Enabling Dropbox for Business
•Download as PPTX, PDF•
1 like•608 views
Box has revolutionized how employees can access, share and manage company data and collaborate more effectively. But while the distributive nature of cloud based file sharing makes it invaluable to business productivity, it also adds increased risk of malicious or accidental leakage of business-critical data. Today’s cloud sharing services like Box require a complete rethinking of traditional security practices to ensure proper access control, security, and compliance as corporate assets migrate outside the enterprise boundary into 3rd party cloud apps. Implementing these security practices starts with gaining visibility into how cloud apps are being used by employees, identifying sensitive content and how it is being shared, uncovering risky or anomalous behavior, and proactively enforcing policies to protect against internal or external threats.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Enabling Dropbox for Business
Similar to Enabling Dropbox for Business (20)
Recently uploaded
Recently uploaded (20)
Enabling Dropbox for Business
- 1. • Introduction • Discussion • Demo • Q&A – If you have any questions during the event, please type them into the panel on the right side of your screen. Agenda elastica.net Speaker Santiago Polo Sr. Systems Engineer
- 2. Copyright (C) 2015 Elastica, Inc. Confidential Information. Do Not Distribute! Enabling Dropbox for Business
- 3. Copyright (C) 2015 Elastica, Inc. Confidential Information. Do Not Distribute. Excellent security team and controls in place to protect your data from hackers More and more enterprises are confident trusting their data with Dropbox Can be deployed with a Single Sign-On solution Dropbox for Business is a secure solution Johnny.B.Good •••••••••••••••
- 4. Copyright (C) 2015 Elastica, Inc. Confidential Information. Do Not Distribute. Johnny.B.Good ••••••••••••••• What is not secure… Password-based authentication has inherent limitations Human Nature – intentional or accidental misuse of a valuable tool Even if the tool is secure, organizations need to govern their use of the tool Compliance Risks? Compromised Credentials? Malicious Insiders? Data Governance? Malware Threats? Unsecured BYOD Access?
- 5. Copyright (C) 2015 Elastica, Inc. Confidential Information. Do Not Distribute. No malicious intent just bad practice Determined internal threat Compromised devices or credentials Inappropriate sharing of critical content Broad sharing of data outside of specified groups Moving restricted data between services Sending data to external sources without considering implications Failing to limit collaborators to appropriate groups Disgruntled employee Dishonest Employee Employee leaving to join competitor Terminated employee who still has access Uploading critical data to personal storage Phishing attacks Man in the middle Keystroke loggers Stolen device Stolen credentials Socially engineered theft Threat Vectors 12%7%80% Aberdeen Group report SaaS Data Loss — The Problem You Didn’t Know You Had (2014)
- 6. Copyright (C) 2015 Elastica, Inc. Confidential Information. Do Not Distribute. Zeus-style malware hidden under user https session Illegal transactions made. Data stolen and uploaded under https session! No visibility Malware Example Zeus-like Malware targets Cloud Apps
- 7. Copyright (C) 2015 Elastica, Inc. Confidential Information. Do Not Distribute. 7 Who Controls Sharing? Sharing has become democratized (no longer top- down controls) Even file owners no longer fully control how their files are shared Alice shares a file with Bob Shadow Data Bob shares that file publicly without Alice’s knowledge READ WRITE READ ONLY READ ONLY READ ONLY READ ONLY READ ONLY READ WRITE READ WRITE READ WRITEREAD WRITE READ WRITE READ ONLY READ WRITEREAD ONLY READ WRITE READ ONLY READ ONLY READ WRITE READ ONLY READ WRITE READ ONLYREAD WRITE READ WRITE READ ONLY READ ONLY READ ONLY READ WRITEREAD WRITE READ WRITE READ ONLY READ ONLY READ ONLY READ ONLY READ ONLY READ ONLY READ ONLY READ ONLY READ ONLY READ ONLY READ ONLY
- 8. Copyright (C) 2015 Elastica, Inc. Confidential Information. Do Not Distribute. Inadvertent Sharing Legacy Sharing Over Sharing Public Shares /“Loose” Shares Inherited File & Folder Permissions Forgotten Shares Shadow Data former staff freelance contractor media contact with access to master “marketing” folder
- 9. Copyright (C) 2015 Elastica, Inc. Confidential Information. Do Not Distribute. files stored in the cloud per user (average) All Company 68% files per user are broadly shared (average) External 19% 13% Public contain compliance related data PII 56% 29% PHI 15% PCI 20%of these files 2037 185 5% of users responsible for 85% of risk! Shadow Data
- 10. Copyright (C) 2015 Elastica, Inc. Confidential Information. Do Not Distribute. Bob Shared Payroll.docx with Alice But it’s not that simple Alice is an External Collaborator Using Dropbox From an Unmanaged Device The File Contains PII Risk From an Anomalous Location Required Granularity of Visibility and Control
- 11. Copyright (C) 2015 Elastica, Inc. Confidential Information. Do Not Distribute. Relies on outdated perimeter concept Does not understand cloud app activity at a granular level Is not context aware Many times ignores encrypted traffic Assumes links are safe Traditional Security Approaches Fall Short Traditional Company Environment ?
