The Next Generation DLP Journey

Duane Clouse
Global Managing Principal, Verizon Data Protection
October 2015
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or
distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.
Agenda
The areas covered will be:
Current Data Protection Landscape
In this topic I will review the current security breach statistics, the existing Data Protection landscape and what is needed to help drive a successful Data Protection program.
Why Classification
Classifying information is the keystone to determining who should have access to the information and what they are allowed to do with it. In this topic I will discuss the importance of data classification and the typical approaches in use today.
Data Protection beyond the Endpoint
Traditional DLP tools end at the perimeter. Other strategies are needed to extend protection beyond the enterprise. In this topic I will address the use cases and solutions that could address data outside of the perimeter.
Breach statistics:
• 70 contributing organizations
• 79,790 security incidents
• 2,122 confirmed data breaches
• 61 countries represented
Security incident: any event that compromises the confidentiality, integrity, or availability of an information asset.
Data breach: an incident that resulted in confirmed disclosure (not just exposure) to an unauthorized party.
Data breaches are affecting organizations in over 61 countries.
Insider Misuse
As with prior years, the top action (55% of incidents) was privilege abuse.
Most affected industries: Public, Healthcare, and Financial Services.
Miscellaneous Errors
Most affected industries: Public, Information, and Healthcare.
Information Protection Driven by Classification
Existing Solutions
Like CISOs, information security solution providers are rising to the challenge of the borderless enterprise, and numerous solutions exist. The most popular of these are based on security paradigms that can be roughly divided into three types:
• Data Loss Prevention (DLP)
• Cloud Encryption Gateways (CEG)
• Anti-Malware or Advanced Persistent Threat (APT) protection
** All three are still valid solutions and are excellent at what they do, specific to the requirements they are working to fulfil.
DLP-based Solutions
According to Wikipedia, Data Loss Prevention “…is designed to detect potential data breach / data exfiltration transmissions and prevent them by monitoring, detecting and blocking sensitive data while in-use (endpoint actions), in-motion (network traffic), and at rest (data storage).”
DLP was conceived to protect infrastructure. It presupposes that data will always be enclosed – within a trusted endpoint, in transit over a trusted network, or within a trusted storage network. In other words, the DLP paradigm presumes that the perimeter still exists. But since we’ve already determined that the perimeter does not exist, how can DLP-based information security solutions still deliver?
Cloud Encryption Gateway (CEG) - based Solutions
CEG solutions create a secure conduit between your users and cloud-based applications and data. Trusted users can only access cloud-based services via this single point, and their data is encrypted while in transit and in storage.
CEG appliances constitute a single point of failure at worst, a traffic bottleneck at best, and raise TCO (Total Cost of Ownership) in any case. But beyond the obvious, CEG is conceptually trying to create a perimeter in a perimeter-less world. By limiting access to the cloud to a single point, CEG-based solutions by definition cripple cloud elasticity and may impact productivity.
Anti-Malware and APT Protection
• Signature-based solutions need pre-existing knowledge of a given attack type in order to defend against that attack. But since threats are zero-day, pre-existing knowledge is an oxymoron. This paradigm protects only against known threats, when the danger is by definition unknown.
• Current anomaly detection solutions, even those advanced solutions that use predictive behavior modelling, still markedly contribute to security overhead owing to frequent false positives. Moreover, these solutions can actually impede security, since security thresholds are often raised to eliminate false positives, allowing malware to “slip in under the radar.”
More Options
• Encryption – symmetric and asymmetric
• Rights management
   The concept of persistent protection that controls the use, circulation, and compartmentalization of content
• Secure file sharing and collaboration
   Aim to provide end-to-end security, with a wide range of capabilities that can include content management and workflow, encryption, file retention management etc.
• SIM and security analytics
   Situational awareness — understanding what is happening in the enterprise environment and how data flows
• Access controls
   Ensuring that the right users have access to the right data when they need it
What is Important for Success with a Data Protection Program
• Commitment - Senior and middle management need to be on board; this is not something that can be fixed by technology alone.
• Identify the Business Drivers - Support from the information owners and other appropriate sponsors to establish the correct success criteria.
• A Defined Process Discipline - (Operationalization) Specific to the area of Data Protection.
• Policy Governance and Framework - (Operationalization) Specific to the area of Data Protection.
Program Validation
Validation Tasks: validation of DLP program success criteria
• Policy review for support of DLP program activities
• Identify and validate both short- and long-term DLP program objectives
• Validate executive support and sponsorship for DLP
• Document the suggested changes and recommendations to existing process, policies and infrastructure.
The challenge - Global Workspace
• Storage
• Applications
• Devices
A new approach is needed: Next Generation DLP
• Reduce operations overhead
• Real, effective security
• Classify information persistently
• Avoid false positives and false negatives
• Reduce the need for multiple appliance implementations at the exit points
• Go beyond monitoring-only mode
• Protect information in the Cloud
• Protect instead of block. Blocking is disruptive.
Information / Data centric protection
Diagram components: Identity and Governance; Discover, Monitor and Control; Protection; Classification.
Why Classification
• Protection - persistent encryption and Information Rights Management (like MS AD RMS). Protection and permissions move with data - in use, in motion, and at rest - regardless of location, on/off premise, while still preserving functionality like archiving, e-discovery, and more.
• Classification – classification of sensitive files and emails based on automated, system-driven recommendations, as well as user-driven classification models that assist enterprises in optimizing classification methods.
• Usage Tracking – powerful analytics and reporting to identify trends, detect anomalies, execute forensics, and assess risk.
• Policy – granular central policy management throughout the information lifecycle.
By changing from a perimeter-centric security paradigm to an information/data-centric paradigm, CISOs can nullify the issues that traditional information security vendors wrestle with daily. No more costly and productivity-limiting workarounds. No more high-security single points of failure. Sensitive information of any kind is immunized at its origin, and is then free to be securely accessed by trusted users - anywhere, anytime.
Why Classification
Classifying information is the keystone to determining who should have access to the information and what they are allowed to do with it.
• Sensitive information might be anywhere
   • Infrastructure location alone, such as a file share, is not a reliable way to determine sensitivity.
• Raise user awareness
   • Classification raises user awareness and accountability.
• Provides accuracy
   • Many DLP implementations do not progress beyond monitoring only.
   • DLP tools cannot reliably scan non-text-based information or detect intellectual property.
   • DLP tools can utilize classification information to determine the sensitivity of information.
Classification
• Flexible interception points
   • Cloud solutions
   • ECM (Enterprise Content Management) software like MS SharePoint
   • Enterprise applications
   • Storage networks
• All types of user-generated content
• Automated classification based on source, target and content
• User-driven classification and reclassification built in to the everyday workflow
Protection
Traditional DLP tools end at the perimeter. Encryption is needed to extend protection beyond the enterprise.
• Encryption of any file type and email regardless of storage location. Protect the object instead of DLP block.
• No manual key or certificate exchange.
• The protection must be transparent to the user.
• Password-based encryption does not scale and creates a black hole.
• Protection based on classification policy, that is, AD Group based encryption instead of individual users.
• Protection inside and outside of the enterprise on any device.
• No separate client install. RMS is built in to Windows.
Classification Mechanism
An optimized classification cycle is triggered upon intercepted events (open, close, save, download, upload, copy, etc.) and is built from:
• Phrases
• Patterns
• Thresholds
• Algorithms
Classification inputs (diagram). Input categories: Source, Destination, Identity (AD attributes), Content, Metadata (properties). Input examples shown: folders, user, file, email, applications, domain, web, ECM, SaaS, cloud, IP ranges, Microsoft Word document. Third-party and user classification feed the same decision. Resulting labels shown: Customer Info, Finance Info, Classified, Top Secret, Public Info, Others.
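As an added illustration of the classification mechanism described above (phrases, patterns, thresholds and algorithms evaluated when an event is intercepted, combined with the source label from the diagram's inputs), here is a small Python classifier. It is example code written for this page, not code from the presentation or from any product named in it: the rule set, the regular expressions, the handled event names and the sample documents are constructed, and the label names are the ones shown on the slides.

```python
"""Added example, not from the presentation: a minimal classifier that runs
when a file event is intercepted and applies the four mechanisms the slide
lists (phrases, patterns, thresholds, algorithms) together with the label
inherited from the object's source. Label names come from the deck; rules,
regexes and sample documents are constructed for this example."""
import re
from dataclasses import dataclass, field
from typing import Dict, List


def luhn_ok(candidate: str) -> bool:
    """Algorithm step: Luhn checksum confirming a payment-card candidate."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 16:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Phrases: literal, case-insensitive matches (constructed rule set)
PHRASES: Dict[str, List[str]] = {
    "Finance Info": ["quarterly revenue", "balance sheet", "profit and loss"],
    "Classified": ["internal only", "do not distribute"],
}

# Patterns: (regex, optional validator); the validator is the "algorithm"
# that confirms a raw pattern hit before it is counted
PATTERNS = {
    "Customer Info": [
        (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), None),  # e-mail address
        (re.compile(r"\b\d{3}-\d{3}-\d{4}\b"), None),          # phone number
    ],
    "Finance Info": [
        (re.compile(r"\b(?:\d[ -]?){13,16}\b"), luhn_ok),      # card number
    ],
}

# Thresholds: minimum number of hits before a label is assigned
THRESHOLDS = {"Customer Info": 3, "Finance Info": 1, "Classified": 1}

# Labels from most to least sensitive; the most sensitive applicable one wins
RANK = ["Top Secret", "Classified", "Finance Info", "Customer Info", "Public Info"]

# Intercepted events listed on the slide
EVENTS = {"open", "close", "save", "download", "upload", "copy"}


@dataclass
class Classification:
    label: str
    hits: Dict[str, int] = field(default_factory=dict)  # label -> hit count


def classify(text: str, source_label: str = "Public Info") -> Classification:
    """Classify one object from its content plus the label inherited from its
    source (e.g. a tagged library). source_label must be a RANK entry; the
    result never drops below it, so content alone cannot downgrade an object."""
    hits: Dict[str, int] = {}
    lowered = text.lower()
    for label, phrases in PHRASES.items():
        n = sum(lowered.count(p) for p in phrases)
        if n:
            hits[label] = hits.get(label, 0) + n
    for label, rules in PATTERNS.items():
        for regex, validator in rules:
            for match in regex.finditer(text):
                if validator is None or validator(match.group()):
                    hits[label] = hits.get(label, 0) + 1
    candidates = [lbl for lbl, n in hits.items() if n >= THRESHOLDS.get(lbl, 1)]
    candidates.append(source_label)
    return Classification(min(candidates, key=RANK.index), hits)


def on_event(event: str, text: str, source_label: str = "Public Info") -> Classification:
    """Run the classification cycle for one intercepted event."""
    if event not in EVENTS:
        raise ValueError(f"unsupported event: {event}")
    return classify(text, source_label)


# Constructed sample documents (the card number is a well-known test value)
SAMPLE_DOCS = {
    "newsletter.txt": "Our public newsletter: join us at the open day on Friday.",
    "customers.csv": "alice@example.com,555-123-4567\nbob@example.com,555-987-6543\n",
    "q3.docx": "Quarterly revenue grew 4%. Internal only.",
    "receipt.txt": "Card 4111 1111 1111 1111 charged on 2015-10-01.",
}


def classify_samples() -> Dict[str, Classification]:
    """Classify every sample document as if it had just been saved."""
    return {name: on_event("save", text) for name, text in SAMPLE_DOCS.items()}


if __name__ == "__main__":
    for name, result in classify_samples().items():
        print(f"{name:16} -> {result.label:14} hits={result.hits}")
```

Running the module classifies the four constructed documents. The card-number pattern is counted only when the Luhn check passes, which is what keeps a phone number or a date from being mistaken for a card, and the inherited source label acts as a floor so that an object downloaded from a tagged location is never downgraded by its content alone.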
SAP Information Protection
Companies spend considerable resources controlling their SAP environment, but information exported from SAP is generally uncontrolled.
• Protect and classify information at the moment of creation
• Persistent object encryption
• Centrally controlled access policy
• Persistent classification
• Audit trail of document use
• Automated classification based on source, destination, content, thresholds
Example: Engineering Files
An organization wants to protect intellectual property in the form of CAD drawings and other engineering files in the changing IT landscape.
(Diagram: CAD Application / Persistent Protection / Operating System)
• Classify and protect CAD files
• Persistent protection, even when shared with authorized external parties
• Fine-grained access restrictions, e.g., allow viewing, prevent printing, etc.
• Un-intrusive solutions supporting established policies for engineering information and Product Lifecycle Management (PLM) solutions
• Protect CAD constructions, consisting of many parts and structure files, protecting only the relevant parts
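The Protection slide calls for AD-group-based encryption driven by classification policy, and the engineering example above adds fine-grained rights such as view-but-not-print for external parties together with an audit trail of document use. The following Python example, written for this page and not taken from the presentation or any product it names, shows that policy model as a deny-by-default decision function with an audit trail and a simple anomaly query over it; the groups, users, documents, rights and requests are constructed.

```python
"""Added example, not from the presentation: a classification-driven
protection policy in which usage rights are granted to AD groups per
classification label (never to individual users), every decision is written
to an audit trail, and the trail is queried for anomalies. Label names come
from the deck; groups, users, documents and requests are constructed."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Policy: classification label -> AD group -> permitted rights (constructed)
POLICY: Dict[str, Dict[str, Set[str]]] = {
    "Public Info": {"Domain Users": {"view", "edit", "print", "forward"}},
    "Customer Info": {"Sales": {"view", "edit"}, "Support": {"view"}},
    "Finance Info": {"Finance": {"view", "edit", "print"}, "Executives": {"view"}},
    # Engineering files: external partners may view but not edit or print
    "Classified": {"Engineering": {"view", "edit"}, "External Partners": {"view"}},
    "Top Secret": {},  # no group is granted anything unless policy is extended
}

# Directory: user -> AD group memberships (constructed)
DIRECTORY: Dict[str, Set[str]] = {
    "alice": {"Domain Users", "Finance"},
    "bob": {"Domain Users", "Sales"},
    "carol": {"Domain Users", "Support"},
    "dave": {"Domain Users", "Engineering"},
    "erin": {"External Partners"},
    "mallory": {"Domain Users"},
}


@dataclass(frozen=True)
class AuditRecord:
    user: str
    document: str
    label: str
    action: str
    allowed: bool


def effective_rights(user: str, label: str) -> Set[str]:
    """Union of the rights held on `label` by every group the user belongs to."""
    groups = DIRECTORY.get(user, set())
    rights: Set[str] = set()
    for group, granted in POLICY.get(label, {}).items():
        if group in groups:
            rights |= granted
    return rights


def authorize(trail: List[AuditRecord], user: str, document: str,
              label: str, action: str) -> bool:
    """Deny by default and record every decision, allowed or not."""
    allowed = action in effective_rights(user, label)
    trail.append(AuditRecord(user, document, label, action, allowed))
    return allowed


def flag_anomalies(trail: List[AuditRecord], threshold: int = 3) -> List[str]:
    """Users with at least `threshold` denied actions on protected objects."""
    denied = Counter(r.user for r in trail if not r.allowed)
    return sorted(u for u, n in denied.items() if n >= threshold)


def run_scenario() -> Tuple[Dict[Tuple[str, str, str], bool], List[str]]:
    """Constructed request sequence; returns the decisions and flagged users."""
    requests = [
        ("alice", "q3.docx", "Finance Info", "view"),
        ("alice", "q3.docx", "Finance Info", "print"),
        ("bob", "q3.docx", "Finance Info", "view"),
        ("bob", "customers.csv", "Customer Info", "edit"),
        ("bob", "customers.csv", "Customer Info", "forward"),
        ("carol", "customers.csv", "Customer Info", "edit"),
        ("dave", "turbine.dwg", "Classified", "edit"),
        ("dave", "turbine.dwg", "Classified", "print"),
        ("erin", "turbine.dwg", "Classified", "view"),
        ("erin", "turbine.dwg", "Classified", "print"),
        ("mallory", "q3.docx", "Finance Info", "view"),
        ("mallory", "turbine.dwg", "Classified", "view"),
        ("mallory", "plans.docx", "Top Secret", "view"),
    ]
    trail: List[AuditRecord] = []
    decisions = {(u, d, a): authorize(trail, u, d, l, a) for u, d, l, a in requests}
    return decisions, flag_anomalies(trail)


if __name__ == "__main__":
    decisions, flagged = run_scenario()
    for (user, doc, action), ok in decisions.items():
        print(f"{user:8} {action:8} {doc:14} {'allowed' if ok else 'denied'}")
    print("flagged:", flagged)
```

Because rights hang off the label and the group, re-labelling a document or moving a user between groups changes access everywhere at once without touching the object, which is the point of "AD Group based encryption instead of individual users"; the audit trail is what turns the same decisions into the usage-tracking and forensics the deck lists.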
Watchful Software RightsWATCH
Screenshots:
• Classify email.
• Classify Office documents.
• Office classification visualization.
• Classify from a folder.
• Open protected picture file.
Secure Islands IQProtector
Screenshots:
• Classify email.
• Email classification visualization.
• Classify Office.
• Office classification visualization.
• Access denied.
Thank you.