Raleigh ISSA: "Optimize Your Data Protection Investment for Bottom Line Results" by BEW Global


Raleigh ISSA February 2013 presentation by Robert Eggebrecht, President and CEO, BEW Global. Topics: DLP

  • No IT/IS/PMO coordination – treating DLP like an install rather than a project.
  • No project mgmt… no project team…
  • Treating DLP like a less powerful and invasive tool…
  • User MRN / Healthcare, banking and account number, and State Data Privacy examples.

    2. DATA LOSS PREVENTION EXPERTISE
       • Providing DLP since 2002
       • Completed 500+ assessments
       • Deployed 400+ DLP projects
       • Manage 40+ DLP solutions in 22 countries
       • Provide daily management of 1,000,000+ users globally
       QUICK FACTS
       • Symantec Master Specialization DLP Partner
       • RSA's only authorized managed DLP partner
       • 1st managed DLP services provider (2008)
       • Localized Chinese DLP practice (2011)
       • Global support in 130 countries
       • Data mining, custom policies, & scripting
    3. MARKET EVOLUTION - 2005/2006 GARTNER RESULTS
       • BEW Global forms partnership with Vericept in 2002. At the time of this report, BEW had 38 deployments of Vericept in the US and UK.
       • BEW Global and Vontu form a partnership. BEW Global is the first Vontu reseller.
       • Vidius changes name to PortAuthority and accelerates product development and US presence.
       • Reconnex enters market with forensics approach.
    4. MARKET EVOLUTION - 2007 GARTNER RESULTS
       • Websense acquires PortAuthority. ($80M)
       • Trend Micro acquires Provilla, October 2007.
       • Raytheon acquires Oakley Networks, October 2007.
       • Tablus touted for exceptional data-at-rest capabilities. “Grid Worker”
    5. MARKET EVOLUTION - 2008 GARTNER RESULTS
       • Vontu acquired by Symantec. ($350M)
       • Tablus acquired by RSA. ($40M approx.)
       • McAfee acquires Reconnex for network DLP ($46M) and Onigma ($20M) for host DLP.
       • Verdasys and Fidelis announce strategic partnership.
    6. MARKET EVOLUTION - 2009 GARTNER RESULTS
       • CA acquires Orchestria, January 2009.
       • GTB struggles to gain a significant customer base.
       • Palisade Systems and Code Green Networks target SMB DLP market.
       • Workshare late entry into DLP market lacks functionality.
       • Vericept acquired by Trustwave.
    7. MARKET EVOLUTION - 2010 GARTNER RESULTS
       • Symantec releases 10.5 and DataInsight to enhance DAR capabilities.
       • RSA releases 8.0 with enhanced endpoint capabilities. Strategic partnership with Varonis.
       • Websense releases 7.5 with upgraded management interface. Claims DLP in 30-minutes….
       • McAfee releases 9.0 with greater integration with network and host DLP into ePO console.
    10. BEW GLOBAL METHODOLOGY
       • Risk Assessment
       • Phases: ASSESS, QUANTIFY, IMPLEMENT, OPTIMIZE, REVIEW
       BEW GLOBAL'S CORE DIFFERENTIATORS
       • Methodology based on the cornerstones of ISO Plan-Do-Check-Act
       • Leverage our proven Quality Management System (QMS) to drive continuous improvement
       • Reduce risk and increase operational efficiencies
    11. USE CASE: DLP PRE-PROJECT STATE
       • Organization Overview: Medical Device & Pharmaceutical Manufacturer, 40,000 employees globally
       • DLP Scope: Protection of Intellectual Property (General)
       • DLP Primary Issue: Customer overwhelmed with inaccurate incident data, no meaningful information
       • Application Management: Operated and managed by IT Security with limited input from business.
       • Policy Governance: Failure to use a lifecycle software development process for policy construction
       • Incident Triage: Infrequently reviewed by IT with little to no review by business owners.
       • Event Management: Hard to accomplish due to large # of false positives. No “gold nuggets.”
       • Reporting and Metrics: Zero customized reports. No relevant business analysis provided.
