29
Optimize Your Data Protection Investment for Bottom Line Results

Optimize Your Data Protection Investment for Bottom Line Results

Embed Size (px)

Citation preview

Optimize Your Data Protection Investment for Bottom Line Results

Providing DLP Since 2002

Deployed 400+ DLP Projects

Completed 500+ Assessments

Manage DLP Solutions in 22 Countries

Provide Daily Management of 1,000,000+ Users Globally

DATA LOSS PREVENTION EXPERTISE

QUICK FACTS

Symantec Master Specialization DLP Partner

RSA’s Only Authorized Managed DLP Partner

1st Managed DLP Services Provider (2008)

Localized Chinese DLP Practice (2011)

Global Support in 130 countries

Data Mining, Custom Policies, & Scripting

SYMANTEC DLP COMPONENTS

Endpoint Prevent

Symantec Data Loss Prevention Endpoint Prevent monitors files downloaded to local drives; transferred over email, IM, Web or FTP; copied to USB, CompactFlash®, SD, or other removable media; burned to CD/DVD; copied or pasted; captured via Print Screen; and printed or faxed electronically. With Symantec Data Loss Prevention, you can monitor and block:

• Instant messages sent to a partner containing confidential M&A information• Web mail with product plans attached going to a competitor• Customer lists being copied to USB or other removable media devices• Email containing PII sent via hosted email security services • Source code that is copied to a local drive• Mobile devices for email sent containing confidential data• Product design documents being burned to CD/DVD• Price lists being printed or faxed to a competitor

WHAT WE WILL COVER TODAY

Developing the DLP Program

DLP Use Cases – How Did They Get There?

Developing the DLP Program

Avoiding Common DLP Pitfalls

Open Q&A

HOW TO GET STARTED WITH DLP

Processes

Developing the DLP Program Scope

Understanding Work Place Monitoring Requirements

Designing and Implementing the DLP Program

Measuring the DLP Program

What incidents or events are retained?

Who develops reports?

Are DLP system generated reports adequate?

Who drives report requirements? Requestors, Reviewers, others?

Report accuracy tied into QA process?

USE CASE 1: INCIDENTS DETECTED 2 MONTHS INTO DLP PROGRAM

Captured group of emails going to Gmail with unencrypted data: Combination of design standards, CAD files and pro-forma product business plans

including unit costs, forecasted revenue and margin data Customer and vendor lists, proprietary development processes and procedures, and

pricing data from similar current product lines

Performed real-time DLP correlation analysis: Identified 78 design standards focused on “highly classified” next-gen product

development Downloaded to personal USB with no legitimate business use within 1 hour after

email

Incidents reported to information security team within 2 hours of both incidents generated and correlated

Employee was in manager’s office submitting resignation as InfoSec notified the manager

What incidents or events are retained?

Who develops reports?

Are DLP system generated reports adequate?

Who drives report requirements? Requestors, Reviewers, others?

Report accuracy tied into QA process?

USE CASE 1: OBTAINING BUSINESS BUY-IN

Compliance & Risk Management tasked with implementing DLP in organization of 50,000+employees

Needed to develop DLP Program allies: Key technology stakeholders: Desktop, Networking, Messaging and Storage Strong relationship with key Business Units within the DLP Program Scope Generate awareness of program with key senior leadership (not excessive on front end)

Targeted one business unit as early adopters and used their success to expand the DLP program into neighboring business units or processes.

Earned Business Unit, Data Owner or Process Advocate’s trust and leveraged their internal relationships to navigate corporate structure and help message value proposition.

18-months into DLP Program there is 100% business unit involvement.

What incidents or events are retained?

Who develops reports?

Are DLP system generated reports adequate?

Who drives report requirements? Requestors, Reviewers, others?

USE CASE 2: INCIDENTS DETECTED 14 DAYS INTO DLP PROGRAM

Vendor provides upgrade on enterprise HIS system, follows all change management procedures and obtains sign-off from customer on upgrade.

DLP detects unencrypted patient information being transferred via unsecured FTP site; had been configured for SFTP prior to change.