- 12. Copyright (C) 2015 Elastica, Inc. Confidential Information. Do Not Distribute. Gaining Visibility into Cloud Apps Gateway front door back door
- 13. Copyright (C) 2015 Elastica, Inc. Confidential Information. Do Not Distribute. StreamIQ™ Deep visibility into encrypted cloud traffic Extracts all cloud service objects and activities (upload, download, share, delete) Understands internal vs. external collaborators ContentIQ™ Machine learning, semantic analysis, natural language processing, etc. used to provide accurate file classification and risk assessment (PII, PCI, HIPAA, Source Code, etc.) Use the above in policy to easily alert, block, or remediate ThreatScore™ Dozens of machine learning models run per-user against StreamIQ™ events to tease out weak signals indicating compromise, intentional malicious activity, or accidental risky behavior Never before possible at this scale 100’s of thousands of users harnessing the power of the cloud Data Science Enables File Sharing in the Cloud
- 14. Copyright (C) 2015 Elastica, Inc. Confidential Information. Do Not Distribute. StreamIQ™ Event Extraction & Recording Applying Data Science to Analyze User Behavior
- 15. Copyright (C) 2015 Elastica, Inc. Confidential Information. Do Not Distribute. Applying Data Science to Analyze User Behavior a unique graph for each individual What happens when suspicious activity occurs? deviation Analyze User Behavior
- 16. Copyright (C) 2015 Elastica, Inc. Confidential Information. Do Not Distribute. Applying Data Science to Analyze User Behavior given based on severity of suspicious activity ThreatScore™ deviation Dynamically Assign ThreatScore™
- 17. Copyright (C) 2015 Elastica, Inc. Confidential Information. Do Not Distribute. ContentIQ™ — Classifying the data ContentIQ™ ? ? ? ?
- 18. Copyright (C) 2015 Elastica, Inc. Confidential Information. Do Not Distribute. Minimize False Positives ContentIQ™ — Classifying the data
- 19. Copyright (C) 2015 Elastica, Inc. Confidential Information. Do Not Distribute. Data Science PoweredTM Cloud App Security Elastica GW Cloud APIs FW Logs Elastica CloudSOC™ Business Readiness Rating™ ThreatScore™ Content Classification Granular Cloud Usage PII PCI PHI Source Code StreamIQ™ Machine Learning Semantic Analysis Natural Language Processing Graph Theory Data Science Powered™ Cloud App Security
- 20. Fully understand how files are being shared in your organization Quick and Easy – setup in minutes. Start seeing results in a couple hours! Expose risky content and develop policy/coach users Find PII, PCI, HIPAA, Encrypted/Compressed Files, Source Code and more Drill down on risky behaviors and perform immediate incident response Find compromised user accounts, suspicious behavior, malware Get your Shadow Data Risk Assessment from your local Elastica team today! Visit us to learn how you can find risks and protect critical content in your file sharing apps. elastica.net Enabling Dropbox for Business
Editor's Notes
- Welcome everyone and thanks for joining today’s webinar on enabling Dropbox for Business. As Martin mentioned Today we’ll cover a few topics on some of the challenges we see around securing Dropbox for enterprise use, how we here at Elastica address these challenges, and we’ll do a brief demo. As Martin mentioned, your questions are welcomed, so please type those into the question field to the right of your screen in the GoToWebinar control panel.
