Sensitive Data Loss is NOT Inevitable

Size: px

Start display at page:

Download "Sensitive Data Loss is NOT Inevitable"

Camron Norris
5 years ago
Views:

1 Sensitive Data Loss is NOT Inevitable Dan Geer, CISO In-Q-Tel Featured Speaker Heidi Shey, Security Analyst, Forrester Research

Shey, Forrester Why Consider MSP Dan Geer, In-Q-Tel Q&A

2 Agenda Introduction Time for a Change Dan Geer, In-Q-Tel How to Overcome Common DLP Challenges Heidi Shey, Forrester Why Consider MSP Dan Geer, In-Q-Tel Q&A with Dan Geer & Forrester Sensitive Data Loss is NOT Inevitable 1

3 About Dan Geer Chief Information Security Officer (CISO) for In-Q-Tel Started first cyber security firm on Wall Street in 1992 Former president of USENIX Association Earned a Lifetime Achievement Award Presented Keynote Address BlackHat 2014 Digital Guardian Customer Advisory Group 2014 Sensitive Data Loss is NOT Inevitable 2

4 Typical Approach to Security Not Working Typical mélange of security products are less cost effective Antivirus Firewalls Intrusion Detection Systems Patch Management Systems Cost of management far outweighs license cost Failure of any is the failure of all Sensitive Data Loss is NOT Inevitable 3

5 Identity and Access Management Doesn t Scale Access control - conventional approach to data protection AC as a security strategy suffers from complexity issues Increases in personnel and its resources Increase in size of access control matrix Cost rises faster than environmental complexity Ultimately unsustainable over time Sensitive Data Loss is NOT Inevitable 4

6 Security Spend Over The Years $25,000,000,000 Security Spend over Time $20,000,000,000 $15,000,000,000 $10,000,000,000 $5,000,000,000 $ Network Security Database & Encryption Security Data Loss Prevention Security Operations Application Security Risk and Compliance Management Endpoint Security/Antivirus Identity Management Sensitive Data Loss is NOT Inevitable 5

7 Security Spend in 2014 Identity Management, $7,114,200,000 SECURITY SPEND IN 2014 Network Security 29% Security Operations 12% Data Loss Prevention 1% DB & Encryption 12% Risk & Compliance 11% Anti-Virus 14% Identity Management 10% 65% Endpoint Security/Antivirus, $9,959,880,000 Risk and Compliance Management, $7,825,620,000 Application Security, $8,537,040,000 Network Security, $20,631,180,000 Database & Encryption Security, $8,587,460,000 Data Loss Prevention, $661,000,000 Security Operations, $8,537,040,000 Sensitive Data Loss is NOT Inevitable 6

8 Time for a Change Re-center your security Data vs. infrastructure Accountability vs. access control Minimize surprises Evolve to context driven, data-centric security Observe what matters the data Sensitive Data Loss is NOT Inevitable 7

9 DLP Key Component to Data-Centric Security As data volumes explode and more people and devices have access, the challenge of controlling it will grow exponentially. Endpoint, , web, gateway, and network are critical channels for data loss that DLP solutions can cover. Despite the difficulties, DLP as a capability continues to be an important part of data defense. Rethinking DLP: Introducing The Forrester DLP Maturity Grid Heidi Shey and John Kindervag, Jan 15, 2015 Sensitive Data Loss is NOT Inevitable 8

10 About Heidi Shey Analyst at Forrester Serves Security & Risk Professionals Data security and privacy Security architecture and operations Areas of focus Data discovery and classification Secure file sharing and collaboration Cyber security and privacy Certified Information Systems Security Professional (CISSP) Sensitive Data Loss is NOT Inevitable 9

11 Overcome Common DLP Hurdles Heidi Shey, Analyst February, 2015

12 Agenda Mixed satisfaction why? Challenge of limited scope deployments Five process steps for DLP success 2014 Forrester Research, Inc. Reproduction Prohibited 11

13 DLP: a tale of woe It does not stop data from leaving, and we know data is leaking out Forrester Research, Inc. Reproduction Prohibited 12

14 DLP: a tale of woe There s too much noise (false positives) to dig through. We re overwhelmed by it all. It does not stop data from leaving, and we know data is leaking out Forrester Research, Inc. Reproduction Prohibited 13

