Quick Wins with Data Loss Prevention: How to Make DLP Work for You
Rich Mogull, CEO & Analyst, Securosis, L.L.C.
Mark Moroses, Assistant CIO, Continuum Health Partners
John Dasher, Senior Director, Data Protection, McAfee

Agenda
- Rich Mogull, CEO & Analyst, Securosis, L.L.C.
  - Low-Hanging Fruit: Quick Wins with DLP
- Mark Moroses, Assistant CIO, Continuum Health Partners
  - How Continuum uses McAfee DLP to protect sensitive patient data
- John Dasher, Senior Director, Data Protection, McAfee
  - McAfee DLP solution overview

Quick Wins with Data Loss Prevention
Rich Mogull, Securosis, LLC

DLP Fears
- Too complex to deploy.
- Too many false positives.

The Quick Wins Process

"Products that, based on central policies, identify, monitor, and protect data at rest, in motion, and in use through deep content analysis."
-Rich Mogull

What DLP Provides
- Helps you identify where you store sensitive information.
- Helps you understand how that information is used and moved throughout your organization.
- Proactively protects your information, while limiting impact on legitimate business processes.

Defining Process

Process Workflow

Prepare Directory
- Why?
  - DLP policies are typically user and group based.
  - Need to correlate activities back to warm bodies.
  - Poor directories are a leading obstacle to DLP deployments.
- Email vs. Web vs. Endpoint
- Servers

Integrate with Infrastructure
- Passive sniffer (SPAN/Mirror)
- Email (MTA)
- Network
- Software deployment
- Endpoint
- Admin credentials
- Storage

Integration Recap
- For all deployments: Directory services (usually your Active Directory and DHCP servers).
- Network deployments: Network gateways and mail servers.
- Endpoint deployments: Software distribution tools.
- Discovery/storage deployments: File shares on the key storage repositories (you generally only need a username/password pair to connect).

Choose Flavor
- Single Data Type
- Information Usage

Choose Deployment Type
- Network
- Storage
- Endpoint

Define Policies
- Single Type
- Information Usage
- Leverage an existing category when possible.
- Tune later.
- False positives are good!
- Turn on (nearly) everything.
- Collect as much as possible to identify usage patterns.

Monitor

| ID   | Time    | Policy        | Channel   | Severity | User          | Action   | Status    |
|------|---------|---------------|-----------|----------|---------------|----------|-----------|
| 1138 | 1625    | PII           | Email     | 1.2 M    | rmogull       | Blocked  | Open      |
| 1139 | 1632    | HIPAA         | IM        | 2        | jsmith        | Notified | Assigned  |
| 1140 | 1702    | PII           | HTTP      | 1        | 192.168.0.213 | None     | Closed    |
| 1141 | 1712    | R&D/Product X | USB       | 4        | bgates        | Notified | Assigned  |
| 1142 | 1730    | Financials    | Storage   | 4        | 192.168.1.94  | Encrypt  | Escalated |
| 1143 | 12/1/08 | Source Code   | Cut/Paste | 12       | sjobs         | Confirm  | Open      |

Analyze
- Top violations by data type.
- Top violations by business unit.
- Top violations by volume.
- False positive patterns.
- Different violations from same source.
- Unusual origins.

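The Analyze step applied to the sample incident queue from the Monitor slide, as an added example that is not part of the original presentation. The CSV layout and function names are assumptions, the last two rows are constructed so the same-source check has something to find, and treating an IP address in the User column as an incident with no directory identity is this example's reading of the Prepare Directory slide.

```python
import csv
import io
import ipaddress
from collections import Counter, defaultdict

# First six rows: the sample incident queue from the Monitor slide
# (Time and Severity omitted). Rows 1144-1145 are constructed for this example.
INCIDENTS_CSV = """id,policy,channel,user,action,status
1138,PII,Email,rmogull,Blocked,Open
1139,HIPAA,IM,jsmith,Notified,Assigned
1140,PII,HTTP,192.168.0.213,None,Closed
1141,R&D/Product X,USB,bgates,Notified,Assigned
1142,Financials,Storage,192.168.1.94,Encrypt,Escalated
1143,Source Code,Cut/Paste,sjobs,Confirm,Open
1144,PII,USB,jsmith,Notified,Open
1145,PII,HTTP,192.168.0.213,None,Open
"""

def load_incidents(text=INCIDENTS_CSV):
    return list(csv.DictReader(io.StringIO(text)))

def top_by(incidents, field, n=3):
    """Top violations grouped by one column (policy = data type, channel, user)."""
    return Counter(row[field] for row in incidents).most_common(n)

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def unresolved_sources(incidents):
    """Incidents attributed to an IP address rather than a directory user."""
    return [row["id"] for row in incidents if is_ip(row["user"])]

def multi_policy_sources(incidents):
    """Sources that triggered more than one distinct policy."""
    seen = defaultdict(set)
    for row in incidents:
        seen[row["user"]].add(row["policy"])
    return {src: sorted(p) for src, p in seen.items() if len(p) > 1}

if __name__ == "__main__":
    rows = load_incidents()
    print("By policy:", top_by(rows, "policy"))
    print("By channel:", top_by(rows, "channel"))
    print("No directory identity:", unresolved_sources(rows))
    print("Different violations, same source:", multi_policy_sources(rows))
```
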
What Did We Accomplish?
- Established a flexible incident management process.
- Integrated with major infrastructure components.
- Assessed broad information usage.
- Set foundation for later.

Deployment Best Practices
- Evaluate results
- Integrate with Infrastructure
- Define Initial Policy
- Baseline scan
- Tune policy
- Expand scan scope
- Add protection

Rich Mogull
Securosis, L.L.C.
rmogull@securosis.com
http://securosis.com
AIM: securosis
Skype: rmogull
Twitter: rmogull

Continuum Health Partners Deploying Data Loss Prevention Mark Moroses, Assistant CIO, Continuum Health Partners
Background
- Who is Continuum Health Partners?
- Drivers
  - Regulations - HIPAA
  - Joint commissions to certify best practices
  - Regular audits
  - Failure not an option
- Policy
  - Must be able to ensure enforcement
  - Need to prove policies are being followed

Solution
- Business Enablement
  - IT supporting physician's needs
  - Allow liberal web access while still having monitoring capabilities
- Data Risk Assessment
  - Documented inappropriate data leakage, which helped secure budget
- Investigative Support
  - McAfee DLP has become the starting point for investigations
  - Investigations now able to occur much faster
- Passing Audits
  - Proving compliance with policies and demonstrating working controls
  - Predictable technology and process speed future audits, reduce manpower requirements

Lessons Learned
- Executive sponsorship
  - Physician with prior first-hand experience
- Deployment
  - Soft opening
  - Communicated roll-out plan
- Response Plan
  - No ready, fire, aim
  - Work closely with HR & Legal stakeholders

McAfee Data Loss Prevention John Dasher, Senior Director, Data Protection, McAfee
Static DLP Leaks Data
[Diagram labels: Data; Violations]
McAfee Data Protection

Static DLP Leaks Data
[Diagram labels: Data; Violations; Bit Bucket]

McAfee DLP Leverages Data
[Diagram labels: Data; Violations]

McAfee DLP Leverages Data
[Diagram labels: Data; Violations; Data Intelligence; Capture]
- Fast, accurate policy creation and rapid, in-depth investigations

McAfee DLP 9 Advantages
- Tight Product Integration
  - Integrated technologies provide superior protection
  - Optimized oversight and control
- Deployment Velocity
  - Protect sensitive data more quickly
  - Drive down deployment and ongoing costs
- Data Analytics
  - Build better policy, conduct fast investigations
  - Anticipate risks before they become problems

McAfee DLP Solution: What Others Say
- NetworkWorld found that McAfee has a very practical understanding of the role of DLP in a modern organization with innovative features, excellent user interfaces, and a clear vision for the future of DLP.
- SC Magazine finds McAfee Host DLP to be a good value for customers looking for a lot of features and a lot of flexibility in both data leakage control and enterprise rights management.

McAfee DLP Resources
- Optimized Security Architecture for Data Protection: http://www.mcafee.com/us/enterprise/optimize/data_protection.html
- 10 Steps to Protecting Your Data
- Low Hanging Fruit: Quick Wins with DLP
- Forrester Research Total Economic Impact of McAfee DLP
- McAfee 48-hour Data Risk Assessment: http://dataprotection.mcafee.com/forms/riskassessment
- Data Protection section of McAfee.com: http://www.mcafee.com/us/enterprise/products/data_protection/data_loss_prevention/index.html
- Continuum and BCI customer case studies
- Data Protection Blogs: http://siblog.mcafee.com/category/data-protection/

Q&A