DLP: Concepts and Solutions
                                                                   Ramsés Gallego
            ...
Agenda

                    • The problem: Data is lost or stolen everyday!
                    • Securing Data requires d...
The problem
                              Explosive Growth                                           Public Embarrassment
...
Increasing Risk of Information Theft

      • 19 people a minute become new victims of identity theft
        due to data ...
And it does happen…



                                                                       BREAKING NEWS!
             ...
Understanding the Risk
                                                                         The Market Value of Sensit...
Increasing Need for Mobile Access to Data
               Explosive Growth in Mobile Devices

                             ...
Increasing Regulatory Pressure

                                                                                 2008

   ...
The Major Endpoint Threats
                                                               1
                              ...
                © 2008 ISACA. All rights reserved

Wednesday, March 25, 2009
The Major Endpoint Threats


                                            “I’ve seen organizations spend hundreds
         ...
Today’s Security Solution Gap

                                                                                           ...
Current Approaches to Security Do Not Protect the Most
                                                                   ...
Data Protection Requires Different Thinking

               Data is not static, so security cannot be static – it must per...
Throwing Point Tools at the Problem Doesn’t Work!

                                                                       ...
Data Protection Requires Different Thinking
                            Easy to Lose                    Easy to Transfer  ...
The Solution: Holistic Data Protection

                                                                                  ...
Methodology for DLP
                                                      Too many vendors, too many use cases, too overwh...
Endpoint Encryption
                                                    What is needed
                                   ...
Endpoint Encryption
                                                                                                      ...
Endpoint Encryption
                                                                      File and Folder Encryption



  ...
Endpoint Encryption
                                                                     Mobile Device Encryption


      ...
DLP
                                                                                       What is needed
                ...
Data Loss Prevention

                     Classify confidential data                      Build content-based, reaction
 ...
Device Control
                                                           What is needed
                                 ...
Device Control

                                                                                                  Centrali...
Encrypted USB
                                                    What is needed
                                         ...
Encrypted USB


                  • Deploy easily on an enterprise-wide
                   scale
                  • Easil...
The educational dimension



                                                    The legitimate access to information
    ...
Format handling

                                                                      Structure handling
                ...
Endpoint protection architecture overview
Now we can know


                                                    Who               What                 Where        ...
Summary

               1. There is increasing regulatory pressure to protect data

               2. Insiders are the big...
THANK YOU
                                                    DLP: Concepts and Solutions
                                ...
DLP - Network Security Conference_ Ramsés Gallego

Notes
  • There are hundreds of high profile cases of mobile device theft and loss reported every day. Confidential data, such as customers’ social security numbers and credit card information, was lost, intensifying the impact of this customer problem.
    The Identity Theft Resource Center reported in 2007 that 19 people a minute become new victims of identity theft due to data breaches affecting all types of organizations.
    Over 217 million Americans were victims of identity theft or exposure in a 3-year period ending January 2008.
    According to the 2007 Ponemon Institute Cost of Data Breach study, each data breach costs an average of $6.3 million. A typical Fortune 1000 company can’t locate 2% of its PCs.
    A typical Fortune 1000 financial institution loses 1 laptop a day. Can you imagine how confidential information on that laptop, such as personal customer records, strategic information, financial data, or personnel files, could damage shareholder value?







  • Some highlights from the press
  • For another way to look at the growing problem of data loss, consider the black market value for various forms of stolen identities…
    $980-$4,900 Trojan program to steal online account information
    $490 Credit Card Number with PIN
    $78-$294 Billing data, including account number, address, Social Security number, home address, and birthdate
    $147 Driver's license
    $147 Birth certificate
    $98 Social Security card
    $6-$24 Credit card number with security code and expiration date
    $6 PayPal account logon and password
    Source: www.informationweek.com

    Extra data points
    $40 standard credit card number
    $120 signature card (one step beyond platinum and corporate)
    Or 100 in mixed batch for $30 each
  • The business environment has spread beyond the ‘traditional’ workplace as more employees are traveling and working offsite. The result has been an explosive growth of mobile devices including laptops, PDAs, smart phones and USB storage devices. Users and the information they carry are more portable, pushing data beyond the network perimeter.
  • There are a growing number of privacy regulations and laws driving organizations to employ a more stringent approach to data loss prevention. Organizations must deal with the many aspects of exposed and lost data. Yet they lack the visibility and control to prove compliance and avoid public disclosure. Disclosure of lost, unencrypted data is required even if there is no evidence that sensitive data has been accessed by unauthorized users or used in a malicious way. Publicity resulting from security breaches has led to public disclosure, financial loss, brand damage, competitive disadvantage and lost customers.
    However, when the data is encrypted, its loss is not considered an exposure. It doesn’t present a security or reputation risk requiring public disclosure, or result in costs associated with the loss of confidential data. It doesn’t matter how big or how small the breach – the effects on your reputation and the recovery from disclosure remain the same. The laws do not differentiate based on the scope of a breach.
  • So what exactly are the major threats to your data, especially at the endpoint with the explosive growth of laptop use and mobile devices? I call the threats companies face the “unlucky 7:”
    1. Laptops or mobile devices are lost or stolen – exposing the data on them
    2. Users (intentionally or unintentionally) transfer sensitive data to external media devices such as iPods, smartphones, USB thumb drives
    3. Users post sensitive information to websites, send it via public e-mail accounts, etc.
    4. Users with “super-user” or “privileged” access are able to breach large amounts of data.
    5. Users print, burn to CD, etc. sensitive information.
    6. Users’ applications are hacked.
    7. Trojans/key loggers/malware breach sensitive information.

    All of these threats put your data at risk.
    Which one of these threats most keeps you up at night?
    What risk level would you assign to each one of these threats?
    Do you have a solution in place today to address these threats?
  • (quote courtesy of “Boss, I Think Someone Stole Our Data,” Harvard Business Review, September 2007).
  • So why is all of this happening? Why, given all the money spent on security, do these problems continue?
    The answer is surprisingly simple. They exist due to “perimeter-centric” approaches to information security.
    The majority of today’s security solutions are perimeter-centric in the sense that they secure
    perimeters (firewalls, VPNs, etc.)
    and resources (laptops, servers).
    While these solutions are necessary components of a comprehensive security strategy, they protect proxies to information, rather than the information itself.
    Perimeter-centric approaches ignore the fact that information lives and moves throughout its lifecycle.
    When data leaves the protected assets, or perimeters, it is no longer secured.
    What has been done to date is necessary, but insufficient.
    What we need is a new approach that also secures the information itself, complementing the perimeter-centric approach, one that:
    Provides layered protection that defends in depth
    Keeps security decisions in the hands of security experts
    Enables your data and infrastructure to protect itself against security threats
  • Most companies do a very good job at authentication and access control – and this has been their security solution to solving data protection issues. However, the breaches keep mounting and it’s obvious this approach is not working. Your data and infrastructure need to be able to protect themselves – you cannot depend on your users to become security experts!
  • Forrester states that security priorities are shifting to focus on locking down vulnerable data elements wherever they are and less about security of a particular application or system
    This is an inversion of traditional security philosophy – and it puts encryption, data loss prevention, and device control front-and-center in security strategy. Such a strategy is what is necessary to enable your data and infrastructure to protect itself.
  • In the absence of a comprehensive, centrally-managed solution, you end up with 5 major issues:
    High management cost – you end up having a lot of non-security staff managing a myriad of point security systems. And think about how that problem is compounded as systems change, as personnel changes.
    No alignment to policy – think back to that policy that we defined earlier in this discussion. How on earth do we correlate the configuration and settings of all these point tools back to that policy?
    Life cycle vulnerabilities – you end up not properly implementing life cycling of your security rules and policies
    Broken business processes – Data is often shared across the infrastructure. Applications share data. We often share data with 3rd parties and partners. We replicate data. Point tools can further complicate and eventually break your business processes.
    Data loss risk – this is top of mind. I don’t encrypt my least valuable data – I encrypt my most valuable data. I don’t prevent behavior that enables my business – I prevent behavior that damages my business.

    Today, over 30% of organizations are recording keys manually in Excel spreadsheets or in various isolated systems all around the enterprise. This is a big risk.
  • Protecting your data effectively requires different thinking. Data is easy to lose, easy to transfer, and very enticing to steal. Your security infrastructure must enable your data to protect itself regardless of how it is used, where it is located, what devices access it, and how users access it.
  • The McAfee Data Protection Solution includes four major components:
    McAfee Endpoint Encryption: the flexibility of full-disk, mobile, and file/folder encryption to meet your specific needs.
    McAfee Data Loss Prevention: visibility and control over user behavior.
    McAfee Device Control: prevent unauthorized usage and transfer of data to external media devices such as iPods, USB sticks, etc.
    McAfee Encrypted USB: secure, encrypted removable storage devices that support multiple strong authentication methods.

    McAfee Endpoint Encryption, McAfee Data Loss Prevention, and McAfee Device Control are combined into one integrated endpoint data protection suite: McAfee Total Protection for Data (ToPS Data).

    NOTE: McAfee Encrypted USB is not part of the ToPS Data Suite license – it is only licensed separately from the suite.
  • McAfee’s data protection offerings enable you to phase your implementation of data protection over time to meet the specific needs of your business. McAfee is your trusted advisor to help you define your risk and implement the data protection solution that is going to be most appropriate to your needs.

  • Encryption of the full-disk happens transparently to users in the background. Performance impact is minimal and all data on disk is rendered useless in the event of loss or theft.

  • More granular encryption of individual files and folders to provide flexibility to encrypt only the most critical information versus entire disks. Most useful in workgroup environments.
  • Creates encrypted space on both internal and removable storage on mobile devices, protected by strong authentication. Managed centrally and renders sensitive data on the device useless in the event of device loss or theft.

  • Confidential data classification
    By location (file server, shared drives, etc.)
    By content characteristics (keywords, regular expressions, even setting of thresholds—i.e. if more than 5 credit card numbers in an email)
    By file-type (specifically if a specific application generated data—i.e. SAP, BusinessObjects, etc.)
    By fingerprint (unique digital signature, hash)

    Content-based, reaction rules
    Monitor sensitive data transfer
    Prevent confidential data from leaving the enterprise
    Notify administrator and end users
    Quarantine confidential data
    Enforce encryption (send to encryption service)

    Data loss prevention visibility
    Forensic logs, analysis, and event monitoring
    Real time end user alerts (education and training)
    “Bypass” option and policy exceptions
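The classification and reaction rules listed above, modelled as an added example (not code from the deck or from any McAfee product): keyword and Luhn-validated card-number rules with the “more than 5 credit card numbers” threshold, a SHA-256 fingerprint rule for registered documents, and a reaction function that allows, notifies, encrypts or quarantines. The policy values, channel names, sample documents and function names are constructed for illustration.

```python
"""Content-based DLP classification with threshold and fingerprint rules.

Added example, not from the original deck: a minimal model of the
classification and reaction rules it describes. Names, sample data and
the policy are constructed for illustration.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def count_card_numbers(text: str) -> int:
    """Count distinct Luhn-valid card numbers (separators normalised away)."""
    found = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.add(digits)
    return len(found)


def fingerprint(data: bytes) -> str:
    """'By fingerprint' classification: SHA-256 digest of a registered document."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class Policy:
    card_threshold: int = 5                       # "more than 5 credit card numbers in an email"
    keywords: tuple = ("CONFIDENTIAL", "INTERNAL ONLY")
    registered_fingerprints: set = field(default_factory=set)


@dataclass
class Verdict:
    tags: list
    action: str  # one of: allow, notify, encrypt, quarantine


def classify(content: bytes, policy: Policy) -> list:
    """Tag content by fingerprint, keyword and card-number density."""
    text = content.decode("utf-8", errors="replace")
    tags = []
    if fingerprint(content) in policy.registered_fingerprints:
        tags.append("fingerprint-match")
    if any(k.lower() in text.lower() for k in policy.keywords):
        tags.append("keyword")
    n = count_card_numbers(text)
    if n > policy.card_threshold:
        tags.append("pan-bulk")
    elif n > 0:
        tags.append("pan")
    return tags


def react(tags: list, channel: str) -> str:
    """Reaction rules, most severe first: exact copies of registered documents and
    bulk card data never leave; a single card number is sent to encryption when
    e-mailed and blocked on other channels; keywords trigger a real-time user
    notification (the 'education' case) while the transfer is monitored."""
    if "fingerprint-match" in tags or "pan-bulk" in tags:
        return "quarantine"
    if "pan" in tags:
        return "encrypt" if channel == "email" else "quarantine"
    if "keyword" in tags:
        return "notify"
    return "allow"


def evaluate(content: bytes, channel: str, policy: Policy) -> Verdict:
    """Classify one outbound item (constructed channel names: email, web, usb)."""
    tags = classify(content, policy)
    return Verdict(tags=tags, action=react(tags, channel))
```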
  • Network Associate, 10/7/2007
    There is more to the story than just enabling the use of authorized devices. While that is important, organizations need to still enforce control over what data actually gets onto these authorized devices. Our combined solution of SafeBoot and DLP makes us unique in enabling this to happen. Caveat, we need DLP and SafeBoot integration to have this work so it is "futures" in terms of capabilities. I have included my positioning on this: MFE is the first to safely enable (or unlock) the use of valuable employee productivity tools such as USB drives by offering granular control over which devices are allowed to connect while at the same time enforcing control over what data can be copied onto them.
  • Prevents sensitive information from being transferred or copied to external devices such as iPods, smartphones, USB sticks, etc. Controls user behavior with these devices and prevents unauthorized devices from connecting to user systems. Makes use of DLP’s content tagging technology to provide more granular policy control.

  • McAfee Encrypted USB devices are centrally managed and deployed easily on an enterprise-wide scale. Administrators can easily track devices through one back-end database. This helps to streamline the workflow to save customers time and money. Encrypted USB can leverage Active Directory to match users and devices and will support any organization from 10 to an unlimited number of users.











DLP - Network Security Conference_ Ramsés Gallego

    1. DLP: Concepts and Solutions
        Ramsés Gallego, CISM, CGEIT, CISSP, SCPM, ITIL, Six Sigma Black Belt Certified
        General Manager, Entel Security & Risk Management
        rgallego@entel.es
        © 2008 ISACA. All rights reserved
        Wednesday, March 25, 2009
    2. Agenda
        • The problem: Data is lost or stolen everyday!
        • Securing Data requires different thinking: new challenges
        • The DLP ‘ecosystem’
        • Steps for implementing a DLP solution
        • Summary
    3. The problem
        Explosive Growth of Mobile Devices | Public Embarrassment and Disclosure Cost | Escalating Privacy Regulations
        [Chart: units sold, 1995–2010: Desktops, Laptops, PocketPC, Palm/Treo, SmartPhone, BlackBerry, USB Memory Sticks]
        Data Protection: #1 CISO Priority Today (2007 CISO Survey)
    4. Increasing Risk of Information Theft
        • 19 people a minute become new victims of identity theft due to data breaches [1]
        • During a 3-year period, over 217 million Americans were victims of identity theft or exposure [2]
        • Each data breach costs an average of 4,3 million Euros [3]
        • A typical Fortune 1000 company can’t locate 2% of their PCs [4]
        • A typical Fortune 1000 financial institution loses 1 laptop a day [5]
        1. Identity Theft Resource Center, 2007
        2. 2007 Ponemon Institute Cost of Data Breach study
        3., 4., 5. www.privacyrights.org
    5. And it does happen…
        BREAKING NEWS!
        Boeing Breach: “Police reported finding a thumb drive that was connected to his computer terminal via a USB cord that ran along the back of the terminal to the storage device that was ‘hidden in a drawer’ in his desk.” 7/11/07
        Fidelity NIS Theft: “To avoid detection, the administrator appears to have downloaded the data to a storage device rather than transmit it electronically.” 7/03/07
    6. Understanding the Risk: The Market Value of Sensitive Data
        Trojan to steal account information: 980€-4.900€
        Credit Card Number with PIN: 490€
        Billing data: 78-294€
        Driver's license: 147€
        Birth certificate: 147€
        Social Security card: 98€
        Credit card number: 6€-24€
        PayPal account logon and password: 6€
    7. Increasing Need for Mobile Access to Data
        Explosive Growth in Mobile Devices
        [Chart: units sold, 1995–2010: Desktops, Laptops, PocketPC, Palm/Treo, SmartPhone, BlackBerry, USB Memory Sticks]
        • Information and data moving out of corporate ‘perimeter’
        • Storage capacity grows as devices become smaller
        • Advances in mobile device technology will continue to produce new and more powerful devices
    8. Increasing Regulatory Pressure
        • Growing in number and complexity
        • Public disclosure is required in the event of data loss
        • Intellectual property loss and theft is also a concern
        [Timeline, 1996–2008: US Government OMG Initiative (USA), US Senate Bill 1350 (USA, Proposed), Data Protection Act (Japan), California SB 1386 (USA), Sarbanes-Oxley (USA), Government Network Security Act (USA), Gramm-Leach-Bliley (USA), Data Protection Act (UK), HIPAA (USA), GISRA (USA), Directive on Protection of Personal Data (EU), Datenschutz (Germany)]
    9. The Major Endpoint Threats
        1. Physical loss or theft of laptops and mobile devices
        2. Unauthorized transfer of data to external devices
        3. Unintentional distribution via e-mail, web, etc.
        4. Privileged users breach the data
        5. Information escapes via print, CD-ROM, DVD, etc.
        6. User applications hacked
        7. Trojans/key loggers/malware
    10. The Major Endpoint Threats
    11. The Major Endpoint Threats
        “I’ve seen organizations spend hundreds of millions of dollars on security safeguards that were penetrated by a knowledgeable person with a handheld device.”
        Bill Boni, CSO, Motorola
    12. Today’s Security Solution Gap
        • Most “information security” products don’t actually “secure information”
          – They are designed to protect networks and servers
          – They do little to protect the confidentiality and integrity of information
        • Information is in constant motion — making it difficult to be locked down
        [Diagram: Anti-virus, Change/Patch Management, Authentication, Threat Detection, VPN, LAN Clients, Web Filtering, Anti-spyware, Servers, Firewall]
    13. Current Approaches to Security Do Not Protect the Most Valuable Asset: Data
        System-centric view of data protection: Protect the perimeter, one system at a time
        [Diagram: User, Authentication, Access Control, Sensitive Data]
    14. 14. Data Protection Requires Different Thinking Data is not static, so security cannot be static – it must persist with the data itself. This is Data-Centric Protection. © 2008 ISACA. All rights reserved Wednesday, March 25, 2009
    15. 15. Data Protection Requires Different Thinking Data is not static, so security cannot be static – it must persist with the data itself. This is Data-Centric Protection. Encryption Strong Authentication Data Loss Prevention Device Control © 2008 ISACA. All rights reserved Wednesday, March 25, 2009
16. Throwing Point Tools at the Problem Doesn’t Work!
• High Management Cost – Non-security staff must manage a myriad of point security systems. This compounds with changes in personnel and systems
• No Alignment to Policy – You are unable to align needs with security policy requirements
• Life Cycle Vulnerabilities – Managing the lifecycle of security rules becomes overly complex, increasing infrastructure vulnerability
• Broken Business Processes – Business processes break as systems go their own way on security
• Data Loss Risk – Lack of centralized monitoring and auditing opens vulnerabilities that could lead to data loss
17. Data Protection Requires Different Thinking
(Diagram: data on endpoints is Easy to Lose, Easy to Transfer (Bluetooth®) and Enticing to Steal; cybercrime “black market” values shown: $147, $490, $98, $147)
Data must be protected regardless of:
• Location
• Access
• Usage
• Device
19. The Solution: Holistic Data Protection
Integrated technologies for a total data protection solution:
• Device Control – Prevent unauthorized use of removable media devices
• Data Loss Protection / Data Leak Prevention – Full control and absolute visibility over user behavior
• Encrypted USB – Secure, portable external storage devices
• Endpoint Encryption – Full-disk, mobile device, and file and folder encryption coupled with strong authentication
20. Methodology for DLP
Too many vendors, too many use cases, too overwhelming. There has to be a guided, phased deployment path to complete data protection:
Encrypt All Laptops → Encrypt mobile devices → Block unauthorized devices → Monitor & Secure Channels → Multilayer Data Protection (increasing protection and compliance)
21. Endpoint Encryption
What is needed
• Encryption for laptops, desktops, and mobile devices with the flexibility to choose full-disk or file/folder encryption
• Confidence in the integrity of sensitive data when a device is lost or stolen
• Safe Harbor protection (i.e. loss of encrypted data = non-event and does not require public disclosure)
What technology offers
• Broad support for laptops, desktops, and mobile devices
• Full audit trails for compliance & auditing needs
• Support for multiple strong authentication methods
• Certifications: FIPS 140-2, Common Criteria Level 4 (highest level for software products), BITS, CSIA, etc.
22. Endpoint Encryption – Full-Disk Encryption
Write path (Files/Apps → Operating System → Encryption Driver → Hard Disk):
1. Files/Apps (.DOC, .XLS, applications): files are in full text and fully viewable by the authorized user(s) and application(s)
2. Operating System: files are translated into sectors
3. Encryption Driver: sectors are encrypted in memory (#$$%%#%%&&)
4. Hard Disk: encrypted sectors are stored on the hard disk
Read path (Hard Disk → Encryption Driver → Operating System → Files/Apps):
4. Hard Disk: encrypted sectors are read from the hard disk
3. Encryption Driver: encrypted sectors are decrypted in memory
2. Operating System: sectors are assembled into files
1. Files/Apps: files are again in full text for the authorized user(s) and application(s)
24. Endpoint Encryption – Full-Disk Encryption
(Diagram of disk layouts; legend: Boot Records, Operating System Files, System Files (PW, swap, etc.), Highly Sensitive Files, User Data; Open Information vs. Secured Information)
• No encryption: MBR, PBR, Operating System, System Files (PW, swap, etc.), Data
• Files Encryption: MBR, PBR, Operating System, System Files (PW, swap, etc.), Data
• Whole Disk Encryption (Full Encryption): Modified Master Boot Record, Mandatory Access Control, Partition Boot Record, Operating System, System Files (PW, swap, etc.), Data
25. Endpoint Encryption – File and Folder Encryption
• Define policies more granularly than with full-disk encryption
• Full Windows Explorer integration
• Automatic encryption and decryption with no performance loss, transparent to users
• Protect files and folders on desktops, laptops and servers
(Diagram: Corporate Directory, Administrator, Client Computers, Terminal Server, File Server)
26. Endpoint Encryption – Mobile Device Encryption
• Protect corporate data assets as users go mobile
• Creates encrypted, protected space on mobile devices to protect sensitive data
• Supports multiple strong authentication methods
• Renders data on mobile devices in the event of data loss or theft
• Encryption policies on mobile devices all centrally managed
27. DLP
What is needed
• To prevent users from accidentally or maliciously leaking sensitive data
• Full visibility and control over usage & movement of confidential data
• To enable the infrastructure and data to protect itself
What technology offers
• Protection against accidental leakage via everyday user tasks
• Complete spectrum of actionable responses upon detecting loss of confidential data, such as
  – Detailed logging & forensic evidence gathering
  – Real-time prevention & blocking
  – User and administrator notification
  – Quarantine of confidential data
(Diagram: CONFIDENTIAL DATA leaving through everyday channels – Printer, Peer-to-Peer, USB, email, Copy-and-paste, IM, https, ftp, Wi-Fi)
28. Data Loss Prevention
• Classify confidential data
  – By location
  – By content
  – By file type
  – By fingerprint
• Build content-based reaction rules
• Monitor sensitive data transfer
• Prevent confidential data from leaving the enterprise
• Notify administrator and end users
• Quarantine confidential data
• Enforce encryption
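The classify → reaction rules → monitor → react sequence on this slide, as an added Python example that is not part of the original presentation; the fingerprint, the confidential locations and file types, and the Luhn-checked card-number pattern are constructed assumptions.

```python
"""Added example, not from the ISACA deck: a minimal content-aware DLP pipeline following
the slide's steps: classify, build reaction rules, monitor a transfer, react. Sample values are constructed."""
import hashlib
import re
from dataclasses import dataclass
# SHA-256 fingerprints of known confidential documents (constructed sample).
FINGERPRINTS = {hashlib.sha256(b"Q3 merger plan - DO NOT DISTRIBUTE").hexdigest(): "m&a_plan"}
CONFIDENTIAL_LOCATIONS = ("/finance/", "/hr/")  # classification by location
CONFIDENTIAL_TYPES = (".xls", ".xlsx")           # classification by file type
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")    # classification by content

def luhn_ok(digits: str) -> bool:
    # Luhn check, so a random 16-digit string does not trigger the content rule.
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

@dataclass
class Transfer:
    path: str     # source location of the data
    channel: str  # email, usb, https, print, ...
    content: str

def classify(t: Transfer) -> set:
    """Step 1: tag the data by fingerprint, location, file type and content."""
    tags = set()
    tag = FINGERPRINTS.get(hashlib.sha256(t.content.encode()).hexdigest())
    if tag:
        tags.add("fingerprint:" + tag)
    if t.path.startswith(CONFIDENTIAL_LOCATIONS):
        tags.add("location")
    if t.path.lower().endswith(CONFIDENTIAL_TYPES):
        tags.add("file_type")
    if any(luhn_ok(re.sub(r"[ -]", "", m)) for m in CARD_RE.findall(t.content)):
        tags.add("content:card_number")
    return tags

def react(t: Transfer) -> list:
    """Steps 2-3: content-based reaction rules applied to a monitored transfer."""
    tags = classify(t)
    actions = ["log"]  # every monitored transfer is logged as forensic evidence
    if any(x.startswith(("fingerprint", "content")) for x in tags):
        actions += ["block", "notify_admin", "notify_user", "quarantine"]
    elif tags and t.channel in ("usb", "email"):
        actions += ["enforce_encryption", "notify_user"]
    return actions
```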
29. Device Control
What is needed
• To monitor and allow only authorized devices to connect to the endpoint
• Restriction and blocking capabilities for the use of unauthorized devices such as iPods
• Enforcement control over what data can be copied onto authorized devices
What technology offers
• Fine-grained control of data and devices
  – Only allow company-authorized devices
  – Enforce control over what data can be copied to devices
• Policies per user, group or department, i.e. allow the CEO to connect any device while other employees can only connect a sub-set of devices
• Detailed user- and device-level logging for auditing and compliance needs
30. Device Control – Centralised Management
• Part of DLP technology
• Complete content-aware and context-aware device-blocking capability
• Regulate how users copy data to external devices
• Increase productivity and the ability to safely use any USB devices as part of daily work activities
• Ensure control of all external devices
(Diagram: management console holding device and data policies and events, covering USB, FireWire, Bluetooth, CD/DVD, WI/IRDA, Serial/Parallel and other ports)
31. Encrypted USB
What is needed
• Secure external storage media for your power users
• Ability to ensure sensitive data transported via external media is continuously protected
What technology offers
• A range of secure portable storage devices
• Strong Access Control and Encryption
• Centralized Management
• Internal and External Compliance Support
32. Encrypted USB
• Deploy easily on an enterprise-wide scale
• Easily deploy and track devices through a single console
• Streamline workflow to save time and money
• Leverage Active Directory to match users and devices
• Encrypt data ‘on-the-fly’
• Enable secure data portability
34. The educational dimension
The legitimate access to information DOES NOT GRANT the right to take it out of the company
• Classical approach to security: Access Control (Pre-Admission)
• Non-authorized data transmission: Data Loss Prevention (Pre- and Post-Admission)
35.
• Format handling
• Structure handling
• Data handling
• Hidden data
• Dataflow
• Copy-and-paste
• Hidden files
38. Endpoint protection architecture overview (diagram)
39. Now we can know
Who: Human Resources, Customer Service, Marketing, Finance, Accounting, Sales, Legal, Technical Support, Engineering
What: Source Code, Business Plans, Customer Records, M&A Plans, Patient Information, Financial Statements, Employee Information, Technical Documentation, Competitive Information
Where: Benefits Provider, Spyware Site, Business Partner, Blog, Customer, Financial Board, North Korea, Competitor, Analyst
How: FTP, HTTP, IM, P2P, SMTP, Network Printing, Chat
49. Summary
1. There is increasing regulatory pressure to protect data
2. Insiders are the biggest threat to your data – and they are increasingly more mobile
3. A breach, no matter how big or how small, puts businesses at risk
4. How many communication vectors is the company protecting?
5. Traditional approaches to data security won’t work – data-centric security that enables your data and infrastructure to protect itself is needed
6. Continuing to use point tools to solve the problem creates inconsistencies in enforcement, can break business processes and increase operational costs
7. First, processes, then, tools. There is technology around which provides the comprehensive solution needed to address the risks to corporate data
50. THANK YOU
DLP: Concepts and Solutions
Ramsés Gallego, CISM, CGEIT, CISSP, SCPM, ITIL, Six Sigma Black Belt Certified
General Manager, Entel Security & Risk Management
rgallego@entel.es