Data leakage prevention EN Final

Zdravko Stoychev, CISM CRISC

10th regional Information Security and Storage conference
“The New Cross-Section”, Sep 28th, 2011 – Sofia, Bulgaria

10th regional conference Information Security and Storage, 2011 – Sofia, Bulgaria 1

The need of new skills

What a DLP system is?

To DLP or not to DLP? – Questions, Risks, Outcomes

Examples – Business needs, Insider threats, Implementation

Questions


“Ab ovo (usque ad mala)”
- From the beginning to the end


RSA appoints its first CSO
» EMC’s security division RSA has plucked its first chief security officer (CSO) from NetWitness,
the company it acquired shortly after admitting it was hacked;
» Following RSA' offer to replace as many as 40 million SecurID tokens, three Australian banks
s
have dumped their tokens, including Australia' largest bank, Westpac;
s
» Eddie Schwartz, RSA’s new CSO:

“Only job more public and challenging at the moment would be CSO of Sony.”

Sony promised its first CISO
» In response to its equally devastating breach, Sony promised to appoint its first chief information
security officer (CISO) to ensure the company could avoid a repeat;
» However, “Lulzsec” is claiming to have attacked the servers yet again and say that they have
walked away with unencrypted security information.

“At this point in time we are not in the position to say one way or another
what the impact will be in full."
Source: itnews, ghacks


Source: World Economic Forum


Technical knowledge—that connects to business operations
» While technical expertise is something a CISO has always needed, in fact, it is this level of
knowledge that will broaden the gap and continue to differentiate senior information security
leaders, from their counterparts with backgrounds solely in physical security, and make them
more attractive in the selection process.
Business acumen—at a whole new level
» While you may be an expert in application security, comparing yourself to a group of application
security professionals will only keep you in application security and won'get you elevated to
t
management. In the past ISO' used their peer group of security pros to be their benchmark of
ve
what their skills should be; now that is really the executive team.
Communication ability—including the skill of listening
» In order for a security program to be implemented correctly you have to be able to get that
message to everyone. Everybody has to develop some kind of security conscience. The listening
skills may be even more important than speaking in the first stages of communicating with others
throughout the organization.
Leadership skill—no matter your current position
» Of all the skills today' employer is looking for from their CISO or security manager, it is
s
leadership. And many companies may be hiring a CISO because they are seeking change within
an organization and they want a CISO who can drive their security in a new direction. And that
takes someone with leadership ability.
Source: CSO Magazine


“Et ipsa scientia potestas est”
- And knowledge itself, is power

!


" #

Data leakage/loss prevention (DLP) is: DLP products use business rules to
A set of information security tools that examine file content and tag
is intended to stop users from sending confidential and critical information so
sensitive or critical information outside that users cannot disclose it.
of the corporate network.
Tagging is the process of classifying
Adoption of DLP, variously called data which data on a system is confidential
leak prevention, information loss and marking it appropriately.
prevention or extrusion prevention, is
being driven by significant insider Example: A user who accidentally or
threats and by more rigorous state maliciously attempts to disclose
privacy laws, many of which have confidential information that's been
stringent data protection or access tagged will be denied, e.g. prevent a
components. sensitive financial spreadsheet from
being emailed by one employee to
another within the same corporation.


$ %&

The first and the foremost thing is to answer the question: What problem space are we
talking about when we talk about Data Leakage?
» The Data Leakage problem can be defined as any unauthorized access of data due to an
improper implementation or inadequacy of a technology, process or a policy.

Next, the second question to answer is what part of the problem space defined above
does the DLP product market solve?
» In the above definition of data leakage, the DLP solutions are designed to prevent unauthorized
access of data due to inadequacy or improper implementation of a process or a policy, but not
technology. They are not designed to address data leakage issues resulting from external
attacks.

Hence the DLP systems primarily help enforce “acceptable use” policies and processes
for an enterprise.
What you don’t have is that:
» They are not designed to solve the part of data leakage problem space that is related to
technology–the information security aspect. So, it is not an information security data leakage
issue that the DLP solution is trying to solve.

Source: InfoSecIsland


$ %&

The third question that comes to mind, where is our enterprise in this Data Leakage
Problem space?
» Surprisingly, one will notice that Data Leakage is already a part of one' enterprise security
s
strategy in the form of deployed firewalls, encryption solutions, IDS, LDAP etc.

Next, getting to the real question – does my enterprise need to invest in a DLP solution?
» And this is a million dollar question which requires comprehensive evaluation specifically to the
current state of enterprise security technology investments, and of course the data type the
enterprise processes/stores.

