Preventing the Next Insider Threat from Leveraging Cross Domain Data Movement
Kevin McPeak, CISSP, ITILv3, Symantec Security Architect
kevin_mcpeak@symantec.com, @kevin_mcpeak
Key References: DoDI 8540.01; ICS 500-31 (Draft)
Key Reference, DoDI 8540.01: A Cross Domain Solution (CDS) must be approved within an information system (IS) boundary or authorized as a separate IS using the DoD Risk Management Framework (RMF) process.
Cross Domain Solution (CDS) Authorization Process
CDS Authorization Process: Cross Domain Enterprise Services
The CDS Authorization Process for Cross Domain Enterprise Services (CDES) comprises four phases:
Phase 1: Validation, Prioritization, & Requirements Analysis
Phase 2: Solution Development and Risk Assessment
Phase 3: Security Engineering & Risk Assessment
Phase 4: Annual Risk Review
Understanding Insider Threats
"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle."
Sun Tzu, The Art of War
Classified USG Materials: Presidential Efforts to Thwart Insider Threats
EO 13526
EO 13587
Conforming Change 2 of the NISPOM
EO 13526: "Classified National Security Information"
President Obama issued EO 13526 in 2009. It provided for the creation of the National Declassification Center (NDC), which systematically declassifies information as soon as practicable.
EO 13587: Structural Reforms to Improve Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information
Executive Branch Insider Threat Programs require:
designation of a senior official (or officials);
the capability to gather, integrate, and centrally analyze and respond to key threat-related information;
monitoring of employee use of classified networks;
insider threat awareness training for the workforce;
protection of the civil liberties and privacy of all personnel.
NISPOM Conforming Change 2 (Pending)
The minimum standards for Industry will include:
establishing an insider threat program;
designating an insider threat senior official who is cleared in connection with the facility clearance;
self-assessments of insider threat programs;
insider threat training for designated personnel and awareness training for employees;
monitoring of network activity.
Cross Domain Solution (CDS) Data Movement Strategy to Prevent Data Loss via Insider Threats
I: Identify the Appropriate Data Owners
II: Locate All of the Places Where Classified Data Resides
III: Tag your Classified Data
IV: Monitor/Learn How Classified Data is Typically Used
V: Determine Where Classified Data Goes
VI: Wrap Additional Security Around Classified Data
VII: Halt Data Leaks Before Spillage Occurs
CDS Data Movement Strategy to Prevent Data Loss via Insider Threats
I. Identify the Appropriate Data Owners
1: Identify the appropriate operating units, specialized teams, task forces, and specific individuals.
2: Work with these data owners to identify additional priority data types. This is an iterative process for risk reduction.
II. Locate All of the Places Where Your Highly Sensitive & Classified Data Resides
1: Consider data at rest, data in use, data in motion, archived data, and encrypted data.
2: Consider standard locations: network devices, storage, databases, file servers, web portals and other applications, laptops, e-mail servers (MTA or proxy), PST files.
3: Consider other locations: mobile devices, printers, scanners, fax machines, copiers, file-sharing apps like Dropbox or Evernote, USB drives, CD/DVDs, paper copies, IM, "free" webmail services, university webmail for students and alumni, FTP puts.
CDS Data Movement Strategy to Prevent Data Loss via Insider Threats
III. Tag your Sensitive & Classified Data
IV. Monitor & Learn How Classified Data is Typically Used and Typically Generated by Your Workforce
V. Determine Where Classified Data Goes & the Conditions When it May Cross Domains
Don't be Lookin' for Data in All the Wrong Places...
CDS Data Movement Strategy to Prevent Data Loss via Insider Threats
VI. Wrap Additional Security Around Sensitive Data
1: The best Incident Response (IR) is for the incident to have been thwarted in the first place, long before it became an incident.
2: Review your file permissions.
3: Consider using additional encryption for sensitive data as part of your defense-in-depth posture.
CDS Data Movement Strategy to Prevent Data Loss via Insider Threats
VII. Halt Data Leaks Before Spillage Occurs
Defense In Depth: Encryption + Data Loss Prevention
Network DLP / Email Gateway Encryption
Can be set to automatically block or encrypt emails containing classified or sensitive data
Notify employees in real time, in context, about encryption policies and tools
Storage DLP / Shared Storage Encryption
Discover where classified data files are stored and automatically apply encryption
Ease the burden on staff with near transparency
Endpoint DLP / Endpoint Encryption
Target high-risk users by discovering which laptops contain sensitive data
Protect and enable the business by targeting encryption efforts at sensitive data moving to USB devices
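The following is an added worked example, not code from the deck or from any Symantec product. It shows how strategy steps III (tag), IV (monitor), V (where data goes and when it may cross domains) and VII (halt leaks) fit together with the block-or-encrypt actions on the defense-in-depth slide: a small policy check that reads classification markings out of content, compares them with the tag the data owner applied and with the destination domain's ceiling, and emits one audit line per decision. The domain names (HIGH-NET, LOW-NET, INTERNET), the marking and caveat patterns, and the sample messages are all constructed for illustration; a real CDS enforces far more than this and is governed by DoDI 8540.01.

```python
"""Toy cross-domain transfer policy check (constructed illustration).

Domain names, marking strings and sample messages are hypothetical; a real
cross domain solution is governed by DoDI 8540.01 and does far more.
"""
import re
from dataclasses import dataclass

# Ordered classification levels; list index is the rank.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Inline portion marks such as "(S)" or "(S//NF)", mapped to a level.
PORTION_MARKS = {"U": "UNCLASSIFIED", "C": "CONFIDENTIAL",
                 "S": "SECRET", "TS": "TOP SECRET"}
PORTION_RE = re.compile(r"\((U|C|S|TS)(?://[A-Z]+)?\)")
# Banner line at the top of a document, e.g. "SECRET//NOFORN".
BANNER_RE = re.compile(r"^\s*(UNCLASSIFIED|CONFIDENTIAL|SECRET|TOP SECRET)\b",
                       re.MULTILINE)
# Sensitive-but-unclassified handling caveats (hypothetical subset).
SENSITIVE_RE = re.compile(r"\b(FOUO|CUI)\b")

# Hypothetical security domains and the highest level each may hold.
DOMAINS = {"HIGH-NET": "SECRET", "LOW-NET": "UNCLASSIFIED",
           "INTERNET": "UNCLASSIFIED"}


@dataclass
class Transfer:
    src_domain: str
    dst_domain: str
    declared_tag: str   # step III: the label the data owner applied
    body: str


@dataclass
class Decision:
    action: str         # "ALLOW", "ENCRYPT" or "BLOCK"
    reason: str
    detected_level: str


def detect_level(body: str) -> str:
    """Steps III/IV: the highest classification marking found in the content."""
    found = BANNER_RE.findall(body)
    found += [PORTION_MARKS[p] for p in PORTION_RE.findall(body)]
    if not found:
        return "UNCLASSIFIED"   # unmarked content sits at the floor; it is not trusted
    return max(found, key=RANK.__getitem__)


def evaluate(t: Transfer) -> Decision:
    """Steps V and VII: may this content move from src_domain to dst_domain?"""
    detected = detect_level(t.body)
    dst_max = DOMAINS[t.dst_domain]
    # Mislabeled data first: content marked higher than its tag is a spill in
    # the making whatever the destination, so it is stopped before it moves.
    if RANK[detected] > RANK[t.declared_tag]:
        return Decision("BLOCK",
                        f"content marked {detected} but tagged {t.declared_tag}",
                        detected)
    effective = max(detected, t.declared_tag, key=RANK.__getitem__)
    if RANK[effective] > RANK[dst_max]:
        return Decision("BLOCK",
                        f"{effective} data may not enter {t.dst_domain} (max {dst_max})",
                        detected)
    # Unclassified but caveated data leaving the enterprise is encrypted, not blocked.
    if t.dst_domain == "INTERNET" and SENSITIVE_RE.search(t.body):
        return Decision("ENCRYPT",
                        "sensitive-but-unclassified data leaving the enterprise",
                        detected)
    return Decision("ALLOW", "within policy", detected)


def audit_record(t: Transfer, d: Decision) -> str:
    """Step IV: one log line per decision, so analysts can learn normal usage."""
    return (f"cds_decision src={t.src_domain} dst={t.dst_domain} "
            f"tag={t.declared_tag} detected={d.detected_level} "
            f"action={d.action} reason=\"{d.reason}\"")


# Constructed sample transfers (not real data).
SAMPLES = [
    Transfer("HIGH-NET", "LOW-NET", "UNCLASSIFIED",
             "UNCLASSIFIED\n(U) Cafeteria menu for Tuesday."),
    Transfer("HIGH-NET", "LOW-NET", "UNCLASSIFIED",
             "UNCLASSIFIED\n(U) Agenda\n(S//NF) Target coordinates follow."),
    Transfer("HIGH-NET", "LOW-NET", "SECRET",
             "SECRET//NOFORN\n(S) Target list."),
    Transfer("LOW-NET", "INTERNET", "UNCLASSIFIED",
             "UNCLASSIFIED//FOUO\n(U) Draft vendor contract."),
]


def run_samples() -> list:
    """Evaluate every sample, print its audit line, and return the actions taken."""
    actions = []
    for t in SAMPLES:
        d = evaluate(t)
        print(audit_record(t, d))
        actions.append(d.action)
    return actions


if __name__ == "__main__":
    run_samples()
```

The second sample is the case the deck is really about: the owner tagged the file UNCLASSIFIED, but a SECRET portion mark inside it means the tag is wrong, and the check blocks it on that mismatch alone rather than trusting the label. The fourth sample shows the other branch of the e-mail gateway slide, where unclassified content with a handling caveat is encrypted rather than stopped.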
http://www.symantec.com/data-loss-prevention
Kevin McPeak, kevin_mcpeak@symantec.com, @kevin_mcpeak
Thank you!
Copyright 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.