- So let’s begin by stating that Dropbox for Business is a secure solution. The intention of this presentation is NOT to position Dropbox as a super-high-risk file sharing service and scare you into avoiding it. The fact is Dropbox has an excellent security team, and they have great security features, and they give you great controls to protect your data. I think their customers would agree with this by and large. Since Dropbox offers you an enterprise grade platform for storage and file sharing services, this is one less thing you have to worry about. One item you may want to consider is securing this using a single sign-on solution to authenticate your users regardless of where they’re coming from. Even with these two things in place, there are still some areas we need to cover. As many breaches have proven, user name and password is not enough! CLICK STOP However, there are some challenges here, and some elements we should look at that are not secure. To start, if you’ve read any news about many of the security breaches over the past couple of years, you already know the limitations of password-based authentication, but beyond this, you also have the human nature element, where either intentional or even accidental misuse of this great tool can result in unintended exposures. One of the things you have to worry about is using an application that’s secure, using enterprise grade, second thing is use a single sign on solution to authenticate regardless of where they’re coming form. But even with these two things in place there are still some areas that we need cover for. User name and password is not enough. door / build access panel Compliance Risks? Compromised Credentials? Malicious Insiders? Data Governance? Malware Threats? Unsecured BYOD Access? door / build access panel Compliance Risks? Compromised Credentials? Malicious Insiders? Data Governance? Malware Threats? Unsecured BYOD Access?
- There are some challenges here, and some elements we should look at that are not secure. To start, if you’ve read any news about many of the security breaches over the past couple of years, you already know the limitations of password-based authentication, but beyond this, you also have the human nature element, where either intentional or even accidental misuse of this great tool can result in unintended exposures. This causes us to look at our risks differently. Do we have compliance risks now? What happens in the case of compromised credentials or malicious insiders? Or with BYOD scenarios? Let’s take a look at some of these cases. door / build access panel Compliance Risks? Compromised Credentials? Malicious Insiders? Data Governance? Malware Threats? Unsecured BYOD Access?
- So there are three main threat vectors to think about… The first and most prominent threat vector is that of user error! *CLICK* Lots of people focus on compromised credentials, there’s also a lot of accidental sharing. A study last year discovered that 80% of the data loss in these SaaS applications like Dropbox were due to user mistake! The user had no malicious intent, they just clicked the wrong place, or publicly shared sensitive files just to make things easier for themselves or others. *CLICK* The second threat we see is the determined insider threat. This might be a disgruntled, or dishonest employee, or someone who’s leaving the company to join a competitor. This is now intentional mis-use by someone who has access. *CLICK* The third threat we see is that from a compromised credential. This of course, is the story that always makes the news and usually has dire results. This is usually the result of malware or social engineering efforts. Let’s take a look at this. *CLICK*
- So let’s take a quick peek at an example of hijacked or malware scenario. Let’s take a look at our Dropbox user here who ordinarily visits Dropbox to view or share files, but today things are different. Unfortunately, his machine has been infected with a zeus-like trojan that targets cloud apps. Now the user makes his requests to dropbox, and our next gen firewall, IPS systems, and URL filtering systems are perfectly happy to allow him to do this, since he’s allowed to go there. Unfortunately, since this traffic also SSL encrypted, they may not detect the malware signaling or the fact that his Dropbox session is now being hijacked. The malware in this case is now using the hijacked account to share these files with users outside of the corporate domain. Lots of questions remain outstanding here. What files were touched? What did the compromised machine do when it was logged in to Dropbox? Were files deleted, shared, exposed, downloaded? Hmm.