Information was detected the first time the bi-monthly batch-processing was completed. Comprehensive audit trail of incident data available to the organization for investigation.

Upgrade caused numerous unforeseen changes in the HIS application that created vulnerabilities and potential for inadvertent data leakage.

Information was sent to Business Associate but was exposed in an non-encrypted state.

What incidents or events are retained?

Who develops reports?

Are DLP system generated reports adequate?

Who drives report requirements? Requestors, Reviewers, others?

Report accuracy tied into QA process?

USE CASE 1: OBTAINING BUSINESS BUY-IN

Leveraged relationship between CISO, Internal Audit and Privacy to obtain the necessary funding - hard to get dollars being allocated to patient care.

Defined DLP Program scope around specific elements of primary concern, specifically infectious diseases. HIV/AIDS patient data had been leaked in the past causing significant impact to the organization.

Shared DLP Program Scope to skeptical physician lead healthcare management team. Senior leadership was in the loop on the project but once again, not too much information overload on the front-end.

CISO and IA/Privacy developed costs around previous breach as well as negative press as part of their DLP justification pitch. Clearly identified the previous costs and impacts to the organization, obtaining buy-in from senior leadership and board members.

What incidents or events are retained?

Who develops reports?

Are DLP system generated reports adequate?

Who drives report requirements? Requestors, Reviewers, others?

Report accuracy tied into QA process?

USE CASE 3: INCIDENTS DETECTED 72 HOURS INTO DLP PROGRAM

Company is approached in confidential manner in regards to a “hostile” takeover situation and has 48 hours to respond until public notice is provided.

Company crafted a set of policies within 2 hours to monitor all communication channels and endpoints within the DLP scope. Policy was enabled to:

Quarantine all email communication Block all web based traffic or any downloading of specific keywords or specific documents

related to the topic - management imposed gag order

Within 3 hours of the submission of the bid documents to the customer, 5 senior staff members had a attempted to disclose the existence of the transaction.

2 email transmissions to friends/family members (spouses) 2 instant message/chat messages to friends/family members 1 Google mail to friend at a investment bank who works for direct competitor of company

outlining the key terms of the offer. Employee was a Senior VP with access to term sheet.

What incidents or events are retained?

Who develops reports?

Are DLP system generated reports adequate?

Who drives report requirements? Requestors, Reviewers, others?

Report accuracy tied into QA process?

USE CASE 3: OBTAINING BUSINESS BUY-IN

CIO driven DLP program that “dragged” the COO, CFO and General Counsel to demo and presentation of the capabilities of DLP.

General Counsel set-up meeting with CEO and Board to bring visibility to the “real dangers of a digital commerce environment”.

CEO and executive team allocated discretionary budget to build out a DLP pilot system at corporate headquarters to monitor for pre-disclosed earning information, M&A activity and competitor communications. 100 employees at HQ out of 10,000 global employees.

Recent trend seems to be more top down approach in regards to the assessment and adoptions of DLP programs. Had no problem with rapid deployment, policy development and building the supporting incident response program.

USE CASE: DLP PRE-PROJECT STATE

Organization Overview: 40,000 employees globally, Manufacturing

DLP Scope: Protection of Intellectual Property (General)

DLP Primary Issue: Customer overwhelmed with inaccurate incident data, no meaningful information

Application Management: Operated and managed by IT Security with limited input from business.

Policy Governance: Failure to use a lifecycle software development process for policy construction

Incident Triage: Infrequently reviewed by IT with little to no review by business owners.

Event Management: Hard to accomplish due to large # of false positives. No “gold nuggets.”

Reporting and Metrics: Zero customized reports. No relevant business analysis provided.

