Symantec DLP: Detection Innovation and Expanded Coverage
Ernie Simmons, Tory Gilbert IIP Technical Field Enablement
DLP: Detection Innovation and Expanded Coverage
SYMANTEC VISION 2012
Topics
• DLP and Detection Overview
• Vector Machine Learning (VML)
• Email Prevent and VML
• Endpoint Prevent and VML
• DLP for Tablets and VML
• Summary
DLP and Detection Overview
Data Loss Prevention Threat Coverage
Diagram: a DLP policy drives Monitoring & Prevention and Discovery & Protection across these channels and repositories: USB/CD/DVD, stored data, instant message, FTP, SharePoint / Lotus Notes / Exchange, databases, file servers, print/fax, webmail, web servers, untrusted networks. DLP for Tablets: new in V11.5.
Data Loss Policies
Data Loss Policy – build from scratch or from 60+ policy templates
Detection Rules
• Described Data (DCM) – keywords, data identifiers, regular expressions, file type
• Fingerprinted Data
  – Structured data (EDM)
  – Unstructured data (IDM)
• Vector Machine Learning (introduced in V11.1)
• Group-based rules (AD user groups, senders/recipients)
• Additional detection features
  – Match count threshold
  – Boolean logic (and/or/if)
  – Exceptions
Response Rules
• Notification – by email, onscreen notification, marker file, syslog alert
• Blocking – SMTP, HTTP/S, FTP, IM, USB/CD/DVD, Print/fax, Copy/paste
• File Copy or Quarantine – for Network Discover (quarantine also for Endpoint Discover)
• Modification (SMTP) – for conditional encryption, for example
• FlexResponse (Storage, Endpoint) – API for custom responses, such as applying digital rights, encrypting files in place, and so on
Detection Innovation and Expanded Coverage
• Vector Machine Learning
– Lets you detect confidential documents that can proliferate across the enterprise. Such documents often are difficult to fingerprint or describe.
• DLP for Tablets
– Extends DLP coverage, providing the DLP suite’s robust policy and reporting features for iPad security.
Vector Machine Learning (VML)
Vector Machine Learning: Overview
Challenges of detecting unstructured data with keywords or IDM:
• How to identify relevant keywords?
• How to tune policies?
• What if I can’t access all confidential docs?
• How do I account for new docs?
Symantec Proprietary & Confidential - This information is not a commitment, promise or legal obligation to deliver any material, code or functionality
Vector Machine Learning: Overview (cont’d)
The solution – machine learning, alongside keywords and IDM:
• Automates policy creation using sample docs
• Improves accuracy with remediation
• Detects new or similar content
Top VML Use Cases
• Improve accuracy for PII policies by using VML to tune out certain categories of data
• Create highly accurate policies around Source Code – wherever it resides
• Detect Insurance Claim Forms that reside outside the grasp of IT Security
• Automatically create policies based on VML feature extraction
VML: Definition and Uses
• VML detects unstructured data by determining whether analyzed content is similar to docs in a training set (collection of example documents). VML represents a third type of detection – learning – in addition to describing (DCM) and fingerprinting (EDM / IDM).
• When to use:
  – Yes: unstructured and textual; data set highly distributed, difficult to collect; very difficult to describe
  – No: unstructured and binary; data set centralized and/or small; easy to describe
VML: Example Data
• Source code – Protect proprietary source code for a product, trading models, or actuarial algorithms
• Reports and forms – Monthly or weekly sales reports, loan applications, and resumes
• Legal contracts – Licensing, partnerships, and sales agreements
• HIPAA and HITECH – Patient Health Information in the form of insurance claims, billing and procedure codes, emails to patients
• ITAR (International Traffic in Arms Regulations) – Intellectual Property and unstructured data that may be restricted
VML: Selecting Sample Docs (Training Sets)
• Positive Training Set – represents the narrow category (e.g., Endpoint DLP source code)
• Negative Training Set – represents related broader categories (e.g., open source C++ code or Endpoint DLP API Guides)
• Both training sets: stored on the Enforce host, minimum 50 docs each (minimum 250 recommended), roughly the same size, docs in a ZIP (recommended), no docs >30 MB.
VML: How It Works
Diagram:
• Training: positive examples (+) and negative examples (–) are used to select features, generate the model, and calculate accuracy; the result is a profile.
• Detection: analyzed content (?) is compared against the profile and given a similarity score from 0.0 through 10.0.
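The two slides above (selecting positive and negative training sets, then feature selection, model generation, accuracy calculation and a 0.0 through 10.0 similarity score at detection time) as an added Python illustration that is not Symantec's code or algorithm: it uses a plain log-odds bag-of-words model, constructed sample documents standing in for the "Endpoint DLP source code" versus "open source C++" example, and an assumed 5.0 threshold.

```python
import math
import re
from collections import Counter
# Crude feature extraction: lowercase word tokens, so "dlp_agent_scan" yields "dlp", "agent", "scan".
TOKEN = re.compile(r"[a-z][a-z0-9]+")
# Constructed training sets standing in for the deck's example: Endpoint DLP source code (narrow, positive) vs open source C++ (broader, negative).
POSITIVE = [
    "int dlp_agent_scan(const char *path) { return policy_match(path, ENDPOINT_POLICY); }",
    "void endpoint_policy_load(struct dlp_agent *a) { a->policy = parse_policy(POLICY_DB); }",
    "static int fingerprint_block(struct dlp_agent *a, const char *data) { return idm_match(a, data); }",
    "bool incident_report(struct dlp_agent *a, int policy_id) { return send_incident(a->server, policy_id); }",
]
NEGATIVE = [
    "#include <vector>\nint main() { std::vector<int> v; v.push_back(1); return 0; }",
    "template <typename T> T max(T a, T b) { return a > b ? a : b; }",
    "class Shape { public: virtual double area() const = 0; };",
    '#include <iostream>\nint main() { std::cout << "hello" << std::endl; return 0; }',
]

def features(doc):
    """Select features: a bag of the document's tokens with their counts."""
    return Counter(TOKEN.findall(doc.lower()))

def train(positive, negative):
    """Generate the model (the profile): each feature weighted by its add-one-smoothed log-odds of being positive rather than negative."""
    pos, neg = Counter(), Counter()
    for d in positive:
        pos.update(features(d))
    for d in negative:
        neg.update(features(d))
    vocab = set(pos) | set(neg)
    n_pos, n_neg = sum(pos.values()) + len(vocab), sum(neg.values()) + len(vocab)
    return {w: math.log(((pos[w] + 1) / n_pos) / ((neg[w] + 1) / n_neg)) for w in vocab}

def similarity(profile, doc):
    """Detection: squash the mean per-token log-odds onto the deck's 0.0-10.0 scale.
    5.0 means no evidence either way; tokens absent from the profile contribute nothing."""
    f = features(doc)
    n = sum(f.values())
    if n == 0:
        return 0.0
    evidence = sum(profile.get(w, 0.0) * c for w, c in f.items()) / n
    return round(10.0 / (1.0 + math.exp(-evidence)), 2)

def accuracy(profile, positive, negative, threshold=5.0):
    """Calculate accuracy: share of labelled docs on the right side of the (assumed) threshold.
    Score held-out docs rather than the training docs for an honest number."""
    hits = sum(similarity(profile, d) > threshold for d in positive)
    hits += sum(similarity(profile, d) <= threshold for d in negative)
    return hits / (len(positive) + len(negative))
```

Tuning the threshold against held-out documents is where the "improves accuracy with remediation" step from the overview slide would feed back: false positives and negatives become new negative or positive examples and the profile is retrained.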
Vector Machine Learning: Demo
• Review Training Sets
• Configure Profile
• Train and Accept Profile
• Add Profile to Policy
Network Prevent for Email + VML
Network Prevent for Email + VML
Diagram: Network Prevent (Email) sits in the DMZ; the MTA, email server and end users are on the corporate LAN; the Internet lies beyond the DMZ. Flow (reflecting mode):
1. End user sends email.
2. Email forwarded to MTA.
3. MTA routes email to Prevent.
4. Email inspected, then blocked or modified if in violation of policy.
5. Prevent sends email back to MTA.
6. If email is unmodified, MTA sends it downstream. If header is modified, MTA takes appropriate action (typically, rerouting).
The above diagram is for reflecting mode.
Network Prevent for Email: Demo
• Send email with legal attachment (non-Medicaid-related)
• Send email with Medicaid-related legal attachment
• Review email notifications
• Review incident snapshot and send manager notification
Endpoint Prevent + VML
Endpoint Prevent + VML
Diagram (end users on the corporate LAN, with the Endpoint Server (Endpoint Prevent)):
1. Agent inspects files/data to internal drives, USB, CD/DVD, supported email clients / IM clients / browsers, FTP, print/fax, clipboard, and network shares (Windows Explorer only).
2. Agent sends incident data to Endpoint Server.
3. Any blocking, onscreen notification, or FlexResponse rules are initiated locally.
Disconnected: the agent functions when disconnected and stores incident data.
Endpoint Prevent: Demo
• Copy non-Medicaid-related file to USB
• Copy Medicaid-related file to USB
DLP for Tablets and VML
DLP for Tablets: Overview
Symantec DLP for Tablets™ is tightly integrated with the Symantec DLP Suite:
• Common, advanced technologies for detecting confidential information
• Consistent application of DLP policy, and
• Seamless, integrated reporting & analytics
• Works over Wi-Fi and 3G
• Enables full use & productivity of the device. Our approach does NOT
  – Require a restrictive “sandbox” approach, or
  – Break business processes by restricting what data can go to the iPad
Comprehensive coverage – corporate email, personal email, cloud apps, social media. Lowest TCO. Most user friendly.
Data Loss Prevention for Tablets: Architecture
Diagram components: tablet network traffic (email, web, popular apps); VPN at all times; corporate network; proxy; Symantec Data Loss Prevention Tablet Prevent Server; Internet (direct access to Internet).
Key benefits
• Reduce risk of data loss from iPads, while giving users access to sensitive data
• Supports consumerization – coverage for personal and corporate use cases
Mobile Device Management + DLP for Tablets
• MDM not required, but it delivers VPN profile and may optionally enforce VPN profile
• MDM solution needs ability to:
– Set VPN profile
– Push certificates. Certificates required for DLP:
• User certificate (for VPN authentication)
• Proxy root certificate (to be added to iPad’s list of trusted certs)
– Prevent tampering with VPN profile setting (optional)
– Enforce remediation/action if the user turns off VPN (optional)
Symantec Mobile Management (Optional)
• Symantec Mobile Management (SMM) enforces VPN settings. It is optional.
– Symantec Mobile Management 7.1 SP1 (DLP release) can be configured to monitor and alert if the user attempts to shut off VPN – this is not done by most MDM solutions
DLP for Tablets: Demo
• Dropbox
• FTP
• Incident Review
DLP for Tablets: Benefits
• Balances protection with usability: Reduce data loss risk, preserve access to confidential data
• Supports consumerization: Coverage for personal and corporate use cases
• Preserves iPad app performance: Common apps work as expected
• Works with any Mobile Device Management (MDM) solution: Customer uses their preferred solution
Summary
• Vector Machine Learning (VML) lets you detect confidential documents that proliferate across the enterprise.
• DLP for Tablets extends coverage, providing the DLP suite’s excellent policy and reporting features for iPad security.
Q & A
Thank you!
SYMANTEC PROPRIETARY/CONFIDENTIAL – INTERNAL USE ONLY Copyright © 2012 Symantec Corporation. All rights reserved.
Ernie Simmons, Tory Gilbert
IIP Technical Field Enablement [email protected] [email protected]