Learn How to Stop Data Theft

Before It Happens

May 20, 2015

2

What we’ll talk about today

Challenges and costs of protecting intellectual property

Helix Threat Detection overview

Helix Threat Detection demo

Q&A

2

Charlie McLouth

Senior Director

Solutions Engineering

Chris Hoover

Global Vice President

Products & Marketing

3

The challenges of silo’ed IP

Friction between teams and design errors

Poor component reuse results in higher production costs

More delays, less efficient product delivery

Increased risk of quality issues

DevOps

code

reqs

specs

design

4

Increased risk of IP theft

DevOps

code

reqs

specs

design

Chief Security Officer

[ Even more separated ]

5

The impact of IP theft

Annual losses due to IP theft >$300B

“The greatest transfer of wealth in history”

Subsidizes competitors and foreign suppliers

Diminishes productivity growth, innovation, product advancements

6

Contributors

Consumers

Perforce Helix Platform

Flexible WorkflowsVersion control, code reviews, simple file sharing

Fast and Scalable10 to 10,000+ on each trunk

Every FileEfficiently handles large, often binary, data

EverywhereSupports geographically distributed teams

Secure Granular permissions & theft detection

CSO

7

Customer: $20B manufacturer

2 engineers stole data

1 YEAR

$1 million spentLarge security vendor failed to find anything

2 WEEKS

Easily identified the 2 engineers

Found 3 additional users stealing data in North America

Found 8 additional users stealing data outside North America

THREATDETECTION

X

8

Helix Threat Detection

Analytics Modeling

• Baselines and creates clusters

• Learns Patterns

• Learns Anomalies (unusual hours,

data volumes, application types &

more

Risk Scoring

• Risk by User

• Risk by Activity

• Risk by File

• Risk by Time

• Risk by Volume

• Risk by Method/Exit

Verification & Investigation

• Highly Readable Event Alarms

• Very Intuitive UI

• Executive Reporting

All Users

Ris

k f

rom

0 -

10

0

BEHAVIORAL ANALYTICS

2

0

5

23

Wintermute Wintermute 89

Armitage 82

Hideo 26

Maelcum 26

Molly 25

Aerol 25

Strayllight 25

Case 18

Chiba 8

Proteus 7

9

Reduces noise and false positives

Each entity maintains a persistent risk score

(user, machine, asset)

Risk scores change based on activities

Real-time aggregation of multiple events

“connects the dots” of related activities

John Smith is accessing an unusual, important file 25

… at a time of day he was almost never active 46

… and took from a source code project that has been inactive for months 80

… and is downloading more source code from more folders than his peers 96

Behavioral Risk Model

Behavioral Risk Score

Entity Risk Model

Entity Risk Score

10

Interactive risk reporting and drilldown

11

Data & analytic models

Wanderer (access folders/projects)• Anomalous folder access

• Inactive folder access

Sneaker (access times)• Anomalous working hours

• Anomalous working days

Moocher (take more than post)• Anomalous total mooch• Sudden mooch• High mooch

Hoarder (anomalous take, volume, folders)• Unusual project take (2 models)• Inactive project take• Large sudden unusual take (4 models – self & group)• Large sudden unusual take - per project

(4 models – self & group)

General Models

• Activity from rare user

• Aggregate anomaly

• Persistent anomaly

Data Types

Timestamp (Date/Time)

User

Resource(Folder Structure)

Action (Give/Take)

Item Number

Client

Size

12

Demo

13

Provide 30 Days Log Data Run Analytics Executive Report

Timestamp

User

IP Address

Action

- Commit

- Sync

- Get

Resource folder

- File

- Path

No need to install & configure system for testing Simply provide logs to prove the product meets your use case

Anonymized

FieldsEncrypted

Results

Risk Analysis Report

Questions?

Charlie McLouthSenior DirectorSolutions Engineering

Chris HooverGlobal Vice PresidentProducts & Marketing