Status: System generates 25,000 incidents/day / 750,000 incidents/month

MANAGING WORKPLACE PRIVACY

1. Understand your company’s data flows 2. Identify your monitoring purpose3. Understand general principles underlying personal data

processing4. Determine if other countries law’s apply to your company5. Understand other countries approach to workplace

monitoring 6. Understand other countries requirements to workplace

monitoring7. Understand other countries laws 8. Implement technology that fosters compliance with legal

requirements

Framework

IDENTIFY PURPOSE FOR MONITORING

Generally Acceptable Business Reasons Include:

• Monitor & maximize employee productivity• Protect against unauthorized use, disclosure or transfer of PII• Monitor employee compliance with employer workplace policies• Investigate complaints of employee misconduct• Prevent industrial espionage• Prevent or respond to unauthorized access to employer’s computer

systems• Protect computer networks from becoming overloaded• Prevent or detect unauthorized utilization of employer’s computer

system for criminal activities & terrorism • Help prepare employer’s defense to lawsuits or administrative

complaints• Respond to discovery requests in litigation related to electronic

evidence

1. Does your company operate in that country?

2. Does your company have affiliates or subsidiaries that collect personal data in that country?

3. Does your company have employees residing in that country?

4. Does your company collect or process personal data in that country?

5. Does your company process personal data using equipment in that country?

DETERMINE IF COUNTRY LAWS APPLY TO YOU

INTERNATIONAL PRIVACY LAWS BUSINESS IMPACT

Must comply with privacy laws in countries where have operations, where laws can be significantly more restrictive than in the US

Transfer of personal information can be blocked in other countries unless specific requirements are met

Countries across the globe are adopting privacy laws

UNDERSTAND GENERAL PRINCIPLES: SAFE HARBOR

NOTICE - Individuals must be informed that their data is being collected and about how it will be used.

CHOICE - Individuals must have the ability to opt out of the collection and forward transfer of the data to third parties.

ONWARD TRANSFER - Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.

SECURITY - Reasonable efforts must be made to prevent loss of collected information.

DATA INTEGRITY - Data must be relevant and reliable for the purpose it was collected for.

ACCESS - Individuals must be able to access information held about them, and correct or delete it if it is inaccurate.

ENFORCEMENT - There must be effective means of enforcing these rules.

APPLICATION SUPPORT & INTEGRATION

Primary System DLP Management = Human Resource / Expertise Requirements

Integrated System Management = Cross Department Collaboration Processes

Health Check & System Validation Management = System Resource Requirements

Vendor Management = Primary and Integrated Technology Vendor Relationships

POLICY & RULE GOVERNANCE

Who requests rules & policy requirements?

Are business owners engaged?

Who reviews rule requests?

Criteria for approved rule?

What’s the process for converting a rule request into a policy?

Who’s responsible for converting a rule into technical policy? Do they have technical policy authoring expertise?

What is the formal policy development process?

First drafts rarely work as expected!

Is there a process to relay production policy metrics to stakeholders?

WORKFLOW DEVELOPMENT & MANAGEMENT

Who develops & manages policy “buckets”? False positive, inbound partner, outbound employee

Who defines thresholds that determine response rules for each “bucket”? Are 10 SSNs a high, medium or low severity incident?

Who designs & sets the policy response triggers?

Malicious, Inadvertent, Suspicious, above threshold.

Triage response options: Human notificationSystem notification (auto)Hybrid?

Who’s responsible for building alerts, alarms & notifications? Has business been engaged on event management?

Who manages the DLP policy & rules repository? Why recreate the wheel?

Who reviews volume & yield of incidents & events? What’s the review frequency?

How are events/incidents routed? Who owns the incident/event?

How does DLP fit in overall incident/event management process?

Can this be mapped to DLP system?

What metrics are developed to measure success of rules & related policy?

Who ‘s responsible for developing metrics?

Revision of rules based on quality of policy results.

Who manages policy optimization process?

How will integrated systems be tied together to yield valued info?

Secure mail, web gateway, GRC, SIEM

INCIDENT TRIAGE & EVENT MANAGEMENT

BUSINESS ANALYTICS

Who develops reports?

Are DLP system generated reports adequate?

Who drives report requirements? Requestors, Reviewers, others?

Do they have the expertise with 3rd party reporting tools?

Are the metrics valuable & driving meaningful change?

Report accuracy tied into QA process?