- So to expand on this, lets take a look at the other case. The non-malicious user who’s simply oversharing. So let me ask you this question: Do you remember back in the day when we had file sharing within our data center? We’d build a file server, and the IT admin or domain admin had full control over who had access to that file server and what could be shared with whom. When we work with applications like Dropbox, for all the wonderful things it brings us, it now also brings us the question of who controls sharing? Sharing has become democratized now, where you’re putting the controls in the hands of the user. Even file owners no longer fully control how their files are shared. *CLICK* Let’s look at this example where Alice shares a file with Bob, *CLICK* and then Bob decides to share the file with two friends. And they share with their friends, and so on, and so on, and so on. From here things get very complicated because permissions, control, file ownership, all get a little confusing. This is an example of what we call shadow data, or shadow IT. You’ll likely hear me use this term again.
- With this in mind, let’s take a look at a couple of other examples of those unintentional shares in more detail: First we have the oversharing scenario, where users will share files publicly to make things easier for themselves or others. It’s super easy to just click that button there that says “Anyone with the link” The second case here is where users will inadvertently share an entire folder of files, which then assigns those sharing permissions to all the files within it. Or, also inadvertently sharing files with collaborators that may be outside the corporate domain. For example, I wanted to share this presentation with my coworker Nick yesterday, and when typing in his name, it auto-populated another Nick at another company! I almost clicked the “Share” button before I caught the error. The third case here is legacy sharing. How many of you have former staff members that may still have access to their dropbox accounts? Or Freelance Contractors who haven’t been here for years? Or worse, folders being shared with folks that we’ve simply forgotten about. These are more Shadow Data cases where we absolutely risk exposure.
- So let’s take a look at the stats here: From data we’ve collected on our own customers that we’re monitoring, we see that the average user stores about 2037 files in cloud based storage accounts. *CLICK* Of these files on average about 185 of these are shared broadly. *CLICK* These may be public or externally shared or just shared with the whole company. If we take a look at those 185 files that are shared broadly, about 20% of these contain sensitive data! (PII, PHI or PCI) If we go back and look at it from perspective of which users are doing this, we see that 5% of our users are responsible for 85% of the risk exposure. So who are they? What are these files? Where are they? And how do we remediate this? As it turns out, we can solve these, problems, but we need the right tools. Manual remediation would take us lengthy amounts of time to resolve, but automated tools, can resolve this in seconds. So let’s take look at how we can do this. Average number of files per user 2037 About 9% broadly shared (company-wide, external or public) 20% of these contain compliance-related data! Average time to remediate risk exposures: Manual: 67 minutes per user Automated: 16 seconds per user (1/251)
- First let’s take a simple use case: Bob shares a file with Alice using Dropbox. If you’re using traditional tools like NGFW, IPS, or URL filtering, this is about all you’d see. Bob connected to Dropbox. But that’s not the entire story here. To have good visibility and control, you also need to know that 1. He shared it from an unmanaged device 2. He made Alice an external collaborator 3. The file contains sensitive information 4. The file was accessed from an anomalous location. but it’s no that simple
- The traditional tools, Next Gen Firewall, Proxies, DLP’s, these fall short since they’re primarily focused on data within your perimeter. This data is now outside your perimeter where these tools don’t understand this concept of application activity at a very granular level. Frequently these tools will also ignore SSL encrypted traffic and assume that the links are all safe, since when files are shared as links, there’s simply no content to inspect here. These tools may also not be context aware, meaning it’s not possible to tell if Alice is internal or external, or whether the context of keywords within a file constitute an exposure or not. Where does this leave us? Exactly. We don’t know. So how do we resolve this. NGFW/Proxies/DLP 1. Relies on outdated Perimeter concept • Doesn’t see the traffic from Mobile Devices 2. Does not understand cloud app activity at a granular level • Cannot detect sharing actions vs. uploads and downloads 3. Is not context aware • Cannot determine whether Bob is an internal or external collaborator • Does not understand the structure of the file to validate risk 4. Many times ignores encrypted traffic 5. Assumes links are safe • When files are shared as links there is no content to inspect
- First, here’s our administrator, who would like to have better visibility and control over his dropbox users who can be anywhere. CLICK CLICK Some may be in the office on managed corporate laptops, some may be on unmanaged BYOD style devices on a park bench or at a coffee shop. We start by steering this traffic through what we call our Elastica Gateway, which is a transparent forward proxy. The Elastica Gateway is now in line, in the flow of this Dropbox traffic, monitoring traffic as it comes through the the front door. But this isn’t enough, since we also have users who may not be going through our corporate network, and we’d still like to view activities and files that are being shared, or even view the contents of these files. For these we use an API that reaches directly into the application. Both these methods give us visibility and control into the cloud applications such as Dropbox, and allow us to create policy. Now that you know how we’re seeing the activity, let’s take a look under the hood and see how we apply data science to analyze user behavior.
