Practical Aspects of DLP System Deployment
www.searchinform.com

SearchInform Information Security Perimeter

Customer Support Center
The Customer Support Center helps companies that are ready to deploy our product tune their information security based on the experience gained from tackling similar challenges (the names of our clients working in similar fields are kept secret). The Customer Support Center gives tips on:
• Tuning alerts;
• Protecting sensitive data;
• Differentiating user rights, etc.

Working with Colleges
Quite often college graduates do not meet employers’ expectations because they have no practical experience in information security. SearchInform is the only Russian developer of information security solutions involved in a program for training graduates. We provide a free product version to all colleges interested in training experts able to work with a real product.

Information Security Should Promote Business, not Hinder It. All Data Channels Should Be Open
Very often employees are not allowed to use the most efficient and popular communication channels for the sake of data loss prevention. For example, employees may be allowed to use only corporate e-mail while ICQ and Skype are banned, despite these being more efficient ways to communicate. A state-of-the-art DLP system allows the use of all data channels while intercepting and analyzing the data flows transmitted through them.

Information Security System Should Control All Data Channels
“The Wizard of Oz” featured a big scary wolf protecting the gate of the country from intruders. Nobody could cross the border. However, the rest of the border was just painted. The same could be said about information security: if copying data to removable media (USB devices or CD/DVD drives) is forbidden, confidential data will be sent by e-mail or instant messengers. Many employees think it is impossible to intercept data sent via Skype.
Being at work, they feel free to use Skype rather than any other Internet messenger. That is why files, text and voice messages sent via Skype should be controlled by all means. An integrated approach to information security is impossible if even one potential data leak channel is left uncontrolled.

One man doesn’t make a team?
Intercepted information is useless until it is analyzed. Reading all captured data is a rather irrational way of analyzing information. With the traditional approach a security officer can handle only 20-50 employees. And what if there are a couple of hundred or even thousands of them? SearchInform Information Security Perimeter offers automatic data analysis and alert response (using various search engines). This way one security officer can control 1000-1500 employees.

Windows Domain Structure Integration
Integration with the Windows domain structure enables accurate identification of the user sending messages via any of the following communication channels: e-mail, Skype, ICQ, MSN, JABBER, forums or web blogs, even if he/she used a free e-mail box, another nickname or another computer to enter the network.

Components of SearchInform Information Security Perimeter: Laptops Control
A laptop is not only a popular means of getting work done in the office, at home and during business trips, but also a serious concern for information security officers. Being outside the employer-controlled network, insiders may transfer confidential data to third parties. SearchInform EndpointSniffer can control this. It captures all data sent by users and transfers it to information security officers as soon as their laptops are connected to the network again. The EndpointSniffer agent carefully conceals its presence. It cannot be easily discovered even by an experienced engineer.

Tricks Recognition
Very often insiders trying to deceive information security officers send confidential data as image files or in encrypted archives. The DLP system’s full-scale control is achieved through the following:
• Optical character recognition of any image file and full-text search over the recognized text
• Intercepting encrypted files via all data communication channels
• Detecting files with a changed extension

Data-Leak Incidents and Preventive Measures
It is crucial to be aware of your employees’ relationships with their colleagues, to reveal opinion-shapers, and to control employees’ ties with their former colleagues.

IT or IS?
SearchInform’s experience shows that drawing the line between the Information Technology (IT) and Information Security (IS) departments is the best possible way to tune information security in a company. Each department has its own goals. Employing a qualified information security officer would be the best possible solution.

Three Pillars of Information Security
Preventing Data Leaks: A DLP system should not only detect data leaks but also prevent incidents at the stage when a potential insider has just started to express his/her displeasure.
Tracking Employee Moods: A DLP system can be used to track employee moods by monitoring Internet messenger and social network traffic (Skype, ICQ, Facebook, etc.).
Work Optimization: A DLP system helps you stay aware of employees’ attitude to innovations in the company. Thus internal company politics can be effectively controlled.

Data Access Permissions
Each component of the company’s information security perimeter complies with a single access rights differentiation system. It allows flexible configuration, and you can tune the rights to access intercepted documents any way you want.

System Architecture
All system components have a client-server structure.
The server side is one of the data interception platforms, SearchInform NetworkSniffer or SearchInform EndpointSniffer, plus client applications designed to access the database and conduct internal investigations. A single search-analytical base allows all of the above-mentioned search technologies to be used in full. SearchInform NetworkSniffer intercepts data through a mirror (SPAN) port on a switch, i.e. it processes a copy of the traffic without interfering with the company’s network. All information sent over data channels and protocols like SMTP, POP3, IMAP, HTTP, HTTPS, MAPI, ICQ, JABBER and MSN is captured at the LAN level. The NetworkSniffer platform incorporates the following products:
[diagram of NetworkSniffer products not preserved in the text]

System Architecture
The SearchInform EndpointSniffer platform uses agents to intercept traffic. It provides additional control over employees outside the company’s LAN, who may otherwise freely transfer confidential data stored on laptops to third parties. SearchInform EndpointSniffer collects all data sent by users and transfers it to information security officers for analysis as soon as the laptops are connected to the LAN again. Its major advantage is increased fault tolerance (interception is ensured even if servers are not available). Data transmitted over secure communication protocols are also captured. SearchInform EndpointSniffer agents:
[diagram of EndpointSniffer agents not preserved in the text]

Components of SearchInform Information Security Perimeter: Intercepting Internet Traffic
SearchInform NetworkSniffer allows intercepting sensitive data transferred over the Internet. All common protocols that may be used by insiders are supported. It also supports proxy servers, both software (Kerio, Squid, etc.) and hardware (BlueCoat, IronPort, etc.), through ICAP.
E-mail: E-mail is one of the most dangerous data leak channels as it allows sending large data volumes. The following protocols are supported: SMTP, POP3, MAPI, IMAP.
HTTP: Insiders can send sensitive information to forums, blogs, social networks and chats, or use web services to send e-mail or SMS messages.
FTP: FTP allows sending large data volumes and may be used by insiders to transmit entire databases, drawings, scanned documents, etc.

Components of SearchInform Information Security Perimeter: Skype
SkypeSniffer is the first DLP solution to intercept files, text and voice messages sent via Skype.
Instant Messengers (IM): NetworkSniffer supports ICQ, MSN, Mail.ru Agent and JABBER.
PrintSniffer: PrintSniffer intercepts every printed document, indexes it and saves it to a database. It helps prevent data leaks and shows whether a printer is used as intended, thus avoiding excessive consumption of paper and other consumables, like toner.

Components of SearchInform Information Security Perimeter
DeviceSniffer intercepts files copied to removable media (flash drives, CD/DVD and portable hard disks). It prevents leaks of large data volumes copied to such devices.
MonitorSniffer takes screenshots and saves them to a database. It can also show the monitors of one or several users in real time and monitor users working via RDP (Remote Desktop Protocol).

Components of SearchInform Information Security Perimeter
FileSniffer controls users working with shared network resources, protecting large data volumes that should not be sent to third parties. Dishonest employees may use such resources for malicious purposes.
Workstation indexing is the best possible way to monitor whether sensitive data appeared on, was deleted from or was copied to user computers. Controlling every user PC in a company helps discover employees with malicious intent.

Data-Leak Incidents and Preventive Measures: Thesaurus
Together with one of the city councils, SearchInform Ltd. has worked out an anti-corruption thesaurus including words related to bribery. If specific words (money, cash, franklins, etc.) are found, information security officers are immediately notified.
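
The “Tricks Recognition” slide (files with a changed extension, encrypted archives) and the “Thesaurus” slide (keyword alerts) both describe content checks a DLP analyzer runs over intercepted data. The following is an added example written for this page, not SearchInform’s code, showing those three checks in one small inspection pass: the real file type is taken from leading magic bytes and compared with the extension, ZIP archives are checked for the “encrypted” flag on their entries, and message text is matched against a whole-word thesaurus. The signature table, the thesaurus terms, the file names, the sender names and the message lines are all constructed for the example; a real product carries a much larger signature table and thesaurus.

```python
"""Added example (not SearchInform's code): a minimal DLP content-inspection pass.
Flags (1) files whose extension contradicts their magic bytes, (2) ZIP archives
with encrypted entries, (3) text hitting a keyword thesaurus.
Every sample input is constructed for this example."""
import io
import re
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Assumption: a real product ships a far larger signature table than this.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
    b"\xff\xd8\xff": "jpg",
}
ZIP_EXTENSIONS = {"zip", "docx", "xlsx", "pptx", "jar"}  # legitimate ZIP containers
EXT_ALIASES = {"jpeg": "jpg"}
THESAURUS = ("money", "cash", "franklins")  # terms named on the slide; constructed list


@dataclass
class Finding:
    subject: str  # file name or message sender
    rule: str     # which check fired
    detail: str


def sniff_type(data: bytes) -> Optional[str]:
    """Format implied by the leading bytes, or None if unknown."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return None


def extension_mismatch(filename: str, data: bytes) -> Optional[str]:
    """Real type when it contradicts the extension, else None."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = EXT_ALIASES.get(ext, ext)
    real = sniff_type(data)
    if real is None:
        return None                      # unknown content, nothing to compare
    if real == "zip" and ext in ZIP_EXTENSIONS:
        return None                      # .docx etc. are ZIP containers by design
    return None if ext == real else real


def zip_is_encrypted(data: bytes) -> bool:
    """True if any entry has general-purpose flag bit 0 ('encrypted') set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def find_terms(text: str, terms: Sequence[str]) -> List[str]:
    """Case-insensitive whole-word thesaurus hits, in thesaurus order."""
    return [t for t in terms
            if re.search(r"\b" + re.escape(t) + r"\b", text, re.IGNORECASE)]


def inspect_file(filename: str, data: bytes) -> List[Finding]:
    findings = []
    real = extension_mismatch(filename, data)
    if real:
        findings.append(Finding(filename, "changed-extension", f"content looks like {real}"))
    if sniff_type(data) == "zip" and zip_is_encrypted(data):
        findings.append(Finding(filename, "encrypted-archive", "ZIP has encrypted entries"))
    return findings


def inspect_text(sender: str, text: str, terms: Sequence[str] = THESAURUS) -> List[Finding]:
    hits = find_terms(text, terms)
    return [Finding(sender, "thesaurus", ", ".join(hits))] if hits else []


def make_zip_sample(encrypted: bool) -> bytes:
    """Constructed ZIP sample. zipfile cannot write encrypted archives, so for the
    encrypted case flag bit 0 is set by hand in every local header (offset 6) and
    central-directory header (offset 8); the payload itself stays unencrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("report.txt", "constructed sample payload")
    raw = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(sig)
            while pos != -1:
                raw[pos + off] |= 0x01
                pos = raw.find(sig, pos + 1)
    return bytes(raw)


# Constructed samples: a PDF renamed to .txt, an "encrypted" .zip, a normal .docx,
# plus two messenger lines from constructed sender names.
SAMPLE_FILES = [
    ("spec.txt", b"%PDF-1.7\n%constructed sample"),
    ("deal.zip", make_zip_sample(encrypted=True)),
    ("notes.docx", make_zip_sample(encrypted=False)),
]
SAMPLE_MESSAGES = [
    ("skype:user-a", "Bring the CASH tomorrow, 500 franklins as agreed"),
    ("icq:user-b", "lunch at 1pm?"),
]


def run_demo() -> List[Finding]:
    findings = []
    for name, data in SAMPLE_FILES:
        findings.extend(inspect_file(name, data))
    for sender, text in SAMPLE_MESSAGES:
        findings.extend(inspect_text(sender, text))
    return findings


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.rule:18} {f.subject:14} {f.detail}")
```

Running the module prints three findings: the renamed PDF, the archive with the encrypted flag, and the Skype line that hits two thesaurus terms; the .docx and the harmless ICQ line produce nothing. The whole-word regex is what keeps “cashier” from triggering on “cash”; a production thesaurus would add inflected forms rather than loosen that boundary.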

Data-Leak Incidents and Preventive Measures: Printer
A company producing large volumes of grocery products found a significant difference between the products shipped and the products stored at the end-seller’s warehouse. SearchInform PrintSniffer made it possible to track the illegal output of unrecorded items organized by a group of employees. Selling such products was possible because duplicate invoices were being printed.

Data-Leak Incidents and Preventive Measures: Monitoring ICQ and User Workstations
ICQ monitoring helped find some not very flattering “poetry” about the company’s management. This could have been a hard blow to the company’s reputation, as some lines had been made accessible on the Internet. The “poets” were found through analysis of ICQ messages by IMSniffer. After the very first message had been tracked, the workstations of several employees were checked, and the poetry files were found there.

Data-Leak Incidents and Preventive Measures: Cusswords and Offensive Epithets
Curse words combined with the names of top managers give food for thought.

Data-Leak Incidents and Preventive Measures
Any company has sensitive data to protect. It is crucial to monitor documents containing names of employees, names of business partners, and information on developed products.

Data-Leak Incidents and Preventive Measures
SearchInform’s experience shows that the following employees should be included in the risk group:
1. Employees who have breached the company’s security policies at least once;
2. Employees using various tricks (changed file extensions, password-protected archives, etc.);
3. Disloyal employees (negative comments about the company’s top management, etc.);
4. Employees who started ignoring their work for some reason;
5. Employees whose work is closely related to cash flows, and some mid-level managers.

Data-Leak Incidents and Preventive Measures: Common Practice
• Monitoring communication with dismissed employees;
• Monitoring so-called opinion shapers and bursts of activity;
• Monitoring the activity of 1-2% of staff for the previous month.

Advantages of SearchInform Information Security Perimeter
1. Easy to integrate. Installing SearchInform Perimeter components takes only several hours. The company’s existing information systems are not affected by the integration.
2. End-to-end solution. It enables you to control all data transfer channels, including Skype, social networks, printers and user activity on file servers.
3. Similar-content search feature. The similar-content search technology lets you easily tune the analytical subsystem without assistance from outside your company. Besides, efficient data protection is achieved while employing fewer information security officers for data analysis.
4. Windows Domain Structure Integration allows accurate user identification.
5. Extended search possibilities allow efficient data protection while employing fewer information security officers for traffic analysis (one officer is enough to monitor 1000-1500 workstations).

Control your information!