PITFALL 1: NO PLAN OF ATTACK

5 Pieces of DLP Advice You Can’t Afford to Ignore 23

PITFALL 2: FAILURE TO ENGAGE THE BUSINESS

5 Pieces of DLP Advice You Can’t Afford to Ignore 24

PITFALL 3: INADEQUATELY TRAINED RESOURCES

DATA-IN-MOTION PITFALLS: Miss ing the Target – Fa lse Sense o f Secur i ty

Mis-configured Tap or Port Span

ProblemMissing segments of network traffic or protocols

Solution Comprehensive test plan that maps to in scope business processes and related data types transmitted from various network locations to ensure all relevant data streams are being captured.

Encryption – The Masked Data

Problem Analysis of data DID NOT take place prior to encryption.

SolutionComprehensive test plan that proves ALL DLP data assessment takes place prior to the gateway encryption & implement managed “test” DLP policies that identify encrypted transmissions as part of the test plan.

Misfire of Network Discovery Scans

Problem Locations of sensitive data never targeted by the organization for scanning due to lack of an effective policy governance process.

SolutionIdentify potential data stores by discussing the DLP program with staff to understand process.

Network versus Endpoint Discovery

Problem Running DAR scans using a combo of network & endpoint without thinking about which policy types & detection methods are not the same.

SolutionPrior to acquiring DLP solution, have an understanding of the data types that make up your target environment & then, decide on scanning method. .

DATA-IN-MOTION (ENDPOINT) PITFALLS: The Pandora ’s Box o f DLP

Environment Assessment

Staying in Contact

User PerformanceImpacts

Network/System Performance Impacts

• ProblemNo rigorous endpoint environment assessment prior to the selection of the application & enablement.

• SolutionAddress age of environment, performance capabilities, technical & human issues, & load of applications, in conjunction with education on the DLP endpoints.

• Problem Failure to monitor endpoint population & their frequency of “checking-in” to the management server with validated results.

• SolutionPhased deployment of endpoint with validation via test plan on initial success of ALL agents & on-going endpoint agent health reports.

• Problem Implementing same policies for network based & endpoint assessments without testing or modification.

• SolutionUtilize a comprehensive test plan outlining specific metrics (time to open files, open/send emails, open applications) prior to deployment.

• Problem Failure to calculate & measure the impact of endpoint policy traffic across wide & local area network connections.

• SolutionThorough assessment of endpoint policies that addresses all of the concerns including policy design requirements, timing, frequency & delivery methods.

USE CASE –POST PROJECT STATE

Organization Overview: Defined specific business units to initiate program

DLP Scope: Focused on 3 specific product lines linked to highest revenue & earnings

DLP Primary Goal: Identification of unauthorized movement of specific elements of IP

Application Management: Operated by a combination of IT, messaging & desktop management teams

Policy Governance: 100% customized policies based on data collected from business unit

Incident Triage: Daily review of incidents by Information Security

Event Management: Incidents meeting severity criteria routed to business unit for investigation

Reporting and Metrics: Behavioral pattern analysis leading to preventive actions

Status: R&D teams have high-level of confidence in ability to identify leakage of IP.

QMS SAMPLE QUARTERLY REPORT

Intelisecure DLP QMS: Six Month Trend

Application Management

Policy Governance

Incident Triage

Event Management

Reporting & Analytics

Time

Nu

mb

er o

f H

ou

rs

BEW GLOBAL HQ BEW GLOBAL EMEA BEW GLOBAL APAC

5613 DTC ParkwaySuite 1250

Greenwood Village, CO 80111USA

(ph) +1 720 227 0990(fax) +1 720 227 0984

www.bewglobal.com

3 Albany CourtAlbany Park

Camberley GU16 7QREngland

(ph) +44 (0) 845 481 0882(fax) +44 (0) 871 714 2170

www.bewglobal.com

520 Oxford StreetLevel 23, Tower 1

Bondi JunctionSydney 2022

(ph)  +61 (2) 9513 8800(fax) +61 (2) 9513 8888

www.bewglobal.com