offers mass communication features and is compatible with multiple devices and multiple protocols.




Data-in-Motion is all traffic on the network. GTB's "Reverse Content-Aware Firewall"™ Inspector analyzes this traffic for pieces of source code; all
communication channels are scanned, such as: e-mails, instant messages, web logs, etc. If a violation is attempted, the transmission is blocked and then
logged on the security report. You can also elect to have the network administrator notified through an alert email.

Accuracy and Precision
• Virtually zero false positives
• Virtually 100% detection rate
• Resilient to data manipulation, including:
    • Data extracting – only a small part of a file or a subset of a database table is copied and pasted from one document to another
    • File format conversion
    • Compression
    • Embedding – the data from a protected file is inserted into another file
    • File extension changes
    • Re-typing – text is re-typed from a printed document
    • Language encoding changes, especially conversion between Unicode and plain English
    • Different representation, i.e., a social security number may be represented in the form '777-77-7762', '777 77 7762' or '777777762'

Protects ALL Protocols
• SMTP
• HTTP
• HTTPS
• Web Mail
• HTTP Server
• POP3
• FTP
• SSL (capable of decryption)
• Instant Messengers
• Yahoo Messenger
• Microsoft Messenger
• ICQ
• AIM
• Google Talk
• Jabber
• Peer-to-Peer applications (20+ applications and protocols)
• All protocols, sending data in clear
• Capable of blocking on all protocols

Reporting
• Built in table reports
• Built in Crystal Reports
• MS Access format for exporting

GTB Endpoint Protector - Agent(s)
GTB's Endpoint Protector is an innovative DLP solution addressing the growing problem of secure data leaving the organization through removable media devices such
as iPods, CDs/DVDs, or USB Drives.
Rather than restricting devices that connect to the network and passively auditing data transfers, the GTB Endpoint Protector offers organizations the ability to control
what content can be transferred between the network and removable media devices. The GTB Endpoint Protector has four main functions: controlling removable
media devices connecting to the network, providing detailed removable media auditing of hardware and file transactions, protecting data by selective encryption of
specific file types or protected content, and optionally integrating with the GTB Inspector to monitor and control data before it is transferred to removable media.

          • Provides complete access control addressing all removable media
          • Manages detailed file auditing
          • Offers both online and offline protection mode

Result: The GTB Endpoint Protector client monitors any I/O activity on a PC for all removable media activity, enforcing access policies created in the management
console. All data sent to removable media is intercepted and inspected by the GTB inspection engine. Various enforcement actions can then be taken, such as
blocking, alerting, encryption, etc.
Data-in-Use is data that is saved on removable media devices. GTB's Endpoint Protector scans data for sensitive content before it is saved and then can block
unauthorized transfers. The Endpoint Protector can also detect activities such as copy and paste, or use of sensitive data in an unapproved application, such as someone
encrypting the data in an attempt to bypass the Endpoint Protector's block.

Supported Devices
• USB Drives
• iPod, other mp3 players
• CD/DVD
• Fire wire
• SD Cards
• Floppy Drives
• Other I/O devices

Features
• LDAP Integration
• Files Encryption
• Detailed File Auditing
• Detailed Hardware Auditing
• Two way file control
• Online and Offline modes

Access Control
• Individual Users
• User Group
• Computer Group
• Port
• Device Type
• File Type
• Drive Serial Number

Actions
• Block
• Log
• Audit
• Encrypt

Reporting
• Built in Table Reports
• Built in Crystal Reports
• MS Access format exporting


GTB eDiscovery/GTB IRM - Agent(s)
Accurate Scans provide Accelerated review time and Lower Costs
Utilizing state-of-the-art detection algorithms, GTB eDiscovery is an eDiscovery tool for data at rest protection, data classification, categorization,
early case assessment (ECA) and search for Enterprises and SMB organizations.

GTB eDiscovery can scan every location on the network, including file servers, desktops and laptops. Confidential data is discovered with the same precision
and performance of the GTB Inspector. GTB eDiscovery is fully integrated with the GTB DLP suite, providing a complete DLP suite.

GTB eDiscovery scans the whole hard drive and finds files even in the Recycle Bin, ensuring that what is expected to be deleted was actually deleted.
Accurately monitor, protect and report violations any time a file is saved and/or blocked from saving; essentially eliminating the necessity to endlessly scan
machines for data violations.

GTB eDiscovery reports detailed information for each violating file, including location, actual content, context, file owner, file name, last accessed/modified
time, policy violation and more. It includes complete Workflow functionality which allows responding to multiple violations simultaneously.

Enterprise wide scans can be performed on demand or on a batch schedule for continuous compliance.

Using the GTB AccuMatch™ technology, eDiscovery firms can now focus on reviewing the most relevant ESI (electronically stored information), providing
accelerated review times & early case assessment (ECA) amounting to lower costs.

Combined with GTB IRM, eDiscovery is able to automatically enforce information Rights policies on files that violate corporate policies or industry data
regulations.

Result. GTB eDiscovery detects potential violations of data security and compliance before it becomes a security incident. This mitigates consequences of
laptop loss, intrusions and potential malware. GTB's technology is unique in that it not only exposes confidential data but also positively establishes its
absence.

GTB eDiscovery allows businesses, government and educational organizations to secure data and demonstrate compliance with GLBA, Sarbanes Oxley, PCI DSS, HIPAA,
HITECH Act, FISMA, FERC/NERC and other regulations. Additionally, it provides a much less expensive way to perform legal discovery and react to data loss incidents.




[Figure: GTB eDiscovery – Features and benefits]

[Figure: GTB IRM Network Architecture (Deployed Model)]

Deploying the GTB DLP Suite
This section is based on best practices as achieved in many banks, industrial companies and government accounts. The goal of the initial deployment is to
create custom policies, fingerprint, monitor, and report on specific data violations. Such behavior is reported in the Central Console with details on Locations,
Protocols, Port, User-name (or IP, or DNS machine name), Destinations, Severity level, Action taken, Remediation status, Data Classification, Policy
violated and Email status if the MTA is used. See Figure 1 below:




                                                     Figure 1 – Central Console Network incidents



The GTB Inspector – Optional Integration
Additional integration into the corporate infrastructure is also available: integration into the Active Directory domain
structure, Directory Services via LDAP, SIEM, Web URL Filtering systems and web proxies supporting ICAP.

Exchange/Email gateway – Emails may be received from any SMTP source to the MTA of the GTB Inspector. Such emails may be quarantined or
rerouted to an encryption gateway, a new host, or to the Cloud.

Proxy Server (ICAP Client) – ICAP handoffs from any Proxy server may be routed to the GTB Inspector for full HTTPS visibility. DKSH may use the
GTB SSL Proxy (inside the GTB Inspector) for the same purpose.

SIEM – The GTB Inspector may send all events to a syslog enabled SIEM.

Active Directory/LDAP – DKSH may run the Network Resource Helper script using GPO to integrate with Active Directory. This way the Inspector will
report the actual username at the time of the violation. Without the NRH, the GTB Inspector will report the IP Address and the Reverse DNS lookup of
the LAN host.

Secure Mail Gateway – The GTB Inspector is a Smart Host and can route emails to the Encryption gateway for those emails that require encryption.

Figure 2 – Additional optional integration




GTB’s DLP Project Lifecycle Phases
The Data Lifecycle represents various risks at each stage:

• Data in Motion (relative risk level: High) – Sensitive data may be sent over any channel to the internet by trusted or untrusted users.
• Data in Use (relative risk level: Medium) – An employee/consultant copies sensitive data to USB storage on his/her own computer.
• Data at Rest (relative risk level: Low) – Sensitive Data resides on file-shares and is accessed by authorized users, who may leak the file(s) by sending
  them to the Internet (Data in Motion) or copying it (Data in Use).

GTB’s multi-phased approach to deploying DLP has been proven to be the most effective across many deployments:

Phase 1: Monitoring – GTB recommends monitoring outbound network traffic with Administrator notifications to start.

Step 1: Connect the GTB Inspector to a span/mirror port and move the GTB Central Console to your VM inventory.
Step 2: Define what data is considered sensitive/confidential in your organization. This is a process and not a project. Depending on your company’s business, you
may be interested in protecting Personally Identifiable Information or Health Information, etc. You may be interested in protecting Intellectual Property, Source Code,
Images, or audio and video. A GTB senior DLP engineer will be able to consult with you on the best practices to define policies for your data.
Step 3: Fingerprint your Data (can also be part of Step 2). Data fingerprinting provides the most accurate and efficient detection of policy violations.
         Database fingerprinting (Structured data sources):
         Content policies are defined for specific data tables or combinations thereof. Policies are configured as combinations of fields and thresholds for a given
         number of matches. A HIPAA violation may be defined as the combination of both the Last_Name and the Social Security Number.
         Higher severity levels may be defined for such policies since such detection does not have false positives.
         Files fingerprinting (Unstructured data sources):
         GTB’s Security Manager utilizes the most advanced detection engine for file fingerprinting. Any file type may be fingerprinted, or entire Directories. Such
         Directories may be set as a “Lock Box”, where any time a file is dropped the data is automatically fingerprinted. The detection engine identifies any
         partial data match in any file format even if the data was modified. Some limitations apply for changed images.

Policies for Fingerprinted Data of both Databases and Files are available to all the GTB Components: Network, Endpoint, eDiscovery and IRM.
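
The field-combination policy with a match threshold described under database fingerprinting, together with the SSN representations listed earlier ('777-77-7762', '777 77 7762', '777777762'), can be sketched as follows. This is an added example, not GTB's code or its AccuMatch algorithm: it uses a generic keyed-hash exact-data-match scheme, and the function names, key, sample rows and thresholds are constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed key (assumption): a real deployment generates and protects this
# secret so a stolen fingerprint store cannot be brute-forced back into SSNs.
FINGERPRINT_KEY = b"example-key-not-for-production"

# Accepts the three representations named in the text. The digit lookarounds
# stop the pattern from matching inside a longer run of digits.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")
WORD_RE = re.compile(r"[A-Za-z][A-Za-z'\-]+")

# Constructed sample table standing in for the protected database.
SAMPLE_ROWS = [
    {"last_name": "Alvarez", "ssn": "777-77-7762"},
    {"last_name": "Okafor", "ssn": "777-77-7001"},
]


def digest(field, value):
    """Keyed hash of one normalized cell; the field name is bound into the MAC."""
    msg = f"{field}:{value}".encode("utf-8")
    return hmac.new(FINGERPRINT_KEY, msg, hashlib.sha256).hexdigest()


def normalize_ssn(raw):
    """Reduce any separator style to the bare nine digits."""
    return re.sub(r"\D", "", raw)


def normalize_name(raw):
    """Case-fold so 'ALVAREZ' and 'alvarez' fingerprint identically."""
    return raw.strip().lower()


def fingerprint_table(rows):
    """Index each row as ssn_digest -> last_name_digest.

    Only digests are stored, so the detector never holds the cleartext table.
    """
    index = {}
    for row in rows:
        ssn = digest("ssn", normalize_ssn(row["ssn"]))
        index[ssn] = digest("last_name", normalize_name(row["last_name"]))
    return index


def scan(text, index, threshold=1):
    """Return (matched_row_count, violation) for a piece of outbound content.

    A row counts only when its SSN and its own Last_Name both occur in the
    content; the policy fires once `threshold` distinct rows have matched.
    """
    name_digests = {
        digest("last_name", normalize_name(word)) for word in WORD_RE.findall(text)
    }
    matched = set()
    for m in SSN_RE.finditer(text):
        ssn_digest = digest("ssn", "".join(m.groups()))
        # index.get() is None for unknown SSNs, which is never in name_digests.
        if index.get(ssn_digest) in name_digests:
            matched.add(ssn_digest)
    return len(matched), len(matched) >= threshold


if __name__ == "__main__":
    idx = fingerprint_table(SAMPLE_ROWS)
    for sample in (
        "Patient Alvarez, SSN 777 77 7762",   # both fields of one row
        "Order 777-77-7762 shipped",          # SSN alone: policy does not fire
        "Okafor 777-77-7762",                 # fields from different rows
    ):
        print(sample, "->", scan(sample, idx))
```

Requiring both fields from the same row is what lets an SSN-shaped order number or a common surname on its own pass without an alert.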



Phase 2: Monitoring with user Notifications – at this stage, GTB recommends enabling email notifications to various stakeholders in the organization. You may want to alert Security Administrators, Violators, Managers of Violators, and special Security Respondents. Alerting the Violator will decrease the number of incidents over time as users become much more aware of data security in their transmissions.

Phase 3: Tuning (ongoing) – The key to successful DLP deployment is to reduce the number of incidents to a minimum by tuning the system to report only pertinent violations. Many DLP systems fail to detect incidents accurately and instead report thousands of irrelevant events. To make sure all incidents are relevant and manageable, you may:
• Make sure the selected protocols are relevant for specific policies and detection engines
• Identify authorized transactions and make appropriate changes for Users, Channels and Data (e.g., allowing specific transmissions from certain sources to certain destinations and for specific users/groups)
This is a good phase to assign Special Security Responders for specific policy violations. For example, the HR Manager receives alerts to handle HR violations and the Compliance Officer receives an alert to handle a PCI violation.

Phase 4: Enforcement – Most GTB customers move to this phase after 2 to 3 weeks. Enforcement options are available for different protocols and Severity levels of incidents.
• Email – You may start using the Inspector Mail Transport Agent (MTA) to Quarantine emails. You may have users remediate low-severity violations and have only Administrators remediate high-severity ones.
• Email Encryption – You may route emails to your Encryption Gateway (locally or in the cloud).
• You may define specific actions for any protocol. The GTB Inspector works as a Reverse Firewall for Content. As such, you may define Objects such as Encrypted Files, then set rules to Block such files for specific users/groups. A GTB Engineer may advise on additional examples.

Phase 5: Data Discovery/IRM (can start in phase 1) – Run the GTB eDiscovery agents on any computer you want to protect. The eDiscovery agents shall identify policy violations in files and automatically assign Information Rights policies to such files. Such policies are pre-defined in the GTB IRM Policy Server. They include Read, Write, Forward, Print, etc. Specific on-site training is available for this phase.

Phase 6: Endpoint DLP Deployment (can start in phase 1) – this phase is designed to control data in motion to Removable Media (any USB devices, FireWire, iPads, etc.). Agents may be deployed in stealth (invisible) mode through GPA or any agent installer program. All data policies previously defined will automatically propagate to the endpoint agents. Agents support offline policies as well, for users disconnected from the network.




GTB – Product Support Structure
First and Second Level Support

CLIENT

GTB Technologies - Local Office: First and Second Level Support
  1. On-Site Support (Office Hours Only)
  2. Telephone (Office Hours Only)
  3. Email - 24 Hours
  4. Annual Maintenance Support and Upgrade.
  Assigned to: DLP Expert

GTB Technologies - Online Support: First and Second Level Support
  1. Telephone and Email - 24 / 7 / 365
  2. Remote Assistance
  3. Annual Maintenance Support and Upgrade.
  Assigned to: DLP Expert

GTB Certified Local Partner: First Level Support
  1. On-Site Support (Office Hours Only)
  2. Telephone (Office Hours Only)
  3. Email Support
  4. Annual Maintenance Support and Upgrade.
  Assigned to: Product Engineer/Support Engineer




GTB – Sample Customers

Apple, Inc.                                     60,000 users
American Greetings                               8,000 users
Bureau of Indian Affairs (US Government DOI)     7,500 users
CITGO Oil Company                                4,500 users
ESL Federal Credit Union                         1,200 users
SAFE Credit Union                                  750 users
San Mateo Credit Union                             650 users





Gtb Dlp & Irm Solution Product And Deployment Overview

  • 1. GTB Data Loss Prevention and Information Rights Management Solution Product and Deployment Overview
  • 2. Table of Contents Description Page GTB Technologies – What we do? 3 GTB DLP Suite - An Overview 4-5 GTB's Key Competitive Differentiators 6 GTB DLP Suite Architecture 7 Elements of the GTB DLP SUITE 8 - 13 Deploying the GTB DLP Suite 14 The GTB Inspector – Optional Integration 15 GTB’s DLP Project Lifecycle Phases 16 - 17 GTB – Product Support Structure 18 GTB – Sample Customers 19 GTB Technologies, Inc - Confidential - 2012 2
  • 3. GTB Technologies – What we do? Insider Threat Protection - Accuracy on all ports and protocols The Gartner Group estimates that 70 percent of security incidents which actually cause financial losses to enterprises involve insiders. 60% of those are unintentional. The Federal Bureau of Investigation asserts that "Insider threats to data security, which have received considerably less notice than external security risks, need more attention". Identity Theft incidents are increasing in an alarming rate. Such incidents are not only embarrassing, but actually cause financial harm to companies. Federal and States' Governments enforce laws and regulations designed to protect such data: Sarbanes Oxley, FISMA, GLBA, HIPAA, CA SB1386, CA AB1950, CNPI, Payment Card Industry (PCI) Data Security Standard, The Patriot Act, FERC/NERC and other. In any modern enterprise, core assets reside in Intellectual Property. In fact, your IP resides in many different digital forms on your network. That includes customers’ data, financial reports, business plans, internal memos, technical designs, source code etc. And all of it is only a few clicks away from exposure by a sloppy or a disgruntled employee. Your confidential content may be transmitted through many different Internet Protocols and through several means: E-Mail, Instant Messengers, Web Servers, Private Blogs, Hacker Tools, Spyware and many other applications. Installing the GTB Reverse Content-Aware Firewall Inspector on your network would prevent any attempt to transmit confidential data in violation of your security policy. Independent evaluations confirm GTB's AccuMatch™ detection algorithms are the most accurate and fastest detection algorithms on the market. Unlike competitive solutions that require risky changes to network architecture to prevent data breaches, the GTB solution works out of the box and requires no changes to your network. GTB Technologies, Inc - Confidential - 2012 3
  • 4. GTB DLP Suite - An Overview GTB DLP Suite, accurately prevents data leakage, secures business processes, and manages compliance and risk. The system discovers data on file shares and users’ machines and automatically applies IRM Policies for such files. Organization may also fingerprint pertinent tables form Databases (any database) for PII or PHI protection. GTB DLP Suite is the only data loss prevention (DLP) solution that provides content, context, detailed sources and destination awareness, allowing administrators to manage the DLP like a “Content-Aware Reverse Firewall”. There are many use-cases for DLP and we list some of them here: Control a broken business Detect or Block encrypted Demonstrate Compliance Automate Email Encryption process content Should I allow encrypted data to Who is sending, what data and I have no way of enforcing data How do I automate encrypting leave without content to whom? loss compliance regulation emails which require it? inspection? Detect/Block TCP from Non- Severity Blocking Visibility to SSL Employees' Education trusted users My employees are not Some breaches are so severe I have no visibility to SSL in How do I detect transmissions complying with the Written that I prefer to altogether block general and HTTPS in from non-trusted users Information Security Policy them! particular! (Malware/Viruses/Trojans) (WISP) GTB DLP Suite includes four, fully integrated modules. All modules share the same powerful Inspection engines as well as Policies. Policies may be modified for each component without affecting others. GTB Inspector The GTB Inspector is a dual mode device which can be connected either in passive or in-line (bridge mode). It monitors all business communications including Web, email, FTP, instant messaging and more. Once a data violation is identified, it automatically enforces the security policy including Log, Encrypt, Quarantine or Block. 
GTB eDiscovery GTB Data eDiscovery discovers the location of confidential information on laptops, desktops and fileservers. Utilizing Microsoft’s File Classification, it can also classify data based on content. Additionally it can call on GTB IRM to enforce Identity Rights policies on detected files. Most importantly, GTB eDiscovery can monitor such computers and report file’s violations in real-time. This avoids lengthy quarterly scan of machines. GTB IRM GTB IRM enforces Identity Rights policies on protected files: Control WHO- which information owners can control the information i.e. people, groups. Control WHAT- actions are allowed on such files, i.e., view, edit, print, copy-paste, screen capture (print screen, screen grabbing tools, screen sharing tools), macros and offline controls. Control WHEN- information usage can start and stop based on time i.e. dates, timespans... Control WHERE- information can be locked to networks and locations i.e. office, branches and/or specific customer locations. The system provides full reporting on the chain of custody for any file for forensics and security purpose. GTB Technologies, Inc - Confidential - 2012 4
  • 5. GTB DLP Suite - An Overview GTB Endpoint Protector GTB Endpoint Protector provides data loss prevention at the endpoint with full USB and removable Media controls: Discovers devices, Protects devices, Audits devices, Controls devices, Content-Aware. The system is also able to automatically encrypt files saved to USB media as well as maintaining a copy of saved file in a shadow location. Administrators have complete visibility to actual files that were blocked by the Endpoint Protector. The GTB DLP Suite prevents data loss, demonstrates compliance and secures business processes. Each of the four integrated modules provides unparalleled visibility into communications, compliance auditing and measures and mitigates the risk of data loss. Communication Visibility - GTB DLP Suite’s provides administrators with full control and visibility for secure content. It controls who is able to send, what data and to who. Complete reporting provides Sources, Destinations, Protocols, Ports, and File Owners with Active Directory integration for reporting usernames. The system also reports the username of the webmail violator for better forensics. Detection Accuracy - Utilizing Recursive Transitional GapsTM, the GTB DLP Suite provides unparalleled accuracy for detecting sensitive data. Intellectual Property such as Source Code, Engineering designs, Audio and Video files are accurately identified and classified by any of the DLP components. Solution Coverage - GTB DLP Suite monitors all outbound transmission form trusted and non-trusted users on all 65,535 ports. It is file format agnostic and can identify data in any file type including images, audio and video files. Management and Reporting - Enterprise Management and Reporting provides analysis tools and searches as well as complete work-flow for events remediation. GTB Technologies, Inc - Confidential - 2012 5
  • 6. GTB's key competitive differentiators The highest precision of breach detection: offering virtually no false positives and nearly a 100% catch rate and data modification resiliency. 1GB speed Can detect and prevent sensitive data in all kind of languages Can detect and prevent all kind of data , structure, un-structure, binary files – which depending on the model, GTB's Content Aware Reverse Firewall, the Inspector appliance, can protect up to 700 million elements of stored data in databases and up to 5 terabyte of source data across more than 600 different file formats, including Microsoft Office documents, CSV files, CAD drawings, image files, rich media and other industry-specific application formats. Support for ALL protocols including Email, Instant Messengers, FTP and even unknown protocols such as RDP (any terminal server), Telnet and any Unknown TCP Protocol. Monitoring and blocking in real time all the 65,535 ports :  The Well Known Ports - from 0 through 1023.  The Registered Ports - from 1024 through 49151  The Dynamic and/or Private Ports - from 49152 through 65535 Virtually no false positive OR no false negatives** for detecting both Personal Identifiable Information and partial file matching (**on fingerprinted data) - thus allowing customers to Block content from exiting! Multi-language support Detection of Encrypted Content Scalability to outbound and inbound network bandwidth Workflow for event remediation – no one can delete the event from the central consul management Multi-location Central Management Console – being protected from hacking SIEM integration No need to re-write the rules and policy from the beginning whenever there is any update and upgrade of the system. Designed for unattended, maintenance free operation Available as a Portable "all-in-one " device - to quickly move the appliance between networks (internal or external) Changes in the network architecture are not required GTB Technologies, Inc - Confidential - 2012 6
  • 7. GTB DLP Suite Architecture The GTB DLP Suite is best known for operating with a Minimum Change requirement that is able to translate into Maximum Accuracy and Efficiency! Which means: The GTB DLP Suite deployment requires minimum infrastructure changes. The GTB Inspector itself is a Plug and Play device that runs on any VM Image and sits on the edge of the network. The Endpoint Protector and eDiscovery agents are easily deployed via Microsoft Active Directory or any other LDAP’s. Endpoint and eDiscovery Agents are installed through Domain via Group Policies or GTB Console and is available as a service for all users of the PC. It will work even for local users. The GTB DLP Suite architecture is comprised of five main components: Central Console – Runs on any VM image. The GTB Inspector – a 1U server based on Dell PowerEdge R210 or higher. (Also available as VM image). GTB Endpoint Protector Agent[s] GTB eDiscovery Agent[s] GTB IRM The GTB Inspector works with any ICAP clients such as Blue Coat or Microsoft ISA/TMG. It also includes its own SSL Proxy for inspecting SSL traffic. Inspecting multiple egress points require at least one GTB Inspector at each location. Events from each location are reported in the Central Console. More than 2,000 user accounts are advised to Deploy 2 Inspectors, one for MTA and one for inspection of all other traffic. The GTB Inspector is a full MTA and a Smart Host. GTB Technologies, Inc - Confidential - 2012 7
  • 8. Elements of the GTB DLP SUITE
    The GTB Central Console
    The GTB Central Console is based on Red Hat Linux and is available in any Virtual Machine image. As such, it runs on any server that the VM runs on. The Central Console includes management, reporting and a full workflow for any incident. The Console is role-based and is fully integrated with Active Directory for defining Administrators, Event Reviewers and Event Handlers. It receives events from any and all parts of the DLP Suite and provides alerts to special security respondents and event reviewers. The Console provides unparalleled search capabilities for event correlation and detailed event data for any incident.
    The GTB Inspector – A Content-Aware Reverse Firewall
    Based on patent-pending, proprietary technology, GTB's Inspector, a "Reverse Content-Aware Firewall"™, scans and analyzes ALL outbound data transmissions from your network in real time. Once a threshold amount of protected data is detected, it stops the violating transmission and/or alerts the designated security officer or administrator.
    New programs requiring the use of unconventional protocols are becoming increasingly prevalent. Furthermore, despite company policies forbidding the practice, employees frequently use peer-to-peer applications. Microsoft Networks and similar protocols, initially designed for LAN, are perfectly capable of working over the Internet. Malicious applications (e.g., viruses and worms) can be used to transfer data across a broad variety of protocols. So supporting just SMTP, HTTP, FTP and IM is a real limitation for the majority of DLP Solutions and is not DLP.
    Protected data may include bank accounts, credit card numbers, and passwords. The Data Loss Prevention (DLP) device is completely opposite to the secure location. It is installed on the network edge and more than one device can be installed if necessary. The Reverse Content-Aware Firewall offers mass communication features and is compatible with multiple devices and multiple protocols.
  • 9. Elements of the GTB DLP SUITE
    Data-in-Motion is all traffic on the network. GTB's "Reverse Content-Aware Firewall"™ Inspector analyzes this traffic for pieces of source code; all communication channels are scanned, such as e-mails, instant messages, web logs, etc. If a violation is attempted, the transmission is blocked and then logged on the security report. You can also elect to have the network administrator notified through an alert email.
    Accuracy and Precision
      • Virtually zero false positives
      • Virtually 100% detection rate
      • Resilient to data manipulation, including:
          • Data extracting – only a small part of a file or a subset of a database table is copied and pasted from one document to another
          • File format conversion
          • Compression
          • Embedding – the data from a protected file is inserted into another file
          • File extension changes
          • Re-typing – text is re-typed from a printed document
          • Language encoding changes, especially conversion between Unicode and plain English
          • Different representation, e.g., a social security number may be represented in the form '777-77-7762', '777 77 7762' or '777777762'
    Protects ALL Protocols
      • SMTP
      • HTTP
      • HTTPS
      • Web Mail
      • HTTP Server
      • POP3
      • FTP
      • SSL (capable of decryption)
      • Instant Messengers
          • Yahoo Messenger
          • Microsoft Messenger
          • ICQ
          • AIM
          • Google Talk
          • Jabber
      • Peer-to-Peer applications (20+ applications and protocols)
      • All protocols sending data in clear
      • Capable of blocking on all protocols
    Reporting
      • Built in table reports
      • Built in Crystal Reports
      • MS Access format for exporting
  • 10. Elements of the GTB DLP SUITE
    GTB Endpoint Protector - Agent(s)
    GTB's Endpoint Protector is an innovative DLP solution addressing the growing problem of secure data leaving the organization through removable media devices such as iPods, CD/DVDs, or USB Drives. Rather than restricting devices that connect to the network and passively auditing data transfers, the GTB Endpoint Protector offers organizations the ability to control what content can be transferred between the network and removable media devices.
    The GTB Endpoint Protector has four main functions:
      • controlling removable media devices connecting to the network,
      • providing detailed removable media auditing of hardware and file transactions,
      • protecting data by selective encryption of specific file types or protected content, and
      • optionally integrating with the GTB Inspector to monitor and control data before it is transferred to removable media.
    It:
      • Provides complete access control addressing all removable media
      • Manages detailed file auditing
      • Offers both online and offline protection mode
    Result: The GTB Endpoint Protector client monitors any I/O activity on a PC for all removable media activity, enforcing access policies created in the management console. All data sent to removable media is intercepted and inspected by the GTB inspection engine. Various enforcement actions can then be taken, such as blocking, alerting, encryption, etc.
    Data-in-Use is data that is saved on removable media devices. GTB's Endpoint Protector scans data for sensitive content before it is saved and then can block unauthorized transfers. The Endpoint Protector can also detect activities such as copy and paste, or use of sensitive data in an unapproved application, such as someone encrypting the data in an attempt to bypass the Endpoint Protector's block.
    Supported Devices
      • USB Drives
      • iPod, other mp3 players
      • CD/DVD
      • FireWire
      • SD Cards
      • Floppy Drives
      • Other I/O devices
    Features
      • LDAP Integration
      • Files Encryption
      • Detailed File Auditing
      • Detailed Hardware Auditing
      • Two way file control
      • Online and Offline modes
    Actions
      • Block
      • Log
      • Audit
      • Encrypt
    Access Control
      • Individual Users
      • User Group
      • Computer Group
      • Port
      • Device Type
      • File Type
      • Drive Serial Number
    Reporting
      • Built in Table Reports
      • Built in Crystal Reports
      • MS Access format exporting
  • 11. Elements of the GTB DLP SUITE
    GTB eDiscovery/GTB IRM - Agent(s)
    Accurate Scans provide Accelerated review time and Lower Costs
    Utilizing the most state-of-the-art detection algorithms, GTB eDiscovery is an eDiscovery tool for data at rest protection, data classification, categorization, early case assessment (ECA) and search for Enterprises and SMB organizations.
    GTB eDiscovery can scan every location on the network, including file servers, desktops and laptops. Confidential data is discovered with the same precision and performance as the GTB Inspector. GTB eDiscovery is fully integrated with the GTB DLP suite, providing a complete DLP suite. GTB eDiscovery scans the whole hard drive and finds files even in the Recycle Bin, ensuring that what is expected to be deleted was actually deleted.
    It accurately monitors, protects and reports violations any time a file is saved and/or blocked from saving, essentially eliminating the necessity to endlessly scan machines for data violations. GTB eDiscovery reports detailed information for each violating file, including location, actual content, context, file owner, file name, last accessed/modified time, policy violation and more. It includes complete Workflow functionality which allows simultaneous response to multiple violations. Enterprise-wide scans can be performed on demand or on a batch schedule for continuous compliance.
    Using the GTB AccuMatch™ technology, eDiscovery firms can now focus on reviewing the most relevant ESI (electronically stored information), providing accelerated review times and early case assessment (ECA), amounting to lower costs. Combined with GTB IRM, eDiscovery is able to automatically enforce Information Rights policies on files that violate corporate policies or industry data regulations.
    Result: GTB eDiscovery detects potential violations of data security and compliance before they become a security incident. This mitigates the consequences of laptop loss, intrusions and potential malware. GTB's technology is unique in that it not only exposes confidential data but also positively establishes its absence. GTB eDiscovery allows businesses, government and educational organizations to secure data and demonstrate compliance with GLBA, Sarbanes Oxley, PCI DSS, HIPAA, HITECH Act, FISMA, FERC/NERC and other regulations. Additionally, it provides a much less expensive way to perform legal discovery and react to data loss incidents.
  • 12. Elements of the GTB DLP SUITE GTB eDiscovery – Features and benefits
  • 13. Elements of the GTB DLP SUITE GTB IRM Network Architecture (Deployed Model)
  • 14. Deploying the GTB DLP Suite
    This section is based on best practices as achieved in many banks, industrial companies and government accounts. The goal of the initial deployment is to create custom policies, fingerprint, monitor, and report on specific data violations. Such behavior is reported in the Central Console with details on Locations, Protocols, Port, User-name (or IP, or DNS machine name), Destinations, Severity level, Action taken, Remediation status, Data Classification, Policy violated and Email status if the MTA is used. See Figure 1 below:
    Figure 1 – Central Console Network incidents
  • 15. The GTB Inspector – Optional Integration
    Additional integration into the corporate infrastructure is also available: integration into the Active Directory domain structure, Directory Services via LDAP, SIEM, Web URL Filtering systems and web proxies supporting ICAP.
      • Exchange/Email gateway – Emails may be received from any SMTP source to the MTA of the GTB Inspector. Such emails may be quarantined or rerouted to an encryption gateway, a new host, or to the Cloud.
      • Proxy Server (ICAP Client) – ICAP handoffs from any Proxy server may be routed to the GTB Inspector for full HTTPS visibility. DKSH may use the GTB SSL Proxy (inside the GTB Inspector) for the same purpose.
      • SIEM – The GTB Inspector may send all events to a syslog-enabled SIEM.
      • Active Directory/LDAP – DKSH may run the Network Resource Helper (NRH) script using GPO to integrate with Active Directory. This way the Inspector will report the actual username at the time of the violation. Without the NRH, the GTB Inspector will report the IP Address and the Reverse DNS lookup of the LAN host.
      • Secure Mail Gateway – The GTB Inspector is a Smart Host and can route emails to the Encryption gateway for those emails that require encryption.
    Figure 2 – Additional optional integration
  • 16. GTB’s DLP Project Lifecycle Phases
    The Data Lifecycle represents various risks at each stage:
      • DLP Area: Data in Motion
          Risk: Sensitive data may be sent over any channel to the internet by trusted or untrusted users.
          Relative Risk Level: High
      • DLP Area: Data in Use
          Risk: An employee/consultant copies sensitive data to USB storage on his/her own computer.
          Relative Risk Level: Medium
      • DLP Area: Data at Rest
          Risk: Sensitive data resides on file-shares and is accessed by authorized users, who may leak the file(s) by sending them to the Internet (Data in Motion) or copying them (Data in Use).
          Relative Risk Level: Low
    GTB’s multi-phased approach to deploying DLP has been proven to be the most effective across many deployments:
    Phase 1: Monitoring – GTB recommends monitoring outbound network traffic with Administrator notifications to start.
      Step 1: Connect the GTB Inspector to a span/mirror port and move the GTB Central Console to your VM inventory.
      Step 2: Define what data is considered sensitive/confidential in your organization. This is a process and not a project. Depending on your COMPANY’s business you may be interested in protecting Personally Identifiable Information or Health Information, etc. You may be interested in protecting Intellectual Property, Source Code, Images, or audio and video. A GTB Senior DLP engineer will be able to consult with you on the best practices to define policies for your data.
      Step 3: Fingerprint your Data (can also be part of Step 2). Data fingerprinting provides the most accurate and efficient detection of policy violations.
        Database fingerprinting (structured data sources): Content policies are defined for a specific data table or combinations thereof. Policies are configured as combinations of fields and thresholds for a given number of matches. A HIPAA violation may be defined as the combination of both the Last_Name and the Social Security Number. Higher severity levels may be defined for such policies since such detection does not have false positives.
        File fingerprinting (unstructured data sources): GTB’s Security Manager utilizes the most advanced detection engine for file fingerprinting. Any file type or entire Directories may be fingerprinted. Such Directories may be set as a “Lock Box”, where any time a file is dropped the data shall automatically be fingerprinted. The detection engine shall identify any partial data match in any file format even if the data was modified. Some limitations apply for changed images.
    Policies for Fingerprinted Data of both Databases and Files are available to all the GTB Components: Network, Endpoint, eDiscovery and IRM.
  • 17. GTB’s DLP Project Lifecycle Phases
    Phase 2: Monitoring with user Notifications – At this stage, GTB recommends enabling email notifications to various stakeholders in the organization. You may want to alert Security Administrators, Violators, Managers of Violators, and special Security Respondents. Alerting the Violator will decrease the number of incidents over time as users become much more aware of data security in their transmissions.
    Phase 3: Tuning (ongoing) – The key to successful DLP deployment is to reduce the number of incidents to a minimum by tuning the system to report only pertinent violations. Many DLP systems fail to detect incidents accurately and instead report thousands of irrelevant events. To make sure all incidents are relevant and manageable, you may:
      • Make sure the selected protocols are relevant for specific policies and detection engines
      • Identify authorized transactions and make appropriate changes for Users, Channels and Data (e.g., allowing specific transmissions from certain sources to certain destinations and for specific users/groups)
    This is a good phase to assign Special Security Responders for specific policy violations. For example, the HR Manager receives alerts to handle HR violations and the Compliance Officer receives an alert to handle a PCI violation.
    Phase 4: Enforcement – Most GTB customers move to this phase after 2 to 3 weeks. Enforcement options are available for different protocols and Severity levels of incidents.
      • Email – You may start using the Inspector Mail Transport Agent (MTA) to Quarantine emails. You may have users remediate low severity violations and only have Administrators remediate high severity ones.
      • Email Encryption – You may route emails to your Encryption Gateway (locally or in the cloud).
      • You may define specific actions for any protocol. The GTB Inspector works as a Reverse Firewall for Content. As such, you may define Objects such as Encrypted Files, then set rules to Block such files for specific users/groups. A GTB Engineer may advise on additional examples.
    Phase 5: Data Discovery/IRM (can start in phase 1) – Run the GTB eDiscovery agents on any computer you want to protect. The eDiscovery agents shall identify policy violations in files and automatically assign Information Rights policies on such files. Such policies are pre-defined in the GTB IRM policy Server. They include Read, Write, Forward, Print etc. Specific on-site training is available for this phase.
    Phase 6: Endpoint DLP Deployment (can start in phase 1) – This phase is designed to control data in motion to Removable Media (any USB devices, FireWire, iPads etc.). Agents may be deployed in stealth (invisible) mode through GPO or any agent installer program. All data policies previously defined will automatically propagate to the endpoint agents. Agents support off-line policies as well, for users disconnected from the network.
  • 18. GTB – Product Support Structure
    First and Second Level Support (CLIENT)
    GTB Certified Local Partner: First Level Support
      1. On-Site Support (Office Hours Only)
      2. Telephone (Office Hours Only)
      3. Email Support
      4. Annual Maintenance Support and Upgrade.
      Assigned to: Product Engineer/Support Engineer
    GTB Technologies - Local Office: First and Second Level Support
      1. On-Site Support (Office Hours Only)
      2. Telephone (Office Hours Only)
      3. Email - 24 Hours
      4. Annual Maintenance Support and Upgrade.
      Assigned to: DLP Expert
    GTB Technologies - Online Support: First and Second Level Support
      1. Telephone and Email - 24 / 7 / 365
      2. Remote Assistance
      3. Annual Maintenance Support and Upgrade.
      Assigned to: DLP Expert
  • 19. GTB – Sample Customers
      • Apple, Inc. – 60,000 users
      • American Greetings – 8,000 users
      • Bureau of Indian Affairs (US Government DOI) – 7,500 users
      • CITGO Oil Company – 4,500 users
      • ESL Federal Credit Union – 1,200 users
      • SAFE Credit Union – 750 users
      • San Mateo Credit Union – 650 users
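The database fingerprinting policy from slide 16 (Last_Name combined with Social Security Number, with a match threshold) and the representation resilience from slide 9 can be illustrated with keyed-hash exact data matching. This is an added example, not GTB's code or detection algorithm; the key, the sample rows, the 80-character proximity window and all function names are assumptions.

```python
import hashlib
import hmac
import re

# Assumption: a per-deployment secret. SSNs are low-entropy, so unkeyed hashes
# of them could be brute-forced by anyone who obtains the fingerprint index.
KEY = b"constructed-demo-key"

SSN_RE = re.compile(r"(?<!\d)\d{3}[- ]?\d{2}[- ]?\d{4}(?!\d)")
WORD_RE = re.compile(r"[A-Za-z][A-Za-z'\-]+")

def norm_ssn(value):
    """'777-77-7762', '777 77 7762' and '777777762' all become '777777762'."""
    return re.sub(r"\D", "", value)

def norm_name(value):
    return re.sub(r"[^a-z]", "", value.lower())

def fingerprint(value):
    return hmac.new(KEY, value.encode(), hashlib.sha256).hexdigest()

def build_index(rows):
    """Map SSN fingerprint -> Last_Name fingerprint; no cleartext is stored."""
    return {fingerprint(norm_ssn(ssn)): fingerprint(norm_name(name))
            for name, ssn in rows}

def count_record_matches(text, index, window=80):
    """Count distinct records whose SSN occurs with its own Last_Name nearby."""
    hits = set()
    for m in SSN_RE.finditer(text):
        ssn_fp = fingerprint(norm_ssn(m.group()))
        name_fp = index.get(ssn_fp)
        if name_fp is None:
            continue  # SSN-shaped number that is not in the protected table
        context = text[max(0, m.start() - window):m.end() + window]
        words = WORD_RE.findall(context)
        if any(fingerprint(norm_name(w)) == name_fp for w in words):
            hits.add(ssn_fp)  # both fields of one row matched
    return len(hits)

def evaluate(text, index, threshold=1):
    """Policy: violation once `threshold` distinct rows are matched."""
    matches = count_record_matches(text, index)
    return {"matches": matches, "violation": matches >= threshold}

# Constructed sample rows (not real data), using the SSN format from slide 9.
ROWS = [("Okafor", "777-77-7762"), ("Lindqvist", "777-77-7763")]
INDEX = build_index(ROWS)

if __name__ == "__main__":
    print(evaluate("Patient Okafor, SSN 777 77 7762", INDEX))
    print(evaluate("ticket 777-77-7762 closed", INDEX))
```

Requiring both fields of the same row is what keeps a bare nine-digit number, or a surname on its own, from raising an incident.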