Regulations and compliance (PCI-DSS, ISO 27001, HIPAA, SOX, Data Privacy Act, IT Act, GLBA, etc.); data stored in multiple locations (desktops, laptops, servers, databases, web, cloud, etc.); names of companies hacked in the recent past (the Google, RSA, Twitter and Facebook hacks, etc.); adoption of SaaS / PaaS business models and offerings.
DLP should take care of incoming data transfers too
Regular release of default policies at a defined frequency. Reporting and logging should be quick and reliable, because the volume of forensic information captured and retained will be large, depending on the organization's logging and retention policy. Support for Windows, Unix and Mac systems.
Approach 1: think, plan and try BIG. The big-bang approach fails in most cases, because every stakeholder has their own priorities, projects and business to deal with; it may succeed in a process-centric organization. Approach 2: think BIG, but plan smaller actions that create visibility, help stakeholders understand the business impact and commit, and then drive faster adoption. This works in almost all enterprises.
The 80:20 principle
Most customers look at a DLP project as a large black box into which you throw everything (data classification, access management, encryption, discovery, DRM) and hope for the best. The problem is that this leads to a massive investment in infrastructure, resources and planning, and they do not see results for a long time; when an executive asks for results, the answer is usually "this is still in process". Websense suggests a different approach and recommends that customers build small boxes (a box has three dimensions: channel, data, business unit/region). If the customer starts with a focused target, say financial data over email leaving the corporate network, they will see quick results, because the scope is manageable and focused and shows a quick ROI. Results also create an appetite in other business units to join the project.
Most DLP solutions can alert administrators when a specified type of sensitive information in a single transmission exceeds a predefined threshold; for example, any transmission suspected of containing more than 5 credit card numbers. However, most DLP solutions cannot handle the complementary violation: 5 or more transmissions, each containing a single credit card number. The Smart Detection feature lets administrators define policies that span multiple incidents over a specified period of time. As the graphic shows, 5 emails from the same user over the course of a day, each containing one customer's credit card number, can alert the administrator to a possible violation. Websense presents this level of sophistication as unique to its product.
While many focus on USB drives when it comes to endpoint protection, there are several other channels of possible data loss.
For discovery, several remediation actions are available: tombstone (delete the file and leave a note indicating that it has been deleted), ransom note (indicating where and how to get the file back), as well as encryption and the application of electronic digital rights management (EDRM). Discovery remediation also supports custom scripts, giving the flexibility to meet specific customer requirements.
Comprehensive data security is multi-faceted. Despite the common misconception that it is primarily about the data itself, a comprehensive solution must address the entire flow of data. First, you must understand who should have access to particular data. Second, the data itself must be well identified. Third, the valid locations where such data may reside must be defined. Fourth, how such data can and cannot be transmitted must be defined. Finally, all the previous steps are for nought unless you can granularly control the action taken in each scenario. Comprehensive data security therefore involves several factors that require simple, unified management; Websense presents its Unified Policy Design, covering all facets of data security, as unique among vendors.
CISO Roundtable: Effective Implementation of DLP and Data Security
Agenda
- Enterprise: growing challenges
- Business drivers for DLP
- DLP-specific challenges & misnomers
- Solution decision making
- Approaches / solutions to solve data security challenges
- Approach & methodology
- Critical success factors
- Project outcome
- Key learnings
Enterprise: Growing Challenges
- Growing employee base, spread across locations
- Enabling an employee-friendly environment to keep them motivated and achieve work-life balance
- Governed by different regulations and compliance requirements
- Data residing in multiple locations
- Multiple stakeholders involved, and a lack of understanding
- Everyone thinks all their data is critical and important (it is not so important)
- Evolving, dynamic threat landscape (government agencies, Fortune 100 companies and enterprises are constantly targeted, and some attacks succeed)
- Outsourcing and its related discrete requirements / commitments
- Growing adoption of public cloud / infrastructure / networks
Business Drivers for DLP
Drivers and why they matter: business confidentiality; regulatory compliance.
- Comply with regulatory and compliance requirements
- Avoid penalties for non-compliance
- Prevent data breaches / infiltration
- Protect business interests, including customer confidence
- Protect company and customer IPR
- Protect brand value
DLP Specific Challenges & Misnomers
- "All" our data is critical and confidential
- The IT department should be able to identify and classify critical business information
- Let's fingerprint all our data
- Let's configure DLP to protect all data
- Let's block all sensitive information from going out and allow information transfer only on senior management approval
- We have defined 200 policies but the DLP solution is not raising any meaningful alerts
Approaches to Solve Data Security Challenges
There are multiple solutions available in the market to address the data security requirement, and most of them work in a complementary fashion to one another. DLP is adopted to address the missing piece / gap left by the other data security solutions, as highlighted below.

Solution             | Area it covers                                                              | Missing piece
Full Disk Encryption | Works at the disk level to encrypt the drive                                | None of these solutions can differentiate the data, i.e. the classified information: Private / Confidential vs Public
Device Control       | Works at the device level, again to either allow or disallow the drive      | (same)
Access Control & RMS | Works based on rights / privileges enabled for a user / IP, or requires user intervention | (same)
Email Encryption     | Works based on user / domain as per policy                                  | (same)
DLP                  | Works on the classified information to enable ...                           |
Solution Decision Making
- Adopt a solution that is easy to understand and implement
- DLP deployment should not call for architectural / design / product changes to existing services like email and web; rather it should integrate seamlessly with minimal or no changes
- Proper categorization of vanilla DLP policies by industry and country
- The solution should be scalable and reliable from an architecture standpoint
- Support for the multitude of systems used in the corporate environment
- Easy, straightforward integration with existing internal systems (directory services, monitoring services, SIEM, etc.)
- Vendor support and a good roadmap / vision are key
- Availability of a reliable partner for the vendor in the local country, with good deployment and process experience in rolling out DLP
Approach & Methodology (the DLP approach as a Plan-Do-Check-Act cycle)

Plan:
- Initiation
- Establish objectives and goals (short and long term)
- Plan infrastructure
- Establish design
- Identify matching default policies
- Identify critical channels
- Stakeholder analysis
- Communicate awareness and training
- Define ownership
- Establish a procedure for critical data identification and classification
- List the actions to be performed

Do:
- Establish policy, process and procedure
- Review identified and classified data
- Establish infrastructure
- Enable shortlisted default policies to create visibility
- Deploy DLP for the identified channels
- Role segregation
- Enable console access for different stakeholders to create impact
- Enable incident monitoring and response
- Deliver weekly and monthly reports for management and stakeholder visibility
- Establish governance

Check:
- Analyse whether the data classification procedure is being followed
- Analyse the need for more training
- Analyse the visibility created by the default policies
- Analyse the effectiveness of the policies enabled
- Check whether the short-term goal is met and whether to trigger the long-term strategy
- Analyse stakeholder involvement and the support obtained
- Decide whether protection / inline mode can be enabled

Act:
- Act on all outcomes of the analysis
- Initiate work on the long-term strategy
- Enable custom policies as required
- Fine-tune policies
- Make the deployment inline
- Expand the coverage and footprint
- Repeat the entire cycle (continuous process)
Critical Success Factors
- IT is a facilitator, not the business data owner, in the DLP project
- DLP project success is directly proportional to business user involvement, buy-in, contribution and approvals
- Enable DLP in monitor mode first, and block later based on the monitoring outcome
- Understand that data classification and policy definition are not a one-time exercise; repeat the PDCA cycle (Plan, Do, Check, Act) at a defined periodicity
- Realize that DLP cannot eliminate security breaches, but helps reduce the risk by detecting and preventing incidents
Project Outcome
- All critical channels (web, email and mobile devices) are covered and monitored
- Data movement within the organization is tracked better
- 24x7x365 monitoring in place to handle high / medium severity incidents reported by DLP
- Awareness among employees improved, which resulted in improved compliance and a reduction in data-related incidents
- Happy customers and auditors
Key Learnings
- The DLP approach should be chosen based on the culture of the organization
- Establishing frequent connects with stakeholders and employees is the key to success
- Enabling visibility for business stakeholders resulted in quicker adoption
- The DLP journey is not a one-time exercise / project; it is an ongoing process / operation to be strictly followed and adhered to by all stakeholders
- Establishing a governance organization dedicated to the DLP journey helped in driving and communicating changes to ways of working
Understanding of Technology Architecture and Solutions for Data Security
Maheswaran.S, Manager, Sales Engineering, SAARC
Image Detection
Detects sensitive text within images:
- Screen captures
- Scanned checks
- Scanned receipts
- Applications with image output
- Fax pages
- etc.
Data Drip Detection
Detects multiple instances of small data leaks over time.
[Figure: five emails from John Doe to Joe Smith, subject "Customer Information", sent at 3:01 PM, 3:14 PM, 3:17 PM, 4:45 PM and 4:50 PM, each carrying a single customer record with a credit card number (CCN). Each email on its own is a low-impact incident; taken together, within 2 hours, they form a high-impact event.]
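The two rules contrasted here, as an added example that is not part of the original deck or of the Websense product: a per-transmission threshold (N card numbers in one message) beside a per-sender sliding-window correlation of the kind the slide calls Data Drip Detection, where the same N card numbers are spread over several messages. The event format, the `DripDetector` class, the two-hour window and the five-email sample are all assumptions made for illustration; the sample messages are constructed, and the card numbers in them are the public payment-industry test numbers, which pass the Luhn check.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# 13-19 digits, optionally separated by single spaces or dashes, not embedded in a longer digit run.
# Two card numbers separated only by a single space would be read as one run; real products tokenise harder.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: drops digit runs (ticket numbers, IDs) that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid primary account numbers found in text, separators stripped."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            pans.append(digits)
    return pans


def single_transmission_violation(text: str, threshold: int = 5) -> bool:
    """The classic per-transmission rule: N or more card numbers inside one message."""
    return len(find_pans(text)) >= threshold


class DripDetector:
    """Cumulative rule: N or more card numbers from one sender inside a sliding time window,
    however many separate transmissions they are spread over (hypothetical class, for illustration)."""

    def __init__(self, threshold: int = 5, window: timedelta = timedelta(hours=2)):
        self.threshold = threshold
        self.window = window
        self.history = defaultdict(deque)  # sender -> deque of (timestamp, pan_count)

    def observe(self, sender: str, ts: datetime, text: str):
        count = len(find_pans(text))
        if count == 0:
            return None  # not a data-loss incident at all; nothing to correlate
        hist = self.history[sender]
        hist.append((ts, count))
        while hist and ts - hist[0][0] > self.window:  # evict incidents older than the window
            hist.popleft()
        total = sum(c for _, c in hist)
        if total < self.threshold:
            return None  # still a low-impact incident on its own
        alert = {"sender": sender, "window_start": hist[0][0], "window_end": ts,
                 "transmissions": len(hist), "pan_count": total}
        hist.clear()  # do not report the same transmissions twice
        return alert


# Constructed sample mirroring the slide: five emails from one user inside two hours, each with a
# single customer record. A second user sends a look-alike number that fails the Luhn check.
_DAY = datetime(2013, 1, 1)
SAMPLE_EVENTS = [
    ("john.doe@example.com", _DAY.replace(hour=15, minute=1), "Joe, here is a customer: Mike McDonald CCN: 4111-1111-1111-1111"),
    ("john.doe@example.com", _DAY.replace(hour=15, minute=14), "Joe, here is a customer: Jane Brown CCN: 5555 5555 5555 4444"),
    ("ann.lee@example.com", _DAY.replace(hour=15, minute=15), "Ticket 1234-5678-9012-3456 is closed"),
    ("john.doe@example.com", _DAY.replace(hour=15, minute=17), "Joe, another one: CCN 378282246310005"),
    ("john.doe@example.com", _DAY.replace(hour=16, minute=45), "Joe, another one: CCN 6011111111111117"),
    ("john.doe@example.com", _DAY.replace(hour=16, minute=50), "Joe, last one: CCN 4012-8888-8888-1881"),
]


def run_sample(events=SAMPLE_EVENTS, threshold: int = 5, window: timedelta = timedelta(hours=2)) -> list[dict]:
    """Feed the events through both rules; return the drip alerts raised."""
    detector = DripDetector(threshold, window)
    alerts = []
    for sender, ts, body in events:
        if single_transmission_violation(body, threshold):
            raise AssertionError("sample is meant to stay under the per-message threshold")
        alert = detector.observe(sender, ts, body)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['sender']}: {a['pan_count']} card numbers over {a['transmissions']} emails "
              f"between {a['window_start']:%H:%M} and {a['window_end']:%H:%M}")
```

The per-message rule never fires on this sample; the sliding-window rule fires once, on the fifth email from john.doe. Whether to key the window on sender alone or on the sender-recipient pair, and whether to clear the history after an alert, are tuning decisions that trade missed drips against duplicate alerts for the analyst.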
Data in Motion: Network DLP
Port-span:
- Look, don't touch
- Sees unencrypted outbound traffic
In-line:
- Look AND touch
- Proxy for Web and FTP
- MTA for email
- ActiveSync for mobile
Agent:
- Network printers
Channel Detection and Response: Network DLP
Response options by channel:

Channel              | Response options
Web                  | Audit*, Block, Alert, Notify
Email                | Audit, Block, Quarantine, Encrypt, Alert, Notify
FTP                  | Audit, Block, Alert, Notify
Network printer      | Audit, Block, Alert, Notify
ActiveSync           | Audit, Block, Alert, Notify
IM & custom channels | Audit, Block, Alert, Notify
SSL Decryption
Web security with SSL decryption feeds the decrypted traffic to dynamic content control, dynamic threat protection and DLP; without it, encrypted outbound sessions are invisible to a port-span sensor.
Statistic quoted on the slide: 39 percent of malicious Web attacks included data-stealing code.
Data in Use: Endpoint DLP Channels
- Removable media / USB drives
- Local printer
- Print server and network printers
- LAN storage
- Internet
- Applications
Detection and Response: Endpoint DLP
Response options by channel:

Channel         | Response options
Applications    | Permit, Confirm, Block, Email quarantine, Alert, Notify
Removable media | Permit, Confirm, Block, Encrypt to USB, Alert, Notify
Storage         | Alert / Log; scripts: Encrypt, Tombstone, Quarantine, EDRM
Data at Rest: Discovery
Agentless:
- Network-based discovery
- Conducted over LAN / WAN
- Managed by schedule and/or bandwidth
- Leverage VMs as multipliers
Agent:
- Performs discovery locally
- Fastest discovery
- Managed by schedule, CPU utilization and power supply
Hybrid:
- The best of both worlds
- Leverage any combination
Advanced Remediation Capabilities: Discovery
- Remediation scripts: several predefined scripts available, customizable for the highest flexibility
- Common remediation actions: Move / Quarantine; Encrypt**; Classification tag (Microsoft FCI); Apply EDRM**; Purge / Delete
** Requires a 3rd-party product
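A discovery scan with a tombstone remediation script of the kind listed above, as an added example that is not the deck's or the product's own code. It walks a directory tree, flags text files that hold Luhn-valid payment card numbers, moves each hit into a quarantine share (keeping its relative path) and leaves a note in its place, then re-scans to show the share is clean. The directory layout, the note wording, the `.TOMBSTONE.txt` suffix and the sample files are assumptions constructed for illustration; the card numbers are the public industry test numbers.

```python
import re
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# 13-19 digits with optional single space/dash separators, not part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
TOMBSTONE_SUFFIX = ".TOMBSTONE.txt"  # assumed naming convention for the note left behind
TOMBSTONE_NOTE = (
    "This file was removed by a DLP discovery scan on {when}.\n"
    "Reason: {reason}\n"
    "Original name: {name}\n"
    "It was moved to the quarantine share; contact the data owner or information security to request it.\n"
)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, so ticket numbers and similar digit runs are not treated as card data."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def count_pans(text: str) -> int:
    """Number of Luhn-valid 13-19 digit card numbers in text."""
    n = 0
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            n += 1
    return n


def discover(root: Path, max_bytes: int = 1_000_000) -> list[tuple[Path, int]]:
    """Agent-style local discovery: walk root and report text files holding card numbers."""
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.name.endswith(TOMBSTONE_SUFFIX) or path.stat().st_size > max_bytes:
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except UnicodeDecodeError:
            continue  # binary or non-UTF-8; a product would hand this to a file parser or OCR
        n = count_pans(text)
        if n:
            hits.append((path, n))
    return hits


def tombstone(path: Path, root: Path, quarantine: Path, reason: str) -> Path:
    """Move path into quarantine (keeping its relative location) and leave a note in its place."""
    dest = quarantine / path.relative_to(root)
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(path), str(dest))
    note = path.with_name(path.name + TOMBSTONE_SUFFIX)
    note.write_text(TOMBSTONE_NOTE.format(
        when=datetime.now(timezone.utc).isoformat(timespec="seconds"), reason=reason, name=path.name))
    return note


def remediate(root: Path, quarantine: Path) -> dict[str, int]:
    """Run discovery and tombstone every hit; return {relative path: card-number count}."""
    done = {}
    for path, n in discover(root):
        rel = path.relative_to(root).as_posix()
        tombstone(path, root, quarantine, f"{n} payment card number(s) found")
        done[rel] = n
    return done


def build_sample_share(root: Path) -> None:
    """Constructed test data: one file with card data, one clean, one look-alike number, one binary."""
    (root / "finance").mkdir(parents=True)
    (root / "hr").mkdir()
    (root / "finance" / "customers.csv").write_text(
        "name,card\nMike McDonald,4111-1111-1111-1111\nJane Brown,5555 5555 5555 4444\n"
        "Sam Green,378282246310005\n")
    (root / "hr" / "notes.txt").write_text("Team offsite moved to March. Ticket 1234-5678-9012-3456 closed.\n")
    (root / "finance" / "logo.bin").write_bytes(bytes(range(256)))


def run_demo() -> dict:
    """Build the sample share in a temp dir, remediate it, and re-scan to prove nothing is left."""
    with tempfile.TemporaryDirectory() as tmp:
        root, quarantine = Path(tmp) / "share", Path(tmp) / "quarantine"
        build_sample_share(root)
        done = remediate(root, quarantine)
        return {
            "tombstoned": done,
            "note_exists": (root / "finance" / ("customers.csv" + TOMBSTONE_SUFFIX)).is_file(),
            "quarantined_exists": (quarantine / "finance" / "customers.csv").is_file(),
            "rescan_hits": len(discover(root)),
        }


if __name__ == "__main__":
    print(run_demo())
```

The quarantine share lives outside the scanned root and the scanner skips its own notes, so a second pass reports zero hits instead of re-tombstoning the tombstones. A production script would also record the original owner and ACL of each moved file, because the ransom-note workflow the deck describes depends on being able to give the file back.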