This document discusses data loss prevention (DLP) systems and solutions. It outlines key challenges in securing confidential data, including identifying where data is stored and located, monitoring where data is going, and enforcing data security policies. The document compares several DLP vendors and their solutions for discovering and protecting data at rest and in motion. It also provides examples of common data security incidents and evaluates risks to prioritize data types for protection. Overall the document promotes DLP systems as an important tool for securing organizations' confidential and regulated data.
2. Scope
Business Problem and Requirements
Data Loss Prevention (DLP) Solutions
Proposed Solution
Vendor Comparisons and Architecture
Company implementation & Conclusion
8. ID Theft Tops FTC's List of Complaints
• For the 5th straight year, identity theft ranked 1st of all fraud complaints.
• 10 million cases of identity theft annually.
• 59% of companies have detected some internal abuse of their networks.
5. Top 10 Most Frequent Incidents
1. Patient PHI sent to partner, again, and again
2. Employee 401k information sent outbound and inbound
3. Payroll data being sent to home email address
4. Draft press release to outside legal counsel
5. Financial and M&A postings to message boards
6. Source code sent with resume to competitor
7. SSNs… and thousands of them
8. Credit card or account numbers… and thousands of them
9. Confidential patient information
10. Internal memos and confidential information
7. Data Loss Prevention
Three Key Customer Challenges
1. Where is my confidential data stored? – Data at Rest
2. Where is my confidential data going? – Data in Motion
3. How do I fix my data loss problems? – Data Policy Enforcement
8. Why Data Loss Prevention is a Priority
• Compliance
• Brand and Reputation Protection
• Remediation Cost
The Risk
• 1:400 messages contain confidential information
• 1:50 network files are wrongly exposed
9. Unified Data at Rest and Data in Motion Protection
Intellectual Property
Source Code
Design Documents
Patent Applications
Patient Data
Employee Data
Corporate Data
Social Security Numbers
Non-Public Information
Credit Card Numbers
Social Security Numbers
Employee Contact Lists
401K and Benefits Info
Financials
Merger & Acquisitions
Strategy and Planning
10. Discover and Protect Confidential Data at Rest
1. Define Confidential Data Policy
2. Run Scan and Discover Exposed Data
3. Enforce Policy by Automatically Protecting Files
4. Remediate Incidents
5. Report on Risk and Compliance
11. Monitor and Prevent Confidential Data in Motion
1. Employee Sends Confidential Data
2. Vontu Detects or Prevents Incident
3. Vontu Notifies Employee
4. Vontu Workflow Automates Remediation
5. Report on Risk and Compliance
15. Data Loss Prevention Data Insight
The majority of your data exists as unstructured files located on file servers. Analysts predict the growth of unstructured data to continue at over 60% per year, and in many organizations it accounts for more than 80% of all data.
• Content-aware discovery to scan and find the data you have identified as sensitive.
• Identify who owns the data.
• Discover file shares that suffer from overly permissive access rights and are therefore at risk of incursion.
Data Insight gives you insight into usage patterns and access permissions [2].
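The two Data Insight tasks named above (finding overly permissive shares and working out who actually owns the data) as an added Python example; this is not Symantec's or Data Insight's code, and the share inventory, ACLs, account names and audit events are all constructed.

```python
from collections import Counter, defaultdict

# Constructed share inventory (not a real environment):
# path -> (owner recorded in file-system metadata, ACL as (principal, right) pairs)
SHARES = {
    "//fileshare/hr": ("DOMAIN\\svc_backup",
                       [("DOMAIN\\HR-Staff", "Modify"), ("Everyone", "FullControl")]),
    "//fileshare/finance": ("DOMAIN\\jsmith", [("DOMAIN\\Finance", "Modify")]),
    "//fileshare/public": ("DOMAIN\\webadmin", [("Authenticated Users", "Read")]),
}

# Constructed access-audit events: (share, user, action).
ACCESS_LOG = [
    ("//fileshare/hr", "DOMAIN\\alee", "write"),
    ("//fileshare/hr", "DOMAIN\\alee", "write"),
    ("//fileshare/hr", "DOMAIN\\alee", "write"),
    ("//fileshare/hr", "DOMAIN\\svc_backup", "read"),
    ("//fileshare/finance", "DOMAIN\\bkim", "write"),
    ("//fileshare/finance", "DOMAIN\\bkim", "write"),
    ("//fileshare/finance", "DOMAIN\\jsmith", "read"),
    ("//fileshare/public", "DOMAIN\\cho", "read"),
]

# Groups that effectively mean "anyone on the network".
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}
WRITE_RIGHTS = {"Write", "Modify", "FullControl"}


def overly_permissive(shares):
    """Flag every ACE that grants a broad group access; write access rates higher
    because it lets confidential data be placed on, not just read from, the share."""
    findings = []
    for path, (_owner, acl) in shares.items():
        for principal, right in acl:
            if principal in BROAD_PRINCIPALS:
                severity = "high" if right in WRITE_RIGHTS else "medium"
                findings.append((path, principal, right, severity))
    return findings


def infer_owners(shares, log):
    """Usage-based ownership: the metadata owner is often a service or admin
    account, so prefer the most frequent writer; fall back to metadata if nobody wrote."""
    writes = defaultdict(Counter)
    for share, user, action in log:
        if action == "write":
            writes[share][user] += 1
    owners = {}
    for path, (meta_owner, _acl) in shares.items():
        top = writes[path].most_common(1)
        owners[path] = top[0][0] if top else meta_owner
    return owners
```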
17. Symantec DLP Overall
• Detection
  a) Described Content Matching
  b) Fingerprinting
     i) Exact Data Matching
     ii) Indexed Document Matching
     iii) Vector Machine Learning
• Group
• Response
  a) Smart Response
  b) Automatic Response
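An added Python sketch, not Vontu or Symantec code, that walks the data-at-rest steps from slide 10 (define policy, scan, report) using two of the detection methods listed here: Described Content Matching as a regex plus a validator, and Exact Data Matching as a hashed index of known records. The file contents, share paths, patient IDs and rule names are constructed for the example.

```python
import hashlib
import re
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Incident:
    path: str
    rule: str
    match: str  # masked, so the incident report does not itself leak the value

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects 13-16 digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(value: str) -> str:
    return "*" * (len(value) - 4) + value[-4:]  # last four only, enough to triage

# Step 1, define the policy. Described Content Matching: a regex plus an optional validator.
DCM_RULES = {
    "us_ssn": (re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"), None),
    "credit_card": (re.compile(r"\b(?:\d[ -]?){13,16}\b"),
                    lambda s: luhn_ok(re.sub(r"\D", "", s))),
}

def edm_index(records):
    """Exact Data Matching index: hashes of the protected values, never the values."""
    return {hashlib.sha256(r.encode()).hexdigest() for r in records}

def scan_file(path: str, text: str, index: set) -> list:
    """Step 2, scan one file with every rule and return the incidents found."""
    found = []
    for rule, (pattern, validate) in DCM_RULES.items():
        for m in pattern.finditer(text):
            if validate is None or validate(m.group()):
                found.append(Incident(path, rule, mask(re.sub(r"\D", "", m.group()))))
    for token in re.findall(r"[A-Za-z0-9]+", text):  # EDM: hash each token, look it up
        if hashlib.sha256(token.encode()).hexdigest() in index:
            found.append(Incident(path, "edm_patient_id", mask(token)))
    return found

def run_scan(files: dict, index: set) -> list:
    return [inc for path, text in files.items() for inc in scan_file(path, text, index)]
def risk_report(incidents) -> dict:
    """Step 5, report: incident counts per rule, the raw input to a risk scorecard."""
    return dict(Counter(inc.rule for inc in incidents))

# Constructed sample share contents and EDM source records (not real data).
SAMPLE_FILES = {
    "//fileshare/hr/payroll_export.csv": "name,ssn\nJ. Doe,123-45-6789\n",
    "//fileshare/finance/orders.txt": "order 1234 5678 1234 5678 paid with card 4111 1111 1111 1111",
    "//fileshare/public/newsletter.txt": "Quarterly newsletter, nothing sensitive here.",
    "//fileshare/research/notes.txt": "follow up on patient PT00042 and PT00099",
}
KNOWN_PATIENT_IDS = ["PT00042", "PT00077"]
```

The decoy order number in orders.txt matches the card regex but fails the Luhn check, which is why a validator belongs next to the pattern.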
27. Alternative Vendors (Comparison)
Vendor: Symantec
Strengths:
• Industry-leading network discovery and endpoint protection
• Supports localization in 16 languages
• Mature deployment methodology
Weaknesses:
• Most expensive enterprise license costs
• Admin Console is not localized (English only)
Vendor: Websense
Strengths:
• Robust on network discovery and endpoint protection
• Supports localization in multiple languages and already has global presence
• Subscription based or perpetual licensing
Weaknesses:
• Most appealing to current Websense clients wishing to leverage existing products
Vendor: RSA (EMC)
Strengths:
• Robust on network discovery
• Provides a broad range of DLP inspection capabilities
• Document fingerprinting content-inspection capabilities
Weaknesses:
• Weak on endpoint protection
• Limited localized detection and support
29. DLP Market Analysis
• Growth of IT-based Healthcare Systems: that's $10 billion in market growth in just five years (clinical information systems, hospital information systems, electronic medical records, picture archiving and communication systems)
• Growth of Software development industry
• BYOD
• Banking & Online payment Systems – PCI DSS
• Government sector
33. Risk Assessment Scorecard
Priority Data
Severity of Loss
Data at Rest
Frequency
HIPAA
Patient Data
High
High
Data in Motion
Risk
High
721 incidents
Frequency
High
Very High
High
256 incidents
High
2178 incidents
Very High
Very High
Medium
78 incidents
9 incidents
Very High
CA 1386
High
Medium
High
Medium
Medium
939 incidents
132 incidents
High
Research
Very High
High
10,178 incidents
Very High
Physician Referral
Risk
High
High
High
624 incidents
24 incidents
High
Severity x Frequency = Risk
High
35. The Bigger Truth
• The iPad has seen great success, but the tablet and mobile device revolution is just getting started. Since business managers see boundless potential, CISOs need to wrap their arms around risk management and security controls as soon as possible. Many security managers believe that DLP is the best logical first step as it not only offers data security, but also aligns with security policies and regulatory compliance requirements.
37. References
[1] Chapter 2 - The Concept of DLP - Monitoring and Blocking Confidential Data | Symantec Connect Community. 2013. [ONLINE] Available at: http://www.symantec.com/connect/articles/chapter-2-concept-dlp-monitoring-and-blocking-confidential-da [Accessed 28 June 2013].
[2] 2013. [ONLINE] Available at: http://eval.symantec.com/mktginfo/enterprise/fact_sheets/b-symc_dlp_data_insight_DS [Accessed 28 June 2013].
[3] Enterprise Endpoint Backup Protection & Availability Druva inSync. 2013. [ONLINE] Available at: http://www.druva.com/insync/ [Accessed 28 June 2013].
Editor's Notes
Here are the notes for the 1st slide
Introduction: Scott
Industry Solution: Angel
Data Loss Example
DLP Industry / Introduction
Establishing data security policy
Identification of Sensitive Data
Data in Motion
Data at Rest
Data at End Points
Leak Prevention
Business Requirements: Scott
What does the business need to accomplish?
Control access to information
Control data transfer and use
Provide review process
Workflow
Solution Parameters: Angel
Feature list / Criteria (General solution)
Policy based controls
Control of saving, printing, emailing, copying
Logging
Quarantine / reprocessing
Monitoring vs. Prevention
Centralized Management
Backup and Storage Requirements
Ease of Integration
Market Presence / Vendor Selection / Proof of Concept
Staffing Needs
Proposed Solution: Koonal
Websense
- Feature Review
- Modules
- Implementation
Pro/cons of this solution
How to implement and deploy WebSense: Wander
Define Policies
Define User Groups
Define data classifications
Solution Architecture
Alternative to vendor solutions: Wander
Conclusion: Wander
(*) You can run through the numbers here.
(*) Key takeaways: Data loss is on the rise, ID theft is becoming a national crisis. Healthcare companies are targets
(*)Costing consumers $5 billion and businesses $48 billion annually.
Terror ties: About 5 percent of identity thieves are tied to terrorist organizations.
Violent crimes: About 15 percent used identity theft to facilitate a violent crime.
Drug trafficking: Drugs were related to at least 15 percent of the cases.
(*) Over 23 States have drafted or approved notification laws
(*) There are over 6 NATIONAL notification laws in House and Senate committees. Most likely a national notification standard will happen this year.
(*) Are you ready?
Shift in Data Security Threats
Up until last year, securing the perimeter from hackers was the #1 privacy and security priority.
2005 changed that.
Over 70 incidents, over 53 million exposed
Cases of ID theft: over 10 million
What is the insider threat?
Vontu Risk Assessment: 96% from inadvertent
Less than 1% malicious
Companies are focusing on new ways to establish and enforce data protection policies.
(*) So what are the most common incidents that happen every day, hundreds of times a day? Any guesses (make a joke about we won’t assume its from your company just because you said it…we’ll go with the “a friend told me” rule here)
(*) Any guesses?
(*) Build the list
NPI - Non Public Information
Objective of Slide
--------------------
Explain what Vontu means by Data Loss Prevention
Understand the prospect's data security priorities, especially as they relate to encryption and access control.
Position “Encryption, Access Control, and Data Loss Prevention” as the three legged stool of Data Security.
Explain how Vontu complements these priorities
Script
-------
Data Loss Prevention is a new class of security software that gives companies insight and control over both data at rest and data in motion. As reported by the analysts and media, in 2006, data security has become the #1 priority for companies. Companies are realizing that network defense is not enough – companies need to protect their data and prevent it from getting outside their organization.
They are putting in place solutions to help them protect both their data at rest as well as data in motion. Solutions like encryption, access control and identity management, and data loss prevention.
Solutions that allow companies to have insight and control over…
Where is my confidential data? (Vontu Discover)
Who has access to it? (Access Control and ID Mgt.)
Where is it going? (Vontu Monitor)
How do you prevent it from leaving? (Vontu Prevent)
Help me understand what you are doing in each of these areas…..
DISCOVERY DISCUSSION around access control, encryption, policy enforcement.
Discuss where they are with each of these initiatives and how Vontu fits as part of this solution.
Objective of Slide
--------------------
Explain what Vontu does
Understand data protection priorities
Discovery
----------
Further discovery on data types
Script
-------
2005 has brought a shift in data security priority. For the first time, the insider threat passed the threat of hackers or intruders as the number one cause of security breaches. Of the 107+ security breaches so far in 2005, over 52% were caused by insiders.
The risk and cost of the insider threat drove the demand for a new class of security software called Data Loss Prevention.
Vontu has software that finds exposed data and stops confidential data loss across all types of data: intellectual property, company confidential information, and customer, employee or patient non-public personal information.
As we just discussed, X, Y, and Z are important to you. What else is important?
Vontu data loss prevention discovers confidential data that is exposed in your network, and monitors and stops confidential and classified information, including customer (civilian) data and intellectual property, from being sent outside the corporate network via email, web, IM and other Internet communications.
The risk of the insider threat includes both data at rest and data in motion.
Let’s look first at data at rest. Why do companies need to protect data at rest? Simply put, data at rest is one click away from being data in motion.
Organizations don’t have an accurate view of where all of their confidential data is stored.
Organizations don’t have a systematic way to evaluate the effectiveness of access control and encryption policies.
Undetected, unsecured data may be accessed by unauthorized employees, leading to data loss incidents.
Proliferation of unsecured confidential data increases the risk of data loss.
Lost or stolen laptops put data and company at risk. (major source of breaches in 2005)
We are all well aware of the challenges of securing data in motion. Employees have ready access to both data and the Internet.
Vontu is the only DLP solution that covers both data at rest and data in motion.
Vontu 6.0 helps Fortune 500 companies and government agencies discover and protect confidential data at rest, monitor and prevent data in motion from wrongful disclosure, and automatically enforce Data Loss Prevention policies. Only Vontu is proven to scale to meet the needs of global organizations across industries and government markets. By reducing the frequency and severity of both inadvertent and malicious data loss incidents, Vontu helps protect a company’s brand and reputation and reduce compliance risk.
Only Vontu delivers on the requirements of business and government leaders and data security teams:
Vontu Discover: Detect confidential data at rest on shared file servers, web servers, desktops and laptops.
Vontu Protect: Quarantine or remove exposed confidential data at rest.
Vontu Monitor: Accurately detect all confidential information over all network protocols including encrypted web traffic (HTTPS).
Vontu Prevent: Stop confidential data loss via email, FTP, HTTP or secure HTTP.
Vontu Enforce: Automatically enforce data security policies with centralized management, remediation and compliance reporting.
Purpose
Educate on How Discover and Protect work so prospect has context for demo slides to follow
Script
We’re going to take a few minutes to go through an example of Vontu Discover and Protect in action. Before we do that, let’s take a minute to make sure you understand how Vontu Discover and Vontu Protect work to secure your data at rest.
First, you use Vontu’s pre-built policy templates and implement your confidential data policies.
Second, you define what you are scanning and how often you want your scans to occur. Vontu Discover is agentless, and as the scans run, Vontu Discover identifies unsecured confidential data exposed on shared file servers, web servers, and individual desktops and laptops.
Next, as incidents are discovered, Vontu automatically enforces your security policies.
Then, your incident responders use Vontu Workflow to remediate the incidents.
Finally, as scans are repeated, you can use Vontu reporting to measure and track your risk reduction efforts over time.
Discovery/Traps
Is part of your data protection strategy to identify and reduce the amount of confidential information on your network?
Isn’t it important for you to partner with a vendor that allows you to reduce risk across both data at rest and data in motion?
Are you doing anything like this today? If so, how? What do you like about it? What could be improved?
Purpose
Educate on How Monitor and Prevent work so prospect has context for demo slides to follow
Script
Data at rest is half the story. For data in motion, people often think it’s malicious insiders, when actually our customers have seen that 95% of all incidents are inadvertent. Meanwhile, according to our most recent data, we have seen about 1 in 400 outbound messages contain confidential information.
Now we’re going to take a few minutes to go through an example of Vontu Monitor and Protect in action. Before we do that, let’s take a minute to make sure you understand how Vontu Monitor and Prevent work to secure your data in motion.
First, an employee sends some confidential data out of the company. It could be over email, or even another protocol, such as IM or HTTPS (as we’ll see in our example).
Second, Vontu detects this incident and according to the policy, also may prevent the message from leaving the company.
Next, as incidents are discovered, Vontu notifies the employee in real-time.
Then, your incident responders use Vontu Workflow to remediate the incidents.
Finally, you use Vontu reporting to measure and track your risk reduction efforts over time.
Discovery/Traps
What protocols are you most concerned with?
CUSTOMER EXAMPLE: Vontu’s Risk Assessment data shows that 27% of incidents happen over the web, 5% FTP and other protocols, and 68% of incidents are over email.
Is your executive management team concerned with reducing incidents over only email or are they looking to reduce the risk of data loss across all business processes?
Do you know what information is leaving your network today? If so, how? What do you like about it? What could be improved?
RSA strength
Support distributed discovery agents
Objective of Slide
--------------------
Get prospect to agree to a risk assessment/evaluation
Drive to a joint Discover/Protect and Monitor RA
Script
-------
How we typically work with our customers is by starting with a Risk Assessment consulting engagement
The goal of the project is to help understand what risk, if any, your company has and how your risk compares to others in our industry.
Deliverables include a risk summary by data type, benchmark comparison, and business case to justify the investment in Vontu
A typical engagement lasts for approximately 48 hours monitoring for a selected site of highly sensitive information over email (http, ftp, and IM can also be monitored)
Vontu professional services team helps to set up the policies and scheduled reports
After the 48 hours of monitoring, we deliver a risk assessment report showing key metrics and statistics of risk, build an overall business case for investing in Vontu and build a preliminary Best Practices solution recommendation (implementation/rollout plan)
This will include:
How much and what type of confidential data is leaking?
Who is leaking data from your company?
What protocols carry the most violations? (email, instant message, etc)
What compliance regulations are being violated?
What is <COMPANY>’s overall risk profile compared to industry averages
What effort is required to implement the solution?
What business processes are needed and what effort is required to operate?
What is the net value and benefit of the solution?
IF RA INCLUDES DISCOVER
Highlights vulnerabilities of information and people
What is posted where it should not be
Who has access to information they should not
Who has access to high value information
How effective is your access control
Prioritization of data security and education efforts
What we ask of your company is a Dedicated Project Manager, Remediation team with defined process, Access to executive decision making team, Access to your network.
Who else would it make sense to include in Risk Assessment process?
Explaining the Scorecard
-------
Risk is defined as frequent exposure to possibly damaging events.
This is an example of one of the deliverables from the Risk Analysis
The first part of this process was to Interview the customer for severity of impact for data type.
Then, in the pilot we went to a direct measurement of the frequency of exposure.
The assessed risk is a function of frequency of exposure and severity.
So for example, in this case, even a medium frequency of exposure of a highly severe impact scenario like M&A plans going to an unauthorized destination is a very high risk.