Data leakage prevention EN Final

Uploaded by zdravko-stoychev, posted 25-Dec-2014


DESCRIPTION

Data leakage prevention, or what kind of animal is this? Risks, Benefits, Strategy, Pitfalls, Examples.

TRANSCRIPT

Page 1: Data leakage prevention EN Final

10th regional conference Information Security and Storage, 2011 – Sofia, Bulgaria

Zdravko Stoychev, CISM CRISC

10th regional Information Security and Storage conference “The New Cross-Section”, Sep 28th, 2011 – Sofia, Bulgaria

Page 2

- The need of new skills
- What a DLP system is?
- To DLP or not to DLP? – Questions, Risks, Outcomes
- Examples – Business needs, Insider threats, Implementation
- Questions

Page 3

“Ab ovo (usque ad mala)” – From the beginning to the end

Page 4

RSA appoints its first CSO
» EMC’s security division RSA has plucked its first chief security officer (CSO) from NetWitness, the company it acquired shortly after admitting it was hacked;
» Following RSA's offer to replace as many as 40 million SecurID tokens, three Australian banks have dumped their tokens, including Australia's largest bank, Westpac;
» Eddie Schwartz, RSA’s new CSO: “Only job more public and challenging at the moment would be CSO of Sony.”

Sony promised its first CISO
» In response to its equally devastating breach, Sony promised to appoint its first chief information security officer (CISO) to ensure the company could avoid a repeat;
» However, “Lulzsec” is claiming to have attacked the servers yet again and say that they have walked away with unencrypted security information. “At this point in time we are not in the position to say one way or another what the impact will be in full.”

Source: itnews, ghacks

Page 5

Source: World Economic Forum

Page 6

Technical knowledge—that connects to business operations
» While technical expertise is something a CISO has always needed, in fact it is this level of knowledge that will broaden the gap and continue to differentiate senior information security leaders from their counterparts with backgrounds solely in physical security, and make them more attractive in the selection process.

Business acumen—at a whole new level
» While you may be an expert in application security, comparing yourself to a group of application security professionals will only keep you in application security and won't get you elevated to management. In the past ISOs have used their peer group of security pros to be their benchmark of what their skills should be; now that is really the executive team.

Communication ability—including the skill of listening
» In order for a security program to be implemented correctly you have to be able to get that message to everyone. Everybody has to develop some kind of security conscience. The listening skills may be even more important than speaking in the first stages of communicating with others throughout the organization.

Leadership skill—no matter your current position
» Of all the skills today's employer is looking for from their CISO or security manager, it is leadership. And many companies may be hiring a CISO because they are seeking change within an organization and they want a CISO who can drive their security in a new direction. And that takes someone with leadership ability.

Source: CSO Magazine

Page 7

“Et ipsa scientia potestas est” – And knowledge itself is power

Page 8

Data leakage/loss prevention (DLP) is: a set of information security tools intended to stop users from sending sensitive or critical information outside the corporate network.

Adoption of DLP, variously called data leak prevention, information loss prevention or extrusion prevention, is being driven by significant insider threats and by more rigorous state privacy laws, many of which have stringent data protection or access components.

DLP products use business rules to examine file content and tag confidential and critical information so that users cannot disclose it.

Tagging is the process of classifying which data on a system is confidential and marking it appropriately.

Example: a user who accidentally or maliciously attempts to disclose confidential information that has been tagged will be denied, e.g. a sensitive financial spreadsheet is prevented from being e-mailed by one employee to another within the same corporation.

Page 9

The first and foremost thing is to answer the question: what problem space are we talking about when we talk about Data Leakage?

» The Data Leakage problem can be defined as any unauthorized access to data due to an improper implementation or inadequacy of a technology, process or policy.

The second question to answer is: what part of the problem space defined above does the DLP product market solve?

» Within the above definition, DLP solutions are designed to prevent unauthorized access to data caused by the inadequacy or improper implementation of a process or a policy, but not of a technology. They are not designed to address data leakage resulting from external attacks.

Hence DLP systems primarily help enforce “acceptable use” policies and processes for an enterprise. What you do not get is this:

» They are not designed to solve the part of the data leakage problem space that is related to technology – the information security aspect. So it is not an information security data leakage issue that a DLP solution is trying to solve.

Source: InfoSecIsland

Page 10

The third question that comes to mind: where is our enterprise in this Data Leakage problem space?

» Surprisingly, one will notice that data leakage prevention is already part of one's enterprise security strategy, in the form of deployed firewalls, encryption solutions, IDS, LDAP etc.

Next, getting to the real question – does my enterprise need to invest in a DLP solution?

» This is the million dollar question, and it requires a comprehensive evaluation of the current state of the enterprise's security technology investments and, of course, of the data types the enterprise processes and stores.

Hence a DLP system should be, and implicitly already is, part of the enterprise security strategy. What you should do or have is:

- Enterprise Data Classification – if you cannot answer the question “where is my sensitive data?”, you first need to work on a data classification effort for your enterprise;
- Streamline or implement processes and policies in support of data leakage prevention;
- Perform a gap assessment of the current security infrastructure that already implicitly supports DLP or can be leveraged to support DLP – purely for cost savings.

Page 11

“Amat victoria curam” – Victory loves preparation

Page 12

DLP solutions help mitigate the following risks:

- Insecure business processes, which DLP helps identify. For example, use of FTP for transporting personal data;
- Accidental data disclosure by employees. For example, an employee sending unencrypted e-mail containing sensitive data;
- Intentional data leakage by employees. For example, a disgruntled employee stealing data, or an employee leaving the company with sensitive data.

The problem space is not solved comprehensively by DLP solutions! Example: an employee can still take a picture of sensitive data and leak it.

So DLP systems are systems that aid the enforcement of acceptable use policies and processes, with certain limitations.

Page 13

Data classification efforts can be very easy for a small enterprise and a beast for a large one. Similarly, implementing a DLP solution is easy and effective for a small enterprise, but much less so for a medium or large one. Larger enterprises should always use a phased approach and also account for the extra manpower required to continuously configure, monitor and tune the DLP solution. This reduces false positives and false negatives, which are usually the biggest problem enterprises have reported once they implement a DLP solution.

» Some of the features can result in serious business interruptions when there is no data classification or when rules are misconfigured;
» Also, it's easy to get carried away by some of the flashy features, such as copy-paste controls for certain kinds of data, pattern matching features, etc.

It's not the tool that is the problem here; it's the preparation and implementation shortcomings that lead to such outcomes.

Conclusion: DLP solutions address only a subset of data leakage issues and only help enforce “acceptable use” policies and processes, with a number of limitations. They do not prevent information security related data leakage issues.

Page 14

“A bove maiore discit arare minor” – A good example makes a good job

Page 15

In most cases the company exchanges information with third parties (customers, partners, authorities etc.) using e-mail and Internet services.

Sensitive information is located in many places, such as:

- central databases;
- workstations (local drives) and laptops;
- shared workplaces (file servers, SharePoint servers);
- USB sticks and external hard drives.

The company provides e-mail and Internet services to the users of its own units (and probably of several group companies).

The risk of inadvertent or deliberate data loss due to inadequate security measures and users' negligence is present. Isn't it?

To answer that question we have to evaluate the existing threats…

Page 16

- Lack of or insufficient security policies and procedures;
- Appropriate security measures not implemented (perimeter, endpoints);
- Lack of employees’ awareness and training;
- Lack of employees’ diligence;
- Disgruntled employees stealing corporate data;
- Misuse of corporate computers, systems and passwords;
- Information destruction and recycling of media;
- Remote working and mobility;
- Economic crisis.

Page 17

- Based on the policies and rules, the DLP Email Prevent system:
  » releases the message (no violation of policies);
  » blocks the message (unauthorized user);
  » modifies the header of the message (authorized users).
- When the SMTP Gateway receives an e-mail carrying this special header, it forwards the message to the encryption server.
- The encryption server encrypts the e-mail and sends it back to the SMTP Gateway, which forwards it to the Internet.
  » No user (sender) intervention is required.
  » Different encryption options are provided for the recipients.
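The tagging idea from page 8 (business rules examine content and mark it confidential) and the three Email Prevent outcomes from page 17 (release, block, add a header so the gateway routes the mail to the encryption server), carried through in Python as an added example. This is not code from the slides or from any DLP product: the tagging rules (a 16-digit card pattern validated with the Luhn checksum, an IBAN-like pattern, a CONFIDENTIAL label), the sender authorization table, the header name X-DLP-Encrypt and the sample messages are all constructed assumptions.

```python
"""Content tagging plus the gateway decision of the slides' 'Email Prevent' flow (added example)."""
import re
from dataclasses import dataclass
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from email.utils import parseaddr

# --- Tagging: business rules that classify content (constructed rules, not from the slides) ---
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")           # 16 digits, optional separators
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")  # country code, check digits, BBAN

def luhn_ok(digits: str) -> bool:
    """Luhn checksum. A bare 16-digit regex also fires on order or ticket numbers; the
    checksum drops most of those false positives (the tuning problem from the 'Pitfalls' slide)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def tag_content(text: str) -> frozenset:
    """Return the classification tags a piece of text earns."""
    tags = set()
    if any(luhn_ok(re.sub(r"[ -]", "", m.group())) for m in CARD_RE.finditer(text)):
        tags.add("PCI")
    if IBAN_RE.search(text):
        tags.add("FINANCIAL")
    if re.search(r"\bCONFIDENTIAL\b", text):
        tags.add("CONFIDENTIAL")
    return frozenset(tags)

# --- Policy: which senders may send which tagged data out (constructed table) ---
AUTHORIZED = {
    "PCI": {"payments@example.com"},
    "FINANCIAL": {"payments@example.com", "treasury@example.com"},
    "CONFIDENTIAL": {"legal@example.com"},
}
ENCRYPT_HEADER = "X-DLP-Encrypt"        # hypothetical header the SMTP gateway routes on

@dataclass(frozen=True)
class Verdict:
    action: str                         # "release", "block" or "encrypt"
    tags: frozenset
    reason: str

def message_text(msg: EmailMessage) -> str:
    """Body plus any text attachments (the spreadsheet-exported-as-CSV case)."""
    parts = []
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        parts.append(body.get_content())
    for att in msg.iter_attachments():
        if att.get_content_maintype() == "text":
            parts.append(att.get_content())
    return "\n".join(parts)

def email_prevent(raw: str):
    """Apply the three outcomes of the 'Email Prevent' slide to one outbound message."""
    msg = message_from_string(raw, policy=default)
    sender = parseaddr(str(msg["From"] or ""))[1].lower()
    tags = tag_content(message_text(msg))
    if not tags:
        return Verdict("release", tags, "no tagged content"), msg
    unauthorized = {t for t in tags if sender not in AUTHORIZED.get(t, set())}
    if unauthorized:
        return Verdict("block", tags, f"{sender} not authorized for {sorted(unauthorized)}"), msg
    msg[ENCRYPT_HEADER] = "required"    # gateway forwards marked mail to the encryption server
    return Verdict("encrypt", tags, "authorized sender, header added"), msg

# Constructed sample messages.
SAMPLES = {
    "ok": "From: alice@example.com\r\nTo: bob@partner.example\r\nSubject: lunch\r\n\r\nSee you at 12.\r\n",
    "unauth": "From: alice@example.com\r\nTo: x@partner.example\r\nSubject: numbers\r\n\r\nCard: 4111 1111 1111 1111\r\n",
    "auth": "From: payments@example.com\r\nTo: x@bank.example\r\nSubject: batch\r\n\r\nIBAN BG80BNBG96611020345678\r\n",
    "ticket": "From: alice@example.com\r\nTo: x@partner.example\r\nSubject: ref\r\n\r\nTicket 1234 5678 9012 3456\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        verdict, msg = email_prevent(raw)
        print(f"{name:7s} -> {verdict.action:8s} {sorted(verdict.tags)} {verdict.reason}; "
              f"{ENCRYPT_HEADER}={msg[ENCRYPT_HEADER]}")
```

The "ticket" message is the page 13 point in miniature: it contains a 16-digit number that is not a valid card number, so the Luhn check lets it through instead of producing a false positive. The second half of the flow (the gateway matching the header and handing the mail to the encryption server) is not modelled here.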

Page 18

Page 19

- The proxy server forwards all web traffic to the DLP Web Prevent system.
- Based on the policies and rules, the DLP system can:
  » block the file upload, or remove the confidential content from the file;
  » release the traffic back to the proxy server.
- The main goal is to block the uploading of files over HTTP/S or FTP:
  » real-time monitoring of the ongoing traffic – transparent to the users;
  » blocking certain websites based on blacklists, keywords, etc.;
  » encrypted traffic is monitored too (by substituting the root CA, i.e. TLS interception at the proxy).
- No additional protection (encryption) mechanism is provided.
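The Web Prevent decisions of page 19 (blacklisted site, block the upload, strip the confidential content and hand the rest back to the proxy, or release), written out in Python as an added example that is not code from the slides or from any product. The host blacklist, the blocking keyword, the SSN-like pattern that gets redacted and the sample requests are constructed assumptions. It operates on plaintext HTTP requests handed over by the proxy; for HTTPS the proxy has to terminate TLS with the enterprise root CA first, as the slide notes, which is outside this snippet.

```python
"""Web Prevent decision point: block, redact or release an upload handed over by the proxy (added example)."""
import re
from dataclasses import dataclass

# Constructed policy data (assumptions for this example, not from the slides).
BLOCKED_HOSTS = {"filehost.example", "paste.example"}   # blacklist: the whole site is off limits
BLOCK_KEYWORDS = ("STRICTLY CONFIDENTIAL",)              # content that must never leave
REDACT_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")         # SSN-like identifiers, stripped in place

@dataclass
class Request:
    method: str
    path: str
    headers: dict           # header names lower-cased
    body: str

    @property
    def host(self) -> str:
        return self.headers.get("host", "")

def parse_request(raw: str) -> Request:
    """Minimal HTTP/1.1 request parser: request line, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, path, headers, body)

def serialize(req: Request) -> str:
    """Rebuild the request with a correct Content-Length after the body was rewritten."""
    headers = dict(req.headers)
    if req.body or "content-length" in headers:
        headers["content-length"] = str(len(req.body.encode("utf-8")))
    lines = [f"{req.method} {req.path} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n" + req.body

@dataclass(frozen=True)
class Decision:
    action: str             # "release", "block" or "redact"
    reason: str
    request: str            # what goes back to the proxy ("" when blocked)

def web_prevent(raw: str) -> Decision:
    req = parse_request(raw)
    if req.host in BLOCKED_HOSTS:                       # blacklist applies to any method
        return Decision("block", f"host {req.host} is blacklisted", "")
    if req.method not in ("POST", "PUT"):               # only uploads carry data out
        return Decision("release", "not an upload", raw)
    for kw in BLOCK_KEYWORDS:
        if kw in req.body:
            return Decision("block", f"keyword {kw!r} found in upload", "")
    redacted, hits = REDACT_RE.subn("[REDACTED]", req.body)
    if hits:                                            # strip the confidential content, let the rest through
        req.body = redacted
        return Decision("redact", f"{hits} sensitive value(s) removed", serialize(req))
    return Decision("release", "no policy match", raw)

# Constructed sample requests.
SAMPLES = {
    "blacklist": "POST /upload HTTP/1.1\r\nHost: filehost.example\r\nContent-Length: 5\r\n\r\nhello",
    "keyword":   "PUT /share/plan.txt HTTP/1.1\r\nHost: share.partner.example\r\nContent-Length: 26\r\n\r\nSTRICTLY CONFIDENTIAL plan",
    "redact":    "POST /api/notes HTTP/1.1\r\nHost: crm.partner.example\r\nContent-Type: text/plain\r\nContent-Length: 20\r\n\r\nSSN 123-45-6789 paid",
    "browse":    "GET /index.html HTTP/1.1\r\nHost: news.example\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        d = web_prevent(raw)
        print(f"{name:9s} -> {d.action:7s} {d.reason}")
```

The redact branch is where the "remove the confidential content from the file" option bites in practice: once the body is rewritten, the request handed back to the proxy must carry a recomputed Content-Length, otherwise the upstream server reads a truncated or over-long body.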

Page 20

Page 21

Related security projects to consider for minimizing the risks of data leakage:

- Discover where the sensitive information is located across the company and take the relevant measures;
- Implement DLP on workstations with critical operations, in conjunction with the current endpoint security technology;
- Protection at the endpoint (workstations, laptops, removable storage devices, mobile devices, smartphones);
- Protecting databases from unauthorized access and actions (audit and prevent);
- Protection of shared information (file servers, backups, databases) using encryption mechanisms;
- This is an ongoing process (monitoring, assessment, optimization).

Page 22

“Prudens quaestio dimidium scientiae” – To know what to ask is already to know half

Page 23

Thank you for your time!

Zdravko Stoychev, CISM CRISC
http://twitter.com/zdravkos