       • Status: System generates 25,000 incidents/day / 750,000 incidents/month
    12. APPLICATION SUPPORT & INTEGRATION
       • Primary System DLP Management = Human Resource / Expertise Requirements
       • Integrated System Management = Cross Department Collaboration Processes
       • Health Check & System Validation Management = System Resource Requirements
       • Vendor Management = Primary and Integrated Technology Vendor Relationships
    13. POLICY & RULE GOVERNANCE
       • Who requests rules & policy requirements?
       • Are business owners engaged?
       • Is there a process to relay production policy metrics to stakeholders?
       • Who reviews rule requests?
       • Criteria for approved rule?
       • Who's responsible for converting a rule into technical policy?
       • Do they have technical policy authoring expertise?
       • What's the process for converting a rule request into a policy?
       • What is the formal policy development process?
       • First drafts rarely work as expected!
    14. WORKFLOW DEVELOPMENT & MANAGEMENT
       • Who develops & manages policy “buckets”?
       • False positive, inbound partner, outbound employee; Malicious, Inadvertent, Suspicious, above threshold.
       • Who defines thresholds that determine response rules for each “bucket”?
       • Are 10 SSNs a high, medium or low severity incident?
       • Who designs & sets the policy response triggers?
       • Who's responsible for building alerts, alarms & notifications?
       • Triage response options: Human notification, System notification (auto), Hybrid?
       • Who manages the DLP policy & rules repository?
       • Why recreate the wheel?
       • Has business been engaged on event management?
    15. INCIDENT TRIAGE & EVENT MANAGEMENT
       • Who reviews volume & yield of incidents & events?
       • What's the review frequency?
       • What metrics are developed to measure success of rules & related policy?
       • Who's responsible for developing metrics?
       • How are events/incidents routed?
       • Who owns the incident/event?
       • Revision of rules based on quality of policy results.
       • Who manages policy optimization process?
       • How does DLP fit in overall incident/event management process?
       • Can this be mapped to DLP system?
       • How will integrated systems be tied together to yield valued info?
       • Secure mail, web gateway, GRC, SIEM
    16. BUSINESS ANALYTICS
       • Who drives report requirements? Requestors, Reviewers, others?
       • Who develops reports?
       • Do they have the expertise with 3rd party reporting tools?
       • Are DLP system generated reports adequate?
       • Are the metrics valuable & driving meaningful change?
       • Report accuracy tied into QA process?
    17. APPLICATION MANAGEMENT PITFALL: Inadequately Trained Infrastructure Resources
       Inadequate Planning & Resources
       • Problem: Current IT infrastructure management is often inadequately trained for planning, deployment and ongoing operational management of the DLP operation system. (Oracle vs. SQL, etc.)
       • Solution: Better internal planning & cross-functional involvement, in addition to outsourced 3rd party management of an on-premise solution or fully managed cloud-based delivery. This provides you with instant expertise, reducing the need for staffing and providing higher availability.
    18. POLICY GOVERNANCE PITFALL: No Plan of Attack
       Inadequate Planning & Resources
       • Problem: A survey of 50 DLP customers in 2010 said 83% of firms did not consider the overall DLP system cycle & the necessary resources for optimal system usage prior to solution acquisition. Inadequate or lack of resources leads to poor policy construction & unmanageable incidents.
       • Solution: A well thought out DLP scope with a supporting policy governance process that is VERY inclusive of business unit input as well as involvement with the triage & event management process. There must be people budgeted for any DLP project as well as preparation for business unit buy-in.
    19. POLICY GOVERNANCE PITFALL: Failure to Engage the Business
       Stuck in the IT Department
       • Problem: A survey of 50 DLP customers in 2010 said 76% of firms stated the DLP system technical management & daily operations were the responsibility of a group directly involved with IT. In these cases it is very rare to find heavy involvement from business owners directly involved with the creation & usage of the data targeted for protection.
       • Solution: Designation of a primary business owner of the DLP solution, in conjunction with technical management, is the best recipe for success on the front-end planning phase of the project. Without direct & serious involvement from the business, it is very likely that the entire DLP will never get more than mediocre results.
    20. POLICY GOVERNANCE PITFALL: Lack of Rule Customization
       Inaccuracy of Out-of-Box (OOB) Policies
       • Problem: Organizations rely on OOB policies as the primary detection criteria for their DLP scope. In many cases data identifiers in OOB policies may never capture unique attributes of an organization's information targets, yielding a combination of false positives and false negatives which lead to an unmanageable incident yield.
