Data leakage prevention EN Final


Data leakage prevention, or what kind of animal is this? Risks, Benefits, Strategy, Pitfalls, Examples.

Published in: Technology, News & Politics

  1. Zdravko Stoychev, CISM CRISC. 10th regional Information Security and Storage conference “The New Cross-Section”, Sep 28th, 2011 – Sofia, Bulgaria
  2. Agenda:
     • The need for new skills
     • What is a DLP system?
     • To DLP or not to DLP? – Questions, Risks, Outcomes
     • Examples – Business needs, Insider threats, Implementation
     • Questions
  3. “Ab ovo (usque ad mala)” - From the beginning to the end
  4. RSA appoints its first CSO
     » EMC’s security division RSA has plucked its first chief security officer (CSO) from NetWitness, the company it acquired shortly after admitting it was hacked;
     » Following RSA’s offer to replace as many as 40 million SecurID tokens, three Australian banks have dumped their tokens, including Australia’s largest bank, Westpac;
     » Eddie Schwartz, RSA’s new CSO: “Only job more public and challenging at the moment would be CSO of Sony.”
     Sony promised its first CISO
     » In response to its equally devastating breach, Sony promised to appoint its first chief information security officer (CISO) to ensure the company could avoid a repeat;
     » However, “Lulzsec” is claiming to have attacked the servers yet again and say that they have walked away with unencrypted security information. “At this point in time we are not in the position to say one way or another what the impact will be in full.”
     Source: itnews, ghacks
  5. Source: World Economic Forum
  6. Technical knowledge—that connects to business operations
     » While technical expertise is something a CISO has always needed, in fact, it is this level of knowledge that will broaden the gap and continue to differentiate senior information security leaders from their counterparts with backgrounds solely in physical security, and make them more attractive in the selection process.
     Business acumen—at a whole new level
     » While you may be an expert in application security, comparing yourself to a group of application security professionals will only keep you in application security and won’t get you elevated to management. In the past ISOs used their peer group of security pros to be their benchmark of what their skills should be; now that is really the executive team.
     Communication ability—including the skill of listening
     » In order for a security program to be implemented correctly you have to be able to get that message to everyone. Everybody has to develop some kind of security conscience. The listening skills may be even more important than speaking in the first stages of communicating with others throughout the organization.
     Leadership skill—no matter your current position
     » Of all the skills today’s employer is looking for from their CISO or security manager, it is leadership. And many companies may be hiring a CISO because they are seeking change within an organization and they want a CISO who can drive their security in a new direction. And that takes someone with leadership ability.
     Source: CSO Magazine
  7. “Et ipsa scientia potestas est” - And knowledge itself, is power
  8. Data leakage/loss prevention (DLP) is:
     A set of information security tools that is intended to stop users from sending sensitive or critical information outside of the corporate network.
     Adoption of DLP, variously called data leak prevention, information loss prevention or extrusion prevention, is being driven by significant insider threats and by more rigorous state privacy laws, many of which have stringent data protection or access components.
     DLP products use business rules to examine file content and tag confidential and critical information so that users cannot disclose it.
     Tagging is the process of classifying which data on a system is confidential and marking it appropriately.
     Example: A user who accidentally or maliciously attempts to disclose confidential information that’s been tagged will be denied, e.g. prevent a sensitive financial spreadsheet from being emailed by one employee to another within the same corporation.
  9. The first and foremost thing is to answer the question: What problem space are we talking about when we talk about Data Leakage?
     » The Data Leakage problem can be defined as any unauthorized access of data due to an improper implementation or inadequacy of a technology, process or a policy.
     Next, the second question to answer is: what part of the problem space defined above does the DLP product market solve?
     » In the above definition of data leakage, the DLP solutions are designed to prevent unauthorized access of data due to inadequacy or improper implementation of a process or a policy, but not technology. They are not designed to address data leakage issues resulting from external attacks.
     Hence the DLP systems primarily help enforce “acceptable use” policies and processes for an enterprise.
     What you don’t have is that:
     » They are not designed to solve the part of the data leakage problem space that is related to technology – the information security aspect. So, it is not an information security data leakage issue that the DLP solution is trying to solve.
     Source: InfoSecIsland
  10. The third question that comes to mind: where is our enterprise in this Data Leakage problem space?
     » Surprisingly, one will notice that Data Leakage is already a part of one’s enterprise security strategy in the form of deployed firewalls, encryption solutions, IDS, LDAP etc.
     Next, getting to the real question – does my enterprise need to invest in a DLP solution?
     » And this is a million dollar question which requires comprehensive evaluation specifically to the current state of enterprise security technology investments, and of course the data type the enterprise processes/stores.
     Hence the DLP system should be / is implicitly a part of an enterprise security strategy.
     What you should do / have is:
     • Enterprise Data Classification – if you cannot answer the question “where is my sensitive data?”, you need to first work on a data classification effort for your enterprise;
     • Streamline or Implement Processes and Policies in support of data leakage prevention;
     • Perform a gap assessment on current security infrastructure that already implicitly supports DLP or can be leveraged to support DLP – purely for cost savings.
  11. “Amat victoria curam” - Victory loves preparation
  12. DLP solutions help mitigate the following risks:
     • Identifying insecure business processes. For example, use of FTP for transporting personal data;
     • Accidental data disclosure by employees. For example, an employee sending unencrypted email containing sensitive data;
     • Intentional data leakage by employees. For example, disgruntled employees stealing data or an employee leaving the company with sensitive data.
     The problem space is not solved comprehensively by DLP solutions! Example: an employee can still take a picture of sensitive data and leak it.
     So DLP systems aid the enforcement of acceptable use policies and processes, with certain limitations.
  13. Data Classification efforts can be very easy for a small enterprise, and a beast for a large enterprise. Similarly, implementing a DLP solution is easy and effective for a small enterprise vs. a medium or large enterprise.
     The larger enterprises should always use a phased approach and also account for the extra manpower required to continuously configure, monitor and tune the DLP solution. This will reduce false positives and false negatives, which is usually the biggest problem enterprises have reported after implementing the DLP solution.
     » Some of the features could result in serious business interruptions in the case of no data classification or a rules misconfiguration;
     » Also, it’s easy to get blown away by some of the rally features like copy-paste functions for certain kinds of data, or pattern matching features, etc. It’s not the tool which is a problem here, it’s the preparation and implementation shortcomings that result in such outcomes.
     Conclusion: the DLP solutions address only a subset of data leakage issues and only help enforce “acceptable use” policies and processes with a number of limitations. They do not prevent information security related data leakage issues.
  14. “A bove maiore discit arare minor” - A good example makes a good job
  15. In most cases, the company exchanges information with third parties (customers, partners, authorities etc.) using E-mail and Internet services;
     Sensitive Information is located at many places, such as in:
     • central databases;
     • workstations (local drives) and laptops;
     • shared workplaces (file servers, SharePoint servers);
     • USB sticks and external hard drives.
     The company provides E-mail and Internet services to the users of its own units (and probably several group companies).
     The risk of inadvertent or deliberate data loss due to inadequate security measures and users’ negligence is present. Isn’t it?
     To answer that question we have to evaluate the existing threats…
  16. • Lack of or insufficient security policies & procedures;
     • Appropriate security measures not implemented (perimeter, endpoints);
     • Lack of employees’ awareness & training;
     • Lack of employees’ diligence;
     • Disgruntled employees steal corporate data;
     • Misuse of corporate computers, systems and passwords;
     • Information destruction and recycling of media;
     • Remote working & mobility;
     • Economic crisis.
  17. Based on the policies and rules, the DLP Email Prevent system:
     » Releases the message (no violation of policies)
     » Blocks the message (unauthorized user)
     » Modifies the header of the message (authorized users).
     When the SMTP Gateway receives an email with this special header, it forwards it to the encryption server.
     The encryption server encrypts the email and sends it back to the SMTP Gateway, which forwards it to the Internet.
     » No user (sender) intervention is required.
     » Different encryption options provided for the recipients.
  19. The proxy server forwards all web traffic to the DLP Web Prevent system;
     Based on the policies and rules, the DLP system can:
     » block the file upload or remove the confidential content from the file;
     » release the traffic back to the proxy server.
     The main goal is to block the uploading of files using HTTP/S or FTP:
     » real-time monitoring of the ongoing traffic – transparent to the users;
     » blocking certain websites based on BlackLists / keywords, etc.;
     » encrypted traffic is being monitored too (by replacing root CA).
     No additional protection (encryption) mechanism.
  21. Related security projects to consider for minimizing the risks of Data Leakage:
     • Discover where the sensitive Information is located across the company and take relevant measures;
     • Implement DLP at workstations with critical operations, in conjunction with the current Endpoint security technology;
     • Protection at the endpoint (workstations, laptops, removable storage devices, mobile devices, smartphones);
     • Protecting Databases from unauthorized access and actions (audit & prevent);
     • Protection for shared information (file servers, backups, Databases) by using encryption mechanisms;
     • This is an ongoing process (Monitoring, assessment, optimization).
  22. “Prudens quaestio dimidium scientiae” - To know what to ask is already to know half
  23. Thank you for your time! Zdravko Stoychev, CISM CRISC http://twitter.com/zdravkos
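
The Email Prevent flow from slide 17, sketched in Python as an added example (it is not code from the presentation or from any DLP product). The header name `X-DLP-Encrypt`, the card-number content rule, the authorized-sender list and the sample addresses are assumptions made for illustration.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Assumptions, not from the slides: header name, content rule, sender list.
ENCRYPT_HEADER = "X-DLP-Encrypt"
AUTHORIZED_SENDERS = {"finance@example.com"}
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def is_sensitive(msg: EmailMessage) -> bool:
    """Content rule: the body holds a Luhn-valid card-like number."""
    return any(luhn_ok(re.sub(r"\D", "", m.group()))
               for m in CARD_RE.finditer(msg.get_content()))


def dlp_verdict(msg: EmailMessage) -> str:
    """DLP side: release, block, or tag the message for encryption."""
    if not is_sensitive(msg):
        return "release"                      # no policy violation
    sender = parseaddr(str(msg["From"]))[1].lower()
    if sender not in AUTHORIZED_SENDERS:
        return "block"                        # unauthorized user
    msg[ENCRYPT_HEADER] = "yes"               # authorized: modify the header
    return "encrypt"


def gateway_route(msg: EmailMessage) -> str:
    """SMTP gateway side: tagged mail detours via the encryption server."""
    return "encryption-server" if msg.get(ENCRYPT_HEADER) == "yes" else "internet"


def make_msg(sender: str, body: str) -> EmailMessage:
    """Build a constructed sample message."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, "partner@example.org"
    msg.set_content(body)
    return msg
```

The Luhn check is what keeps an order number such as `1234 5678 9012 3456` from tripping the rule, the kind of false positive slide 13 says needs continuous tuning.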