nullcon 2011 - Enterprise Paradigm for Controlling Data Leakage
Enterprise Paradigm for Controlling Data Leakage by Deepak Rout

Published in: Technology
  • Analyzing under the radar transactions to re-set thresholds
Transcript of "nullcon 2011 - Enterprise Paradigm for Controlling Data Leakage"

Enterprise Information Security... a Different view
Nullcon (Dwitiya), Goa, 26 Feb 2011
Deepak Rout

Agenda
  • Data Leakage Prevention … a new paradigm
  • IBA instead of RBA … turning ‘The Standard’ around
  • What’s in store for us!
  • Q & A

Shortcomings of a Readymade DLP Solution
  • Very high false positives
  • Long gestation period
  • Data leakage due to the DLP solution itself
  • Several data leakage avenues left out:
      - Mass storage devices
      - Unmonitored Internet access
      - Uncontrolled exception management
      - Too many admins/super-users
  • Differing legal/regulatory provisions globally
  Result: unintentional data loss gets detected, while planned data theft or a corporate espionage agent remains a step ahead of the DLP policies.

Data Leakage Prevention - Essentials
  • Business/management concerns on security of data
  • Statutory and regulatory imperatives
  • Contracts and agreements
  • Data protection - a security manager’s KPI
  • Avoiding the silver bullet syndrome
  • Holistic & proactive data protection framework

Holistic Approach to Reduce Data Leakage
  • Closing data leak channels not required for business
  • Proactively monitoring channels that have to be opened for business
  • Focus on known/suspected leak channels
  • Adhering to ‘need to know’
  • Controlling leakage by authorized users (e.g. end point solution)
  • Controlling leakage to unauthorized users (e.g. rights management)
  • Using technology as well as process controls
  • Phased deployment approach
  • Strong management intent and business involvement
  • Educating users on the DLP program and the consequences of violation
  • Effective consequence management and exemplary treatment
  • Doing PDCA, if a DLP solution is deployed
  • Knowing the limitations of DLP controls/tools; briefing management so that it accepts the residual risk
  • Accepting that even after all controls, data leak incidents may happen:
      - Capability to audit user actions
      - Tools to investigate data leak incidents

Suggested Data Leakage Prevention Framework
  (diagram slide; no text in the transcript)

DLP - Do Not & Do
  Do not deploy DLP:
  • As a remedial measure in the aftermath of a particularly nasty incident
  • Because business is doing well and security gets to push through a security investment
  • By getting entangled with a silver bullet DLP solution
  • On the strength of pure selling by DLP solution providers
  • As a mail filtering mechanism
  Do:
  • Deploy a comprehensive set of DLP technologies and processes as a risk mitigation measure that emerges from a systematic risk assessment based on business and security objectives

Agenda (repeated)
  • Data Leakage Prevention … a new paradigm
  • IBA instead of RBA … turning ‘The Standard’ around
  • What’s in store for us!
  • Q & A

IBA instead of RBA for EIS
  • ‘Risk Based Approach’ (RBA): a PDCA approach of identifying & mitigating risks
  • ‘Incident Based Approach’ (IBA) is an alternative to RBA: a PDCA cycle based on incident prevention
  • On occurrence of an incident, follow the steps: Triage, Investigate, CAPA, RCA, Implement
  • Digital forensics plays an anchoring role in all stages:
      - Triage: preserve incident parameters
      - Investigation, CAPA & RCA: diagnostics & analysis
      - Prevention: designing enterprise controls

Typical Chronology of a Digital Investigation .... 1 (ACQUIRE)
  1. Prepare a clean destination hard drive:
     • Otherwise it is difficult to distinguish between old data and new
     • The suspect can claim that incriminating evidence was planted
     • Specialised tools wipe off past data (e.g. DriveWiperVoom)
     • These tools also generate reports to demonstrate that the hard disk is clean
  2. Digitally image data from the suspect system to the target drive:
     • Bit-by-bit clone of the original hard drive using specialised tools
     • Includes all files (OS, deleted, encrypted, password protected & hidden)
     • Data hidden surreptitiously within other files is also retrieved
     • OS independent tools, which do not require a dedicated drive
     • Rapid imaging
     • The original hard drive is then sealed

Typical Chronology of a Digital Investigation .... 2 (AUTHENTICATE, ANALYSE)
  3. Fingerprint:
     • To ensure that the data copied from the source drive to the cloned drive is the same
     • A unique fingerprint is created for each hard drive (hashing)
     • The suspect hard drive is seized along with its hash value, which is made known to the suspect
     • The same hash value is demonstrated on the seized drive
  4. Write-protect data:
     • Using write-protect bridges
     • From then on, the drive can only be read, not written to
     • Guarantees purity of evidence
  5. Analyse/Investigate:
     • Specialised tools scan the hard drive and classify files by category (encrypted files, password protected files, misnamed files, image files, compressed files etc.)
     • Password-cracking tools are used on password-protected files
     • Steganography (camouflaging files within another file) can be countered with tools conforming to judicial and evidential requirements (files are analysed for hidden messages)

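The imaging, fingerprint and write-protect steps above (steps 2 to 4) can be exercised in software. The following Python script is an added example and not part of the original deck: it images a constructed "suspect drive" file bit for bit, makes the image read-only as a stand-in for a hardware write-blocker, and produces a small verification report with both hashes, so that a copy with a single flipped bit is rejected. All file names are made up, and the chunked hashing is there so a real multi-gigabyte image never has to fit in memory.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK = 1 << 20  # hash/copy 1 MiB at a time so a large image never sits in memory


def fingerprint(path, algo="sha256"):
    """Hash a drive or image file in chunks: the 'fingerprint' of step 3."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_drive(src, dst):
    """Bit-for-bit copy of src to dst (software stand-in for an imaging tool, step 2)."""
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        shutil.copyfileobj(fin, fout, CHUNK)
    # Step 4, write-protect: a hardware bridge blocks writes to the evidence drive;
    # here the image is simply made read-only once it has been taken.
    os.chmod(dst, 0o444)


def verify_image(src, dst, algo="sha256"):
    """Report both hashes and whether the image is an exact copy of the source."""
    src_hash, dst_hash = fingerprint(src, algo), fingerprint(dst, algo)
    return {"algorithm": algo, "source": src_hash, "image": dst_hash,
            "match": src_hash == dst_hash}


def demo():
    """Constructed scenario (not real evidence): a fake suspect drive, a clean image,
    and a copy with one flipped bit, which the fingerprint check must reject."""
    workdir = tempfile.mkdtemp()
    suspect = os.path.join(workdir, "suspect_drive.bin")
    with open(suspect, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 123))  # sample data, constructed for the demo
    clean = os.path.join(workdir, "image_clean.dd")
    image_drive(suspect, clean)
    tampered = os.path.join(workdir, "image_tampered.dd")
    shutil.copyfile(clean, tampered)  # copyfile does not carry over the read-only mode
    with open(tampered, "r+b") as f:
        f.seek(CHUNK + 7)
        original = f.read(1)
        f.seek(CHUNK + 7)
        f.write(bytes([original[0] ^ 0x01]))  # flip one bit deep inside the image
    return verify_image(suspect, clean), verify_image(suspect, tampered)
```

Calling `demo()` returns two reports: the clean image matches the source hash, the tampered copy does not, which is exactly the "same hash value demonstrated on the seized drive" check from step 3.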
Enterprise Capability Model for Digital Forensics
  • A highly developed internal capability is not desirable
  • Minimum but potent internal capability (imaging, packet capture, logging etc.)
  • Advanced capabilities on demand (image analysis, link analysis, heuristics etc.):
      - As appropriate for the specific industry
      - Pre-configured per management/regulatory requirement
      - Pre-negotiated & with SLA
  • RoI & industry considerations for configuring the model
  • Optimum model: limited internal & bulk outsourced capability
  • After forensics, what???

A View of the Future!!!
  • New criminal business models & malware sophistication: criminal organizations worldwide are increasingly migrating their business models online. The complexity of threats will increase & digital crimes will become more frequent.
  • The problem will not disappear: criminals’ online activities will continue to be hosted on distributed servers worldwide.
  • New targets: newer attack methodologies, including the targeting of SCADA systems that control key infrastructure and economy sectors (petrol, gas, electricity, water, nuclear etc.).
  • Economic impact: the world economy’s relationship with online services is so strong that any failure could lead to complete chaos. Criminals know this and will take full advantage of it.
  • Ubiquitous malware: citizens will continue to depend on technology and ubiquitous online services (mobiles, PDAs, laptops, 3G etc.). We will see more attacks targeting these technologies.
  It’s a very profitable business; returns exceed stock markets (3-digit growth)…
  Security will be in business!

Q&A
rout.deepak@gmail.com
0-95821-58042