       • Solution: Prior to enabling ANY managed production policies, it is highly recommended to select one primary data criterion on which to focus initial efforts. Once agreed upon, use business process mapping to capture how the data is used and stored, obtain examples, and then construct policies based on the collected data.
    21. DATA-IN-MOTION PITFALLS: Missing the Target – False Sense of Security
       • Mis-configured Tap or Port Span
         Problem: Missing segments of network traffic or protocols.
         Solution: Comprehensive test plan that maps to in-scope business processes and related data types transmitted from various network locations to ensure all relevant data streams are being captured.
       • Encryption – The Masked Data
         Problem: Analysis of data DID not take place prior to encryption.
         Solution: Comprehensive test plan that proves ALL DLP data assessment takes place prior to the gateway encryption & implement managed “test” DLP policies that identify encrypted transmissions as part of the test plan.
       • Misfire of Network Discovery Scans
         Problem: Locations of sensitive data never targeted by the organization for scanning due to lack of an effective policy governance process.
         Solution: Identify potential data stores by discussing the DLP program with staff to understand process.
       • Network versus Endpoint Discovery
         Problem: Running DAR scans using a combo of network & endpoint without thinking about which policy types & detection methods are not the same.
         Solution: Prior to acquiring DLP solution, have an understanding of the data types that make up your target environment & then, decide on scanning method.
    22. DATA-IN-MOTION (ENDPOINT) PITFALLS: The Pandora's Box of DLP
       • Environment Assessment
         Problem: No rigorous endpoint environment assessment prior to the selection of the application & enablement.
         Solution: Address age of environment, performance capabilities, technical & human issues, & load of applications, in conjunction with education on the DLP endpoints.
       • Staying in Contact
         Problem: Failure to monitor endpoint population & their frequency of “checking-in” to the management server with validated results.
         Solution: Phased deployment of endpoint with validation via test plan on initial success of ALL agents & on-going endpoint agent health reports.
       • User Performance Impacts
         Problem: Implementing same policies for network based & endpoint assessments without testing or modification.
         Solution: Utilize a comprehensive test plan outlining specific metrics (time to open files, open/send emails, open applications) prior to deployment.
       • Network/System Performance Impacts
         Problem: Failure to calculate & measure the impact of endpoint policy traffic across wide & local area network connections.
         Solution: Thorough assessment of endpoint policies that addresses all of the concerns including policy design requirements, timing, frequency & delivery methods.
    24. USE CASE – POST PROJECT STATE
       • Organization Overview: Medical Device & Pharmaceutical Manufacturer, 40,000 employees globally
       • DLP Scope: Focused on 3 specific product lines linked to highest revenue & earnings
       • DLP Primary Goal: Identification of unauthorized movement of specific elements of IP
       • Application Management: Operated by a combination of IT, messaging & desktop management teams
       • Policy Governance: 100% customized policies based on data collected from business unit
       • Incident Triage: Daily review of incidents by Information Security
       • Event Management: Incidents meeting severity criteria routed to business unit for investigation
       • Reporting and Metrics: Behavioral pattern analysis leading to preventive actions
       • Status: R&D teams have high-level of confidence in ability to identify leakage of IP.
    25. BEW GLOBAL SALES CONTACT
       Cole Harter, Regional Account Manager, 720.775.6984 | charter@bewglobal.com
       • BEW GLOBAL HQ: 5613 DTC Parkway, Suite 810, Greenwood Village, CO 80111, USA; (ph) +1 720 227 0990; (fax) +1 720 227 0984; www.bewglobal.com
       • BEW GLOBAL EMEA: 3 Albany Court, Albany Park, Camberley GU16 7QR, England; (ph) +44 (0) 845 481 0882; (fax) +44 (0) 871 714 2170; www.bewglobal.com
       • BEW GLOBAL APAC: 520 Oxford Street, Level 23, Tower 1, Bondi Junction, Sydney 2022; (ph) +61 (2) 9513 8800; (fax) +61 (2) 9513 8888; www.bewglobal.com