7/29/2019 Administration of Data Loss Prevention Services in Higher Education (166265853)
http://slidepdf.com/reader/full/administration-of-data-loss-prevention-services-in-higher-education-166265853 1/34
Mike Thompson, Systems and Network Security Analyst
The Pennsylvania State University
Kyle Crain, Systems and Network Security Analyst
The Pennsylvania State University
OVERVIEW
General Information
• Glossary
• PSU Overview
Planning Your Deployment
• Governance and Compliance
• Who's Responsible
• Training and Documentation
Compromise Information
• After A Compromise
• How DLP Comes Into Play
• DLP Effect on Compromised Machines
Summary
• Lessons Learned
• Key Points
• Historical Information
• Where we Started
• Balancing The Needs
• Define Your Scans
• Dealing With Difficult Areas
GENERAL INFORMATION
DO YOU CURRENTLY HAVE A DATA LOSS PREVENTION SOLUTION IN PLACE?
Yes, we are actively scanning/implementing a DLP solution
No, but we plan on implementing one
No, and we have no plans to implement
GLOSSARY
Client
• Software that is installed on a computer; either the client for Windows or Mac
Endpoint
• A computer on which the DLP client has been installed
Policy
• A collection of settings that defines the way scanning is performed
Unit
• Used generically to mean a campus, college, administrative area, department, or work unit
PSU DEPLOYMENT DETAILS
Item Total
Penn State ~23,000
Commonwealth Campuses 24 (Includes a Hospital and Law School)
DLP Unit Contacts 300+
Administrative Roles 131
Registered Endpoints 21,000+
Centrally Managed Installations 1
Independent Installations 5
Highly Skilled Individuals Responsible for Running Project 2 (0, and 2 Imposters?)
DEPLOYMENT AND SUPPORT
Security Operations and Services
Unit IT Staff
End User
• Manage Project
• Maintain Infrastructure
• Train & Support Unit IT Staff
• Maintain Policy Settings
• Create Documentation
• Generate Install Packages
• Train End Users
• Deploy Client Software
• Review Results
• Define Scan Schedules
• Remediation of Data
HISTORICAL
Why the Initial Product was Replaced
IT Staff Requested Reports; Parsed Data; Then Sent to End User For Remediation
No Ability to Track Progress of Remediation
No Mac Client
Cumbersome to Define Exclusion Areas for False Positives
IT Staff Wanted Control in the Process
Initial DLP Product Rollout: Late 2008
Current Product Licensed: January 2010
Chose not to Renew: Late 2009
Initial Product Discontinued Use: June 2010
Current Product Deployed: April 2010
NEEDS ASSESSMENT
Delegate Control of Process to Units
Mac Client
Direct remediation to Fall to the Data Owner
• Centrally Hosted Web Based Application
• Scheduled Scan Frequency
• Sizable Subset of Computers that Were Not Being Scanned
• Provides Visibility to Remediation Actions Taken (If Any)
Picture an Apple logo so we don’t get sued.
PLANNING YOUR DEPLOYMENT
IF YOU HAVE DLP DEPLOYED, IS IT PART OF AN OFFICIAL POLICY?
Yes
No
GOVERNANCE AND COMPLIANCE
DLP Policy Model Awareness Balance Training Resistance
Central DLP Policy
• Lives At Top Level of Organization
• College or Unit Level If Top Level is Not Feasible
• Integrated And Respects Existing Policies
• Defines How to Scan and What To Scan Per State and Federal Laws
• Outlines Remediation Process and Consequences for Inaction
DEFINE A MODEL
Central Model: Central IT Group with Campus A, Campus B, Campus C
Distributed Model: Campus A, Campus B, Campus C
Level of Involvement
Central vs. Distributed
Support Model
Infrastructure
DEFINE A MODEL
Auditing and Review
Reporting Structure
Who is Responsible For Remediation
• End User
• IT Staff
• Other
DEFINE A MODEL
PSU Reporting Structure
Week 1
• Unit Contacts
Week 2
• Enterprise Security Manager
• CISO
Week 3
• VP – IT
• Risk Management
• Unit FO
Week 4
• Dean, Chancellor or Administrator
• Internal Audit
Week 5
• CFO
• Provost
IN YOUR ENVIRONMENT, WHO IS BEST SUITED TO PERFORM PII REMEDIATION?
End User
IT Staff
Other (Privacy Group, etc.)
DEFINE A MODEL
What Do You Want to Scan?
Scan
• End User Machines
• File Servers
• Common Areas of Filesystem
Don’t Scan
• Domain Controllers
• Machines Without Profiles
• Lab Equipment
• System File Areas Within OS
GENERATE AWARENESS
Outreach and Awareness
Make the Project Known…
Personally Identifiable Number Chart
Document Shredder Program
“What’s the Virus On My Computer”
BALANCE THE NEEDS
Due Diligence
A Routine, Not a Burden
BALANCE THE NEEDS
Everyone's Responsibility
Executives
Staff
Faculty
TRAINING AND DOCUMENTATION
Provided Support Resources
Wiki Articles
• PSU Specific Processes
• Technical Articles
End User Training Videos
• Mac Client
• Win Client
Unit IT Staff Training
• 3 Hour Basic
• 3 Hour Advanced
• Web Based Q&A
DO YOU PLAN ON HAVING STRUCTURED USER TRAINING?
IT staff only
End users only
IT staff and end users
No
USER PRIVACY CONCERNS
Dealing with Pushback
Isolated Pockets of Acceptance vs. Resistance
Category Count
Total Downloads 350
Unique Downloads (Users) 205
Users on Latest Version 18
Number of Completed Registrations 6
Self Assessment Program: Data
DO YOU FORESEE OR HAVE EXPERIENCED POCKETS OF RESISTANCE?
Yes, we anticipate from a few areas
Yes, widespread
No, our users will comply
COMPROMISE INFORMATION
COMPROMISED COMPUTER PROCESS
30 Day Rule
Carrot v Stick
Preserve Data & Rebuild
Report Findings
Scan Host For PII (30 Day Rule)
Compromise Detected
DO YOU SCAN AS PART OF YOUR COMPROMISED COMPUTER PROCESS?
Yes
No, LOL
No, but that is a good idea
NOTIFICATION COSTS
Costs Associated with Each Compromise
Staff Resources To Perform Notifications
“Damage To Reputation”
Loss of Funding
Third Party Costs
COMPROMISED COMPUTER STATISTICS
Percentage of Compromised Computers with PII by Year (chart; annotation: “Previous Tool”)
2009: 47%
2010: 17%
2011: 16%
2012: 11%
SUMMARY
LESSONS LEARNED
Assess Your Needs and Find the Right Product
Know Your Environment
Policies Need to be In Place Prior to Production
Hard to “Force” (proper) Remediation
Generate Awareness for Project
Otherwise, People Have No Idea What's Running
LESSONS LEARNED
Define A Model
Support
Remediation
Support for IT Staff Is Ongoing
Takes Up 2 FTE’s Time and Then Some
Training and Documentation Are Not a Replacement
Need to Strike a Balance Between Business Needs and Usability
If it’s a Hassle, Users Won’t Comply
LESSONS LEARNED
Plan For Resistance
Separate Process Should Be Last Resort
Integrate DLP Into Compromised Computer Process
THANK YOU!
QUESTIONS?