- As it turns out, the best and only way to properly address these challenges is through Data Science. At Elastica, we’ve developed security methods that allow us to re-gain visibility and control of these applications. The engines we use are Data Science powered, and I’ll explain what this means, but in short there are three key elements we’ll look at here: StreamIQ, which is observing user activity within these applications in very fine detail, ContentIQ which is inspecting the content of files and monitoring risk exposure, and ThreatScore which is profiling user behavior. These technologies allow us to monitor and control activity at a scale that was never before possible! Let’s take a look at an example of how this works. First, we have StreamIQ which is observing in very fine detail every click the user makes within each cloud-based application you choose to monitor. From StreamIQ we get deep visibility into encrypted cloud traffic we wouldn’t see otherwise, extracing all cloud service objects and activities - upload, download, share, delete, internal vs. external collaborators. We pair this with our ContentIQ engine, which is inspecting the content of files that have been stored on these services to detect sensitive information. Natural language processors identify and understand context of various words within files. Next, having data from StreamIQ and ContentIQ, we run dozens of machine learning models per user, to tease out weak signals that may indicate compromise, intentional malicious activity, or accidental risky behavior, we can assign a ThreatScore to profile each individual user’s behavior and assign a risk score to their activity. Seem overwhelming? Fortunately, the benefit of automation is to make life easier, and that’s exactly what we’re doing here. Let’s take a look at an example of how this all works. Granular user activity analysis StreamIQ™ Deep visibility into encrypted cloud traffic Extracts all cloud service objects and activities (upload, download, share, delete) Understands internal vs. external collaborators Per-User ThreatScore™ Calculated Dozens of machine learning models run per-user against StreamIQ™ events to tease out weak signals indicating compromise, intentional malicious activity, or accidental risky behavior Never before possible at this scale (100’s of thousands of users) – harnessing the power of the cloud Deep Content Inspection ContentIQ™ Machine learning, semantic analysis, natural language processing, etc. used to provide accurate file classification and risk assessment (PII, PCI, HIPAA, Source Code, etc.) Use the above in policy to easily alert, block, or remediate
- FIRST: Let’s look at event extraction and recording. Alice here is going to Dropbox. The StreamIQ engine monitors her session and records every activity she performs. This includes things like what folders she views, who she collaborates with, what browser she uses, what geographical location she logs in from, this is deep visibility into encrypted cloud traffic in very fine details. NEXT. Granular user activity analysis StreamIQ™ Deep visibility into encrypted cloud traffic Extracts all cloud service objects and activities (upload, download, share, delete) Understands internal vs. external collaborators Per-User ThreatScore™ Calculated Dozens of machine learning models run per-user against StreamIQ™ events to tease out weak signals indicating compromise, intentional malicious activity, or accidental risky behavior Never before possible at this scale (100’s of thousands of users) – harnessing the power of the cloud Deep Content Inspection ContentIQ™ Machine learning, semantic analysis, natural language processing, etc. used to provide accurate file classification and risk assessment (PII, PCI, HIPAA, Source Code, etc.) Use the above in policy to easily alert, block, or remediate
- NEXT: Now that the first step is complete, we analyze the user behavior we saw previously. This detailed data from StreamIQ is analyzed to establish a baseline of what normal behavior is for alice. A unique graph is established for each individual user. Once the baseline is established, now we can look for anomalies. So now the question is , what happens when the user deviates from the norm and we begin to see suspicious activity? Granular user activity analysis StreamIQ™ Deep visibility into encrypted cloud traffic Extracts all cloud service objects and activities (upload, download, share, delete) Understands internal vs. external collaborators Per-User ThreatScore™ Calculated Dozens of machine learning models run per-user against StreamIQ™ events to tease out weak signals indicating compromise, intentional malicious activity, or accidental risky behavior Never before possible at this scale (100’s of thousands of users) – harnessing the power of the cloud Deep Content Inspection ContentIQ™ Machine learning, semantic analysis, natural language processing, etc. used to provide accurate file classification and risk assessment (PII, PCI, HIPAA, Source Code, etc.) Use the above in policy to easily alert, block, or remediate
