機密圖檔與敏感資料庫資料防洩漏方案
Does not change file contents; non-intrusive
Does not change user behaviour
Confidential material that has been altered can still be identified
Not keyword-based: a patented technology extracts features from the content itself, giving a very high recognition rate.
道成資訊 (Docutek Solutions)
張賜賢

  • I’d like to say a few words about Websense in case you are not familiar with our company. Over the last year, Websense has achieved a number of milestones. Websense is the global market share leader in Web Filtering according to leading IT market research firms such as IDC. Today, more than 24 thousand customers, representing over 19 million protected users, have come to rely on Websense technology for managing their employee computing resources. Websense also had its best year financially in 2004. In fact, our annual billings have grown by 35% year over year for the last 2 years. Forbes recently recognized Websense as one of the fastest growing technology companies for 2005. And most importantly, Websense remains committed to product research and development. This focus on R&D enables our products to win awards like the 2004 PC Magazine Editor’s Choice.
  • Websense provides fundamentally solid CMF/DLP functions for data in motion (network) and at rest (discovery) in the same appliance. The company uses advanced detection techniques, including partial document match, data fingerprinting and statistical analysis to detect character replacements. Competitive differentiators include network printing analysis and watermarking as a response, offered through a partnership with SourceMedia (formerly Thomson Media). The ability to offer end users self-remediation for quarantined e-mails, such as encrypt and forward, can reduce operation costs. The product is internationalized to be able to detect content in double-byte character sets — a capability that is already in use in Japan — but the user interface is not localized. Websense acquired PortAuthority in January 2007 after a strategic partnership in 2006 and has announced that it intends to integrate the two companies' technologies in 2007. Before the acquisition, PortAuthority provided host functions through a partnership with Safend. The integration with Websense technology will likely involve integrating content awareness capabilities into the Websense Client Policy Manager host agent. Given the stability of its host based technology, Websense should be well-positioned to provide a comprehensive solution for data in motion, at rest and endpoint.
  • To ensure uninterrupted business operations, more and more customers must overcome the challenges of data security. There are several distinct areas of focus:
    • Managing compliance and risk: many businesses are now required to meet specific compliance requirements. Data loss (accidental or targeted) can often result in non-compliance, fines and lawsuits. Of course, non-compliance can disrupt business operations, with a negative impact on the bottom line.
    • Visibility: the first thing a business must understand is the type of data stored on the network and endpoints, along with which communication methods are considered valid. The fact that data is stored in and accessed from databases, document repositories, file shares, end-user file systems, portable storage devices, etc. makes visibility into such information very complex.
    • Securing business processes: the inability to implement controls against accidental data loss and targeted attacks aimed at stealing sensitive data challenges businesses to establish and meet their business processes. Aside from the business impact, loss of sensitive data can also adversely affect the company's brand and reputation.
  • Key points: whenever the PortAuthority Server receives a message from a messaging server or application, the PortAuthority Server (via its fingerprint engine) creates a real-time fingerprint of that message and its associated attachments in memory. That real-time fingerprint is compared against the existing database of known fingerprints, looking for any full or partial matches. This fingerprint library can be created through an automatic fingerprinting process that updates on a regular basis or when records are added, modified or deleted.
  • Here's a great example of why locking down the infrastructure is not a great idea. When you first put in data loss prevention solutions you find interesting things like this. Now this is a real-life incident that triggered one of the 800 or so built-in policies that come ready-made, if you like, in our data loss prevention module. What we see here is a file of passwords for a good many systems which was zipped and encrypted by a user who then went on to send the zipped file to Yahoo mail. Now that incident, quite frankly, at first blush looks quite malicious. Somebody is sending the passwords to your systems to a Yahoo mail account and they are obscuring it by zipping the file, so maybe they don't want anybody to see what they are doing. The reason why we like this example is that it is very illustrative of a few concepts. The most important concept is: do you know who caused this problem? Not, as you might think, the person who actually sent the email; this was inadvertently caused by the IT organization and the policies that created it. The company in question had a policy that you couldn't have distribution lists in the email system with external people on them, since that might allow data to leak. They also had another policy to rotate the passwords every 30 days, which is a great way to encourage sticky notes and password leakage, but that was the policy. However, this person had to get the passwords to all the business partners who needed these passwords to gain access to all the back-end systems so they could conduct business with them. They couldn't use their own email system because the IT policy forbade external email addresses, so, to prove the point that business will find a way, the enterprising employee was using Yahoo mail, created a distribution list to circumvent this restriction and sent the passwords to all his business partners.
    They were doing this for a couple of years before we put our system in and found this going on. So it's very illustrative and shows how IT security policies that say lock things down can create opportunities for people to work around these restrictions to get their jobs done and, in doing so, create some pretty significant risks for their organizations. It also shows that once you transact in this open manner, the IT department could lock down web mail and the employee would find another way, maybe as Facebook or LinkedIn friends or similar, and use that as a distribution mechanism. So the moral is we really need to be able to get a hold of the CONTENT that is transiting our networks.
  • DLP methodology and available solutions have implemented some or all features of this process. This process is normally discussed in the context of network scanning for confidential data, but as highlighted previously, user mobility and privileged access to confidential data, combined with the need for timely and accurate scanning for this data, make a strong case for executing the discovery process with a local software agent where possible:
    • Identify: a sound DLP discovery project requires prior knowledge of the data important to your organization, whether it is source code, formulas, CAD drawings or customer data. This type of data is usually created and stored in known locations. Other types of data, like healthcare or credit card data, may be stored within these known locations or in bits and pieces, in the form of files or e-mails, throughout the enterprise. Regardless, if any of these data types are unsecured, a breach could be devastating without proper controls.
    • Fingerprint: take a snapshot of the business confidential data; at minimum this is a hash of the bits, but more sophisticated technology is needed for accurate detection of files.
    • Discover: run a network scan and, if needed, use endpoint software agents to run local scans of all confidential data.
      • Network-based: widest coverage, providing the best overall visibility into multiple data stores and finding confidential data in often unexpected places.
      • Agent-based: scalable, since individual discovery jobs on endpoints run independently of each other and report results back to a centralized server once completed.
    • Report: business policies for data protection as well as industry regulations mandate a current inventory and knowledge of where sensitive data resides. This requires compliance reporting. Even without specific regulations or policies, risk management of business data is needed. Trending across top violators and most frequent violations is important to help prioritize remediation tasks.
    • Remediate: ultimately it is the responsibility of the data owner to set the policies and controls for how data is created, stored, used and secured. In many cases a compliance report concludes the automated discovery process and requires handoff to data owners, who then use their own tools or techniques to further secure the data. This can be complicated across numerous instances of confidential data storage.
    Speaker outline: need, benefits, our features/functions, differentiation, etc. of our discovery product. Built a methodology for discovery, data identification, data scanning, data remediation planning and data enforcement. Call out the steps along the way, like fingerprinting via ODBC, automated scanning, distributed deployment and endpoints for parallel scanning, the need for recurring scans, flexibility of enforcement with tombstoning and ransom notes, etc.

Presentation Transcript

  • How to respond to the new Personal Data Protection Act and protect data security. 林秉忠, Technical Manager, Websense
  • Websense company overview
  • Market leader: introduction to Websense®
    • Leading Provider of Web, Messaging and Data Security Solutions
      • Named by IDC, Gartner, and Frost and Sullivan as the global market leader in web filtering
        • According to Gartner, over 70% global market share in web filtering
      • Named by IDC and Gartner a market leader in web security and secure web gateways
      • Named by Gartner and Forrester a leader in Data Loss Prevention
    • Over 50,000 customers and more than 42 million users worldwide
    • Founded in 1994 (Nasdaq: WBSN)
    • Headquartered in San Diego, California
      • Approximately 1,250 employees
      • Five R&D centres, threat research centres and technical support centres worldwide
      • More than 100 dedicated content security researchers worldwide
    • Major acquisitions
      • Port Authority (Jan 2007)
      • SurfControl (Oct 2007)
  • Gartner/Forrester Magic Quadrant for Content Monitoring and Filtering and Data Loss Prevention
    • Gartner Magic Quadrant for Content Monitoring and Filtering and DLP, 2008, 2009 and 2010
    Websense Is The DLP Market Leader
  • The need for DLP: Taiwan's Personal Data Protection Act
  • What does the Personal Data Protection Act amendment regulate?
  • The need for DLP: personal data leaks keep happening
  • Personal data leakage: the challenges we face
    • Managing risk and ensuring regulatory compliance
      • Delays in generating audit reports and meeting compliance requirements
      • Difficulty uncovering broken or bad business processes
    • Ensuring visibility of data, whether in motion or at rest on storage media
      • Unknown types of data
      • Uncertain risks for each communication channel
    • Ensuring correct business processes
      • Cannot enforce who can send what
      • Possible damage to company brand and reputation
    While managing risk, ensuring compliance, preventing data leakage and validating business processes, business operations must not be interrupted. © 2010 Websense, Inc. All rights reserved.
  • How should I choose? Question: should I first secure the inside (manage users) or the outside (stop hacker attacks)? Question: should I block channels (USB/Web?) or monitor content?
  • Products on the market that claim to help with Personal Data Protection Act compliance
    [Matrix: internal users vs. external users, content vs. channel. Products placed on it: Web FW, IPS, Anti-Malware, Firewall, DB encryption, DB auditing, traffic capture, NAC, peripheral control, DRM, document management system, anti-spam, e-mail archiving, file encryption, Data Loss Prevention, web filtering]
  • Measures we can take when facing an information security problem
    • Deny risk
    • Reduce/mitigate risk
    • Accept risk
  • How to plan a DLP project?
  • Websense Data Security Solutions deployment practice: how to plan a DLP project?
    • Start from the network?
      • Advantages
        • Simpler deployment
        • Covers a large number of computers on the network and analyses their behaviour
      • Disadvantages
        • Behaviour cannot be audited once the computer leaves the corporate network
        • Peripheral device control
    • Start from the endpoint?
      • Advantages
        • Control continues after the computer leaves the company
        • Can control data handling on the endpoint
      • Disadvantages
        • Affects computer performance
        • Compatibility with existing endpoint software?
        • Affects users' daily work
        • Triggers a large number of events
        • Deployment is harder
    © 2009 Websense, Inc. All rights reserved. Best practice: Websense supports both endpoint and network architectures. Recommended: deploy on the network first to analyse user behaviour; in a second phase, deploy agents on the hosts that need to be controlled.
  • Websense Data Security Solutions deployment practice: design considerations
    • Cover the existing communication channels (business channels)
      • The solution should cover the existing business communication channels, at least SMTP, IM and HTTP(S)
      • Other non-business channels (e.g. P2P, backdoors) should be controllable or blockable
    • Consider integration with the existing infrastructure
      • The solution should integrate with existing infrastructure investments (Proxy Server, Mail Server [Linux MTA, Exchange, IIS SMTP, Notes], Web Filtering)
    • Hidden costs behind the solution
      • Beyond the solution itself, is additional equipment or additional management cost required? For example, complex installation procedures, add-on database licences, etc.
      • Does moving to the blocking phase require purchasing expensive additional hardware? Are the investments required at each phase clearly listed?
  • How does DLP work?
  • Confidential content protection strategy
    • "Unstructured Data"
    • Files of all kinds
      • Intellectual property
      • R&D plans
      • M&A cases
      • Licensed IP
    • "Structured Data"
    • Databases
      • CRM (customer data)
      • ERP (cost data, process data)
      • Internal DB (employee data, payroll)
  • Current data flow: customer personal data and internal file sharing (IP, marketing plans) leave via USB, copy & paste and print
    • Websense solution
      • Learns from the data source (database)
      • Newly added systems are protected immediately
      • Does not affect existing processes
      • Provides endpoint and gateway protection
      • Monitors the "data flow" to prevent leaks
    [Diagram: sources are the internal portal (internal data) and the database; PreciseID learns data features by scanning the enterprise's confidential content (Fingerprint Creation, stored as hash values); network events over HTTP/S, SMTP, IM, FTP and CD burning are audited and blocked by Websense DSS; the built-in rule library of 600+ entries holds SOX, PCI, PIPEA and HIPAA regulatory templates, file types, keywords, etc.]
  • How PreciseID learns and compares data similarity
    [Diagram: learning side: Database Record or Document → Extract → Algorithmic Conversion → One-way Mathematical Representation → Fingerprint Storage & Indexing. Detection side: Outbound Content (E-mail, Web, Fax, Print, etc.) → Extract → Algorithmic Conversion → One-way Mathematical Representation → Real-Time Fingerprint Comparison against the stored fingerprints.]
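As an added illustration (not Websense's own PreciseID code, whose algorithm the slides do not disclose), this Python sketch implements the pipeline drawn on the slide above and described in the speaker note on the PortAuthority fingerprint engine: a one-way conversion of a document (hashed word shingles) or a database row (per-cell digests) into fingerprints, an index of those fingerprints, and a comparison of outbound content against the index that reports partial matches. All function names and sample data are constructed.

```python
import hashlib
import re

SHINGLE = 5  # words per shingle; the window size trades precision for recall


def _tokens(text: str) -> list[str]:
    # Lower-case and split on non-word characters, so renaming the file,
    # re-wrapping lines or changing punctuation does not change the tokens.
    return re.findall(r"\w+", text.lower())


def _digest(s: str) -> str:
    # One-way representation: only a truncated SHA-256 digest is kept, so the
    # fingerprint store does not itself reveal the confidential text.
    return hashlib.sha256(s.encode("utf-8")).hexdigest()[:16]


def fingerprint_document(text: str) -> set[str]:
    """Unstructured data: one digest per run of SHINGLE consecutive words."""
    toks = _tokens(text)
    return {_digest(" ".join(toks[i:i + SHINGLE]))
            for i in range(len(toks) - SHINGLE + 1)}


def fingerprint_record(record: dict[str, str]) -> dict[str, str]:
    """Structured data: one digest per cell of a database row."""
    return {col: _digest(val.strip().lower()) for col, val in record.items()}


def document_match(store: set[str], outbound: str) -> float:
    """Share of the outbound message's shingles found in the store. A value
    well above zero means part of a fingerprinted document is leaving, even
    if it was excerpted, retitled or pasted into another file."""
    probe = fingerprint_document(outbound)
    return len(probe & store) / len(probe) if probe else 0.0


def record_match(stored: list[dict[str, str]], outbound: str,
                 min_cells: int = 2) -> list[int]:
    """Indices of rows with at least min_cells values present in the message.
    Requiring several cells of one row avoids alerting on a lone phone
    number that many records may share."""
    seen = {_digest(t.lower()) for t in re.split(r"[\s,;:]+", outbound) if t}
    return [i for i, row in enumerate(stored)
            if sum(d in seen for d in row.values()) >= min_cells]


# Constructed sample data (hypothetical, not from any real system).
CONFIDENTIAL_DOC = ("Project Falcon merger plan: the board will acquire Acme "
                    "Widgets for 120 million in the third quarter, pending "
                    "regulatory approval.")
DOC_STORE = fingerprint_document(CONFIDENTIAL_DOC)
# Two rows shaped like the slide's demo table (masked, fictitious values).
CUSTOMERS = [{"name": "楊宗尾", "id": "N100145XXX", "mobile": "0912-3456XX"},
             {"name": "林幼佳", "id": "X100058XXX", "mobile": "0987-6543XX"}]
RECORD_STORE = [fingerprint_record(r) for r in CUSTOMERS]

if __name__ == "__main__":
    excerpt = "FYI - the board will acquire Acme Widgets for 120 million"
    print(f"excerpt match: {document_match(DOC_STORE, excerpt):.2f}")
    print("rows leaked:", record_match(RECORD_STORE, "call 楊宗尾 at 0912-3456XX"))
```

A production engine would add normalisation for character replacements and a threshold per policy; the ratio returned here is the raw partial-match score a policy would compare against.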
  • How Websense protects patient personal data from leaking (sample records shown on the slide; values masked)
    Customer name | ID number | Contact phone | Mobile phone | Date of birth
    楊宗尾 | N100145XXX | (02)2325-58XX | 0912-3456XX | 1951/5/23
    林幼佳 | X100058XXX | (02)2266-55XX | 0987-6543XX | 1923/9/15
    潘欲聞 | L200552XXX | (02)2325-58XX | 0912-3456XX | 1953/5/11
    梨會騎 | N101290XXX | (02)2266-55XX | 0987-6543XX | 1954/3/22
    服窮音 | L101832XXX | (02)2325-58XX | 0912-3456XX | 1955/1/25
    陶金銀 | L121942XXX | (02)2266-55XX | 0987-6543XX | 1962/12/2
    利精 | B120231XXX | (02)2325-58XX | 0912-3456XX | 1961/6/20
    王痣平 | L200547XXX | (02)2266-55XX | 0987-6543XX | 1938/12/23
    小胖 | B120897XXX | (02)2325-58XX | 0912-3456XX | 1965/10/9
    張與 | B200002XXX | (02)2266-55XX | 0987-6543XX | 1932/2/1
    林稚齡 | B200720XXX | (02)2325-58XX | 0912-3456XX | 1927/7/16
    蔡一零 | L100580XXX | (02)2266-55XX | 0987-6543XX | 1943/9/23
    李啟龍 | L200473XXX | (02)2325-58XX | 0912-3456XX | 1950/4/12
  • Who sent what, to where, and how
    • Who (user resolution / AD account integration): HR, customer service, finance staff, accounting staff, legal, sales, marketing, technical support, engineering R&D
    • What (natural-language matching of document content): source code, business plans, merger plans, patient data and medical records, employee data, financial reports, customer data, technical documents, competitive comparison information
    • Where (URL/IP category database integration, destination awareness): competitors, network drives, blog sites, customers, 對案 [sic], spyware sites, accounting firm partners, media, webmail sites
    • How (full data channel support): FTP file transfer, IM instant messaging, P2P file sharing, network printers, e-mail, web, USB flash drives
    Websense DSS policy management logic can define a whitelist or blacklist for any of these items.
  • Websense DSS detection features
  • Websense DSS detection features
    • The following examples all use HTTP/HTTPS as the template
    • Websense DSS supports detection across a wide range of communication content, including web, e-mail, IM, FTP and endpoint (USB / CD burning) channels
    [Diagram: data sources (Desktop, Laptop, Database, File Server) → channels (Email, HTTP, FTP, IM, Print, Custom Channels) → actions (Block, Encrypt, Quarantine, Notify, Remediate)]
  • Scenario A: a user uploads a confidential file
    • Policy example: the company needs to monitor and block all uploads of confidential documents
    • Examples
      • The user attempts to get past the block by copying to USB, compressing, encrypting, etc.
      • The user attempts to send the file out via e-mail
      • The user attempts to send the file out via webmail
        • Filename unchanged: the original source of the content is detected and the transfer blocked
        • Only part of the document extracted: the system still detects the original source of the content and blocks the transfer
    [Diagram label: original data source]
  • Scenario A: a user uploads a confidential file
  • Example incident detail: a user zips up a file of system passwords; Passwords.zip is sent via e-mail to a Yahoo Group of partners wishing to transact business; the incident is intercepted by Websense.
  • Conclusion
  • Summary: Websense Data Security Suite
    • Provides complete data loss prevention functionality. Without changing the existing network architecture, it delivers outbound content scanning, audit and management of leakage incidents, confidential data discovery, and delayed delivery for review or blocking of confidential transmissions, giving complete protection and policy enforcement
    © 2010 Websense & Docutek Solutions, All Rights Reserved. Features of the Websense DLP solution: delegated incident audit and reporting, letting auditors and administrators handle incidents quickly and safely; PreciseID™ intelligent content recognition, high speed and not evaded by modifications of any kind; 1100+ policy template wizards, with compliance templates for the regulations of many countries and industries; flexible endpoint mechanism, controlling both inter-application transfers and external storage devices; complete channel coverage: e-mail, web, print, IM, USB, FTP; flexible blocking and quarantine options: audit (monitor), block, quarantine, redirect
  • Planning of the implementation
  • Websense Data Security Solutions deployment practice: policy design
  • Websense Data Security Solutions deployment practice: how to plan a DLP project?
    [Diagram: DLP project workflow. Inputs: confidential documents and customer data held in databases and file servers; regulations PCI DSS, HIPAA, GLBA, EU DPA, Sarbox. Steps: classify confidential data → build the fingerprint database (known locations and throughout the enterprise: user desktops, web, e-mail, IM) → audit | protect → reporting (status, inventory; compliance, IT risk management) → review | correct. Remediation options: file/record removal, change file permissions (> chmod +r -w -x), assign to data owners, tombstones, ransom notes, encryption.]
  • Benefits of deploying DLP
    • Flexible policies that control based on "content"
      • Customer identity data
      • Credit card data
      • Monitoring of internal confidential documents
    • Detection across file conversion
      • An insider queries database contents and then sends them out
      • Internal confidential data converted to another file format and then sent out
    • Control based on "people"
      • Reports integrate with the internal directory server to show detailed source information
      • Blacklists and whitelists based on people can be set according to business processes
  • Any Questions?