June 2009 Securing Your Campus Against Data Loss and Internet Threats Victor C. Lee Director, Data Protection Marketing

Post on 21-Dec-2015


Page 1

June 2009

Securing Your Campus Against Data Loss and Internet Threats

Victor C. Lee, Director, Data Protection Marketing

Page 2

June 2009 Copyright 2009 Trend Micro Inc.

Agenda

• Introduction and Overview of Threats to Privacy
• Mass Web Hack Attacks
• Insider Threats
• Highlight: Two Trend Micro Solutions
  – Deep Security
  – LeakProof

Page 3

You are under constant attack

THREATS

Internal
• Malicious insiders stealing company data
• Worried workers proactively downloading info
• Careless insiders losing private data and IP
• Increasing government regulations focusing on privacy

External
• Volume of attacks increasing exponentially
• Hackers moving from disruption to profiteering
• Increasingly sophisticated malware seeking valuable corporate data

Ponemon Institute, 2006 Research Study

Page 4

The Impact of Data Loss

• Cost: $6.3M per breach*

• Loss of customers/business

• Brand damage

• Stock price decrease

• Regulatory fines

• Legal defense

• Notification and compensation

• Public relations & security response

* Ponemon Institute

Page 5

What Types of Data Do Enterprises Want to Protect

Privacy: Customer, Employee & Patient Data
Regulatory Compliance
• Account Information
• Credit Card Numbers
• Contact Information
• Health Information

Intellectual Property
Competitive
• Source Code
• Engineering Specs
• Strategy Documents
• Pricing

Company Confidential
Contracts, Reputation
• Quarterly Results
• M&A Strategy
• CEO Internal Email
• Internal Conversations

Increased transparency makes privacy protection more difficult

Page 6

Privacy Threat Landscape: Top Threats

1. Malware: Get employees to unknowingly compromise internal systems

2. Hackers: Compromise web-based applications to access databases

3. Insider Threats: Malicious and accidental breaches of privacy data

Page 7

Example: URLs instead of Attachments!

Page 8

Mitigation Requires Cloud Based Correlation

[Diagram: Threat Analysis (TrendLabs & Malware Database) correlating Email Reputation (IP), Web Reputation (URL) and File Reputation (Files). Example labels: Fake news by email. One click in a link. A compromised web site. A fake video.]

Page 9

2. Hackers

Page 10

“Mass Web Hack”

© Third Brigade, Inc.

Page 11

Multi Pronged Attack

• Sophisticated Attack - Numerous kinds of exploits
• Six different kinds of exploits – in most cases
  – SQL Injection
  – JavaScript Injection
  – Phishing
  – OS Vulnerability
  – Malware
  – Covert channel communication
• Added Evasion techniques such as JavaScript Obfuscation

Page 12

The Attack

1a. SQL Injection
1b. Malicious Code Injected: <IFRAME src="xyz.com/1.js">
2a. Visit website
2b. Browser parses injected code
3a. Redirected to malicious site
3b. Exploit unpatched vulnerability
4. Command & Control
5. Passwords, Sensitive Data

[Diagram labels: website, Malicious website]

Page 13

Mitigation Strategies

Step 1. Protect the web site
Proactive:
• Fix application code
• Host/Network-based IDS/IPS
• App Firewall
Reactive:
• Monitor database content for changes
• FIM/Change Mgmt
Comments:
• Google searches can be used to locate vulnerable sites; bots can also be used
Attack stages addressed: 1a. SQL Injection; 1b. Malicious Code Injected
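
The reactive control in Step 1, monitoring database content for changes, can be approximated by sweeping text columns for script or iframe references to hosts outside an allowlist. This is an added example, not code from the presentation or from any Trend Micro product; the table layout, the allowlist and the sample rows are constructed assumptions.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Assumed allowlist: hosts this site legitimately loads scripts/frames from.
ALLOWED_HOSTS = {"www.campus.example", "cdn.campus.example"}

Q = "\"'“”"  # straight and curly quote characters
# <script ... src=...> or <iframe ... src=...>, quoted or unquoted value.
TAG_RE = re.compile(
    rf"<\s*(script|iframe)\b[^>]*?\bsrc\s*=\s*[{Q}]?([^\s{Q}>]+)", re.IGNORECASE)

def external_host(src):
    """Return the off-site host a src value points to, or None."""
    if "//" not in src:
        first, slash, _ = src.partition("/")
        # Heuristic: 'xyz.com/1.js' is treated as a host reference (errs toward
        # flagging); '/js/a.js' and 'js/a.js' are treated as site-relative.
        if not (slash and first and "." in first):
            return None
        src = "//" + src
    host = (urlparse(src).hostname or "").lower()
    return host if host and host not in ALLOWED_HOSTS else None

def scan_table(conn, table, key_col, text_cols):
    """Return (key, column, tag, host) for every off-site script/iframe src."""
    findings = []
    # Identifiers come from the operator's own config, never from user input.
    cols = ", ".join([key_col] + text_cols)
    for row in conn.execute(f"SELECT {cols} FROM {table} ORDER BY {key_col}"):
        for col, value in zip(text_cols, row[1:]):
            for tag, src in TAG_RE.findall(value or ""):
                host = external_host(src)
                if host:
                    findings.append((row[0], col, tag.lower(), host))
    return findings

def build_sample_db():
    """Constructed sample data: one clean row, two rows with injected tags."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)", [
        (1, "Orientation week",
         '<p>Schedule</p><script src="https://cdn.campus.example/cal.js"></script>'),
        (2, 'Library hours<IFRAME src=“xyz.com/1.js>', "<p>Open 8-22</p>"),
        (3, "Parking", "<p>Lot B closed</p><script src=http://xyz.com/1.js></script>"),
    ])
    return conn

if __name__ == "__main__":
    for hit in scan_table(build_sample_db(), "articles", "id", ["title", "body"]):
        print("off-site reference:", hit)
```

Run on a schedule against content tables, a new finding marks a row that changed to include markup the site never publishes itself.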

Page 14

Mitigation Strategies

Step 2. Detect outbound from webserver and Protect browser
Proactive:
• Turn off or control parsing of JavaScript
• Host/Network-based IDS/IPS
• App Firewall
Reactive:
• Host/Network-based IDS/IPS
• App Firewall
Comments:
• Client may be outside of your control
Attack stages addressed: 2a. Visit website; 2b. Browser parses injected code

Page 15

Mitigation Strategies

Step 3. Protect system
Proactive:
• Host/Network-based IDS/IPS
Reactive:
• Block access to ‘known bad’ domains
• Patch systems
• Anti-virus
• Host/Network-based IDS/IPS
• FIM
Comments:
• IPs and domains used change rapidly
Attack stages addressed: 3a. Redirected to malicious site; 3b. Exploit unpatched vulnerability

Page 16

Mitigation Strategies

Step 4. Monitor and detect malware
Proactive:
• Host/Network-based IDS/IPS
Reactive:
• Anti-virus
• Re-image systems
• Host/Network-based IDS/IPS
• FIM
Comments:
• Update AV until it detects
• Always check for ‘worst-case’
Attack stages addressed: 4. Command & Control; 5. Passwords, Sensitive Data

Page 17

3. The Insider Threat

Page 18

Insider Threats: Market Dynamics
Economic Uncertainty Increases Risk

Page 19

Insider Threats Increase

If you thought your job was at risk would you, as a pre-emptive move, download company/competitive information?

Cyber-Ark Survey, Nov 2008

Page 20

Ex-Workers/Fired Workers

According to the 2009 Ponemon Data Loss Study, nearly 60% of ex-employees admitted to taking company data

Page 21

Regulatory Requirements Proliferating

Page 22

The Importance of Endpoint Protection

Top Threat Vectors of Concern …

[Chart, axis 1 to 6: USB, Corporate email, Email on the public Internet, WiFi, CD / DVD, PDA, Bluetooth / infrared, Printer]

Many of these concerns can ONLY be addressed via endpoint intelligence

Source: Market Research International

Page 23

DLP Technology Must Haves…

• Off network enforcement and device control

• Online/Offline policies

• Policy reinforcement and education

• Optimized endpoint fingerprinting

• Full and partial fingerprint matching

• Discovery of data at rest

• Real-time content scanning of sensitive data

• Smart identifiers (e.g. SSN, DOB, account numbers)

• Regulatory compliance templates (PCI, HIPAA)

• Language independence

• Centralized management

Page 24

Deploying DLP

1. Data classified, DLP policy configured
2. If fingerprints required, content repositories scanned
3. Policy & fingerprints pushed to clients
4. Violations detected, logged & reported; Endpoints scanned

[Diagram labels: INTERNAL NETWORK, EXTERNAL NETWORK, Internet, Intranet, File Server, Document Management Server, Source Control Server, Customer Info Database, Removable Media, LeakProof™ DataDNA Server, LeakProof™ Security Management Console, Branch Office, Offline, VPN, Anti-Leak Client, Private, Secret]

Page 25

Trend Micro Data Protection

Threat: Malware
Description: Get employees to unknowingly compromise internal systems
Mitigation Requires: Cloud based correlation of web, file, email reputation
Trend Micro Solutions: Endpoint Security: OfficeScan with Smart Protection Network

Threat: Hackers
Description: Compromise web-based applications to access databases
Mitigation Requires: Web application protection, Host Based IDS/IPS (HIPS)
Trend Micro Solutions: Deep Security: Deep Packet Inspection, Server Firewall

Threat: Insider Threats
Description: Malicious and accidental breaches of privacy data
Mitigation Requires: Endpoint-based content filtering / Data Loss Prevention (DLP)
Trend Micro Solutions: LeakProof, Email Encryption

Page 26

Trend Micro Data Protection Solutions


Now with Deep Security!

Page 27

Data Security + Content Security
On-Premise + Cloud-based Solutions

• Email Reputation

• Web Reputation

• File Reputation

With Global Threat Feedback


Now with Deep Security!

Page 28

Addressing Hackers: Deep Security

Deep Packet Inspection
• IDS / IPS
• Web App. Protection
• Application Control

Firewall

Integrity Monitoring

Log Inspection

Page 29

Deep Packet Inspection

IDS/IPS
– Vulnerability rules: shield known vulnerabilities from unknown attacks
– Exploit rules: stop known attacks
– Smart rules: Zero-day protection from unknown exploits against an unknown vulnerability
– Microsoft Tuesday protection is delivered in sync with public vulnerability announcements
– On the host/server (HIPS)

Web Application Protection
– Enables compliance with PCI DSS 6.6
– Shield vulnerabilities in custom web applications, until code fixes can be completed
– Shield legacy applications that cannot be fixed
– Prevent SQL injection, cross-site scripting (XSS)

Application Control
– Detect suspicious inbound/outbound traffic such as allowed protocols over non-standard ports
– Restrict which applications are allowed network access
– Detect and block malicious software from network access

Page 30

Integrity Monitoring

Monitors files, systems and registry for changes

• Critical OS and application files (files, directories, registry keys and values, etc.)

• On-demand or scheduled detection

• Extensive file property checking, including attributes (PCI 10.5.5)

• Monitor specific directories

• Flexible, practical monitoring through includes/excludes

• Auditable reports

Page 31

Log Inspection

Getting visibility into important security events buried in log files

• Collects & analyzes operating system and application logs for security events

• Rules optimize the identification of important security events buried in multiple log entries

• Events are forwarded to a SIEM or centralized logging server for correlation, reporting and archiving

Page 32

Data Leak Prevention: LeakProof 5.0

LeakProof 5.0 Standard: Privacy Protection & Regulatory Compliance

LeakProof 5.0 Advanced: LeakProof Standard + Intellectual Property Protection

LeakProof Server 5.0

Page 33

LeakProof 5.0 Standard: Privacy Protection/Regulatory Compliance

Compliance templates:
• PCI
• SB-1386
• HIPAA
• GLBA
• US PII

Source Code Templates:
• C/C++
• Java
• C#
• Perl
• COBOL
• VB

HR Keyword Template:
• Adult
• Weapon
• Racism

Validators
• LUHN checksum
• Social Security No.
• Credit Card Number
• US Phone number
• US Date
• PRC National ID
• Taiwan ID number
• ROK (South Korean) Reg.#
• Canadian Social Insurance #
• Norwegian Birth number
• American Names
• ABA Routing number
• UK Date
• UK NHS Number
• German Tax ID (eTIN)
• IBAN
• National Provider Identifier (NPI)
• HIC (Health Insurance Claim) Number
• ISO Date
• Swift BIC
• France INSEE Code
• Spanish Fiscal Identification Number (NIF)
• Irish PPSN
• Polish ID Number
• Finnish ID
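
How a validator such as the LUHN checksum sharpens a credit card identifier: a pattern match alone flags any long digit run, while the checksum discards most of them. This is an added example, not LeakProof code; the candidate pattern, the function names and the sample text are constructed assumptions.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by single spaces
# or hyphens, not embedded in a longer digit/hyphen run.
CANDIDATE_RE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")

def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text):
    """Return (offset, masked_number) for candidates that pass validation."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # All zeros passes Luhn trivially; reject runs of one repeated digit.
        if len(set(digits)) == 1 or not luhn_ok(digits):
            continue
        # Keep only the last four digits so the DLP log is not itself a leak.
        hits.append((m.start(), "*" * (len(digits) - 4) + digits[-4:]))
    return hits

# Constructed sample text; the two valid numbers are widely used test values.
SAMPLE = ("Invoice 2009-06-15, order ref 1234567890123456, paid with "
          "4111 1111 1111 1111; backup card 5500-0000-0000-0004. "
          "Ticket 0000000000000000 closed.")

if __name__ == "__main__":
    for offset, masked in find_card_numbers(SAMPLE):
        print(f"possible card number at offset {offset}: {masked}")
```

The order reference and the all-zero ticket number match the digit pattern but are dropped by validation, so only the two card numbers are reported.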

Page 34

LeakProof 5.0 Advanced: Intellectual Property Protection via Unique Fingerprinting Technology

• Fast

• Small

• Accurate

• Language independent

Page 35

LeakProof 5.0 Product Components

LeakProof Server
• Centralized Management
• Policy
• Visibility
• Workflow

LeakProof Client
• Intelligent
  – Fingerprint, Regex, Keyword, Meta-data
• Small Footprint
• Invisible
• Independent
• Robust

Discover, Monitor, Protect, Educate/Self Remediation

[Sample end-user notice: ACME Customer Privacy Protection. Employees of ACME are expected to protect sensitive information containing customer information such as names, account numbers, social security numbers etc. Please report any … Call the helpdesk or email.]

Page 36

Protecting Privacy: What To Do?

DO’s
• Identify top Privacy Data, Location, and Channel (Threat)
• Engage data/information owners
• Understand what regulations are on the horizon
• Start monitoring/discovering privacy data usage

DON’Ts
• Try to boil the ocean – classify everything, everywhere
• Monitor or prevent EVERY possible threat
• Forget to address people/process improvements

[Diagram labels: Citizen Data, Web Apps; Legal Cases, Desktop/Laptop; Legal Cases, WebMail/USB; Privacy, Email]

Page 37

Think Again… You May Qualify for a Free Threat Assessment

Trend Micro Tabletop Display

• What’s being offered?: We are offering a free, no obligation assessment of your enterprise network to qualified applicants!

• What do I get?: You will receive a two week trial of the Threat Detection portion of the Threat Management Solution. We even provide onsite installation!

• How does it benefit me?: We will provide a detailed executive report which shows actual vulnerabilities and penetrations of your network, down to the individual PC level. We will provide advice about how to close any security holes we find. No purchase required.

• If you think your network is safe – THINK AGAIN!

Page 38

Questions and Discussion