2019 Maine Bank Expo Presentation Introduction to Data Loss Prevention (DLP)


Jeff Trudel, Technology Consultant

• 9 years at Systems Engineering

• Expertise

• Senior Engineer Skillset

• Technology Consulting

• Cloud Security

• IT Assessments

• Outsourced CIO


Adrian Wells, Product Specialist

• 11 years at Systems Engineering

• Expertise

• Senior Engineer Skillset

• Microsoft 365

• Microsoft Azure

• Technology Consulting


Get Ahead of IT

Good morning, welcome!

• How many of you have a decent understanding of DLP?

• Who has DLP protections in place currently?

• How many of you are already using the cloud?


Agenda

• DLP Definition

• The Bigger Picture

• Planning and Implementing DLP

• Examples

• Closeout

Questions are welcome!


What is DLP?

• Data ‘Loss’ Prevention or Data ‘Leakage’ Prevention

• DLP is a set of tools and processes used to stop sensitive information from leaving an organization.

• “Sensitive” can mean anything that should be protected.

– Confidential Information

– Intellectual Property (IP)

– Personally Identifiable Information (PII)

– Internal Communications


Data Loss Examples

• Emailing the wrong recipient

• Lost or stolen device

• Phishing, whaling, and social engineering

• Insider threat

• Insecure disposal of paper or electronic storage

• Incorrect configuration or sharing


Digital transformation is driving change

• 41% of employees say mobile business apps change how they work

• 80% of employees use non-approved SaaS apps for work

• 85% of enterprise organizations keep sensitive information in the cloud


The security perimeter has changed

[Figure labels: Identity, Devices, Apps, Data, On-premises]



How much control do you have over data?

OUT OF YOUR CONTROL


How do we do DLP?

• Discover

– What is our sensitive data?

– Where is it stored?

– Who accesses it?

– How do they access it?

• Plan

– Data classifications

– Policies

– Security requirements

– Monitor

• Execute

– Train users

– Implement technology


Example Data Classifications

Private

• Not intended for public consumption

• Accessed by All or Most Users

• Sharing by Users As-Needed

• Examples

– Internal Emails

– Process Documents

– Instant Messaging

Confidential

• May cause harm if released

• Access Restricted / For Cause

• Sharing Requires CISO Approval

• Examples

– Personally Identifiable Information

– Human Resources Data

– Financials

– Intellectual Property (IP)


Example Data Classification Security

Private

– Multi-Factor Authentication Outside the Office

– Storage Encryption

– Trusted Mobile Applications

– Browser Access from Home PCs

– File Server, SaaS Apps, Email, SharePoint & OneDrive for Business

Confidential

– Multi-Factor Authentication Always

– Storage & Data Encryption

– Trusted Mobile Devices

– Corporate-Owned PCs Only

– Specific Folders on File Server, Specific SaaS Apps, Not Email, SharePoint & OneDrive for Business


Example - Microsoft Cloud Security

• Microsoft Intune: Make sure your devices are compliant and secure, while protecting data at the application level

• Azure Active Directory: Ensure only authorized users are granted access to personal data using risk-based conditional access

• Microsoft Cloud App Security: Gain deep visibility, strong controls and enhanced threat protection for data stored in cloud apps

• Azure Information Protection: Classify, label, protect and audit data for persistent security throughout the complete data lifecycle

• Microsoft Advanced Threat Analytics: Detect breaches before they cause damage by identifying abnormal behavior, known malicious attacks and security issues

[Figure labels: Apps, Risk, Device, Location, Conditional Access, Access granted to data, Classify, Label, Audit, Protect]


Protect sensitive data on unmanaged devices

[Figure: flow diagram between USER, Intune and OneDrive for Business; labels listed in the order extracted]

• User is prompted to create a PIN or Biometric

• User edits document stored in OneDrive for Business

• User saves document to…

• User adds business account to OneDrive app

• Intune configures app protection policy

– Copy/Paste/SaveAs controls

– PIN required

– Encrypt storage


Protect sensitive data in cloud apps with AIP & CASB

[Figure labels: USER; Uploaded to public share; Azure Information Protection; CONFIDENTIAL; Encrypted and restricted; Cloud App Security; Identifies document tagged CONFIDENTIAL being shared publicly; Move to quarantine; Admin is notified]


DLP – Policy Tips within E-mail


DLP – Policy Tips with Excel


View the justification submitted by a user for an override


Report on DLP


Lost or stolen device

• Solution in place to manage devices

– MDM or EMM

– Enrolling devices

– Protecting app level data


Phishing, Whaling, and Social Engineering


• Training

– Attack Simulator in Office 365

– Find a service provider to help implement and manage this

• Identity protection

– MFA can help


• Technologies

– SPF, DKIM, and DMARC

– E-mail filtering

• Office 365 Advanced Threat Protection

– Safe Links

– Safe Attachments


Insecure disposal

• Vendor management

• Policy and tech can be used to help

• Enroll devices in an EMM or MDM

• Enforce encryption from the beginning

• Secure destruction services


Incorrect configuration or sharing


Summary

• The way people work is changing; we need to keep up with security

• DLP begins with a holistic approach to security

• Discover and Plan before Executing


Next Steps

• Review your organization’s sensitive data flows and needs

• Review your existing policies and controls

• Engage with a skilled vendor

• Investigate and implement improvements


Thank you

www.syseng.com
