CISO Roundtable on Effective Implementation of DLP & Data Security


  1. CISO Roundtable: Effective Implementation of DLP and Data Security
  2. ©2013, Cognizant | All rights reserved. The information contained herein is subject to change without notice.
     Venkatasubramanian Ramakrishnan, Director - Global Information Security, Cognizant Technology Solutions
     Information Security and Data Protection Strategy
  3. Contents
     - Inflection Point
     - Key Disrupting Factors
     - Role of Information Security Function
     - Data Security Strategy
     - Key Points
     - Big Picture
     - Threat Modeling
     - Sample Threat Modeling
  4. Inflection Point
  5. Key Disrupting Factors
     1. Greater business partner responsibility for technology projects
     2. Workplace of the future
     3. Sharper executive focus on risk management
     4. Core responsibility overlap with the legal function
     5. Sophistication of external threat vectors
  6. Role of Information Security Function (risk management philosophy by period)
     | Period        | Role                 |
     |---------------|----------------------|
     | 2000-2004     | Control Owner        |
     | 2005-2012     | Decision Owner       |
     | 2012 & Beyond | Decision Facilitator |
  7. Data Security Strategy
  8. Key Points
     1. The new era requires information security system design with a counter-intelligence mindset.
     2. Competitive economic pressures and national security issues drive various entities to seek information and intellectual property.
     3. Counterintelligence awareness among security leaders is the first step toward improving the protection of proprietary information.
  9. Big Picture (diagram elements)
     - Threats
     - Opportunities
     - Business model: strategy, people, process, technology and infrastructure in place to drive towards objectives
     - Objectives: strategic, operational, customer and compliance objectives
     - Mandatory boundary: laws, government regulations and other mandates
     - Voluntary boundary: organizational values, contractual obligations, internal policies and other promises
  10. Threat Modeling (diagram)
     - Critical elements of business intelligence: capabilities, competition, strategic plans, political, economic and social forces, markets, customers, technology developments, industry structure
     - Threats: competitive intelligence collectors, terrorists, "ethically flexible" employees, state-sponsored attack, resource poaching, economic or industrial espionage
     - Monitor the external environment:
       - Monitor social media for any chatter on new methods or targets of attacks.
       - Engage in peer conversations to share knowledge and stay up to date on threat vectors, new techniques, known bad IP addresses, etc.
       - Understand what kinds of activities and news reports are likely to increase the chances of an incident.
  11. Sample Threat Modeling
     | Data or information that may be under threat | Who may want it | How motivated are they to get it (ask these questions) | Priority for incident response planning (determined by the previous three factors) |
     |---|---|---|---|
     | Client credit card numbers | Hacker-thieves, etc. | What kind of clients do you have? Etc. | Low/Med/High |
     | Intellectual property data | Competitors; foreign governments interested in a particular IP or technology; etc. | Will this IP significantly alter the market-share landscape of the industry? Is the IP capable of providing extensive competitive advantage? Are there ideological reasons for stealing such information? Etc. | Low/Med/High |
     Manage potential threats:
     - Determine what assets, data, information, etc. the organization owns that may be of particular interest to attackers, and how important this information or data is to the business.
     - Determine who may want such information, how sophisticated they are, and what channels they may use to attempt to cause an incident.
     - Determine how motivated potential attackers may be.
  12. Thank you
  13. Data Leakage Prevention (DLP) Project
  14. Agenda
     - Enterprise: growing challenges
     - Business drivers for DLP
     - DLP-specific challenges and misnomers
     - Solution decision making
     - Approaches / solutions to solve data security challenges
     - Approach and methodology
     - Critical success factors
     - Project outcome
     - Key learnings
  15. Enterprise: Growing Challenges
     - Growing employee base, spread across locations
     - Enabling an employee-friendly environment to keep them motivated and achieve work-life balance
     - Governed by different regulations and compliance requirements
     - Data residing in multiple locations
     - Multiple stakeholders involved, and lack of understanding
     - Everyone thinks all their data is critical and important (it is not so important)
     - Evolving, dynamic threat landscape (government agencies, Fortune 100 companies and enterprises are constantly targeted, and some attacks succeed)
     - Outsourcing and its related discrete requirements / commitments
     - Growing adoption of public cloud / infrastructure / networks
  16. Business Drivers for DLP
     Drivers: business confidentiality; regulatory compliance.
     Why it matters:
     - To comply with regulatory and compliance requirements
     - Avoid penalties for non-compliance
     - Prevent data breaches / infiltration
     - Protect business interests, including customer confidence
     - Protect company and customer IPR
     - Protect brand value
  17. DLP-Specific Challenges and Misnomers
     - "All" our data is critical and confidential
     - The IT department should be able to identify and classify critical business information
     - Let's fingerprint all our data
     - Let's configure DLP to protect all data
     - Let's block all sensitive information from going out and allow information transfer only on senior management approval
     - We have defined 200 policies but the DLP solution is not raising any meaningful alerts
  18. Approaches to Solve Data Security Challenges
     - There are multiple solutions available in the market to address the data security requirement, and most of them work in a complementary fashion to one another.
     - DLP is adopted to address the missing piece / gap left by the other data security solutions, as highlighted below.
     | Solution | Area it covers | Missing piece |
     |---|---|---|
     | Full disk encryption | Works at the disk level to encrypt the drive | All these solutions cannot differentiate the data, i.e. classified information (private / confidential) from public data |
     | Device control | Works at the device level, again to either allow or disallow the drive | (as above) |
     | Access control & RMS | Works based on rights / privileges enabled for a user / IP, or user intervention is required | (as above) |
     | Email encryption | Works based on user / domain as per policy | (as above) |
     | DLP | Works on the classified information to enable | |
  19. Solution Decision Making
     - Adopt a solution which is easy to understand and implement
     - DLP solution deployment should not call for architectural / design / product changes for existing services like email and web; rather it should integrate seamlessly with minimum or no changes
     - Proper categorization of vanilla DLP policy based on industries and countries
     - Solution should be scalable and reliable from an architecture standpoint
     - Support for the multitude of systems used in the corporate environment
     - Easy and straightforward integration should be possible with existing internal systems (directory services, monitoring services, SIEM, etc.)
     - Vendor support and a good roadmap / vision is the key
     - Availability of a reliable partner for the vendor in the local country, with good deployment and process experience in rolling out DLP
  20. Approach & Methodology (the DLP approach as a repeating Plan, Do, Check, Act cycle)
     - Initiation / Plan: establish objectives and goals (short and long term); plan infrastructure; establish design; identify matching default policies; identify critical channels; stakeholder analysis; communicate awareness and training; define ownership; establish a procedure for critical data identification and classification; list actions to be performed
     - Do: establish policy, process and procedure; review identified and classified data; establish infrastructure; enable shortlisted default policy to create visibility; deploy DLP for identified channels; role segregation; enable console access for different stakeholders to create impact; enable incident monitoring and response; deliver weekly and monthly reports for management and stakeholder visibility; establish governance
     - Check: analyse whether the data classification procedure is being followed; analyse the need for more training; analyse the visibility created by default policy; analyse the effectiveness of existing enabled policy; check whether the short-term goal is met and analyse triggering of the strategy for the long-term goal; analyse stakeholder involvement and support obtained; decide whether enabling protection or inline mode can be done
     - Act: act on all the outcomes coming from analysis; initiate work on the long-term strategy; enable custom policy as per requirement; fine-tune policy; make deployment inline; expand the coverage and footprint; repeat the entire cycle (continuous process)
  21. Critical Success Factors
     - IT is a facilitator, not the business data owner, of the DLP project
     - DLP project success is directly proportional to business user involvement, buy-in, contribution and approvals
     - Enable DLP in monitor mode first, then block later based on the monitoring outcome
     - Understand that data classification and policy definition are not a one-time exercise; repeat the PDCA principle (Plan, Do, Check & Act) at a defined periodicity
     - Realize that DLP cannot eliminate security breaches but helps reduce the risk by detecting and preventing incidents
  22. Project Outcome
     - All critical channels like web, email and mobile devices are covered and monitored
     - Data movement within the organization is tracked better
     - 365*24*7 monitoring in place to handle high / medium severity incidents reported in DLP
     - Awareness among employees improved, resulting in improved compliance and a reduction in data-related incidents
     - Happy customers and auditors
  23. Key Learnings
     - The DLP approach should be chosen based on the culture of the organization
     - Establishing frequent connects with stakeholders and employees is the key to success
     - Enabling visibility for business stakeholders resulted in quicker adoption
     - The DLP journey is not a one-time exercise / project; it is an ongoing process / operation to be strictly followed and adhered to by all stakeholders
     - Establishing a governance organization dedicated to the DLP journey helped in driving and communicating change to wow's
  24. Understanding of Technology Architecture and Solutions for Data Security
     Maheswaran S., Manager, Sales Engineering, SAARC
  25. Data Security Technologies (diagram): Data Security at the centre, surrounded by DRM, DLP, GRC/SOC, Access Control, Encryption and FAM
  26. Data Types & DLP Approach (Source: www.oxford-consulting.com)
  27. DLP – Key Capabilities
  28. Identification Methods: Described, Registered, Learned
  29. Image Detection
     - Detects sensitive text within images:
       - Screen captures
       - Scanned checks
       - Scanned receipts
       - Applications which have image outputs
       - Fax pages
       - etc.
  30. Data Drip Detection
     Detects multiple instances of small data leaks over time. Illustration: a thread of emails from John Doe to Joe Smith, each titled "Customer Information" and each carrying a single customer record, at 3:01 PM, 3:14 PM, 3:17 PM, 4:45 PM ("Here is a customer information: Mike McDonald CCN: 1111-2222-3333-4444") and 4:50 PM ("Re: Customer Information. Here is another customer information: Jane Brown CCN: 1234-2345-3456-4567"). Each message on its own is a low-impact incident; taken together, within 2 hours, they form a high-impact event.
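The correlation the slide illustrates, written out as an added Python example (not part of the deck or of any vendor's product): each mail carrying one card number is only a low-impact incident, and a sliding window per sender/recipient pair promotes the series to a high-impact event. The 2-hour window comes from the slide; the three-record threshold, the mail timestamps and every card number other than the two shown on the slide are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Card numbers written 4-4-4-4, the shape shown on the slide. A production DLP
# engine adds Luhn validation and other described/registered identifiers; this
# constructed example (not vendor code) stays with the plain pattern.
CCN_RE = re.compile(r"\b\d{4}-\d{4}-\d{4}-\d{4}\b")

def detect_drip(messages, window=timedelta(hours=2), threshold=3):
    """Correlate low-impact per-message hits into high-impact events.
    messages: (timestamp, sender, recipient, body) tuples in any order. A message
    carrying a card number is a low-impact incident; a high-impact event is raised
    for a sender->recipient pair once `threshold` distinct card numbers fall within
    `window`. Returns (incidents, events); an event is
    (sender, recipient, first_seen, last_seen, distinct_count).
    """
    incidents, events = [], {}
    hits = defaultdict(list)  # (sender, recipient) -> [(ts, ccn), ...] in time order
    for ts, sender, recipient, body in sorted(messages, key=lambda m: m[0]):
        ccns = set(CCN_RE.findall(body))
        if not ccns:
            continue  # nothing sensitive: not even a low-impact incident
        incidents.append((ts, sender, recipient, len(ccns)))
        bucket = hits[(sender, recipient)]
        bucket.extend((ts, c) for c in ccns)
        # Slide the window: drop hits older than `window` relative to this message.
        bucket[:] = [(t, c) for t, c in bucket if ts - t <= window]
        distinct = {c for _, c in bucket}
        if len(distinct) >= threshold:  # re-raised with wider bounds as the drip goes on
            events[(sender, recipient)] = (sender, recipient, bucket[0][0], ts, len(distinct))
    return incidents, list(events.values())

def _t(hhmm):  # constructed timestamps on an arbitrary day; times mirror the slide
    return datetime(2013, 1, 7, *map(int, hhmm.split(":")))

# Constructed mail thread modelled on the slide: one customer record per mail.
SAMPLE = [
    (_t("15:01"), "john.doe", "joe.smith", "Here is a customer information: Mike McDonald CCN: 1111-2222-3333-4444"),
    (_t("15:14"), "john.doe", "joe.smith", "Here is a customer information: Jane Brown CCN: 1234-2345-3456-4567"),
    (_t("15:17"), "john.doe", "joe.smith", "Here is a customer information: Ann Lee CCN: 4444-3333-2222-1111"),
    (_t("16:45"), "john.doe", "joe.smith", "Here is a customer information: Raj Kumar CCN: 5555-6666-7777-8888"),
    (_t("16:50"), "john.doe", "joe.smith", "Here is another customer information: Li Wei CCN: 9999-8888-7777-6666"),
    (_t("15:05"), "alice", "bob", "Lunch at 12:30?"),  # no sensitive content at all
    (_t("15:30"), "alice", "bob", "Travel card: CCN: 1212-3434-5656-7878"),  # one hit: low impact only
]

if __name__ == "__main__":
    incidents, events = detect_drip(SAMPLE)
    print(f"{len(incidents)} low-impact incidents, {len(events)} high-impact event(s): {events}")
```

With the defaults the five John Doe mails collapse into one event spanning 3:01 PM to 4:50 PM, while the single Alice mail stays a low-impact incident; shrinking the window to ten minutes breaks the thread apart and raises no event.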
  31. Data in Motion – Network DLP
     - Port-span: look, don't touch; sees unencrypted outbound traffic
     - In-line: look AND touch; proxy for web & FTP; MTA for email; ActiveSync for mobile
     - Agent: network printers
  32. Channel Detection and Response – Network DLP (response options by channel)
     | Channel | Response options |
     |---|---|
     | Web | Audit*, Block, Alert, Notify |
     | Email | Audit, Block, Quarantine, Encrypt, Alert, Notify |
     | FTP | Audit, Block, Alert, Notify |
     | Network printer | Audit, Block, Alert, Notify |
     | ActiveSync | Audit, Block, Alert, Notify |
     | IM & custom channels | Audit, Block, Alert, Notify |
  33. SSL Decryption (diagram): SSL alongside Dynamic Content Control, Dynamic Threat Protection, Web Security and DLP. "39 percent of malicious Web attacks included data-stealing code."
  34. Data in Use – Endpoint DLP Channels: USB drives, local printer, LAN storage, Internet, print server, network printer 1, network printer 2, removable media, applications
  35. Detection and Response – Endpoint DLP (response options)
     | Channel | Response options |
     |---|---|
     | Applications | Permit, Confirm, Block, Email Quarantine, Alert, Notify |
     | Removable media | Permit, Confirm, Block, Encrypt to USB, Alert, Notify |
     | Storage | Alert/Log; scripts: Encrypt, Tombstone, Quarantine, EDRM |
  36. Data at Rest – Discovery
     - Agentless: network-based discovery; conducted over LAN/WAN; managed by schedule and/or bandwidth; leverage VMs as multipliers
     - Agent: perform discovery locally; fastest discovery; managed by schedule, CPU utilization, power supply
     - Hybrid: the best of both worlds; leverage any combination
  37. Advanced Remediation Capabilities – Discovery
     - Remediation scripts: several predefined scripts available; customizable for highest flexibility
     - Common remediation actions: Move/Quarantine, Encrypt**, Classification Tag (Microsoft FCI), Apply EDRM**, Purge/Delete
     ** Requires 3rd party
  38. DLP – Management & Reporting
  39. Business Intelligent Policy Framework
     - Who: Human Resources, Customer Service, Finance, Accounting, Legal, Sales, Marketing, Technical Support, Engineering
     - What: Source Code, Business Plans, M&A Plans, Employee Salary, Patient Information, Financial Statements, Customer Records, Technical Documentation, Competitive Information
     - Where: Benefits Provider, Personal Web Storage, Blog, Customer, USB, Spyware Site, Business Partner, Competitor, Analyst
     - How: File Transfer, Instant Messaging, Peer-to-Peer, Print, Email, Web, Removable Media, Copy/Paste, Print Screen
     - Action: Audit, Notify, Remove, Quarantine, Encrypt, Block, Confirm
  40. Enforce Policy by Geo Location
  41. Email-based Incident Workflow
     - Options to click within the email notification to: change severity, escalate, assign, ignore, etc.
  42. Demonstrating Risk Reduction
     | | Web | Email | FTP | IM | Network Printing |
     |---|---|---|---|---|---|
     | Jan | 200 | 150 | 50 | 10 | 45 |
     | Feb | 100 | 100 | 15 | 5 | 30 |
     | Mar | 60 | 76 | 5 | 2 | 15 |
     | 90-Day Risk Reduction | 70% | 49% | 90% | 80% | 67% |
     [Chart: "90-Day (High Impact) Risk Reduction", likelihood of data loss per channel, Jan to Mar]
  43. Incident Management & Reporting Dashboards
     The following are samples of our weekly and monthly dashboards on incident management.
  44. Thank You
  45. Questions and Answers
