Data Loss – Prevention and Controls Mark Lachniet, Solutions Architect – Analysts International Bret Straffon, PSS Security – Cisco Systems Lansing, MI

Slide 1: Data Loss Prevention and Controls
Mark Lachniet, Solutions Architect, Analysts International
Bret Straffon, PSS Security, Cisco Systems
Lansing, MI, July 15th, 2008

Slide 2: Presentation Overview
This presentation will provide an overview of issues surrounding Data Loss Prevention (DLP) and provide a roadmap for understanding:
- How it impacts YOUR organization
- Regulations and standards (e.g. PCI and GLBA) that address it
- How it is affecting industry and the economy in general
- Some vendor-agnostic approaches to dealing with data loss and breaches
- How Cisco's product line can help you address DLP concerns in a cost-effective and scalable manner
- How Analysts International's expertise and services can help to prevent and recover from incidents
CAVEAT EMPTOR: Many of the topics discussed in this seminar cover legal topics. You should consult your own legal counsel!

Slide 3: Introductions: Mark Lachniet
- Mark Lachniet from Analysts International
- Solutions Architect with Analysts International's security group
- With Analysts International for approximately 8 years
- Previously an I.T. director at a K-12 school district and instructor for Walsh College's NSA-certified Masters in Information Assurance (MSIA) program
- Provides oversight on all security services
- Performs hands-on work in most areas, with a focus on holistic security such as policies and procedures, regulatory compliance, Business Continuity Planning, and technical areas such as forensics, incident response, web application security, etc.
- Member of the International High Technology Crime Investigation Association (HTCIA)
- GIAC Gold Certified Forensic Analyst (GCFA)
- Certified Information Systems Security Professional (CISSP)
- Certified Information Systems Auditor (CISA)

Slide 4: Introductions: Bret Straffon
- Bret Straffon, [email protected]
- Product Sales Specialist, Security Solutions
- With Cisco for approximately 3 years
- Prior to Cisco, spent time at Cybertrust, Open Service, Trend Micro, ISS, and Deloitte and Touche
- Total of 9 years' experience selling security solutions
- BSBA, Management Information Systems, CMU '94

Slide 5: Agenda
- 11:00 am: Sections 0 & 1 (Mark Lachniet) (45 mins)
- 11:45 am: Lunch is distributed (20 mins)
- 12:05 pm: Section 2 (Mark Lachniet) (45 mins)
- 12:50 pm: Section 3 (Cisco) (45 mins)
- 1:35 pm: Section 4 (Mark Lachniet) (20 mins)
- 1:55 pm: Q&A (all) (5 minutes or as needed)

Slide 6: Section 1: Data Loss Overview
Mark Lachniet, Solutions Architect, Analysts International, Lansing, MI, July 15th, 2008

Slide 7: Overview of Data Loss Prevention
- There have been hundreds of significant breaches in the last few years, and public (as well as legislative) attention is now on the problem, so it will only get more important over time
- Failure to control data leakage has very public and painful ramifications (bad press, plummeting stock prices, fees and penalties, lawsuits, regulatory non-compliance, etc.)
- We must be concerned about controlling our sensitive data throughout its entire life-cycle (from creation to destruction)
- History has shown that being out in front of, and prepared for, upcoming (and inevitable) trends such as data breach disclosure laws is more cost-effective than a late response

Slide 8: Types of Data To Protect
- The type of data you need to protect will obviously depend upon your industry, and some are more susceptible than others
- Personally Identifiable Information (PII) such as addresses, phone numbers, etc.
- Personal Financial Information (PFI) such as account numbers and balances, purchasing history, credit card information
- Personal Health Information (PHI), including personal health records, billing, etc. Covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Internal secrets (marketing, payroll, passwords, etc.)

Slide 9: The Pain of a Breach
If you have a breach, the impact could be significant, possibly even going out of business:
- Loss of stakeholder confidence (the public, customers, investors, partners, etc.)
- Lost productivity (inability to work, servers down, people re-assigned for clean-up, data recovery costs)
- Fees for not meeting Service Level Agreements (e.g. in manufacturing industries)
- Costs associated with notification (sending "oops" letters, staffing a toll-free information line, providing credit counseling to victims, etc.)
- Internal and external consultant costs
- Blackmail and extortion attempts
- Submitting to mandatory audits

Slide 10: The Pain of a Breach: Examples
8 August 2002: Microsoft and FTC Reach Passport Privacy and Security Settlement. A Federal Trade Commission (FTC) investigation found that Microsoft misrepresented both the level of security provided and the amount of data collected by its Passport services. As part of a settlement with the government, Microsoft will refrain from making false claims about the information it collects and will submit to an independent audit of its security program every two years. Microsoft could face fines of $11,000 a day if it fails to comply with the agreement.
ChoicePoint: In January 2006, consumer data provider ChoicePoint Inc. agreed to pay $15 million to settle FTC charges that its security and record-handling procedures violated consumers' privacy rights when thieves breached its database.

Slide 11: The Pain of a Breach: Examples
T.J. Maxx Parent Company Data Theft Is The Worst Ever: The intrusion hands the retailer the dubious honor of surpassing the 40 million stolen customer records mark, something that only CardSystems had been able to achieve. TJX later settled Visa's charges against it for $41 million in November 2007, and paid an undisclosed amount to settle a group of lawsuits brought against it by Massachusetts-based banks in December 2007. The FTC ordered TJX to designate an individual responsible for information security, identify risks to personal data, deploy safeguards to mitigate that risk, work out agreements with service providers that handle customer data, and evaluate and adjust its security program to meet operational changes. In addition, TJX must submit to a third-party audit of its security program every two years for the next two decades.

Slide 12: The Pain of a Breach: Examples
EggHead.com:
- 3.7 million customer records were stolen (including mine)
- End consumers were covered; we just had to fill out a form for the credit card company, and would have only been liable for $50 max
- However, it was necessary for consumers to actually identify and contest the charges
- Egghead actually informed customers (this was before this was a common practice) and hence was able to keep some stakeholder confidence
- Credit card companies were not happy; they had to re-issue cards and sued Egghead for costs
- Egghead was apparently forced out of business due to these lawsuits from the credit card companies
- Eventually re-branded as newegg.com, a company which I actually purchase from (can lightning strike twice?)

Slide 13: Other Penalties for Breaches
In addition, there may be other types of damages for failure to maintain good security and/or alert victims:
- By law: In the State of New York, can be fined $10 per instance of failed notification, not to exceed $150,000. Many other states have similar fines on the books, and more and more states are passing breach notification laws. See http://www.csoonline.com/article/221322 for an interactive map. At a federal level, the FTC or SEC may step in.
- By civil suit: ChoicePoint: $10 million in civil penalties and $5 million in consumer redress to settle Federal Trade Commission charges
- Disciplinary action: Lose job or vacation time. An Ohio Department of Administrative Services employee lost a week of vacation!

Slide 14: States with Breach Laws
From: http://www.csoonline.com/article/221322
- 38 states have them as of February 12, 2008
- Interesting note: In many cases, if the lost data was in an encrypted format, you may not have to make a disclosure, due to "safe harbor" provisions

Slide 15: What Happens to that Lost Data???
- A lot of times, nothing; the tape or laptop was lost or stolen, and never heard of again. No direct impact was known (but they still had to report it)
- In some cases, it may be used for identity theft, which is a real problem, but in many cases, it is sold on the black market
- Computer crime is now within the domain of organized crime such as the Russian Business Network
- There is an entire community and hierarchy of traffickers

Slide 16: The Lucrative World of Malware and Bot Herding
People are making money! Millions of dollars! There are entire economies based on computer crime:
- Hackers: Produce new exploits in common software and sell the 0-day exploits to Bot Herders
- Bot Herders: Use the new exploits to distribute malware to end users. These are used for Denial of Service extortion, spamming, stealing network or PII information, click advertisement abuse, etc. They sell their harvested information to criminals.
- Criminals: Use their obtained credit card and bank account information to perpetuate financial crimes and pay for further development
- Finding ways to identify, control and remove malware (especially unidentified malware) is a boom market
- Limiting exposure (for example through good system security and products such as Cisco's IronPort appliances) can minimize this risk

Slide 17: Malicious Code Threats (2007)
One very real problem is that there is a proliferation of malware, and Anti-Virus simply cannot keep up with all the new versions

Slide 18: The Value of Information (2007)
(chart only)

Slide 19: The List Not to Be On: attrition.org
- Attrition.org used to maintain a list of hacked organizations, but they were unable to keep up
- Now they are focusing on data breaches; see: http://attrition.org/dataloss/

Slide 20: Attrition.org, March of 2008 (1 month)
- Baltimore Highway Administration [2008-04-25] (Employee information for about 1,800 accidentally exposed on internal server)
- Child Assessment Service, Tuen Mun Centre [2008-04-25] (Medical data and identity on 700 children exposed)
- University of Colorado at Boulder [2008-04-25] (Names, addresses, and Social Security numbers of about 9,500 on compromised server)
- WiseBuys [2008-04-25] (Hundreds of credit and debit card numbers reported stolen)
- Coos County Oregon [2008-04-24] (Nearly 500 Social Security numbers and personal information reported on stolen laptop)
- Chrysler Financial [2008-04-23] (Data tape lost in transit contained personal information)
- Southern Connecticut State University [2008-04-23] (11,000 students and alumni exposed on website)
- University of Texas Health Science Center [2008-04-23] (Social Security numbers available on about 2,000 billing envelopes)

Slide 21: Attrition.org, March of 2008 (1 month)
- CollegeInvest [2008-04-22] (Lost hard drive exposes 200,000 customers during office relocation)
- University of Massachusetts [2008-04-22] (Hackers breach system accessing thousands of medical records)
- Boots Dental Plan [2008-04-22] (Account details of 34,000 stolen from courier)
- LendingTree [2008-04-22] (Social Security numbers, names, addresses, and other personal information inappropriately accessed)
- Bank of Ireland [2008-04-22] (Account information, addresses, and medical information of 10,000 on stolen laptops)
- Central Collection Bureau [2008-04-19] (Social Security numbers and names of 700,000 on stolen server)
- University of Miami [2008-04-17] (Stolen tapes containing names, addresses, and medical records of 2.1 million patients)

Slide 22: Attrition.org, March of 2008 (1 month)
- Connecticut State University System / Buffalo State / Northwest Missouri State University [2008-04-17] (Stolen laptop contains names and Social Security numbers of 20,500 students)
- University of Virginia [2008-04-16] (Social Security numbers and names of over 7,000 on stolen laptop)
- Stokes County High Schools [2008-04-14] (Stolen computer exposes 800 student names and Social Security numbers)
- University of Toledo [2008-04-13] (Name, address, and Social Security numbers for 6,488 exposed on internal server)
- West Seneca School District [2008-04-12] (Students hack school district computer system; 1,800 employees notified)
- Bowdoin College [2008-04-11] (Student Social Security numbers, names, addresses, insurance information left exposed on server)

Slide 23: Attrition.org, March of 2008 (1 month)
- New York-Presbyterian Hospital/Weill Cornell Medical Center [2008-04-11] (Names, phone numbers and some Social Security numbers of 40,000 stolen by employee)
- Joliet West High School [2008-04-10] (Names and Social Security numbers of "about every student enrolled" accessed)
- Wellcare [2008-04-08] (71,000 insurance records including Social Security numbers exposed on internet)
- WellPoint [2008-04-08] (Social Security numbers and medical information for about 128,000 exposed on internet)
- Pfizer [2008-04-07] (Stolen laptop contains names and credit card numbers of about 800)
- University of California, Irvine [2008-04-04] (Up to 7,000 affected; very few details available)
- Okemo Mountain Resort [2008-04-01] (Computer network breach exposes tens of thousands of credit card transactions)

Slide 24: Managing the Societal Impact of High-Tech Crime
- And those were only the incidents that were reported, and for which someone bothered to make an entry in the database
- Obviously, this is a problem that is costly both to the people affected and to the economy in general. Computer Economics estimates $13 billion world-wide in 2006, and it's getting worse
- To mitigate this, government (through regulations and laws) and industries (through self-regulation) are starting to develop standards and controls
- Some standards are proactive, some reactive
- We will discuss a couple: the Payment Card Industry (PCI) and the Gramm-Leach-Bliley Act (GLBA)

Slide 25: The Payment Card Industry (PCI)
- A consortium of credit card companies including Visa and Mastercard
- Has implemented the PCI Data Security Standard (PCI DSS)
- This affects anyone who stores or processes credit card information, though there are different categories: https://www.pcisecuritystandards.org/pdfs/instructions_guidelines_v1-1.pdf
- "According to payment brand rules, all merchants and service providers are required to comply with the PCI Data Security Standard in its entirety."

Slide 26: The Payment Card Industry (PCI)
- There are numerous requirements as part of the PCI standard: https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf
- These are partially based on what type of data you process or store, namely the Primary Account Number (which means you must comply)
- There are some items that you can never store:

Slide 27: PCI Requirements: The Big 12
- Cisco ASA firewalls are a well-accepted way to meet Requirement #1
- Use of IPSEC VPN (e.g. in ASA and ISR routers) can meet Requirement #4
- Use of Cisco's CSA agent can help meet Requirements #3 and #6
- A well-designed network and regular security assessments can also help to meet Requirement #6

Slide 28: PCI Requirements: The Big 12
- Cisco's MARS appliance can help to meet Requirement #10
- Regular vulnerability assessments (e.g. Analysts' ISAS, OSAS and WASA services) can help address Requirement #11
- Analysts' policy development services can help to address Requirement #12
- OF COURSE, a mature and well-run organization with proper practices and procedures is the essential glue that pulls together all of the external products and services, and is without a doubt the MOST important part

Slide 29: The Gramm-Leach-Bliley Act (GLBA)
Includes three primary components:
- The Financial Privacy Rule governs the collection and disclosure of customers' personal financial information by financial institutions.
  It also applies to companies, whether or not they are financial institutions, who receive such information.
- The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. The Safeguards Rule applies not only to financial institutions that collect information from their own customers, but also to financial institutions "such as credit reporting agencies" that receive customer information from other financial institutions.
- The Pretexting provisions of the GLB Act protect consumers from individuals and companies that obtain their personal financial information under false pretenses, a practice known as "pretexting."

Slide 30: The GLBA Privacy Rule (313)
- Is primarily concerned with how you process and use information, and most notably that organizations have implemented a privacy policy and protection plan
- Past analysis by Analysts International has identified several specific provisions as part of our Security Needs Analysis Service (but you should consult your own legal counsel before accepting these as gospel):
  - A formal information privacy policy has been created
  - The information privacy policy is regularly communicated to internal and external stakeholders
  - The privacy policy includes an inventory of existing data collection practices
  - The privacy policy makes a distinction between Consumers (e.g. any NON-individual seeking a financial product or service) and a Customer (e.g. any individual with an established relationship)

Slide 31: The GLBA Protection Rule (314)
Is concerned with how you protect sensitive data:
- Encrypt the data
- Properly dispose of it (and require outsourced service providers to do so as well)
- Have a formal incident response plan to detect and respond to threats
- Have a formal risk assessment program in place, and someone designated to maintain it
- A formal administrator termination process is used to remove all access rights from former employees
- Safeguards are regularly monitored and tested

Slide 32: Summary: Data Loss Prevention
- Data disclosures are bad, and getting worse
- It is difficult to identify requirements, to whom and how they apply, and how to address them in a cost-effective manner
- It is difficult to manage and monitor large I.T. infrastructures; products are needed
- Expertise in security and regulatory compliance is difficult to come by, and Subject Matter Experts are expensive to hire, train and keep on staff
- A high level of organizational maturity is required to pass audits, let alone truly comply with the spirit of the laws

Slide 33: Section 2: Threat Vectors and Internal Controls
Mark Lachniet, Solutions Architect, Analysts International, Lansing, MI, July 15th, 2008

Slide 34: Data Loss Threat Vectors and Controls
- Many controls are best done internally, such as creating a formal I.T. security management framework, or identifying the type of data you need to protect
- Some controls are most efficient when automated with products, for example aggregating logs from a large number of systems and analyzing them for incidents
- Some controls require significant security expertise, or require third-party independence, such as doing security audits, and may need to be outsourced for cost reasons
- In the next section, we will discuss a number of threats (though not a complete list) that pertain to DLP and propose some appropriate controls that can be done internally, with Cisco products, or with Analysts' services

Slides 35 to 43 (title slides):
- Slide 35: Intentional Misconduct by Insiders
- Slide 36: Misconduct by Partners, Service Providers and Clients
- Slide 37: Conventional Hack Attacks
- Slide 38: Targeted Attacks
- Slide 39: Contracted Malware
- Slide 40: Stolen or Lost Data
- Slide 41: Awareness of Sensitive Data
- Slide 42: Not Prepared for a Breach
- Slide 43: Limited Budget and Resources

Slide 44: Encourage Maturity In Operations
- In general, the more organized you are, the better your security will be, the less likely you are to suffer a breach, and the less expensive I.T. will be to the organization!
- Consider adopting the ITIL standards in areas such as documentation, change control, etc.
- Also formally define your security policies, expectations, procedures (e.g. server hardening, application development, database security, remote access, etc.)
- Consider the Capability Maturity Model: where are you on security?

Slide 45: Manage Employees
- Do regular background checks of applicants
- Have strong, documented linkages between H.R. and I.T.
- Require sign-off on Acceptable Use Policies (AUP) and Non-Disclosure Agreements (NDA)
- Provide training and awareness on security issues, recommended at 1 week/year per I.T. employee, less for end users
- Regularly monitor employee activity

Slide 46: Formalize Risk Management
I.T. Risk Management should be a formal process in your organization. Consider creating a workgroup tasked with managing security that is responsible for:
- Promoting awareness of Information Security issues within the organization
- Identifying and managing strategic, operational and financial I.T. risks
- Identifying and managing I.T. regulatory compliance requirements and controls
- Identifying security needs, budgetary and staffing requirements, etc.
- Acting as an interface to other departments within the organization to provide guidance and assistance on information security issues

Slide 47: Create an Information Classification System
- Identify the types of critical data you have in use through self-assessments, interviews, external audits
- Classify this data into some logical but maintainable types
- Determine how each of these categories must be handled from creation to disposal:
  - Physical Storage: Locked rooms, clean desk policies
  - Logical Storage: Approved file shares, encrypted tape / USB flash, on encrypted hard drives if taken outside of the organization
  - Disclosure: Who is allowed to have the information? Is it on a need-to-know basis?
  - Destruction: Must it be shredded? Completely wiped before resale?

Slide 48: Create an Incident Response Plan
Have a formal plan, that people are aware of and can use, on how to respond to an incident. Consider items such as:
- How will you identify a breach?
- What is the appropriate response, based on the type of information?
- What information will you record about the incident?
- Who is allowed to talk to whom?
- What types of incidents will require an "oops" letter to go out? Who makes the call on this?
- Will you have to file a Suspicious Activity Report (SAR) with an oversight agency?

Slide 49: Forensic Readiness
Forensic readiness is related to incident response, but focuses on taking steps to accumulate forensic data before an incident happens:
- Do you have log files from all of your network devices? Servers? Would they be available if the device was wiped?
- Do you have the ability to do log analysis with software such as Sawmill on an ad-hoc basis for data mining?
- Do you have processes, procedures and tools to analyze and preserve data?
- Do you know who to call if you are out of your depth? Do you have legal help?
- Are you covering your data retention requirements?

Slide 50: Privacy Policy
- Do you have a written privacy policy?
- Does it match the regulatory requirements that you may be subject to?
- Does it align with your information classification and incident response procedures?
- Has your lawyer reviewed it?

Slide 51: Section 3: Managing Data Loss: Cisco Solutions
Bret Straffon, [email protected], PSS Security, Lansing, MI, July 15th, 2008

Slide 52: IronPort Gateway Security Products
(Diagram: the Internet feeding the EMAIL Security Appliance, WEB Security Appliance and Security MANAGEMENT Appliance, backed by IronPort SenderBase)

Slide 53: IronPort Gateway Solutions
E-Mail Security (C-Series):
- Protection from External Attacks: Spam, Virus, Denial of Service, Phishing, Directory Harvesting, Misdirected Bounces
- Protection of Internal Property: Compliance, Data Leakage, Encryption, Brand Protection, Email Authentication
Web Security (S-Series):
- Control Web Traffic: High-performance web proxy; Web Policy & URL Filtering; Fully integrated complete content inspection; L4 traffic monitor protects all network ports
- Protect from Web Threats: Adware, Virus, Phishing, Browser Hijackers, Keyloggers, Trojans and more

Slide 54: Data Loss Prevention Deployment: IronPort Reduces Complexity
(Diagram. Before IronPort: Internet, Firewall, then separate Anti-Spam, Anti-Virus, Policy Enforcement, Mail Routing, Encryption Platform, MTA, DLP Scanner and DLP Policy Manager components in front of Groupware and Users. After IronPort: Internet, Firewall, IronPort Email Security Appliance, Groupware, Users.)

Slide 55: The IronPort SenderBase Network: Global Reach Yields Benchmark Accuracy
- 30B+ queries daily
- 150+ Email and Web parameters
- 25% of the World's Traffic
- Sources: Cisco Network Devices, IronPort EMAIL Security Appliances, IronPort WEB Security Appliances
IronPort SenderBase Combines Email & Web Traffic Analysis:
- View into both email & Web traffic dramatically improves detection
- 80% of spam contains URLs
- Email is a key distribution vector for Web-based malware
- Malware is a key distribution vector for Spam zombie infections

Slide 56: IronPort Reputation Filters: Dell Case Study
MAILBOXES PROTECTED: 100,000+
"IronPort has increased the quality and reliability of our network operations, while reducing our costs." Tim Helmstetter, Manager, Global Collaborative Systems Engineering and Service Management, DELL CORPORATION
Dell's challenge:
- Dell currently receives 26 million messages per day
- Only 1.5 million are legitimate messages
- 68 existing gateways running SpamAssassin were not accurate
IronPort's solution:
- IronPort Reputation Filters block over 19 million messages per day
- 5.5 million messages per day scanned by IronPort Anti-Spam
- Replaced 68 servers with 8 IronPort appliances
- Accuracy of spam filtering increased 10x
- Servers consolidated by 70%
- Operating costs reduced by 75%

Slide 57: IronPort Email Encryption: The Easiest Path to Protecting Confidential Email
- Universal Reach: send to any email user
- Auditable Policy Enforcement: content scanning at the gateway drives encryption; does not rely on or require user action
- Easiest to use: transparent to sender; no client software for sender or receiver, no certificates needed
- Easiest to Deploy and Manage: no client software; hosted key management infrastructure
(Recipient flow: Receive email, Enter password, View secure message)

Slide 58: Data Loss Prevention Foundation: Integrated Scanning
Outbound mail from Users is scanned at the gateway with Weighted Content Dictionaries, Compliance Dictionaries, Custom Content Filters, Smart Identifiers and Attachment Scanning. Integrated Scanning Makes DLP Deployments Quick & Easy.

Slide 59: Data Loss Prevention Foundation: Integrated Remediation
Outbound mail from Users can be remediated by Quarantine, Notification, Reporting or Encryption. Integrated Remediation Eases Work Flow Burden.

Slide 60: How It Works: Recipient Experience
(Screens: Notification, Envelope)

Slide 61: Business Class Email: Enhanced Visibility and Control
- Guaranteed Read Receipt
- Guaranteed Recall

Slide 62: IronPort Email Security Manager
Single view of policies for the entire organization, e.g.: Identify & Encrypt POs; Archive all mail; Encrypt mail with Outside Counsel; Encrypt New Passwords. Categories: by Domain, Username, or LDAP (e.g. IT, SALES, LEGAL).
"IronPort Email Security Manager serves as a single, versatile dashboard to manage all the services on the appliance." PC Magazine

Slide 63: Regulatory Compliance
IronPort: Compliance Dictionaries; Smart Identifiers; Encryption (Message Based & TLS); Pre-Defined Filters; IM, Skype, P2P

Slide 64: Acceptable Use
IronPort: Custom Filter Creation; AUP Dictionaries; URL Filtering / Webmail Control; Granular Policy Management

Slide 65: Intellectual Property Protection
IronPort: Data Leakage Dictionaries; Custom Filter Creation; Remediation: Notification, Quarantine, Reporting

Slide 66: CA Dept. of Alcohol & Drug Programs: Data Loss Prevention via IronPort's Email Security Appliances
ADP's Challenge:
- State-mandated outbound content filtering
- Encryption to meet HIPAA and similar regulations
- Prevent accidental disclosures of state data, including patient records and SSNs
- Secure messaging with outside partners
- Other needs: phishing protection, easy message retention, improved system management
The IronPort Solution:
- IronPort C-Series email security appliance
- Email Encryption Envelope Server, IronPort Anti-Spam, IronPort Virus Outbreak Filters, Sophos Anti-virus
IronPort Results:
- Rapid deployment of Data Loss Prevention technology
- Ensures compliance with state and federal laws
- "Set and forget" management; little to no administrative intervention
- Industry-leading anti-spam and anti-virus protection at the network perimeter, providing a first line of defense for Exchange servers
"The selection of the IronPort email and encryption system fulfilled the need for a secure electronic messaging system as the department requires a secure transmission method to meet HIPAA guidelines as well as other administrative requirements..." Gary Hummel, CISSP, Information Security Officer, Dept. of Alcohol & Drug Programs

Slide 67: IronPort Encryption Use Cases
- Government: Tax forms; Land registry; Defense procurement; Benefit statements
- Health Care: Patient Appointments; Invoices; Prescriptions; Treatment plans; Benefit statements; Test results
- Pharmaceutical: Drug research collaboration; Test results; FDA Submissions
- Legal: Contracts; Patents; Attorney-Client Privilege
- IT: Password seeding; Live password resets; Voicemail transcription
- HR: Benefits statements; Offer / pay letters; Stock option grants; Time cards; Pay slips
- Marketing: Product roadmaps; Price lists; Promotion codes
- Engineering / R&D: Design collaboration; Patents
- Financial Services: Trade Confirmations; Broker/Agent Networks; Insurance Policies; Bank Statements; Credit Card Statements; Account Service Requests; Loan/Account Applications
- General Operations / Finance: Order confirmations; Invoices; Purchase Orders; Payment details; PCI Compliance
- Sales: Quotes; Product Presentations
- Business Development: M&A discussions; Deal negotiation
Copyright 2000-2007 Cisco Systems, Inc. All rights reserved. IronPort, the IronPort logo and SenderBase are registered trademarks of Cisco Systems, Inc. All other trademarks are the property of Cisco Systems, Inc. or their respective owners. While every effort is made to ensure the information given is accurate, Cisco does not accept liability for any errors or mistakes which may arise. Specifications and other information in this document may be subject to change without notice.
Slide 68: IronPort Security Appliances: Integrated Security Appliances For The Network Perimeter
- IronPort S-Series WEB SECURITY APPLIANCE: L4 traffic monitor inspects all traffic; Web reputation for preventive filtering; Integrated complete content inspection; Data Loss Prevention
- IronPort C-Series EMAIL SECURITY APPLIANCE: Multi-Layer Spam Protection; Industry-Leading Virus Protection; Data Loss Prevention; Unmatched Performance

Slide 69: Cisco Data Loss Prevention Portfolio: Extend the value of your investment, leverage functionality
(Diagram spanning the Data Center, Employees, Network Edge, Tape Devices, Application Server, MDS 9000, EMAIL Security Appliance, WEB Security Appliance, Internet, Corporate Network, Partners, Customers and Remote Employees)
- Cisco Security Agent: Prevent endpoint data loss; Prevents bypass of IronPort network protection; Content classification similar to IronPort in a future release
- Storage Media Encryption: Prevent unauthorized access and loss of data at rest; Fully integrated with SAN fabric and management; Secure, highly available service
- IronPort: Prevent Data Loss at Network Perimeter; Multi-Protocol Scanning; Leverage Existing Anti-Spam and Anti-Spyware Infrastructure

Slide 70: Concern: Endpoint Data is Mobile
How is data mobile?
- USB, Floppy, CD Burner
- SSL encrypted transfers
- Webmail, p2p, IM
- Cut and Paste
- Dial-up modem, Bluetooth, IRDA interfaces
What's the concern?
- Protecting Intellectual Property stored on the endpoint
- Demonstrating that regulated data is properly controlled
- Auditing and enforcing corporate use policies for data on laptops

Slide 71: CSA Prevents Data Loss on the Endpoint
- Restrict copying sensitive data to removable media: USB, floppy disk, CD Burner
- Restrict sending sensitive data via unauthorized interfaces: Modem, Bluetooth, IRDA; printer (6.0)
- Block sending sensitive data via webmail, p2p, IM
- No cut & paste clipboard abuse
- Content scanning on endpoint available in an upcoming release
(Diagram also shows the EMAIL Security Appliance and WEB Security Appliance)

Slide 72: Removable Media Controls
- Controls for USB drives, CD, iPod
- Monitor usage
- Confidential file controls
- Authorized user controls
- Location-based controls
- Consolidated event reporting of USB usage
- End-user Business Justification for audits

Slide 73: Identify Sensitive Data: Content or Context
- File Content: certain data patterns are recognized
- File Context: data written by certain applications is known to be sensitive

Slide 74: Educate & Modify End-User Behavior
- Justification window provides audit trail
- Allows timely access to data without sacrificing productivity
- Educate the End User: Reinforce Acceptable-Use Policies
- Localized in 11 different languages

Slide 75: Data Loss Prevention Logs & Reports
- Comprehensive repository of DLP events
- Stores justification responses for audit trail
- Provides single audit log & activity reports

Slide 76: Concern: Endpoint Users are Mobile
When are users mobile?
- Working from home
- During trips, at hotels and business partners
- Daily, with public and retail hotspots
What's the concern?
- Continuity of data mobility controls when not in the office
- Ensuring corporate network data security protections cannot be bypassed

Slide 77: CSA Enforces Policy for Mobile Users
- CSA can require the use of VPN for remote users
- CSA can block SSL sessions not sent via corporate proxy
- These ensure IronPort corporate network mail & web protections are not bypassed
(Diagram: Remote Employees, VPN, Email/Web, Internet, Corporate Network)

Slide 78: Colorado State Employees Credit Union: Data Loss Prevention via Cisco Security Agent
Colorado State's Challenge:
- Concerned about Data Loss Prevention
- Needed a way to secure employee laptops, disk drives, USB flash drives and CD-ROMs
The Cisco Security Agent Solution:
- Cisco Security Agent deployed on their endpoints
- Cisco Security Agent disables the usage of USB ports
- Cisco Security Agent allows only authorized users such as IT to write to flash drives
- Cisco Security Agent mandates that all file storage must be done in secure encrypted partitions
Cisco Security Agent Results:
- Mandates compliance to Colorado State's established security policy
- Ensures compliance to State and federal laws for credit unions
"USB ports are disabled using the Cisco Security Agent, so only certain people such as IT can write to flash drives. We usually don't encrypt the entire drive on users' laptops, but do provide secure storage areas so that end users can just save the files to that location and they will always be encrypted."
Tom Gonzales, Senior Network Administrator Colorado State Employees Credit Union Slide 79 79 Intrusion Prevention Zero Update Track Record CSA has a proven track record of stopping brand new exploits, botnets, targeted attacks, worms, and viruses over past 7 years: 2001 Code Red, Nimda (all 5 exploits), Pentagone (Gonner) 2002 Sircam, Debploit, SQL Snake, Bugbear, 2003 SQL Slammer, So Big, Blaster/Welchia, Fizzer 2004 MyDoom, Bagle, Sasser, JPEG browser exploit (MS04-028), RPC- DCOM exploit (MS03-039), Buffer Overflow in Workstation service (MS03- 049) 2005 Internet Explorer Command Execution Vulnerability, Zotob 2006 USB Hacksaw, IE VML exploit, WMF, IE Textrange, RDS Dataspace 2007 Rinbot, Storm Trojan, Big Yellow, Word(MS07-014), MS ANI 0Day, MS DNS 0Day No signatures, or configuration updates required Slide 80 80 ClamAV virus scanning engine packaged with CSA, as single installable agent Protects Windows desktops & servers at no additional cost accurately identifies malware prevents malware execution quarantines or deletes malware CSA Management Center manages agent policies, signature updates Provides a true single agent - single console endpoint security solution Integrated Agent with ClamAV Open Source Antivirus All other trademarks mentioned in this document are the property of their respective owners. Slide 81 81 Source: Shadowserver.org wild testing ClamAV is widely deployed on UNIX/Linux e-mail servers Scrubs e-mail traffic for malware Protects millions of Windows desktops Database contains over 200,000 unique signatures Integrated Agent with Clam Antivirus Shadowserver Foundation independent research: ClamAV has high degree of malware detection accuracy. All other trademarks mentioned in this document are the property of their respective owners. 
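The content-versus-context classification from the "Identify Sensitive Data" slide, combined with the removable-media, authorized-user and justification controls of the CSA endpoint slides, as an added Python example that is not code from the presentation or from Cisco Security Agent; the PAN and SSN patterns, the sensitive-application and authorized-user lists, and the audit event fields are assumptions made for this example.

```python
"""Endpoint DLP decision flow: constructed example, not CSA's own code.
Patterns, application/user lists and event fields are assumptions."""
import re
from datetime import datetime, timezone

# Content rules: 13-16 digit card-number candidates (spaces/dashes allowed)
# and US SSN-shaped strings. Assumed patterns, not CSA's rule set.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Context rule: anything written by these applications is sensitive.
SENSITIVE_APPS = {"payroll.exe", "cad_designer.exe"}
# Authorized-user control: these accounts may write sensitive data to USB.
AUTHORIZED_USERS = {"it-admin"}

def luhn_ok(digits):
    """Luhn check so order numbers and serials are not flagged as PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(content, source_app):
    """Return the reasons a file is sensitive; an empty list means it is not."""
    reasons = []
    # Content: a pattern match alone is not enough, the candidate must pass Luhn.
    if any(luhn_ok(re.sub(r"[ -]", "", m)) for m in PAN_RE.findall(content)):
        reasons.append("content:pan")
    if SSN_RE.search(content):
        reasons.append("content:ssn")
    # Context: the producing application marks the data sensitive regardless.
    if source_app.lower() in SENSITIVE_APPS:
        reasons.append("context:" + source_app.lower())
    return reasons

def evaluate_copy(user, device, content, source_app, justification=None):
    """Decide a copy-to-removable-media request; return (action, audit event).
    Non-sensitive data is allowed; sensitive data is allowed for authorized
    users, allowed with a recorded justification for others, else blocked."""
    reasons = classify(content, source_app)
    if not reasons or user in AUTHORIZED_USERS:
        action = "allow"
    elif justification:
        action = "allow-with-justification"
    else:
        action = "block"
    # Every decision is logged with the justification text for audit review.
    event = {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "user": user, "device": device, "app": source_app,
        "reasons": reasons, "action": action, "justification": justification,
    }
    return action, event
```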
Slide 82: Single Integrated Management
CSA Management Center provides enterprise class security management
Agents poll the CSAMC periodically for security updates
CSAMC distributes daily AV signature updates
Due to CSA's best-in-class protection, agents are always protected, even out of office without immediate signature updates
Relying on CSA protection allows more sensible management of antivirus and patching updates

Slide 83: Increased Security thru Better Visibility
What do I have installed? What do I use? Is it at risk or malicious? How do I control it?
CSA reports where malware, spyware, unauthorized applications may be installed
CSA tracks which applications are installed on which systems in the network
Better visibility = Increased Security

Slide 84: Policy Control: Application Trust Levels
CSA monitors & controls all applications and processes
Trust Levels offer flexible, easy to manage control: White List: Trusted Business Apps (permissive controls); Grey List: Permitted Applications (more restrictive controls); Black List: Undesired Applications (block use)
Provides robust security without sacrificing ease of management & deployment

Slide 85: Regulatory Compliance: Benefits for PCI Compliance
Provides compliance solution for 9 out of 12 PCI requirements
Predefined PCI Policies offer ease of management & audit: 26 Rule Modules, 150 rules
Validated by Cybertrust (official PCI auditor)
Runs on servers, Point-Of-Sale terminals, desktops and laptops
CSA can be customized for other compliance mandates
http://www.cisco.com/go/retail

Slide 86: Predefined CSA PCI Policies

Slide 87: Inform NIPS of Hostile Hosts
1. Hacker scans internal servers for vulnerabilities
2. Global Correlation is invoked and the CSAMC updates all the CSA agents with threat information
3. All connection attempts by the hacker to CSA protected devices are dynamically blocked
4. CSA collaborating with Cisco IPS is able to dynamically elevate the Risk Rating threshold for attacks coming from the hacker
(Diagram labels: CSA MC, Servers, Desktops)

Slide 88: Example: CSA and QoS
Desktop DSCP marking by application or OS (per-application QoS)
(Figure: application rows Internet Explorer, BitTorrent, Cisco IP Communicator, FTP Client, with DSCP marking columns reading Default, AF11, EF, Default and AF11, Default, EF, AF11; "DSCP Marking by CSA")
Queuing: Class-Based Weighted Fair Queuing (CB-WFQ), Low-Latency Queuing (LLQ); AF11: 50% (CB-WFQ); EF: 15% (LLQ); Default: 10% (CB-WFQ)
Bad software can mark packets to: Get a better service from the network; Perform an attack (e.g. flooding with EF-marked packets can cause DoS for IP telephony)
Use CSA to remark packets according to QoS design

Slide 89: Network Integrated Solutions: CSA with NAC, DLP and IronPort
NAC Appliance: Verifies CSA version and if it's running; Checks system states like "insecure boot detected" and if sensitive data exists; Checks user identity if CSA reports sensitive data is on system
Cisco Security Agent: Prevent loss of sensitive data: Scan data files for sensitive data; Prevent copying to external media (USB flash and disk, IR/Bluetooth devices); Prevent using with (inter)network applications (e-mail, IM, browser); Prevents bypass of IronPort network protection
IronPort: Prevent Data Loss at Network Perimeter; Multi-Protocol Scanning; Leverage Existing Anti-Spam and Anti-Spyware Infrastructure
(Diagram labels: Internet, IronPort, ASA, Intranet, NAC Appliance, Cisco Security Agent)

Slide 90: Operational Efficiency: Administrator Dashboard
Quick access to common tasks
The dashboard helps the administrator see what needs to be done today
Centralized visibility into the effectiveness of your endpoint protection

Slide 91: Network Admission Control
Using the network to enforce policies ensures that incoming devices are compliant.
Authenticate & Authorize: Enforces authorization policies and privileges; Supports multiple user roles
Update & Remediate: Network-based tools for vulnerability and threat remediation; Help-desk integration
Quarantine & Enforce: Isolate non-compliant devices from rest of network; MAC and IP-based quarantine effective at a per-user level
Scan & Evaluate: Agent scan for required versions of hotfixes, AV, etc.; Network scan for virus and worm infections and port vulnerabilities

Slide 92: Cisco NAC Partnerships
Cisco NAC is committed to protecting customers' investments in partner applications
Cisco NAC supports policies for 300+ applications, including these vendors: (vendor logos)

Slide 93: Cisco NAC Available Appliances and Network Modules
(Figure: NAS models; Users = online, concurrent)
Super Manager: manages up to 40 servers
Standard Manager: manages up to 20 servers
Manager Lite: manages up to 3 servers
Server classes: Enterprise and Branch Servers; Branch Office or SMB Servers
Server sizes shown: 50 users (NM), 100 users (NM), 100 users, 250 users, 500 users, 1500 users, 2500 users, 3500 users
Profiler Server Appliance; Extended Guest Services Appliance; License on NAS, not an additional appliance

Slide 94: Section 4: Managing Data Loss: Analysts' Solutions
Mark Lachniet, Solutions Architect, Analysts International, Lansing, MI, July 15th, 2008

Slide 95: Analysts International Security Services
Analysts International staffs engineers and consultants dedicated entirely to security services
This includes a wide range of functions including policy development, incident response/forensics, security assessments, hardware and software installation and configuration, etc.
Includes both preventative and reactive services, should they be necessary
Analysts International's security engineers/consultants specialize in various compliance areas such as PCI, HIPAA, GLBA and DIACAP

Slide 96: Policy and Procedure Development
If you are interested in getting help with developing your policies, practices and procedures, Analysts can assign a consultant who can work with you
Every organization is different, and one size does not fit all
We have helped other organizations create the same procedures (e.g. Information Classification, Incident Response, Log Review) that are discussed in this seminar
In addition, we have worked with many organizations to create security policies such as: Acceptable Use Policies; Remote access policies; Security device minimum standards / baseline configs; Wireless security policies; And many more

Slide 97: Incident Response Services
In the unfortunate event that you suspect you have been hacked or had a breach, Analysts can help you to determine the scope of an incident and its possible ramifications
Tracking attacks through multiple firewalls, routers, Windows and UNIX servers, databases and applications is time consuming and technically demanding
We can assist you to: Minimize the disruption to your organization; Find out what happened; Identify short-term recovery and mitigation strategies; Create reports on the scope and nature of the incident; Identify long-term improvements that will reduce future risk; Interface with law enforcement and legal counsel as needed

Slide 98: Administrator Termination Services
In the event that you need to terminate an I.T. employee with significant levels of access
Often used in hostile departures such as employees being fired
Also used by organizations as a best practice to create a re-usable termination procedure in low-risk departures
Analysts staff will work with you to: Evaluate the risk posed by the departing employee; Participate in exit interviews if desired; Identify physical and intellectual property to be retrieved; Identify systems that the individual may have had access to; Create a list of tasks that will need to be performed such as changing passwords, contacting vendors and partners, updating software, etc.; Analyze systems for time bombs or other evidence of abuse; Change passwords on servers, network devices, remote access systems, telephony systems, etc.

Slide 99: Vulnerability Assessments
Internet Security Assessment Service (ISAS): used to scan Internet-accessible servers for security flaws that could be used to breach security
On-Site Assessment Service (OSAS): used to scan internal servers for security flaws that could be used by a malicious employee or partner, or exploited by automated systems such as worms
Web Application Security Assessment (WASA): used to analyze web applications for security flaws that could lead to a hack of sensitive back-end databases or trusted systems
Customized assessments of products and systems such as security appliances, Citrix systems, wireless devices, etc. can also be performed as needed

Slide 100: Security Needs Assessment Service (SNAS)
The SNAS process is intended to be a wide-ranging review of security practices and procedures
Primarily based on discussions and reviews of documentation
Often used when an organization wants to get a check-up on their current posture, or wants to identify the most important areas to focus on for security
Yearly third-party security audits are frequently required by financial auditors
Often customized to address specific concerns such as compliance with a specific regulation such as GLBA, NCUA, Michigan Gaming Control Board, etc.
Provides a detailed deliverable with a security ranking matrix that maps each recommendation on a cost vs. gain matrix, so you can quickly identify the low-hanging fruit

Slide 101: Security Needs Assessment Service (SNAS)
(Figure: ranking matrix) The above is an example of the ranking matrix with the "sweet spot" (cheap and high-gain) in the upper right-hand corner

Slide 102: Questions, Comments and Discussion
Contacts:
Analysts International: Mark Lachniet, Solutions Architect, [email protected], (517) 336-1004 (office); Lance Miller, Security Practice Director, [email protected], (248) 232-5322 (office)
Cisco Systems: Bret Straffon, PSS - Security, [email protected], (248) 455-1737 (office); Scott Maxwell, CAM Cisco Channel, [email protected], (614) 718 2784 (office)