15 DLP: a tale of woe It s been 2 years. We ve invested millions. It is still unusable. It just doesn t work. There s too much noise (false positives) to dig through. We re overwhelmed by it all. It does not stop data from leaving, and we know data is leaking out Forrester Research, Inc. Reproduction Prohibited 14

16 DLP: a tale of triumph When it first rolled out, our chairman commented it was the first security tool he felt good about Forrester Research, Inc. Reproduction Prohibited 15

17 DLP: a tale of triumph When it first rolled out, our chairman commented it was the first security tool he felt good about. Money well spent. We gained visibility, raised awareness, and gained support for the infosec program Forrester Research, Inc. Reproduction Prohibited 16

18 DLP: a tale of triumph When it first rolled out, our chairman commented it was the first security tool he felt good about. Money well spent. We gained visibility, raised awareness, and gained support for the infosec program. It stopped a data breach! 2014 Forrester Research, Inc. Reproduction Prohibited 17

19 2014 Forrester Research, Inc. Reproduction Prohibited 18

20 How have we defined success? 2014 Forrester Research, Inc. Reproduction Prohibited 19

21 Reality check: time to deploy What s included in the estimate? What do you need to do to prepare? Don t think of DLP as a project. It s an ongoing program 2014 Forrester Research, Inc. Reproduction Prohibited 20

22 Reality check: resources to tune How to determine the DLP rules? What does it take to maintain? DLP is not magic 2014 Forrester Research, Inc. Reproduction Prohibited 21

23 Reality check: frustration with vendor support What type of support is provided? What will cost you extra? Hiccups happen. Align expectations for support 2014 Forrester Research, Inc. Reproduction Prohibited 22

24 Many flavors of DLP vendors Suite One product covering multiple channels of data loss/leakage 2014 Forrester Research, Inc. Reproduction Prohibited 23

25 Many flavors of DLP vendors Suite Feature DLP capabilities are a feature embedded within a security product or solution 2014 Forrester Research, Inc. Reproduction Prohibited 24

26 Many flavors of DLP vendors Suite Service DLP as a managed service Feature 2014 Forrester Research, Inc. Reproduction Prohibited 25

27 Challenge of limited scope deployments 2014 Forrester Research, Inc. Reproduction Prohibited 26

28 What are you looking for? 2014 Forrester Research, Inc. Reproduction Prohibited 27

29 What are you looking for? 2014 Forrester Research, Inc. Reproduction Prohibited 28

30 What are you looking for? 2014 Forrester Research, Inc. Reproduction Prohibited 29

31 Many focus on personal and financial data and overlook the value of IP Pitfalls that contribute to this: Compliance (mentality of check the box compliance at the cheapest cost) 2014 Forrester Research, Inc. Reproduction Prohibited 30

32 Many focus on personal and financial data and overlook the value of IP Pitfalls that contribute to this: Compliance (mentality of check the box compliance at the cheapest cost) Clarity (lack of clarity over what is sensitive data, especially IP) 2014 Forrester Research, Inc. Reproduction Prohibited 31

33 Many focus on personal and financial data and overlook the value of IP Pitfalls that contribute to this: Compliance (mentality of check the box compliance at the cheapest cost) Clarity (lack of clarity over what is sensitive data, especially IP) Completion (mindset that DLP is a project to complete, rather than an ongoing program) 2014 Forrester Research, Inc. Reproduction Prohibited 32

34 Many focus on personal and financial data and overlook the value of IP Pitfalls that contribute to this: Compliance (mentality of check the box compliance at the cheapest cost) Clarity (lack of clarity over what is sensitive data, especially IP) Completion (mindset that DLP is a project to complete, rather than an ongoing program) Collaborators (neglecting to work with and understand your workforce and internal stakeholders) 2014 Forrester Research, Inc. Reproduction Prohibited 33

35 Craft a data-centric DLP program Priorities: start with highest-value data types 2014 Forrester Research, Inc. Reproduction Prohibited 34

36 Craft a data-centric DLP program Priorities: start with highest-value data types Regulated data 2014 Forrester Research, Inc. Reproduction Prohibited 35

37 Craft a data-centric DLP program Priorities: start with highest-value data types Sensitive data 2014 Forrester Research, Inc. Reproduction Prohibited 36

Craft a data-centric DLP program Priorities: start with highest-value data types Sensitive data When in doubt, data creators, users, and owners must ask: 1) Would it be acceptable if this data

