Uploaded by trinhkiet on 31-Mar-2018 (31 pages)

Page 1 (source: vox.veritas.com/legacyfs/online/veritasdata/SR B34.pdf)

Symantec DLP: Detection Innovation and Expanded Coverage

Ernie Simmons, Tory Gilbert, IIP Technical Field Enablement

Page 2

SYMANTEC VISION 2012

Topics

• DLP and Detection Overview
• Vector Machine Learning (VML)
• Email Prevent and VML
• Endpoint Prevent and VML
• DLP for Tablets and VML
• Summary

Page 3

DLP and Detection Overview

Page 4

Data Loss Prevention Threat Coverage (diagram)

Diagram axes: DLP Policy; Monitoring & Prevention; Discovery & Protection.

Channels and repositories shown: USB/CD/DVD, Stored data, Email, Instant Message, FTP, SharePoint / Lotus Notes / Exchange, Databases, File Servers, Print/Fax, Webmail, Web servers, Untrusted networks.

DLP for Tablets: New in V11.5

Page 5

Data Loss Policies

Data Loss Policy = Detection Rules + Response Rules. Build from scratch or 60+ policy templates.

Detection Rules
• Described Data (DCM) – keywords, data identifiers, regular expressions, file type
• Fingerprinted Data
  – Structured data (EDM)
  – Unstructured data (IDM)
• Vector Machine Learning (introduced in V11.1)
• Group-based rules (AD user groups, senders/recipients)
• Additional detection features
  – Match count threshold
  – Boolean logic (and/or/if)
  – Exceptions

Response Rules
• Notification – by email, onscreen notification, marker file, syslog alert
• Blocking – SMTP, HTTP/S, FTP, IM, USB/CD/DVD, Print/fax, Copy/paste
• File Copy or Quarantine – for Network Discover (quarantine also for Endpoint Discover)
• Modification (SMTP) – for conditional encryption, for example
• FlexResponse (Storage, Endpoint) – API for custom responses, such as applying digital rights, encrypting files in place, and so on

Page 6

Detection Innovation and Expanded Coverage

• Vector Machine Learning
  – Lets you detect confidential documents that can proliferate across the enterprise. Such documents often are difficult to fingerprint or describe.
• DLP for Tablets
  – Extends DLP coverage, providing the DLP suite’s robust policy and reporting features for iPad security.

Page 7

Vector Machine Learning (VML)

Page 8

Vector Machine Learning: Overview

Challenges of detecting unstructured data (diagram shows a spectrum from Keywords to IDM):
• How to identify relevant keywords?
• How to tune policies?
• What if I can’t access all confidential docs?
• How do I account for new docs?

Symantec Proprietary & Confidential - This information is not a commitment, promise or legal obligation to deliver any material, code or functionality

Page 9

Vector Machine Learning: Overview (cont’d)

The solution (diagram places Machine Learning alongside Keywords and IDM):
• Automates policy creation using sample docs
• Improves accuracy with remediation
• Detects new or similar content

Page 10

Top VML Use Cases

• Improve accuracy for PII policies by using VML to tune out certain categories of data
• Create highly accurate policies around Source Code – wherever it resides
• Detect Insurance Claim Forms that reside outside the grasp of IT Security
• Automatically create policies based on VML feature extraction

Page 11

VML: Definition and Uses

• VML detects unstructured data by determining whether analyzed content is similar to docs in a training set (collection of example documents). VML represents a third type of detection – learning – in addition to describing (DCM) and fingerprinting (EDM / IDM).

• When to use:

  Yes                                                No
  Unstructured and textual                           Unstructured and binary
  Data set highly distributed, difficult to collect  Data set centralized and/or small
  Very difficult to describe                         Easy to describe

Page 12

VML: Example Data

  Category                                          Examples
  Source code                                       Protect proprietary source code for a product, trading models, or actuarial algorithms
  Reports and forms                                 Monthly or weekly sales reports, loan applications, and resumes
  Legal contracts                                   Licensing, partnerships, and sales agreements
  HIPAA and HITECH                                  Patient Health Information in the form of insurance claims, billing and procedure codes, emails to patients
  ITAR (International Traffic in Arms Regulations)  Intellectual Property and unstructured data that may be restricted

Page 13

VML: Selecting Sample Docs (Training Sets)

Diagram: a Narrow Category nested inside Broader Categories.

• Positive Training Set represents the narrow category (ex., Endpoint DLP source code)
• Negative Training Set represents related broader categories (ex., Open source C++ code or Endpoint DLP API Guides)

Both training sets: Stored on Enforce host, minimum 50 docs each (minimum 250 recommended), roughly same size, docs in ZIP (recommended), no docs >30 MB.
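The training-set rules listed above are easy to get wrong when sets are assembled by hand, so here is an added pre-flight check written for this page (it is not a Symantec tool and does not replace the Enforce console's own validation). It assumes the two sets are handed over as ZIP files in memory, and it interprets "roughly same size" as the two sets' total bytes being within 2x of each other; that ratio is an assumption, since the slide gives no figure. The sample ZIPs at the bottom are constructed.

```python
import io
import zipfile

# Constraints as stated on the slide (page 13).
MIN_DOCS = 50
RECOMMENDED_DOCS = 250
MAX_DOC_BYTES = 30 * 1024 * 1024
# Assumption (not on the slide): "roughly same size" is read as the larger
# set's total bytes being no more than 2x the smaller set's.
MAX_SIZE_RATIO = 2.0


def summarize_zip(zip_bytes):
    """Count documents and bytes in one ZIP training set; list docs over 30 MB."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
    sizes = [i.file_size for i in infos]
    oversized = [i.filename for i in infos if i.file_size > MAX_DOC_BYTES]
    return {"docs": len(sizes), "bytes": sum(sizes), "oversized": oversized}


def check_training_sets(positive_zip, negative_zip):
    """Return {'errors': [...], 'warnings': [...]}; empty 'errors' means the
    sets meet the slide's hard limits, 'warnings' cover the recommendations."""
    errors, warnings = [], []
    sets = {"positive": summarize_zip(positive_zip),
            "negative": summarize_zip(negative_zip)}
    for name, s in sets.items():
        if s["docs"] < MIN_DOCS:
            errors.append(f"{name} set has {s['docs']} docs; minimum is {MIN_DOCS}")
        elif s["docs"] < RECOMMENDED_DOCS:
            warnings.append(f"{name} set has {s['docs']} docs; "
                            f"{RECOMMENDED_DOCS} recommended")
        for fn in s["oversized"]:
            errors.append(f"{name} set: {fn} exceeds 30 MB")
    big = max(sets["positive"]["bytes"], sets["negative"]["bytes"])
    small = min(sets["positive"]["bytes"], sets["negative"]["bytes"])
    if small == 0 or big / small > MAX_SIZE_RATIO:
        warnings.append(f"training sets differ in total size by more than "
                        f"{MAX_SIZE_RATIO}x; the slide asks for roughly equal size")
    return {"errors": errors, "warnings": warnings}


def make_sample_zip(n_docs, doc_bytes, prefix):
    """Constructed sample input: n_docs text files of doc_bytes each."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for k in range(n_docs):
            zf.writestr(f"{prefix}_{k}.txt", "x" * doc_bytes)
    return buf.getvalue()


if __name__ == "__main__":
    # 60 docs per set passes the minimum but is below the recommended 250,
    # so expect no errors and two warnings.
    report = check_training_sets(make_sample_zip(60, 1000, "pos"),
                                 make_sample_zip(60, 1200, "neg"))
    print(report)
```

Run it against the real ZIPs before uploading them to the Enforce host; the size-ratio warning is the one most often triggered in practice, because a negative set of whole guides dwarfs a positive set of short source files.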

Page 14

VML: How It Works (diagram)

Training: Positive examples (+) and Negative examples (-) feed the training step, which selects features, generates the model and calculates accuracy. The output is a Profile.

Detection: unknown content (?) is compared with the Profile and receives a Similarity Score from 0.0 through 10.0.
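To make the "select features, generate model, calculate accuracy, similarity score 0.0 through 10.0" flow concrete, here is an added toy implementation written for this page. It is not Symantec's VML algorithm, whose internals the deck does not describe; the method it assumes is binary bag-of-words features, a feature selector that drops words common to both classes, centroids for the positive and negative sets, and a cosine-difference score mapped onto the slide's 0.0 through 10.0 range. The eight training documents are constructed and far below the 50-doc minimum the deck requires.

```python
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z_][a-z0-9_]*")


def tokenize(text):
    """Binary bag of words: the set of lower-cased identifier-like tokens."""
    return set(TOKEN.findall(text.lower()))


def select_features(pos_docs, neg_docs, min_df=2, skew=2.0):
    """Select Features (assumed method): keep tokens seen in at least min_df
    training docs whose per-class document frequency differs by >= skew, so
    words that both classes share equally carry no weight."""
    pos_df = Counter(t for d in pos_docs for t in tokenize(d))
    neg_df = Counter(t for d in neg_docs for t in tokenize(d))
    feats = set()
    for t in set(pos_df) | set(neg_df):
        if pos_df[t] + neg_df[t] < min_df:
            continue
        p, n = pos_df[t] / len(pos_docs), neg_df[t] / len(neg_docs)
        if p >= skew * n or n >= skew * p:
            feats.add(t)
    return feats


def centroid(docs, feats):
    """Average binary feature vector of one training set."""
    c = Counter()
    for d in docs:
        for t in tokenize(d) & feats:
            c[t] += 1.0 / len(docs)
    return c


def cosine(a, b):
    dot = sum(v * b.get(t, 0.0) for t, v in a.items())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def similarity(model, text):
    """Detection: (cos to positive centroid - cos to negative centroid) lies in
    [-1, 1]; map it onto the slide's 0.0 through 10.0 similarity range."""
    x = Counter({t: 1.0 for t in tokenize(text) if t in model["features"]})
    diff = cosine(x, model["pos"]) - cosine(x, model["neg"])
    return round(5.0 * (diff + 1.0), 2)


def train(pos_docs, neg_docs):
    """Generate Model + Calculate Accuracy: build the profile, then score the
    training docs themselves (score > 5.0 is treated as 'positive')."""
    feats = select_features(pos_docs, neg_docs)
    model = {"features": feats,
             "pos": centroid(pos_docs, feats),
             "neg": centroid(neg_docs, feats)}
    labelled = [(d, True) for d in pos_docs] + [(d, False) for d in neg_docs]
    correct = sum((similarity(model, d) > 5.0) == label for d, label in labelled)
    model["accuracy"] = correct / len(labelled)
    return model


# Constructed sample sets. Narrow category: endpoint agent source code.
# Broader related category: prose from the agent's guide (as the slide suggests).
POSITIVE_DOCS = [
    "// endpoint dlp agent\n#include <string>\nclass AgentScanner { public: int scan(const std::string& path); };",
    "// endpoint dlp agent\nint AgentScanner::scan(const std::string& path) { return inspect(path) ? 1 : 0; }",
    "// endpoint dlp agent\nvoid flushIncidents() { for (auto& i : incidents) send(i); }",
    "// endpoint dlp agent\n#include <vector>\nstatic std::vector<Incident> incidents; bool send(const Incident& i);",
]
NEGATIVE_DOCS = [
    "The endpoint DLP agent API guide explains how to install the agent on Windows workstations.",
    "Chapter 2 of the endpoint DLP agent guide describes configuring the agent with the management console.",
    "See the endpoint DLP agent guide for troubleshooting steps when the agent cannot reach the server.",
    "The endpoint DLP agent guide lists supported operating systems and upgrade procedures.",
]

if __name__ == "__main__":
    m = train(POSITIVE_DOCS, NEGATIVE_DOCS)
    print("training accuracy:", m["accuracy"])
    for doc in ["int main(int argc, char** argv) { return scan(argv[1]); }",
                "Read the installation guide before deploying.",
                "lorem ipsum"]:
        print(similarity(m, doc), "<-", doc)
```

Two behaviours worth noticing: the words "endpoint", "dlp" and "agent" appear in every document of both sets, so the selector discards them and they cannot inflate scores; and a document with no selected features at all scores exactly 5.0, the midpoint, which is why a policy built on a VML profile still needs a deliberate threshold rather than a "greater than zero" rule.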

Page 15

Vector Machine Learning: Demo

• Review Training Sets
• Configure Profile
• Train and Accept Profile
• Add Profile to Policy

Page 16

Network Prevent for Email + VML

Page 17

Network Prevent for Email + VML (diagram)

Diagram labels: Corporate LAN (End Users, Email Server, MTA); DMZ (Network Prevent (Email)); Internet.

1. End user sends email
2. Email forwarded to MTA
3. MTA routes email to Prevent
4. Email inspected, then blocked or modified if in violation of policy
5. Prevent sends email back to MTA
6. If email is unmodified, MTA sends it downstream. If header is modified, MTA takes appropriate action (typically, rerouting).

The above diagram is for reflecting mode.

Page 18

Network Prevent for Email: Demo

• Send email with legal attachment (non-Medicaid-related)
• Send email with Medicaid-related legal attachment
• Review email notifications
• Review incident snapshot and send manager notification

Page 19

Endpoint Prevent + VML

Page 20

Endpoint Prevent + VML (diagram)

Diagram labels: Corporate LAN; End Users; Endpoint Server (Endpoint Prevent); Disconnected.

1. Agent inspects files/data to internal drives, USB, CD/DVD, supported email clients / IM clients / browsers, FTP, print/fax, clipboard, and network shares (Windows Explorer only)
2. Agent sends incident data to Endpoint Server
3. Any blocking, onscreen notification, or FlexResponse rules are initiated locally

Disconnected: Agent functions when disconnected and stores incident data

Page 21

Endpoint Prevent: Demo

• Copy non-Medicaid-related file to USB
• Copy Medicaid-related file to USB

Page 22

DLP for Tablets and VML

Page 23

DLP for Tablets: Overview

Symantec DLP for Tablets™ is tightly integrated with Symantec DLP Suite:
• Common, advanced technologies for detecting confidential information
• Consistent application of DLP policy, and
• Seamless, integrated reporting & analytics

• Works over Wi-Fi and 3G
• Enables full use & productivity of the device. Our approach does NOT
  – Require a restrictive “sandbox” approach, or
  – Break business processes by restricting what data can go to the iPad

Diagram labels: Comprehensive Coverage (Corporate Email, Personal Email, Cloud Apps, Social Media); Lowest TCO; Most User Friendly.

Page 24

Data Loss Prevention for Tablets: Architecture (diagram)

Diagram labels: Tablet Network Traffic (Email, Web, Popular Apps); VPN at all times; Proxy; Symantec Data Loss Prevention Tablet Prevent Server; Corporate Network; Internet; Direct access to Internet.

Key Benefits
• Reduce risk of data loss from iPads, while giving users access to sensitive data
• Supports consumerization - coverage for personal and corporate use cases

Page 25

Mobile Device Management + DLP for Tablets

• MDM not required, but it delivers VPN profile and may optionally enforce VPN profile
• MDM solution needs ability to:
  – Set VPN profile
  – Push certificates. Certificates required for DLP:
    • User certificate (for VPN authentication)
    • Proxy root certificate (to be added to iPad’s list of trusted certs)
  – Prevent tampering with VPN profile setting (optional)
  – Enforce remediation/action if the user turns off VPN (optional)

Page 26

Symantec Mobile Management (Optional)

• Symantec Mobile Management (SMM) enforces VPN settings. It is optional.
  – Symantec Mobile Management 7.1 SP1 (DLP release) can be configured to monitor and alert if the user attempts to shut off VPN – this is not done by most MDM solutions

Page 27

DLP for Tablets: Demo

• Dropbox
• FTP
• Facebook
• Twitter
• Incident Review

Page 28

DLP for Tablets: Benefits

• Balances protection with usability: Reduce data loss risk, preserve access to confidential data
• Supports consumerization: Coverage for personal and corporate use cases
• Preserves iPad app performance: Common apps work as expected
• Works with any Mobile Device Management (MDM) solution: Customer uses their preferred solution

Page 29

Summary

• Vector Machine Learning (VML) lets you detect confidential documents that proliferate across the enterprise.
• DLP for Tablets extends coverage, providing the DLP suite’s excellent policy and reporting features for iPad security.

Page 30

Q & A

Page 31

Thank you!

Ernie Simmons, Tory Gilbert
IIP Technical Field Enablement
[email protected] [email protected]

SYMANTEC PROPRIETARY/CONFIDENTIAL – INTERNAL USE ONLY Copyright © 2012 Symantec Corporation. All rights reserved.