May 21, 2013, Optimize Your Data Protection

Optimize Your Data Protection Investment for Bottom Line Results
DATA LOSS PREVENTION EXPERTISE
Providing DLP Since 2002
Completed 500+ Assessments
Deployed 400+ DLP Projects
Manage DLP Solutions in 22 Countries
Provide Daily Management of 1,000,000+ Users Globally
QUICK FACTS
Symantec Master Specialization DLP Partner
RSA’s Only Authorized Managed DLP Partner
1st Managed DLP Services Provider (2008)
Localized Chinese DLP Practice (2011)
Global Support in 130 countries
Data Mining, Custom Policies, & Scripting
WHAT WE WILL COVER TODAY
• Developing the DLP Program
• DLP Use Cases – How Did They Get There?
• Avoiding Common DLP Pitfalls
• Open Q&A
SYMANTEC DLP COMPONENTS
Endpoint Prevent
Endpoint Prevent monitors files downloaded to local drives; transferred over email, IM, Web or FTP; copied to USB, CompactFlash®, SD, or other removable media; burned to CD/DVD; copied or pasted; captured via Print Screen; and printed or faxed electronically. With Symantec Data Loss Prevention, you can monitor and block:
• Instant messages sent to a partner containing confidential M&A information
• Web mail with product plans attached going to a competitor
• Customer lists being copied to USB or other removable media devices
• Email containing PII sent via hosted email security services
• Source code that is copied to a local drive
• Mobile devices for email sent containing confidential data
• Product design documents being burned to CD/DVD
• Price lists being printed or faxed to a competitor
Developing the DLP Program
HOW TO GET STARTED WITH DLP
Developing the DLP Program Scope
Processes
Understanding Work Place Monitoring Requirements
Designing and Implementing the DLP Program
Measuring the DLP Program
USE CASE 1:
INCIDENTS DETECTED 2 MONTHS INTO DLP PROGRAM
Captured group emails going to Gmail with unencrypted data:
• Combination of design standards, CAD files and pro-forma product business plans including unit costs, forecasted revenue and margin data
• Customer and vendor lists, proprietary development processes and procedures, and pricing data from similar current product lines
Performed real-time DLP correlation analysis:
• Identified 78 design standards focused on “highly classified” next-gen product development
• Downloaded to personal USB with no legitimate business use within 1 hour after email
Incidents reported to information security team within 2 hours of both incidents being generated and correlated.
Employee was in manager’s office submitting resignation as InfoSec notified the manager.
USE CASE 1:
OBTAINING BUSINESS BUY-IN
Compliance & Risk Management tasked with implementing DLP in organization of 50,000+ employees.
Needed to develop DLP Program allies:
• Key technology stakeholders: Desktop, Networking, Messaging and Storage
• Strong relationship with key Business Units within the DLP Program Scope
• Generate awareness of program with key senior leadership (not excessive on front end)
Targeted one business unit as early adopters and used their success to expand the DLP program into neighboring business units or processes.
Earned Business Unit, Data Owner or Process Advocate’s trust and leveraged their internal relationships to navigate corporate structure and help message value proposition.
18 months into DLP Program there is 100% business unit involvement.
USE CASE 2:
INCIDENTS DETECTED 14 DAYS INTO DLP PROGRAM
Vendor provides upgrade on enterprise HIS system, follows all change management procedures and obtains sign-off from customer on upgrade.
DLP detects unencrypted patient information being transferred via unsecured FTP site; had been configured for SFTP prior to change.
Information was detected the first time the bi-monthly batch-processing was completed.
Comprehensive audit trail of incident data available to the organization for investigation.
Upgrade caused numerous unforeseen changes in the HIS application that created vulnerabilities and potential for inadvertent data leakage.
Information was sent to Business Associate but was exposed in a non-encrypted state.
USE CASE 1:
OBTAINING BUSINESS BUY-IN
Leveraged relationship between CISO, Internal Audit and Privacy to obtain the necessary funding; hard-to-get dollars otherwise being allocated to patient care.
Defined DLP Program scope around specific elements of primary concern, specifically infectious diseases. HIV/AIDS patient data had been leaked in the past causing significant impact to the organization.
Shared DLP Program Scope with skeptical physician-led healthcare management team. Senior leadership was in the loop on the project but, once again, not too much information overload on the front-end.
CISO and IA/Privacy developed costs around previous breach as well as negative press as part of their DLP justification pitch. Clearly identified the previous costs and impacts to the organization, obtaining buy-in from senior leadership and board members.
USE CASE 3:
INCIDENTS DETECTED 72 HOURS INTO DLP PROGRAM
Company is approached in confidential manner in regards to a “hostile” takeover situation and has 48 hours to respond until public notice is provided.
Company crafted a set of policies within 2 hours to monitor all communication channels and endpoints within the DLP scope. Policy was enabled to:
• Quarantine all email communication
• Block all web based traffic or any downloading of specific keywords or specific documents related to the topic – management imposed gag order
Within 3 hours of the submission of the bid documents to the customer, 5 senior staff members had attempted to disclose the existence of the transaction:
• 2 email transmissions to friends/family members (spouses)
• 2 instant message/chat messages to friends/family members
• 1 Google mail to friend at an investment bank who works for direct competitor of company outlining the key terms of the offer. Employee was a Senior VP with access to term sheet.
USE CASE 3:
OBTAINING BUSINESS BUY-IN
CIO driven DLP program that “dragged” the COO, CFO and General Counsel to demo and presentation of the capabilities of DLP.
General Counsel set up meeting with CEO and Board to bring visibility to the “real dangers of a digital commerce environment”.
CEO and executive team allocated discretionary budget to build out a DLP pilot system at corporate headquarters to monitor for pre-disclosed earning information, M&A activity and competitor communications. 100 employees at HQ out of 10,000 global employees.
Recent trend seems to be more top down approach in regards to the assessment and adoption of DLP programs.
Had no problem with rapid deployment, policy development and building the supporting incident response program.
USE CASE: DLP PRE-PROJECT STATE
Organization Overview:
40,000 employees globally, Manufacturing
DLP Scope:
Protection of Intellectual Property (General)
DLP Primary Issue:
Customer overwhelmed with inaccurate incident data, no meaningful information
Application Management:
Operated and managed by IT Security with limited input from business.
Policy Governance:
Failure to use a lifecycle software development process for policy construction
Incident Triage:
Infrequently reviewed by IT with little to no review by business owners.
Event Management:
Hard to accomplish due to large # of false positives. No “gold nuggets.”
Reporting and Metrics:
Zero customized reports. No relevant business analysis provided.
Status:
System generates 25,000 incidents/day / 750,000 incidents/month
MANAGING WORKPLACE PRIVACY
Framework
1. Understand your company’s data flows
2. Identify your monitoring purpose
3. Understand general principles underlying personal data processing
4. Determine if other countries’ laws apply to your company
5. Understand other countries’ approach to workplace monitoring
6. Understand other countries’ requirements for workplace monitoring
7. Understand other countries’ laws
8. Implement technology that fosters compliance with legal requirements
IDENTIFY PURPOSE FOR MONITORING
Generally Acceptable Business Reasons Include:
• Monitor & maximize employee productivity
• Protect against unauthorized use, disclosure or transfer of PII
• Monitor employee compliance with employer workplace policies
• Investigate complaints of employee misconduct
• Prevent industrial espionage
• Prevent or respond to unauthorized access to employer’s computer systems
• Protect computer networks from becoming overloaded
• Prevent or detect unauthorized utilization of employer’s computer system for criminal activities & terrorism
• Help prepare employer’s defense to lawsuits or administrative complaints
• Respond to discovery requests in litigation related to electronic evidence
DETERMINE IF COUNTRY LAWS APPLY TO YOU
1. Does your company operate in that country?
2. Does your company have affiliates or subsidiaries that collect personal data in that country?
3. Does your company have employees residing in that country?
4. Does your company collect or process personal data in that country?
5. Does your company process personal data using equipment in that country?
INTERNATIONAL PRIVACY LAWS
BUSINESS IMPACT
Must comply with privacy laws in the countries where the company has operations; those laws can be significantly more restrictive than in the US
Transfer of personal information can be blocked in other countries unless
specific requirements are met
Countries across the globe are adopting privacy laws
UNDERSTAND GENERAL PRINCIPLES: SAFE HARBOR
NOTICE - Individuals must be informed that their data is being collected and about how it will be
used.
CHOICE - Individuals must have the ability to opt out of the collection and forward transfer of the
data to third parties.
ONWARD TRANSFER - Transfers of data to third parties may only occur to other organizations that
follow adequate data protection principles.
SECURITY - Reasonable efforts must be made to prevent loss of collected information.
DATA INTEGRITY - Data must be relevant and reliable for the purpose it was collected for.
ACCESS - Individuals must be able to access information held about them, and correct or delete it if
it is inaccurate.
ENFORCEMENT - There must be effective means of enforcing these rules.
APPLICATION SUPPORT & INTEGRATION
Primary System DLP Management =
Human Resource / Expertise Requirements
Integrated System Management =
Cross Department Collaboration Processes
Health Check & System Validation Management =
System Resource Requirements
Vendor Management =
Primary and Integrated Technology Vendor Relationships
POLICY & RULE GOVERNANCE
Who requests rules & policy requirements? Are business owners engaged?
Who reviews rule requests? Criteria for approved rule?
Who’s responsible for converting a rule into technical policy? Do they have technical policy authoring expertise?
What is the formal policy development process? First drafts rarely work as expected!
What’s the process for converting a rule request into a policy?
Is there a process to relay production policy metrics to stakeholders?
WORKFLOW DEVELOPMENT & MANAGEMENT
Who develops & manages policy “buckets”? False positive, inbound partner, outbound employee.
Triage response options: human notification, system notification (auto), hybrid?
Who defines thresholds that determine response rules for each “bucket”? Are 10 SSNs a high, medium or low severity incident?
Who’s responsible for building alerts, alarms & notifications?
Has business been engaged on event management?
Who designs & sets the policy response triggers? Malicious, Inadvertent, Suspicious, above threshold.
Who manages the DLP policy & rules repository? Why recreate the wheel?
INCIDENT TRIAGE & EVENT MANAGEMENT
How does DLP fit in overall incident/event management process?
Who reviews volume & yield of incidents & events?
How are events/incidents routed? What’s the review frequency? Who owns the incident/event?
What metrics are developed to measure success of rules & related policy? Revision of rules based on quality of policy results.
How will integrated systems be tied together to yield valued info? Secure mail, web gateway, GRC, SIEM.
Who manages policy optimization process?
Who’s responsible for developing metrics? Can this be mapped to DLP system?
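As an added illustration of the threshold, bucket and response-trigger questions above, and of the Use Case 1 correlation (external e-mail followed by a USB copy within 1 hour), this Python sketch scores constructed incident records and flags the cross-channel pattern. It is not code from the deck or from any DLP product; the incident fields, the threshold values and the sample records are assumptions, while the trigger names are the deck’s own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed incident record standing in for a DLP console export (hypothetical fields).
@dataclass
class Incident:
    user: str
    channel: str        # webmail, email, usb, print ... (Endpoint Prevent channels)
    matches: int        # policy matches in the content, e.g. SSNs or design-standard IDs
    when: datetime

# The answer to "Are 10 SSNs a high, medium or low severity incident?" is a governance
# decision; these threshold values are assumptions for the example only.
HIGH_MIN, MEDIUM_MIN = 10, 1
CORRELATION_WINDOW = timedelta(hours=1)   # Use Case 1: USB copy within 1 hour of the email

def severity(inc: Incident) -> str:
    """Map a match count to the severity bucket the triage workflow routes on."""
    if inc.matches >= HIGH_MIN:
        return "high"
    if inc.matches >= MEDIUM_MIN:
        return "medium"
    return "false positive"   # zero matches should never reach a human reviewer

def correlate(incidents: List[Incident]) -> Dict[str, str]:
    """Return user -> response trigger (Suspicious, above threshold, Inadvertent).
    A user who sent matching content externally and then copied matching content to
    removable media inside the window is escalated regardless of per-incident severity."""
    by_user: Dict[str, List[Incident]] = {}
    for inc in sorted(incidents, key=lambda i: i.when):
        by_user.setdefault(inc.user, []).append(inc)
    triggers: Dict[str, str] = {}
    for user, events in by_user.items():
        sends = [e for e in events if e.channel in ("webmail", "email") and e.matches > 0]
        copies = [e for e in events if e.channel == "usb" and e.matches > 0]
        if any(timedelta(0) <= c.when - s.when <= CORRELATION_WINDOW
               for s in sends for c in copies):
            triggers[user] = "suspicious"        # same data, two channels, tight timing
        elif any(severity(e) == "high" for e in events):
            triggers[user] = "above threshold"
        elif any(e.matches > 0 for e in events):
            triggers[user] = "inadvertent"       # low-volume, single channel: educate, review
    return triggers

T0 = datetime(2013, 5, 21, 9, 0)
SAMPLE = [  # constructed records, not real incidents
    Incident("alice", "webmail", 78, T0),                      # design standards to Gmail
    Incident("alice", "usb", 78, T0 + timedelta(minutes=40)),  # same content to personal USB
    Incident("bob", "email", 2, T0),                           # two SSNs in a routine message
    Incident("carol", "print", 0, T0),                         # zero matches: false positive
]

if __name__ == "__main__":
    print(correlate(SAMPLE))   # {'alice': 'suspicious', 'bob': 'inadvertent'}
```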
BUSINESS ANALYTICS
Who drives report requirements? Requestors, Reviewers, others?
Who develops reports?
Do they have the expertise with 3rd party reporting tools?
Are DLP system generated reports adequate?
Are the metrics valuable & driving meaningful change?
Report accuracy tied into QA process?
PITFALL 1: NO PLAN OF ATTACK
PITFALL 2: FAILURE TO ENGAGE THE BUSINESS
5 Pieces of DLP Advice You Can’t
Afford to Ignore
PITFALL 3: INADEQUATELY TRAINED RESOURCES
DATA-IN-MOTION PITFALLS:
Missing the Target – False Sense of Security
Mis-configured Tap or Port Span
Problem: Missing segments of network traffic or protocols.
Solution: Comprehensive test plan that maps to in-scope business processes and related data types transmitted from various network locations to ensure all relevant data streams are being captured.
Encryption – The Masked Data
Problem: Analysis of data DID NOT take place prior to encryption.
Solution: Comprehensive test plan that proves ALL DLP data assessment takes place prior to the gateway encryption & implement managed “test” DLP policies that identify encrypted transmissions as part of the test plan.
Misfire of Network Discovery Scans
Problem: Locations of sensitive data never targeted by the organization for scanning due to lack of an effective policy governance process.
Solution: Identify potential data stores by discussing the DLP program with staff to understand process.
Network versus Endpoint Discovery
Problem: Running DAR scans using a combo of network & endpoint without thinking about which policy types & detection methods are not the same.
Solution: Prior to acquiring DLP solution, have an understanding of the data types that make up your target environment & then decide on scanning method.
DATA-IN-MOTION (ENDPOINT) PITFALLS:
The Pandora’s Box of DLP
Environment Assessment
• Problem: No rigorous endpoint environment assessment prior to the selection of the application & enablement.
• Solution: Address age of environment, performance capabilities, technical & human issues, & load of applications, in conjunction with education on the DLP endpoints.
Staying in Contact
• Problem: Failure to monitor endpoint population & their frequency of “checking-in” to the management server with validated results.
• Solution: Phased deployment of endpoint with validation via test plan on initial success of ALL agents & ongoing endpoint agent health reports.
User Performance Impacts
• Problem: Implementing same policies for network based & endpoint assessments without testing or modification.
• Solution: Utilize a comprehensive test plan outlining specific metrics (time to open files, open/send emails, open applications) prior to deployment.
Network/System Performance Impacts
• Problem: Failure to calculate & measure the impact of endpoint policy traffic across wide & local area network connections.
• Solution: Thorough assessment of endpoint policies that addresses all of the concerns including policy design requirements, timing, frequency & delivery methods.
USE CASE: DLP POST-PROJECT STATE
Organization Overview:
Defined specific business units to initiate program
DLP Scope:
Focused on 3 specific product lines linked to highest revenue & earnings
DLP Primary Goal:
Identification of unauthorized movement of specific elements of IP
Application Management:
Operated by a combination of IT, messaging & desktop management teams
Policy Governance:
100% customized policies based on data collected from business unit
Incident Triage:
Daily review of incidents by Information Security
Event Management:
Incidents meeting severity criteria routed to business unit for investigation
Reporting and Metrics:
Behavioral pattern analysis leading to preventive actions
Status:
R&D teams have high-level of confidence in ability to identify leakage of IP.
QMS SAMPLE QUARTERLY REPORT
[Chart: Intelisecure DLP QMS: Six Month Trend – Number of Hours over Time, by Application Management, Policy Governance, Incident Triage, Event Management, Reporting & Analytics]
BEW GLOBAL HQ: 5613 DTC Parkway, Suite 1250, Greenwood Village, CO 80111, USA – (ph) +1 720 227 0990, (fax) +1 720 227 0984
BEW GLOBAL EMEA: 3 Albany Court, Albany Park, Camberley GU16 7QR, England – (ph) +44 (0) 845 481 0882, (fax) +44 (0) 871 714 2170
BEW GLOBAL APAC: 520 Oxford Street, Level 23, Tower 1, Bondi Junction, Sydney 2022 – (ph) +61 (2) 9513 8800, (fax) +61 (2) 9513 8888
www.bewglobal.com