38 Craft a data-centric DLP program Priorities: start with highest-value data types Sensitive data When in doubt, data creators, users, and owners must ask: 1) Would it be acceptable if this data were to fall into the hands of a competitor? 2) Would employees, customers, and business partners care if this information was made public? 2014 Forrester Research, Inc. Reproduction Prohibited 37

39 Five process steps for DLP success 2014 Forrester Research, Inc. Reproduction Prohibited 38

40 Five key process stages 2014 Forrester Research, Inc. Reproduction Prohibited 39

41 Five key process stages Where is data located? Where is sensitive data located? 2014 Forrester Research, Inc. Reproduction Prohibited 40

42 Five key process stages Manual vs automated approaches You may already have tools inhouse to do this (e.g., ediscovery, information governance tools) Some DLP solutions can do this too Where is data located? Where is sensitive data located? 2014 Forrester Research, Inc. Reproduction Prohibited 41

43 Five key process stages What is sensitive data? Tag it Forrester Research, Inc. Reproduction Prohibited 42

44 Five key process stages What is sensitive data? Tag it. Manual vs automated approaches Standalone vs feature New data vs legacy data Classification is everyone s job Simplify classification levels Data is a living thing 2014 Forrester Research, Inc. Reproduction Prohibited 43

45 Five key process stages Reduce the data sprawl. Move, archive, or dispose Forrester Research, Inc. Reproduction Prohibited 44

46 Five key process stages Data is a living thing Potentially limits scope of compliance Consider creating data free zones Reduce the data sprawl. Move, archive, or dispose Forrester Research, Inc. Reproduction Prohibited 45

47 Five key process stages Design DLP rules/policies Forrester Research, Inc. Reproduction Prohibited 46

48 Five key process stages Design DLP rules/policies. Work with multiple stakeholders Create rules with an understanding of the sensitivity of data and how it needs to be used Determine appropriate actions in response to policy violations 2014 Forrester Research, Inc. Reproduction Prohibited 47

49 Five key process stages Enforce DLP rules/policies Forrester Research, Inc. Reproduction Prohibited 48

50 Five key process stages Implement rules! Regularly review DLP rules and actions with stakeholders and lines of business to evaluate policy designs Track efficacy via reports from SIM or GRC tools Enforce DLP rules/policies Forrester Research, Inc. Reproduction Prohibited 49

51 Thank you Heidi Shey

52 Reasons to Consider a DLP Managed Service Sensitive Data Loss is NOT Inevitable 51

53 5 Reasons to Consider a DLP Managed Service Reason #1 Instant on Data discovery Where your sensitive data resides Who accesses it How it is transacted Look for service providers who can give you full visibility into all data access and usage within 120 days Sensitive Data Loss is NOT Inevitable 52

54 5 Reasons to Consider a DLP Managed Service Reason #2 Immediate access to security experts Severe shortage of IT security talent not going away With the right managed service you can harness the knowledge and experience security experts Look for experience in: Implementing mission-critical data security Risk and compliance programs Sensitive Data Loss is NOT Inevitable 53

55 5 Reasons to Consider a DLP Managed Service Reason #3 Better use of your resources With a managed service, InfoSec teams can focus on governance instead of administration Look for providers that offer different service level options to meet your unique needs Sensitive Data Loss is NOT Inevitable 54

56 5 Reasons to Consider a DLP Managed Service Reason #4 Exceptional time to value Managed security services can offer a faster road to better data visibility and risk posture Look for a managed service with a proven track record of strong time to value Sensitive Data Loss is NOT Inevitable 55

57 5 Reasons to Consider a DLP Managed Service Reason #5 No sensitive data in the cloud First generation DLP managed services transmitted and stored sensitive data in the cloud Next generation services only transmit encrypted metadata to the cloud Sensitive data is private and secured at all times Look for a next generation DLP managed service that doesn't transmit sensitive data to the cloud Sensitive Data Loss is NOT Inevitable 56

58 Q & A Dan Geer, CISO In-Q-Tel Featured Speaker Heidi Shey, Security Analyst, Forrester Research

What It Takes to be a CISO in 2017

What It Takes to be a CISO in 2017 Doug Copley Deputy CISO Sr. Security & Privacy Strategist February 2017 IMAGINE You re the CISO In Bangladesh Of a bank On a Friday when you re closed You realize 6 huge