- SIMPLE: We dynamically assign a ThreatScore. CLICK Once the deviations are detected, these are examined and assigned a score. Modeling is performed to determine the risk of these deviations, and even weak signals, or what would be seemingly low-level anomalies can add up to a higher risk score when looked at in context. CLICK Now that we’ve identified a risky behavior, we can take action. Lock out the device from accessing Dropbox, lock him out of all services, log the user out of single sign on, email an administrator, text an administrator, open a trouble ticket, etc. The best part here is that all of this is automated, so less work for you. Granular user activity analysis StreamIQ™ Deep visibility into encrypted cloud traffic Extracts all cloud service objects and activities (upload, download, share, delete) Understands internal vs. external collaborators Per-User ThreatScore™ Calculated Dozens of machine learning models run per-user against StreamIQ™ events to tease out weak signals indicating compromise, intentional malicious activity, or accidental risky behavior Never before possible at this scale (100’s of thousands of users) – harnessing the power of the cloud Deep Content Inspection ContentIQ™ Machine learning, semantic analysis, natural language processing, etc. used to provide accurate file classification and risk assessment (PII, PCI, HIPAA, Source Code, etc.) Use the above in policy to easily alert, block, or remediate
- That’s fine for file sharing, and threats, but what about identifying content of files? Traditional DLP already presents certain challenges with even seeing traffic when using SSL, and further, traditional DLP will typically depend on regex values, and be ignorant of context. This can lead to blind spots and false positives. 17 Elastica’s ContentIQ engine applies semantic analysis and natural language processing to not only identify keywords within files, but the context of those keywords. This in turn, leads to accurate file classification and risk assessment. Once you have this, you can use policy to easily alert, block or remediate.
- Let’s take a look at a typical example of what i mean here: If you look closely at these three documents, any of us on this call could pretty easily determine that the one on the left is a patient health record containing personal information, the one in the middle is a doctor’s resume, and the one on the right is source code. A traditional DLP, however, might identify all three of these documents as containing Public Health Information content because they all happen to contain keywords that trigger it’s regular expression engine. Not so with Elastica! Since the ContentIQ engine understands natural language and context, it easily classified these documents properly and without false positives, leaving you more time to work on the more important things.
- So to recap here, the Elastica CloudSOC is all about generating meaning to the data. We gather this data from API’s and the Elastica Gateway and even firewall logs, and apply data science to provide very granular visibility via the StreamIQ engine, identify content and risk using the ContentIQ, and identify suspicious behavior using the ThreatScore engine. And we then use this information to apply policy to safely enable these applications. At this point, We’re very proud to show you the Elastica CloudSOC, applying all these tools I’ve mentioned. We’re going to jump to a demo now where you’ll get to see this technology in action.
- Now that you’ve seen this, I hope we’ve been able to answer your questions about safely enabling Dropbox. We would love to ask you to give Elastica a try. Setting up an evaluation literally takes about 5 minutes, requires no hardware or software, and you can start gaining visibility into your Dropbox for Business accounts very quickly. To get started, please contact your local sales team, or contact us directly here at Elastica to set up an evaluation today. Thanks, and we’ll look forward to seeing you on our next webinar!