Hence the DLP system should be/ is implicitly a part of an enterprise security strategy.
What you should do/ have is:
Enterprise Data Classification – if you cannot answer the question where is my sensitive data,
you need to first work on a data classification effort for your enterprise;
Streamline or Implement Processes and Policies in support of data leakage prevention;
Perform a gap assessment on current security infrastructure that already implicitly supports DLP
or can be leveraged to support DLP – purely for cost savings.


“Amat victoria curam”
- Victory loves preparation

' #


( )

DLP solutions help mitigate following risks:

Identifying insecure business processes. For example, use of FTP for transporting
personal data;

Accidental data disclosure by employees. For example, employee sending
unencrypted email containing sensitive data;

Intentional data leakage by employees. For example, disgruntled employees stealing
data or an employee leaving the company with sensitive data.

The problem space is not solved comprehensively by DLP solutions!
Example: an employee can still take a picture of sensitive data and leak it.

So DLP are being systems that aid the enforcement of acceptable use policies and
process with certain limitations.


* & & +

Data Classification efforts can be very easy for a small enterprise, and a beast for large
enterprise. Similarly, implementing a DLP solution is an easy and effective for a small
enterprise vs. a medium or large enterprise.
The larger enterprises should always use a phased approach and also account for the
extra manpower required to continuously configure, monitor and tune the DLP solution.
This will reduce false positives and false negatives, which is usually the biggest
problem enterprises have reported once implementing the DLP solution.
» Some of the features could result in serious business interruptions in the case of no data
classification or a rules misconfiguration;
» Also, it' easy to get blown away by some of the rally features like copy-paste functions for certain
s
kinds of data, or pattern matching features, etc.

Its not the tool which is a problem here, it's the preparation and implementation
shortcomings that result in such outcomes.

Conclusion: the DLP solutions address only a subset of data leakage issues and only
help enforce “acceptable use” policies and processes with a number of limitations. They
do not prevent information security related data leakage issues.


“A bove maiore discit arare minor”
- A good example makes a good job


!, &

In most of the cases, the company exchanges information with third parties (customers,
partners, authorities etc) using the E-mail and the Internet services;

Sensitive Information is located at many places, such as in:
central databases;
workstations (local drives) and laptops;
shared workplaces (file servers, SharePoint servers);
USB sticks and external hard drives.

The company provides E-mail and Internet services to the users of its own units (and
probably several group companies).

The risk of inadvertent or deliberate data loss due to inadequate
security measures and users negligence is present. Isn’t it?

To answer that question we have to evaluate the existing threats…


!

Lack of or insufficient security policies & procedures;

Appropriate security measures not implemented (perimeter, endpoints);

Lack of employees’ awareness & training;

Lack of employees’ diligence;

Disgruntled employees steal corporate data;

Misuse of corporate computers, systems and passwords;

Information destruction and recycling of media;

Remote working & mobility;

Economic crisis.


! -

Based on the policies and rules, the DLP Email Prevent system
» Releases the message (no violation of policies)
» Blocks the message (unauthorized user)
» Modifies the header of the message (authorized users).

When the SMTP Gateway receives an email with this special header, forwards it to the
encryption server.

The encryption server encrypts the email and sends it back to the SMTP Gateway for
forwarding it to the Internet.
» No user (sender) intervention is required.
» Different encryption options provided for the recipients.


! -


!

Proxy server forwards all web traffic to the DLP Web Prevent system;

Based on the policies and rules, the DLP system can:
» block the file upload or remove the confidential content from the file;
» release the traffic back to the proxy server.

Main goal is to block the uploading of files using HTTP/S or FTP:
» real-time monitoring of the ongoing traffic – transparent to the users;
» blocking certain websites based on BlackLists / keywords, etc;
» encrypted traffic is being monitored too (by replacing root CA).

No additional protection (encryption) mechanism.


!


Related security projects to consider for minimizing the risks of Data Leakage:

Discover where the sensitive Information is located across the company and take
relevant measures;

Implement DLP at workstations with critical operations, in conjunction with the current
Endpoint security technology;

Protection at the endpoint (workstations, laptops, removable storage devices, mobile
devices, smartphones);

Protecting Databases from unauthorized access and actions (audit & prevent);

Protection for shared information (file servers, backups, Databases) by using
encryption mechanisms;

This is an ongoing process (Monitoring, assessment, optimization).


“Prudens quaestio dimidium scientiae”
- To know what to ask is already to know half

. &


. &

Thank you for your time!
Zdravko Stoychev, CISM CRISC
http://twitter.com/zdravkos


Data leakage prevention EN Final

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Data leakage prevention EN Final

Similar to Data leakage prevention EN Final (20)

More from Zdravko Stoychev, CISM, CRISC

More from Zdravko Stoychev, CISM, CRISC (8)

Recently uploaded

Recently uploaded (20)

Data leakage prevention EN Final