Quick Wins With DLP. Applying the Quick Wins process to deploy a high impact solution, Rich Mogul, Securosis. Sponsors of Today's Event:

Transcription

1 Safeguarding the Digital World Quick Wins With DLP Applying the Quick Wins process to deploy a high impact solution, Rich Mogul, Securosis Sponsors of Today's Event:

2 Today s Agenda Introduction Peer Group Survey Rich Mogull Presentation Jon Kim, Cisco/RSA Quick Win Q&A

3 Guest Speaker: Rich Mogull CEO and Analyst Securosis

4 Today s Agenda Introduction Peer Group Survey Rich Mogull Presentation Jon Kim, Cisco/RSA Quick Win Q&A

5

6

7

8

9

10 Today s Agenda Introduction Peer Group Survey Rich Mogull Presentation Jon Kim, Cisco/RSA Quick Win Q&A

11 Presents Quick Wins with Data Loss Prevention Rich Mogull Securosis, LLC

12 DLP Fears Too complex to deploy. Too many false positives.

13 The Quick Wins Process

14 "Products that, based on central policies, identify, monitor, and protect data at rest, in motion, and in use through deep content analysis." -Rich Mogull

15 What DLP Provides Helps you identify where you store sensitive information. Helps you understand how that information is used and moved throughout your organization. Proactively protects your information, while limiting impact on legitimate business processes.

16 Content Analysis Partial Document Matching Database Fingerprinting Statistical Exact File Matching Categories Conceptual ^(?:(?<Visa>4\d{3}) (?<Mastercard>5[1-5]\d{2}) (?<Discover>6011) (?<DinersClub>(?:3[68]\d{2}) (?:30[0-5]\d)) (?<AmericanExpress>3[47]\d{2}))([ - ]?)(?(DinersClub)(?:\d{6}\1\d{4}) (?(AmericanExpress)(?:\d{6}\1\d{ 5}) (?:\d{4}\1\d{4}\1\d{4})))$ Rules

17 Defining Process

18

19 Prepare Directory Servers Why? DLP policies are typically user and group based. Need to correlate activities back to warm bodies. Poor directories are a leading obstacle to DLP deployments. vs. Web vs. Endpoint

20 Integrate with Infrastructure

21 Integration Recap For all deployments: Directory services (usually your Active Directory and DHCP servers). Network deployments: Network gateways and mail servers. Endpoint deployments: Software distribution tools. Discovery/storage deployments: File shares on the key storage repositories (you generally only need a username/password pair to connect).

22 Choose Flavor Single Data Type Information Usage

23 Choose Deployment Type In Motion At Rest In Use

24 Define Policies Single Type Information Usage Leverage an existing category when possible. Tune later. False positives are good! Turn on (nearly) everything. Collect as much as possible to identify usage patterns.

25 Monitor ID Time Policy Channel Severity User Action Status PII 1.2 M rmogull Blocked Open HIPAA IM 2 jsmith Notified Assigne d PII HTTP None Closed R&D/Product X USB 4 bgates Notified Assigne d Financials Storage Encrypt Escalated /1/08 Source Code Cut/Paste 12 sjobs Confirm Open

26 Analyze Top violations by data type. Top violations by business unit. QuickTime and a Animation decompressor are needed to see this picture. Top violations by volume. False positive patterns. Different violations from same source. Unusual origins.

27 What Did We Accomplish? QuickTime and a Animation decompressor are needed to see this picture. Established a flexible incident management process. Integrated with major infrastructure components. Assessed broad information usage. Set foundation for later.

28 Full Deployment

29 Summary With DLP, iteration is the name of the game. Encrypt laptops, (maybe) backup tapes, and key applications/databases. TDE is easiest. Choose application encryption over filed level when possible. Tokenization may reduce both risks and costs.

30 Quick Wins with Data Loss Prevention Rich Mogull Securosis,

31 Today s Agenda Introduction Peer Group Survey Rich Mogull Presentation Jon Kim, Cisco/RSA Quick Win Q&A

32 Jon S. Kim Force 3 jon.kim@force3.c

33 360 Degrees of Data Privacy Anti-Spam SenderBase Reputation Filtering IronPort Anti-Spam (IPAS) Cisco IronPort RSA DLP 100+ predefined DLP policies Accurate Easy to Implement Inbound Security Outbound Control Anti-Virus Virus Outbreak Filters (VOF) McAfee Anti-Virus Sophos Anti-Virus Encryption Secure Message Delivery Transport Layer Security

34 Prevent Data Loss on the Web Interoperability between IronPort S-Series and RSA DLP Network o Content analysis of web traffic for DLP o Enforcement of controls for web traffic o URL, Web reputation and malware filtering HTTP, HTTPS, FTP IronPort S-Series (ICAP Client) Corporate Users DLP Administrator RSA DLP Network (ICAP Server) RSA DLP Network Controller & Enterprise Manager

35 Today s Agenda Introduction Peer Group Survey Rich Mogull Presentation Jon Kim, Cisco/RSA Quick Win Q&A