RSA Data Loss Prevention: Policy to Remediation

Transcription

1 RSA Data Loss Prevention: Policy to Remediation Christian Hewitt, CISSP 1

2 RSA Security Management & Compliance Vision Delivering Visibility, Intelligence and Governance 2

3 Problem Definition You have a lot of data, but most controls are detective You rely heavily on people to do the right things: Don t store data on local hard drives Delete/archive files that have are no longer required Know where data is Know who data owners are Know who has access to data Know what kind of access You rely on IT knowing what needs to be protected 3

4 Zero Tolerance vs. Risk Mitigation Most InfoSec policies are based on zero-tolerance Rigid interpretation Detrimental to the business Hard to align to the business Complexity prevents understanding Data exists in states of rest, motion and use The determined thief/spy problem We need to shift to a risk-based approach Understand how much to absorb or tolerate SOLUTION IS TO MANAGE OR MITIGATE RISK AS MUCH AS POSSIBLE 4

5 Risk Based Approach To adopt a risk based approach you must adopt a risk analysis scheme to properly categorise risks What are our risks? What is the probability of their occurrence? When are they most likely to occur? What is the severity of their consequence? Most organisations are good at understanding risk from physical assets and services Most organisations are bad at understanding the risk from information assets 5

6 The What, Where and Who? Most organisations do not understand what sensitive information assets they have But they know they have a lot of information assets Most organisations do not know where their sensitive information assets are stored Cloud Computing, Virtualisation and BYOD increase scope Most organisations do not know who has access to their sensitive information assets But they know data is shared inappropriately Nobody knows what controls are required But blocking stuff sounds good 6

7 Information Leak Protection Data Loss Prevention Data Leak Prevention Information Risk Management Data Risk Management 7

8 RSA s Definition for Data Loss Prevention DLP is a technology that helped us build a process to protect our people from mishandling and leaking sensitive data -CISO, Healthcare Company 8

9 Need/Awareness Has Increased Companies are losing data at unprecedented scales 2013 is the worst year for a decade.. 705m records lost Adobe: largest ever loss at 2.9m 152m records Target: POS systems lose 110m records Rogue insiders PFC Chelsea Manning Edward Snowden 600% increase in enquiries for Data Governance and Data Loss Prevention solutions 9

10 RISK (INCIDENTS) Establishing a Risk-Based DLP Programme DISCOVER/ ANALYSE EDUCATE ENFORCE Risk across the infrastructure End-users and Risk Teams Security Controls Understand Risk Reduce Risk Manage Risk TIME 10

11 Discover (What Policy is Required?) Policy Requirements Best Practices What data is sensitive? How long is it sensitive? Who can do what? Who should the alerts go to? Who are the policy approvers? Enable business to take ownership Develop an approval process Avoid s/calls based approach Record all communications Establish a repeatable workflow Regulatory data is usually easy (well defined) but Corporate Secrets need engagement with the data owners in the business 11

12 RSA Policy Workflow Manager + Step 1 Identify files & set business rules Step 3 DLP Policy is routed for approval Business Managers Step 2 Create DLP Policy & check for feasibility Step 4 Approved DLP policy DLP Admin End Users Policy applied across the enterprise 12

13 Discover (What, Where, Who?) Data At Rest Repositories (Exchange, SharePoint, Documentum, FileNet, etc.) Applications (Oracle, SQL, etc.) Filesystems of servers, laptops, desktops Filesystems of NAS/SAN Removable media Data In Motion SMTP, HTTP(S), FTP, etc. Data In Use Sneakernet (USB, CD/DVD, etc.) Printing Working with VDI 13

14 Forrester ~ Understand The State of Data Security and Privacy: Survey of IT executives in the US, UK, Hong Kong, Brazil and Germany 56% of respondents unaware of their companies security policies Most breaches are the work of inside actors 25% outside actors 31% loss/theft of a corporate asset 27% unintentional misuse of data 12% acts by malicious insiders 14

15 Education, Education, Education Notifications! Communicate your information security policies Internal PR for the security group Sent to the right people at the right time Drive organisation / culture change Good Corporate Citizens (~95%) Now you know who they are Reduced incident rate = reduced risk Bad Corporate Citizens (~5%) Now you know who they are Technology problem or Education/HR problem? 15

16 Enforcement and Remediation How many events can you review per day/week? Prioritise events by criticality (risk) Prioritisation must change over time (policy review) Network / Endpoint Events Occur in real-time Creator/actor is known Blocking stops bad stuff, must be good, right? Can the end-user solve a block unaided? Datacentre Events Non real-time Creator or owner is often obscured Scan results create lots of events 16

17 You Scan for Sensitive Data. Then What? IT decides on remediation Result Sensitive files discovered by DLP X IT does not have business context Potential of disruption to business Involve end-user in remediation Who to contact? What to ask? How to track responses? How to follow up? How to orchestrate? How to manage the process? 17

18 RSA Risk Remediation Manager Repositories Grid Business Users Databases Apply DRM Virtual Grid Encrypt NAS/SAN RSA DLP Datacenter RSA DLP RRM Delete / Shred Temp Agents Change Permissions File Servers Agents File Activity Tools GRC Systems Policy Exception Endpoints Discover Sensitive Data Manage Remediation Workflow Apply Controls 18

19 Risk Remediation Manager: Use Case Day T ,000 Owners in 32 Countries Identified by RSA DLP Imperva used to identify owners for orphan files Day T 30K files discovered by RSA DLP Day T % of files remediated Repeatable and continuously monitored Process time reduced by 600% Day T + 15 RRM creates cases and sends questionnaires to data owners Data owners and IT agree on remediation controls 19

20 Asset Criticality Intelligence (ACI) Asset Intelligence IT Info Biz Context RSA ACI IP Address Criticality Rating Business Unit Facility Asset List Device Owner Device Type Business Owner Device Content Business Unit Criticality Rating RSA Security Analytics CMDBs Vuln. Scans Biz Process RPO / RTO Security analysts now have asset intelligence and business context to better analyze and prioritize alerts. 20

21 21

22 DLP as a Data Governance and Information Risk Mitigation Solution BOARD EMPLOYEES SEND COPY POST STORE Non-sensitive Data Regulatory Data CONTRACTORS ACCESS Company Secrets identities user actions information RISK 22

23 THANK YOU