Symantec DLP: Detection Innovation and Expanded Coverage
Ernie Simmons, Tory Gilbert
IIP Technical Field Enablement

Topics
- DLP and Detection Overview
- Vector Machine Learning (VML)
- Email Prevent and VML
- Endpoint Prevent and VML
- DLP for Tablets and VML
- Summary
DLP and Detection Overview

Data Loss Prevention Threat Coverage (SYMANTEC VISION 2012)
- DLP Policy drives Monitoring & Prevention of data in motion and Discovery & Protection of stored data
- Data in motion: USB/CD/DVD, Email, Print/Fax, Webmail, Untrusted networks, Instant Message, FTP
- Stored data: File Servers, SharePoint / Lotus Notes / Exchange, Databases, Web servers
- DLP for Tablets: New in V11.5
Data Loss Policies
Data Loss Policy: build from scratch or from 60+ policy templates.
Detection Rules
- Described Data (DCM): keywords, data identifiers, regular expressions, file type
- Fingerprinted Data: structured data (EDM), unstructured data (IDM)
- Vector Machine Learning (introduced in V11.1)
- Group-based rules (AD user groups, senders/recipients)
- Additional detection features: match count threshold, Boolean logic (and/or/if), exceptions
Response Rules
- Notification: by email, onscreen notification, marker file, syslog alert
- Blocking: SMTP, HTTP/S, FTP, IM, USB/CD/DVD, print/fax, copy/paste
- File Copy or Quarantine for Network Discover (quarantine also for Endpoint Discover)
- Modification (SMTP): for conditional encryption, for example
- FlexResponse (Storage, Endpoint): API for custom responses, such as applying digital rights, encrypting files in place, and so on
Detection Innovation and Expanded Coverage
- Vector Machine Learning: lets you detect confidential documents that can proliferate across the enterprise. Such documents are often difficult to fingerprint or describe.
- DLP for Tablets: extends DLP coverage, providing the DLP suite's robust policy and reporting features for iPad security.

Vector Machine Learning (VML)
Vector Machine Learning: Overview
Challenges of detecting unstructured data with keywords or IDM:
- How to identify relevant keywords?
- How to tune policies?
- What if I can't access all confidential docs?
- How do I account for new docs?
Symantec Proprietary & Confidential - This information is not a commitment, promise or legal obligation to deliver any material, code or functionality

Vector Machine Learning: Overview (cont'd)
The solution: Machine Learning, positioned between keywords and IDM.
- Automates policy creation using sample docs
- Improves accuracy with remediation
- Detects new or similar content
Top VML Use Cases
- Create highly accurate policies around source code wherever it resides
- Detect insurance claim forms that reside outside the grasp of IT Security
- Automatically create policies based on VML feature extraction
- Improve accuracy for PII policies by using VML to tune out certain categories of data

VML: Definition and Uses
VML detects unstructured data by determining whether analyzed content is similar to the docs in a training set (a collection of example documents). VML represents a third type of detection in addition to describing (DCM) and fingerprinting (EDM / IDM).
When to use:
- Yes: unstructured and textual; data set highly distributed, difficult to collect; very difficult to describe
- No: unstructured and binary; data set centralized and/or small; easy to describe

VML: Example Data
- Source code: protect proprietary source code for a product, trading models, or actuarial algorithms
- Reports and forms: monthly or weekly sales reports, loan applications, and resumes
- Legal contracts: licensing, partnerships, and sales agreements
- HIPAA and HITECH: Patient Health Information in the form of insurance claims, billing and procedure codes, emails to patients
- ITAR (International Traffic in Arms Regulations): Intellectual Property and unstructured data that may be restricted

VML: Selecting Sample Docs (Training Sets)
- Positive Training Set: represents a narrow category (e.g., Endpoint DLP source code)
- Negative Training Set: represents related broader categories (e.g., open source C++ code or Endpoint DLP API Guides)
- Both training sets: stored on the Enforce host; minimum 50 docs each (minimum 250 recommended); roughly the same size; docs in a ZIP (recommended); no docs larger than 30 MB
VML: How It Works
Training: positive examples (+) and negative examples (-) -> select features -> generate model -> calculate accuracy -> Profile
Detection: analyzed content is compared against the Profile and receives a Similarity Score from 0.0 through 10.0
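To make the training and detection pipeline on this slide concrete, here is an added, deliberately simple stand-in for it. This is not Symantec's VML implementation: the feature selection (tokens whose document frequency differs most between the two sets), the model (one centroid per training set), the resubstitution accuracy estimate and the mapping of cosine similarity onto the 0.0 to 10.0 score are all choices made here for illustration, and the "Endpoint DLP source code" and "open source C++" training documents are constructed (far fewer than the 50 the previous slide requires, which is why the accuracy figure it reports is optimistic).

```python
# Added example (not Symantec's VML implementation): a simplified stand-in for
# the training and detection pipeline on this slide. Training docs are constructed.
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z_][a-z0-9_]*")


def tokenize(text: str) -> list:
    return TOKEN.findall(text.lower())


def select_features(positive: list, negative: list, max_features: int = 50) -> list:
    """Select features: keep tokens whose document frequency differs most between the sets."""
    pos_df, neg_df = Counter(), Counter()
    for doc in positive:
        pos_df.update(set(tokenize(doc)))
    for doc in negative:
        neg_df.update(set(tokenize(doc)))
    vocab = set(pos_df) | set(neg_df)
    ranked = sorted(vocab, reverse=True,
                    key=lambda t: abs(pos_df[t] / len(positive) - neg_df[t] / len(negative)))
    return ranked[:max_features]


def vectorize(text: str, features: list) -> list:
    counts = Counter(tokenize(text))
    return [counts[f] for f in features]


def centroid(vectors: list) -> list:
    return [sum(col) / len(vectors) for col in zip(*vectors)]


def cosine(a: list, b: list) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = math.sqrt(sum(x * x for x in a)), math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


class VmlProfile:
    """Generate the model (two centroids) from the training sets and estimate accuracy."""

    def __init__(self, positive: list, negative: list, max_features: int = 50):
        self.features = select_features(positive, negative, max_features)
        self.pos_centroid = centroid([vectorize(d, self.features) for d in positive])
        self.neg_centroid = centroid([vectorize(d, self.features) for d in negative])
        # Calculate accuracy by re-scoring the training docs (resubstitution): optimistic,
        # which is one reason the slides ask for large training sets.
        verdicts = [self.matches(d) for d in positive] + [not self.matches(d) for d in negative]
        self.accuracy = sum(verdicts) / len(verdicts)

    def score(self, text: str) -> float:
        """Similarity score: 0.0 (entirely like the negative set) through 10.0 (entirely positive)."""
        v = vectorize(text, self.features)
        sim_pos, sim_neg = cosine(v, self.pos_centroid), cosine(v, self.neg_centroid)
        if sim_pos + sim_neg == 0:
            return 0.0                        # none of the selected features present
        return round(10.0 * sim_pos / (sim_pos + sim_neg), 2)

    def matches(self, text: str, threshold: float = 5.0) -> bool:
        return self.score(text) >= threshold


# Constructed training sets (stand-ins for "Endpoint DLP source code" vs. "open source C++").
POSITIVE_SET = [
    "class EndpointAgent { void scanClipboard(); void enforcePolicy(PolicyRule rule); };",
    "int EndpointAgent::sendIncident(IncidentRecord rec) { return enforceServer.upload(rec); }",
    "PolicyRule EndpointAgent::loadPolicy() { return enforceServer.fetchPolicy(agentId); }",
    "void EndpointAgent::blockTransfer(UsbDevice dev) { notifyUser(dev); logIncident(dev); }",
]
NEGATIVE_SET = [
    "#include <vector> int main() { std::vector<int> v; v.push_back(1); return 0; }",
    "template <typename T> T max(T a, T b) { return a > b ? a : b; }",
    "std::string trim(const std::string& s) { return s.substr(s.find_first_not_of(' ')); }",
    "void sort(std::vector<int>& v) { std::sort(v.begin(), v.end()); }",
]
# Constructed "new" documents that were not in either training set.
NEW_INTERNAL_SNIPPET = "void EndpointAgent::scanClipboard() { enforceServer.fetchPolicy(agentId); }"
NEW_OPEN_SOURCE_SNIPPET = "template <typename T> std::vector<T> copy(const std::vector<T>& v) { return v; }"


def build_demo_profile() -> VmlProfile:
    return VmlProfile(POSITIVE_SET, NEGATIVE_SET)


if __name__ == "__main__":
    profile = build_demo_profile()
    print("accuracy:", profile.accuracy)
    for doc in (NEW_INTERNAL_SNIPPET, NEW_OPEN_SOURCE_SNIPPET):
        print(profile.score(doc), profile.matches(doc), doc[:40])
```

The two "new" snippets show the property the use-case slide promises: neither was in a training set, yet the one that reuses the product's own identifiers scores high and the generic C++ scores low, so a policy threshold on the score catches similar content rather than only exact fingerprints.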
Vector Machine Learning: Demo
- Review training sets
- Configure profile
- Train and accept profile
- Add profile to policy

Network Prevent for Email + VML
Network Prevent for Email + VML (reflecting mode)
1. End user sends email
2. Email forwarded to MTA
3. MTA routes email to Network Prevent (Email)
4. Email inspected, then blocked or modified if in violation of policy
5. Prevent sends email back to MTA
6. If email is unmodified, MTA sends it downstream. If header is modified, MTA takes appropriate action (typically, rerouting).
Diagram zones: End Users and Email Server, Corporate LAN, DMZ, Internet. The above diagram is for reflecting mode.
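Steps 3 to 6 of the reflecting-mode flow can be simulated end to end with Python's standard email library. This is an added example, not Symantec code: the X-DLP-Action header name, the routing targets ("encryption-gateway", "quarantine") and both sample messages are constructed, and a single keyword stands in for the VML profile that the demo on the next slide uses.

```python
# Added example (not Symantec code): reflecting-mode flow, MTA -> Prevent -> MTA.
# The header name, routing targets and sample messages are constructed.
import email
from email import policy as email_policy

SENSITIVE_TERMS = ("medicaid",)      # stand-in for the policy's detection rules (VML in the demo)

# Constructed sample messages, as handed to the MTA in steps 1 and 2.
CLEAN_MESSAGE = b"""From: alice@example.com
To: counsel@partner.example
Subject: Legal attachment
Content-Type: text/plain; charset=utf-8

Attached is the licensing agreement for your review.
"""

SENSITIVE_MESSAGE = b"""From: alice@example.com
To: counsel@partner.example
Subject: Legal attachment
Content-Type: text/plain; charset=utf-8

Attached is the Medicaid claim form and the related legal opinion.
"""


def prevent_inspect(raw: bytes) -> bytes:
    """Step 4: Network Prevent inspects the message. It is returned (step 5)
    unmodified, or with an added header that tells the MTA what to do."""
    msg = email.message_from_bytes(raw, policy=email_policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    if any(term in text for term in SENSITIVE_TERMS):
        msg["X-DLP-Action"] = "encrypt"   # constructed header: modification for conditional encryption
    return msg.as_bytes()


def mta_route(raw_after_prevent: bytes) -> str:
    """Step 6: the MTA acts only on the header. Unmodified -> downstream delivery;
    modified -> the configured action (constructed targets here)."""
    msg = email.message_from_bytes(raw_after_prevent, policy=email_policy.default)
    action = msg.get("X-DLP-Action")
    if action is None:
        return "downstream"
    return {"encrypt": "encryption-gateway", "block": "quarantine"}.get(action, "quarantine")


def deliver(raw: bytes) -> str:
    """Steps 3 to 6 in sequence: MTA hands the message to Prevent, then routes on the result."""
    return mta_route(prevent_inspect(raw))


if __name__ == "__main__":
    print("clean     ->", deliver(CLEAN_MESSAGE))
    print("sensitive ->", deliver(SENSITIVE_MESSAGE))
```

The split of responsibilities is the point of reflecting mode: Prevent never delivers anything itself, it only annotates, and the MTA's routing rules decide what a modified header means (rerouting to an encryption gateway, quarantine, or a bounce).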
Network Prevent for Email: Demo
- Send email with legal attachment (non-Medicaid-related)
- Send email with Medicaid-related legal attachment
- Review email notifications
- Review incident snapshot and send manager notification

Endpoint Prevent + VML
Endpoint Prevent + VML
1. Agent inspects files/data going to internal drives, USB, CD/DVD, supported email clients / IM clients / browsers, FTP, print/fax, clipboard, and network shares (Windows Explorer only)
2. Any blocking, onscreen notification, or FlexResponse rules are initiated locally
3. Agent sends incident data to the Endpoint Server (Endpoint Prevent)
The agent functions when disconnected from the corporate LAN and stores incident data until it reconnects.

Endpoint Prevent: Demo
- Copy non-Medicaid-related file to USB
- Copy Medicaid-related file to USB

DLP for Tablets and VML
DLP for Tablets: Overview
Comprehensive coverage: corporate email, personal email, social media, cloud apps
Most user friendly, lowest TCO:
- Works over Wi-Fi and 3G
- Enables full use & productivity of the device. Our approach does NOT
  o require a restrictive sandbox approach, or
  o break business processes by restricting what data can go to the iPad
Symantec DLP for Tablets is tightly integrated with the Symantec DLP Suite:
- Common, advanced technologies for detecting confidential information
- Consistent application of DLP policy, and
- Seamless, integrated reporting & analytics

Data Loss Prevention for Tablets: Architecture
Tablet network traffic (Email, Web, Popular Apps) -> VPN at all times -> Corporate Network: Proxy and Symantec Data Loss Prevention Tablet Prevent Server -> Internet (instead of direct access to the Internet from the tablet)
Key benefits:
- Reduce risk of data loss from iPads, while giving users access to sensitive data
- Supports consumerization: coverage for personal and corporate use cases
Mobile Device Management + DLP for Tablets
- MDM is not required, but it delivers the VPN profile and may optionally enforce it.
- The MDM solution needs the ability to:
  - Set the VPN profile
  - Push certificates. Certificates required for DLP: a user certificate (for VPN authentication) and the proxy root certificate (to be added to the iPad's list of trusted certs)
  - Prevent tampering with the VPN profile setting (optional)
  - Enforce remediation/action if the user turns off VPN (optional)

Symantec Mobile Management (Optional)
Symantec Mobile Management (SMM) enforces VPN settings. It is optional. Symantec Mobile Management 7.1 SP1 (DLP release) can be configured to monitor and alert if the user attempts to shut off VPN; this is not done by most MDM solutions.
DLP for Tablets: Demo
- Dropbox
- FTP
- Facebook
- Twitter
- Incident review

DLP for Tablets: Benefits
- Balances protection with usability: reduce data loss risk, preserve access to confidential data
- Supports consumerization: coverage for personal and corporate use cases
- Preserves iPad app performance: common apps work as expected
- Works with any Mobile Device Management (MDM) solution: customers use their preferred solution

Summary
- Vector Machine Learning (VML) lets you detect confidential documents that proliferate across the enterprise.
- DLP for Tablets extends coverage, providing the DLP suite's excellent policy and reporting features for iPad security.

Q & A

Thank you!
Ernie Simmons, Tory Gilbert
IIP Technical Field Enablement
ernest_simmons@symantec.com
tory_gilbert@symantec.com
SYMANTEC PROPRIETARY/CONFIDENTIAL INTERNAL USE ONLY
Copyright 2012 Symantec Corporation. All rights reserved.